def make_aci(self, entry):
"""Make an ACI string from the given permission entry"""
aci = ACI()
name = entry.single_value['cn']
aci.name = 'permission:%s' % name
ipapermtarget = entry.single_value.get('ipapermtarget')
if ipapermtarget:
aci.set_target('ldap:///%s' % ipapermtarget)
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
if ipapermtargetfilter:
aci.set_target_filter(ipapermtargetfilter)
ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
'permission')
if ipapermbindruletype == 'permission':
dn = DN(('cn', name), self.container_dn, self.api.env.basedn)
aci.set_bindrule('groupdn = "ldap:///%s"' % dn)
elif ipapermbindruletype == 'all':
aci.set_bindrule('userdn = "ldap:///all"')
elif ipapermbindruletype == 'anonymous':
aci.set_bindrule('userdn = "ldap:///anyone"')
else:
raise ValueError(ipapermbindruletype)
aci.permissions = entry['ipapermright']
aci.set_target_attr(entry.get('ipapermallowedattr', []))
return aci.export_to_string()
def make_test_aci():
a = ACI()
a.name ="foo"
a.set_target_attr(['title','givenname'], "!=")
a.set_bindrule_keyword("groupdn")
a.set_bindrule_operator("=")
a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
a.permissions = ['read','write','add']
return a
def make_test_aci():
a = ACI()
a.name = "foo"
a.set_target_attr(['title', 'givenname'], "!=")
a.set_bindrule_keyword("groupdn")
a.set_bindrule_operator("=")
a.set_bindrule_expression(
"\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
a.permissions = ['read', 'write', 'add']
return a
def test_aci_equality():
a = make_test_aci()
print(a)
b = ACI()
b.name ="foo"
b.set_target_attr(['givenname','title'], "!=")
b.set_bindrule_keyword("groupdn")
b.set_bindrule_operator("=")
b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
b.permissions = ['add','read','write']
print(b)
assert a.isequal(b)
assert a == b
assert not a != b
def test_aci_equality():
a = make_test_aci()
print(a)
b = ACI()
b.name = "foo"
b.set_target_attr(['givenname', 'title'], "!=")
b.set_bindrule_keyword("groupdn")
b.set_bindrule_operator("=")
b.set_bindrule_expression(
"\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
b.permissions = ['add', 'read', 'write']
print(b)
assert a.isequal(b)
assert a == b
assert not a != b # pylint: disable=unneeded-not
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args=['type','filter','subtree','targetgroup','attrs','memberof']
valid={}
for arg in checked_args:
if arg in kw:
valid[arg]=kw[arg] is not None
else:
valid[arg]=False
if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup'] > 1:
raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive'))
if 'aciprefix' not in kw:
raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required'))
if sum(valid.values()) == 0:
raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'))
if valid['filter'] + valid['memberof'] > 1:
raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive'))
group = 'group' in kw
permission = 'permission' in kw
selfaci = 'selfaci' in kw and kw['selfaci'] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(name='target', error=_('group, permission and self are mutually exclusive'))
elif group + permission + selfaci == 0:
raise errors.ValidationError(name='target', error=_('One of group, permission or self is required'))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command['permission_show'](kw['permission'])['result']
except errors.NotFound as e:
if 'test' in kw and not kw.get('test'):
raise e
else:
entry_attrs = {
'dn': DN(('cn', kw['permission']),
api.env.container_permission, api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
entries = ldap.find_entries(filter=kw['filter'])
except errors.NotFound:
pass
a.set_target_filter(kw['filter'])
if valid['type']:
target = _type_map[kw['type']]
a.set_target(target)
if valid['targetgroup']:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
target = 'ldap:///%s' % group_dn
a.set_target(target)
if valid['subtree']:
# See if the subtree is a full URI
target = kw['subtree']
if not target.startswith('ldap:///'):
target = 'ldap:///%s' % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name='target', error=_('Syntax Error: %(error)s') % dict(error=str(e)))
return a
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args = [
'type', 'filter', 'subtree', 'targetgroup', 'attrs', 'memberof'
]
valid = {}
for arg in checked_args:
if arg in kw:
valid[arg] = kw[arg] is not None
else:
valid[arg] = False
if valid['type'] + valid['filter'] + valid['subtree'] + valid[
'targetgroup'] > 1:
raise errors.ValidationError(
name='target',
error=_(
'type, filter, subtree and targetgroup are mutually exclusive')
)
if 'aciprefix' not in kw:
raise errors.ValidationError(name='aciprefix',
error=_('ACI prefix is required'))
if sum(valid.values()) == 0:
raise errors.ValidationError(
name='target',
error=
_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'
))
if valid['filter'] + valid['memberof'] > 1:
raise errors.ValidationError(
name='target',
error=_('filter and memberof are mutually exclusive'))
group = 'group' in kw
permission = 'permission' in kw
selfaci = 'selfaci' in kw and kw['selfaci'] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(
name='target',
error=_('group, permission and self are mutually exclusive'))
elif group + permission + selfaci == 0:
raise errors.ValidationError(
name='target',
error=_('One of group, permission or self is required'))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command['permission_show'](
kw['permission'])['result']
except errors.NotFound as e:
if 'test' in kw and not kw.get('test'):
raise e
else:
entry_attrs = {
'dn':
DN(('cn', kw['permission']), api.env.container_permission,
api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") %
kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
raise api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
ldap.find_entries(filter=kw['filter'])
except errors.NotFound:
pass
a.set_target_filter(kw['filter'])
if valid['type']:
target = _type_map[kw['type']]
a.set_target(target)
if valid['targetgroup']:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
target = 'ldap:///%s' % group_dn
a.set_target(target)
if valid['subtree']:
# See if the subtree is a full URI
target = kw['subtree']
if not target.startswith('ldap:///'):
target = 'ldap:///%s' % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name='target',
error=_('Syntax Error: %(error)s') %
dict(error=str(e)))
return a
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args = ["type", "filter", "subtree", "targetgroup", "attrs", "memberof"]
valid = {}
for arg in checked_args:
if arg in kw:
valid[arg] = kw[arg] is not None
else:
valid[arg] = False
if valid["type"] + valid["filter"] + valid["subtree"] + valid["targetgroup"] > 1:
raise errors.ValidationError(
name="target", error=_("type, filter, subtree and targetgroup are mutually exclusive")
)
if "aciprefix" not in kw:
raise errors.ValidationError(name="aciprefix", error=_("ACI prefix is required"))
if sum(valid.values()) == 0:
raise errors.ValidationError(
name="target",
error=_("at least one of: type, filter, subtree, targetgroup, attrs or memberof are required"),
)
if valid["filter"] + valid["memberof"] > 1:
raise errors.ValidationError(name="target", error=_("filter and memberof are mutually exclusive"))
group = "group" in kw
permission = "permission" in kw
selfaci = "selfaci" in kw and kw["selfaci"] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(name="target", error=_("group, permission and self are mutually exclusive"))
elif group + permission + selfaci == 0:
raise errors.ValidationError(name="target", error=_("One of group, permission or self is required"))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command["permission_show"](kw["permission"])["result"]
except errors.NotFound as e:
if "test" in kw and not kw.get("test"):
raise e
else:
entry_attrs = {"dn": DN(("cn", kw["permission"]), api.env.container_permission, api.env.basedn)}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object["group"].get_dn_if_exists(kw["group"])
entry_attrs = {"dn": group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"])
try:
a = ACI(current)
a.name = _make_aci_name(kw["aciprefix"], aciname)
a.permissions = kw["permissions"]
if "selfaci" in kw and kw["selfaci"]:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs["dn"]
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid["attrs"]:
a.set_target_attr(kw["attrs"])
if valid["memberof"]:
try:
api.Object["group"].get_dn_if_exists(kw["memberof"])
except errors.NotFound:
api.Object["group"].handle_not_found(kw["memberof"])
groupdn = _group_from_memberof(kw["memberof"])
a.set_target_filter("memberOf=%s" % groupdn)
if valid["filter"]:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw["filter"] in ("", None, u""):
raise errors.BadSearchFilter(info=_("empty filter"))
try:
entries = ldap.find_entries(filter=kw["filter"])
except errors.NotFound:
pass
a.set_target_filter(kw["filter"])
if valid["type"]:
target = _type_map[kw["type"]]
a.set_target(target)
if valid["targetgroup"]:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object["group"].get_dn_if_exists(kw["targetgroup"])
target = "ldap:///%s" % group_dn
a.set_target(target)
if valid["subtree"]:
# See if the subtree is a full URI
target = kw["subtree"]
if not target.startswith("ldap:///"):
target = "ldap:///%s" % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name="target", error=_("Syntax Error: %(error)s") % dict(error=str(e)))
return a
group_dn = api.Object["group"].get_dn_if_exists(kw["group"])
entry_attrs = {"dn": group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"])
try:
a = ACI(current)
a.name = _make_aci_name(kw["aciprefix"], aciname)
a.permissions = kw["permissions"]
if "selfaci" in kw and kw["selfaci"]:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs["dn"]
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid["attrs"]:
a.set_target_attr(kw["attrs"])
if valid["memberof"]:
try:
api.Object["group"].get_dn_if_exists(kw["memberof"])
except errors.NotFound:
api.Object["group"].handle_not_found(kw["memberof"])
groupdn = _group_from_memberof(kw["memberof"])
a.set_target_filter("memberOf=%s" % groupdn)
if valid["filter"]:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw["filter"] in ("", None, u""):
raise errors.BadSearchFilter(info=_("empty filter"))
try:
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") %
kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
