def make_aci(self, entry): """Make an ACI string from the given permission entry""" aci = ACI() name = entry.single_value['cn'] aci.name = 'permission:%s' % name ipapermtarget = entry.single_value.get('ipapermtarget') if ipapermtarget: aci.set_target('ldap:///%s' % ipapermtarget) ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter') if ipapermtargetfilter: aci.set_target_filter(ipapermtargetfilter) ipapermbindruletype = entry.single_value.get('ipapermbindruletype', 'permission') if ipapermbindruletype == 'permission': dn = DN(('cn', name), self.container_dn, self.api.env.basedn) aci.set_bindrule('groupdn = "ldap:///%s"' % dn) elif ipapermbindruletype == 'all': aci.set_bindrule('userdn = "ldap:///all"') elif ipapermbindruletype == 'anonymous': aci.set_bindrule('userdn = "ldap:///anyone"') else: raise ValueError(ipapermbindruletype) aci.permissions = entry['ipapermright'] aci.set_target_attr(entry.get('ipapermallowedattr', [])) return aci.export_to_string()
def make_test_aci(): a = ACI() a.name ="foo" a.set_target_attr(['title','givenname'], "!=") a.set_bindrule_keyword("groupdn") a.set_bindrule_operator("=") a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") a.permissions = ['read','write','add'] return a
def make_test_aci(): a = ACI() a.name = "foo" a.set_target_attr(['title', 'givenname'], "!=") a.set_bindrule_keyword("groupdn") a.set_bindrule_operator("=") a.set_bindrule_expression( "\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") a.permissions = ['read', 'write', 'add'] return a
def test_aci_equality(): a = make_test_aci() print(a) b = ACI() b.name ="foo" b.set_target_attr(['givenname','title'], "!=") b.set_bindrule_keyword("groupdn") b.set_bindrule_operator("=") b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") b.permissions = ['add','read','write'] print(b) assert a.isequal(b) assert a == b assert not a != b
def test_aci_equality(): a = make_test_aci() print(a) b = ACI() b.name = "foo" b.set_target_attr(['givenname', 'title'], "!=") b.set_bindrule_keyword("groupdn") b.set_bindrule_operator("=") b.set_bindrule_expression( "\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") b.permissions = ['add', 'read', 'write'] print(b) assert a.isequal(b) assert a == b assert not a != b # pylint: disable=unneeded-not
def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. """ # Do some quick and dirty validation. checked_args=['type','filter','subtree','targetgroup','attrs','memberof'] valid={} for arg in checked_args: if arg in kw: valid[arg]=kw[arg] is not None else: valid[arg]=False if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup'] > 1: raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive')) if 'aciprefix' not in kw: raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required')) if sum(valid.values()) == 0: raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required')) if valid['filter'] + valid['memberof'] > 1: raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive')) group = 'group' in kw permission = 'permission' in kw selfaci = 'selfaci' in kw and kw['selfaci'] == True if group + permission + selfaci > 1: raise errors.ValidationError(name='target', error=_('group, permission and self are mutually exclusive')) elif group + permission + selfaci == 0: raise errors.ValidationError(name='target', error=_('One of group, permission or self is required')) # Grab the dn of the group we're granting access to. This group may be a # permission or a user group. entry_attrs = [] if permission: # This will raise NotFound if the permission doesn't exist try: entry_attrs = api.Command['permission_show'](kw['permission'])['result'] except errors.NotFound as e: if 'test' in kw and not kw.get('test'): raise e else: entry_attrs = { 'dn': DN(('cn', kw['permission']), api.env.container_permission, api.env.basedn), } elif group: # Not so friendly with groups. This will raise try: group_dn = api.Object['group'].get_dn_if_exists(kw['group']) entry_attrs = {'dn': group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group']) try: a = ACI(current) a.name = _make_aci_name(kw['aciprefix'], aciname) a.permissions = kw['permissions'] if 'selfaci' in kw and kw['selfaci']: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs['dn'] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid['attrs']: a.set_target_attr(kw['attrs']) if valid['memberof']: try: api.Object['group'].get_dn_if_exists(kw['memberof']) except errors.NotFound: api.Object['group'].handle_not_found(kw['memberof']) groupdn = _group_from_memberof(kw['memberof']) a.set_target_filter('memberOf=%s' % groupdn) if valid['filter']: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw['filter'] in ('', None, u''): raise errors.BadSearchFilter(info=_('empty filter')) try: entries = ldap.find_entries(filter=kw['filter']) except errors.NotFound: pass a.set_target_filter(kw['filter']) if valid['type']: target = _type_map[kw['type']] a.set_target(target) if valid['targetgroup']: # Purposely no try here so we'll raise a NotFound group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup']) target = 'ldap:///%s' % group_dn a.set_target(target) if valid['subtree']: # See if the subtree is a full URI target = kw['subtree'] if not target.startswith('ldap:///'): target = 'ldap:///%s' % target a.set_target(target) except SyntaxError as e: raise errors.ValidationError(name='target', error=_('Syntax Error: %(error)s') % dict(error=str(e))) return a
def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. """ # Do some quick and dirty validation. checked_args = [ 'type', 'filter', 'subtree', 'targetgroup', 'attrs', 'memberof' ] valid = {} for arg in checked_args: if arg in kw: valid[arg] = kw[arg] is not None else: valid[arg] = False if valid['type'] + valid['filter'] + valid['subtree'] + valid[ 'targetgroup'] > 1: raise errors.ValidationError( name='target', error=_( 'type, filter, subtree and targetgroup are mutually exclusive') ) if 'aciprefix' not in kw: raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required')) if sum(valid.values()) == 0: raise errors.ValidationError( name='target', error= _('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required' )) if valid['filter'] + valid['memberof'] > 1: raise errors.ValidationError( name='target', error=_('filter and memberof are mutually exclusive')) group = 'group' in kw permission = 'permission' in kw selfaci = 'selfaci' in kw and kw['selfaci'] == True if group + permission + selfaci > 1: raise errors.ValidationError( name='target', error=_('group, permission and self are mutually exclusive')) elif group + permission + selfaci == 0: raise errors.ValidationError( name='target', error=_('One of group, permission or self is required')) # Grab the dn of the group we're granting access to. This group may be a # permission or a user group. entry_attrs = [] if permission: # This will raise NotFound if the permission doesn't exist try: entry_attrs = api.Command['permission_show']( kw['permission'])['result'] except errors.NotFound as e: if 'test' in kw and not kw.get('test'): raise e else: entry_attrs = { 'dn': DN(('cn', kw['permission']), api.env.container_permission, api.env.basedn), } elif group: # Not so friendly with groups. This will raise try: group_dn = api.Object['group'].get_dn_if_exists(kw['group']) entry_attrs = {'dn': group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group']) try: a = ACI(current) a.name = _make_aci_name(kw['aciprefix'], aciname) a.permissions = kw['permissions'] if 'selfaci' in kw and kw['selfaci']: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs['dn'] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid['attrs']: a.set_target_attr(kw['attrs']) if valid['memberof']: try: api.Object['group'].get_dn_if_exists(kw['memberof']) except errors.NotFound: raise api.Object['group'].handle_not_found(kw['memberof']) groupdn = _group_from_memberof(kw['memberof']) a.set_target_filter('memberOf=%s' % groupdn) if valid['filter']: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw['filter'] in ('', None, u''): raise errors.BadSearchFilter(info=_('empty filter')) try: ldap.find_entries(filter=kw['filter']) except errors.NotFound: pass a.set_target_filter(kw['filter']) if valid['type']: target = _type_map[kw['type']] a.set_target(target) if valid['targetgroup']: # Purposely no try here so we'll raise a NotFound group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup']) target = 'ldap:///%s' % group_dn a.set_target(target) if valid['subtree']: # See if the subtree is a full URI target = kw['subtree'] if not target.startswith('ldap:///'): target = 'ldap:///%s' % target a.set_target(target) except SyntaxError as e: raise errors.ValidationError(name='target', error=_('Syntax Error: %(error)s') % dict(error=str(e))) return a
def _make_aci(ldap, current, aciname, kw): """ Given a name and a set of keywords construct an ACI. """ # Do some quick and dirty validation. checked_args = ["type", "filter", "subtree", "targetgroup", "attrs", "memberof"] valid = {} for arg in checked_args: if arg in kw: valid[arg] = kw[arg] is not None else: valid[arg] = False if valid["type"] + valid["filter"] + valid["subtree"] + valid["targetgroup"] > 1: raise errors.ValidationError( name="target", error=_("type, filter, subtree and targetgroup are mutually exclusive") ) if "aciprefix" not in kw: raise errors.ValidationError(name="aciprefix", error=_("ACI prefix is required")) if sum(valid.values()) == 0: raise errors.ValidationError( name="target", error=_("at least one of: type, filter, subtree, targetgroup, attrs or memberof are required"), ) if valid["filter"] + valid["memberof"] > 1: raise errors.ValidationError(name="target", error=_("filter and memberof are mutually exclusive")) group = "group" in kw permission = "permission" in kw selfaci = "selfaci" in kw and kw["selfaci"] == True if group + permission + selfaci > 1: raise errors.ValidationError(name="target", error=_("group, permission and self are mutually exclusive")) elif group + permission + selfaci == 0: raise errors.ValidationError(name="target", error=_("One of group, permission or self is required")) # Grab the dn of the group we're granting access to. This group may be a # permission or a user group. entry_attrs = [] if permission: # This will raise NotFound if the permission doesn't exist try: entry_attrs = api.Command["permission_show"](kw["permission"])["result"] except errors.NotFound as e: if "test" in kw and not kw.get("test"): raise e else: entry_attrs = {"dn": DN(("cn", kw["permission"]), api.env.container_permission, api.env.basedn)} elif group: # Not so friendly with groups. This will raise try: group_dn = api.Object["group"].get_dn_if_exists(kw["group"]) entry_attrs = {"dn": group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"]) try: a = ACI(current) a.name = _make_aci_name(kw["aciprefix"], aciname) a.permissions = kw["permissions"] if "selfaci" in kw and kw["selfaci"]: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs["dn"] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid["attrs"]: a.set_target_attr(kw["attrs"]) if valid["memberof"]: try: api.Object["group"].get_dn_if_exists(kw["memberof"]) except errors.NotFound: api.Object["group"].handle_not_found(kw["memberof"]) groupdn = _group_from_memberof(kw["memberof"]) a.set_target_filter("memberOf=%s" % groupdn) if valid["filter"]: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw["filter"] in ("", None, u""): raise errors.BadSearchFilter(info=_("empty filter")) try: entries = ldap.find_entries(filter=kw["filter"]) except errors.NotFound: pass a.set_target_filter(kw["filter"]) if valid["type"]: target = _type_map[kw["type"]] a.set_target(target) if valid["targetgroup"]: # Purposely no try here so we'll raise a NotFound group_dn = api.Object["group"].get_dn_if_exists(kw["targetgroup"]) target = "ldap:///%s" % group_dn a.set_target(target) if valid["subtree"]: # See if the subtree is a full URI target = kw["subtree"] if not target.startswith("ldap:///"): target = "ldap:///%s" % target a.set_target(target) except SyntaxError as e: raise errors.ValidationError(name="target", error=_("Syntax Error: %(error)s") % dict(error=str(e))) return a
group_dn = api.Object["group"].get_dn_if_exists(kw["group"]) entry_attrs = {"dn": group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"]) try: a = ACI(current) a.name = _make_aci_name(kw["aciprefix"], aciname) a.permissions = kw["permissions"] if "selfaci" in kw and kw["selfaci"]: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs["dn"] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid["attrs"]: a.set_target_attr(kw["attrs"]) if valid["memberof"]: try: api.Object["group"].get_dn_if_exists(kw["memberof"]) except errors.NotFound: api.Object["group"].handle_not_found(kw["memberof"]) groupdn = _group_from_memberof(kw["memberof"]) a.set_target_filter("memberOf=%s" % groupdn) if valid["filter"]: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw["filter"] in ("", None, u""): raise errors.BadSearchFilter(info=_("empty filter")) try:
entry_attrs = {'dn': group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group']) try: a = ACI(current) a.name = _make_aci_name(kw['aciprefix'], aciname) a.permissions = kw['permissions'] if 'selfaci' in kw and kw['selfaci']: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs['dn'] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid['attrs']: a.set_target_attr(kw['attrs']) if valid['memberof']: try: api.Object['group'].get_dn_if_exists(kw['memberof']) except errors.NotFound: api.Object['group'].handle_not_found(kw['memberof']) groupdn = _group_from_memberof(kw['memberof']) a.set_target_filter('memberOf=%s' % groupdn) if valid['filter']: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw['filter'] in ('', None, u''): raise errors.BadSearchFilter(info=_('empty filter')) try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group']) entry_attrs = {'dn': group_dn} except errors.NotFound: raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group']) try: a = ACI(current) a.name = _make_aci_name(kw['aciprefix'], aciname) a.permissions = kw['permissions'] if 'selfaci' in kw and kw['selfaci']: a.set_bindrule('userdn = "ldap:///self"') else: dn = entry_attrs['dn'] a.set_bindrule('groupdn = "ldap:///%s"' % dn) if valid['attrs']: a.set_target_attr(kw['attrs']) if valid['memberof']: try: api.Object['group'].get_dn_if_exists(kw['memberof']) except errors.NotFound: api.Object['group'].handle_not_found(kw['memberof']) groupdn = _group_from_memberof(kw['memberof']) a.set_target_filter('memberOf=%s' % groupdn) if valid['filter']: # Test the filter by performing a simple search on it. The # filter is considered valid if either it returns some entries # or it returns no entries, otherwise we let whatever exception # happened be raised. if kw['filter'] in ('', None, u''): raise errors.BadSearchFilter(info=_('empty filter')) try: