def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
def check_validity(runas):
v = unicode(runas)
if v.upper() == u'ALL':
return False
return True
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'ipasudorunasusercategory') or \
is_all(_entry_attrs, 'ipasudorunasgroupcategory'):
raise errors.MutuallyExclusiveError(
reason=_("users cannot be added when runAs user or runAs "
"group category='all'"))
if 'group' in options:
for name in options['group']:
if not check_validity(name):
raise errors.ValidationError(name='runas-group',
error=unicode(_("RunAsGroup does not accept "
"'%(name)s' as a group name")) %
dict(name=name))
return add_external_pre_callback('group', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
try:
entry_attrs = ldap.get_entry(dn, attrs_list)
dn = entry_attrs.dn
except errors.NotFound:
self.obj.handle_not_found(*keys)
# Commented until subca plugin arrives
#if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs:
# raise errors.MutuallyExclusiveError(reason=_(
# "CA category cannot be set to 'all' "
# "while there are allowed CAs"))
if (is_all(options, 'ipacertprofilecategory')
and 'ipamembercertprofile' in entry_attrs):
raise errors.MutuallyExclusiveError(reason=_(
"profile category cannot be set to 'all' "
"while there are allowed profiles"))
if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"user category cannot be set to 'all' "
"while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"host category cannot be set to 'all' "
"while there are allowed hosts"))
if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"service category cannot be set to 'all' "
"while there are allowed services"))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if 'sudoorder' in options:
new_order = options.get('sudoorder')
old_entry = self.api.Command.sudorule_show(keys[-1])['result']
if 'sudoorder' in old_entry:
old_order = int(old_entry['sudoorder'][0])
if old_order != new_order:
self.obj.check_order_uniqueness(*keys, **options)
else:
self.obj.check_order_uniqueness(*keys, **options)
try:
(_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts"))
if is_all(options, 'cmdcategory') and ('memberallowcmd' or
'memberdenywcmd') in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("command category cannot be set to 'all' while there are allow or deny commands"))
if is_all(options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("user runAs category cannot be set to 'all' while there are users"))
if is_all(options, 'ipasudorunasgroupcategory') and 'ipasudorunasgroup' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("group runAs category cannot be set to 'all' while there are groups"))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)
try:
entry_attrs = ldap.get_entry(dn, attrs_list)
dn = entry_attrs.dn
except errors.NotFound:
self.obj.handle_not_found(*keys)
# Commented until subca plugin arrives
#if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs:
# raise errors.MutuallyExclusiveError(reason=_(
# "CA category cannot be set to 'all' "
# "while there are allowed CAs"))
if (is_all(options, 'ipacertprofilecategory')
and 'ipamembercertprofile' in entry_attrs):
raise errors.MutuallyExclusiveError(
reason=_("profile category cannot be set to 'all' "
"while there are allowed profiles"))
if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(
reason=_("user category cannot be set to 'all' "
"while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(
reason=_("host category cannot be set to 'all' "
"while there are allowed hosts"))
if is_all(options,
'servicecategory') and 'memberservice' in entry_attrs:
raise errors.MutuallyExclusiveError(
reason=_("service category cannot be set to 'all' "
"while there are allowed services"))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
def check_validity(runas):
v = unicode(runas)
if v.upper() == u'ALL':
return False
return True
try:
(_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'ipasudorunasusercategory') or \
is_all(_entry_attrs, 'ipasudorunasgroupcategory'):
raise errors.MutuallyExclusiveError(reason=_("users cannot be added when runAs user or runAs group category='all'"))
if 'user' in options:
for name in options['user']:
if not check_validity(name):
raise errors.ValidationError(name='runas-user',
error=unicode(_("RunAsUser does not accept '%(name)s' as a user name")) %
dict(name=name))
if 'group' in options:
for name in options['group']:
if not check_validity(name):
raise errors.ValidationError(name='runas-user',
error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) %
dict(name=name))
return add_external_pre_callback('user', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
try:
(dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts"))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)
try:
(dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"user category cannot be set to 'all' while there are allowed users"
))
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"host category cannot be set to 'all' while there are allowed hosts"
))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if 'sudoorder' in options:
new_order = options.get('sudoorder')
old_entry = self.api.Command.sudorule_show(keys[-1])['result']
if 'sudoorder' in old_entry:
old_order = int(old_entry['sudoorder'][0])
if old_order != new_order:
self.obj.check_order_uniqueness(*keys, **options)
else:
self.obj.check_order_uniqueness(*keys, **options)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
error = _("%(type)s category cannot be set to 'all' "
"while there are allowed %(objects)s")
category_info = [(
'usercategory',
['memberuser', 'externaluser'],
error % {'type': _('user'), 'objects': _('users')}
),
(
'hostcategory',
['memberhost', 'externalhost', 'hostmask'],
error % {'type': _('host'), 'objects': _('hosts')}
),
(
'cmdcategory',
['memberallowcmd'],
error % {'type': _('command'), 'objects': _('commands')}
),
(
'ipasudorunasusercategory',
['ipasudorunas', 'ipasudorunasextuser',
'ipasudorunasextusergroup'],
error % {'type': _('runAs user'), 'objects': _('runAs users')}
),
(
'ipasudorunasgroupcategory',
['ipasudorunasgroup', 'ipasudorunasextgroup'],
error % {'type': _('group runAs'), 'objects': _('runAs groups')}
),
]
# Enforce the checks for all the categories
for category, member_attrs, error in category_info:
any_member_attrs_set = any(attr in _entry_attrs
for attr in member_attrs)
if is_all(options, category) and any_member_attrs_set:
raise errors.MutuallyExclusiveError(reason=error)
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
if 'sudoorder' in options:
new_order = options.get('sudoorder')
old_entry = self.api.Command.sudorule_show(keys[-1])['result']
if 'sudoorder' in old_entry:
old_order = int(old_entry['sudoorder'][0])
if old_order != new_order:
self.obj.check_order_uniqueness(*keys, **options)
else:
self.obj.check_order_uniqueness(*keys, **options)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
error = _("%(type)s category cannot be set to 'all' "
"while there are allowed %(objects)s")
category_info = [(
'usercategory',
['memberuser', 'externaluser'],
error % {'type': _('user'), 'objects': _('users')}
),
(
'hostcategory',
['memberhost', 'externalhost', 'hostmask'],
error % {'type': _('host'), 'objects': _('hosts')}
),
(
'cmdcategory',
['memberallowcmd'],
error % {'type': _('command'), 'objects': _('commands')}
),
(
'ipasudorunasusercategory',
['ipasudorunas', 'ipasudorunasextuser',
'ipasudorunasextusergroup'],
error % {'type': _('runAs user'), 'objects': _('runAs users')}
),
(
'ipasudorunasgroupcategory',
['ipasudorunasgroup', 'ipasudorunasextgroup'],
error % {'type': _('group runAs'), 'objects': _('runAs groups')}
),
]
# Enforce the checks for all the categories
for category, member_attrs, error in category_info:
any_member_attrs_set = any(attr in _entry_attrs
for attr in member_attrs)
if is_all(options, category) and any_member_attrs_set:
raise errors.MutuallyExclusiveError(reason=error)
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)
if 'sudoorder' in options:
new_order = options.get('sudoorder')
old_entry = self.api.Command.sudorule_show(keys[-1])['result']
if 'sudoorder' in old_entry:
old_order = int(old_entry['sudoorder'][0])
if old_order != new_order:
self.obj.check_order_uniqueness(*keys, **options)
else:
self.obj.check_order_uniqueness(*keys, **options)
try:
(_dn, _entry_attrs) = ldap.get_entry(dn,
self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"user category cannot be set to 'all' while there are allowed users"
))
if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"host category cannot be set to 'all' while there are allowed hosts"
))
if is_all(options,
'cmdcategory') and ('memberallowcmd'
or 'memberdenywcmd') in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"command category cannot be set to 'all' while there are allow or deny commands"
))
if is_all(
options,
'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"user runAs category cannot be set to 'all' while there are users"
))
if is_all(options, 'ipasudorunasgroupcategory'
) and 'ipasudorunasgroup' in _entry_attrs:
raise errors.MutuallyExclusiveError(reason=_(
"group runAs category cannot be set to 'all' while there are groups"
))
return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
(_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'hostcategory'):
raise errors.MutuallyExclusiveError(reason=_("hosts cannot be added when host category='all'"))
return add_external_pre_callback('host', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
**options):
assert isinstance(dn, DN)
try:
(_dn, _entry_attrs) = ldap.get_entry(dn, attrs_list)
except errors.NotFound:
self.obj.handle_not_found(*keys)
is_to_be_deleted = lambda x: (x in _entry_attrs and x in entry_attrs) and \
entry_attrs[x] == None
# makes sure the local members and hbacrule is not set at the same time
# memberuser or memberhost could have been set using --setattr
is_to_be_set = lambda x: ((x in _entry_attrs and _entry_attrs[x] != None) or \
(x in entry_attrs and entry_attrs[x] != None)) and \
not is_to_be_deleted(x)
are_local_members_to_be_set = any(
is_to_be_set(attr) for attr in ('usercategory', 'hostcategory',
'memberuser', 'memberhost'))
is_hbacrule_to_be_set = is_to_be_set('seealso')
# this can disable all modifications if hbacrule and local members were
# set at the same time bypassing this commad, e.g. using ldapmodify
if are_local_members_to_be_set and is_hbacrule_to_be_set:
raise errors.MutuallyExclusiveError(reason=notboth_err)
if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(
reason="user category "
"cannot be set to 'all' while there are allowed users")
if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(
reason="host category "
"cannot be set to 'all' while there are allowed hosts")
if 'ipaselinuxuser' in entry_attrs:
validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
if 'seealso' in entry_attrs:
entry_attrs['seealso'] = self.obj._normalize_seealso(
entry_attrs['seealso'])
return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
dn = entry_attrs.dn
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(entry_attrs, "ipacertprofilecategory"):
raise errors.MutuallyExclusiveError(reason=_("profiles cannot be added when profile category='all'"))
return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, attrs_list)
except errors.NotFound:
self.obj.handle_not_found(*keys)
is_to_be_deleted = lambda x: (x in _entry_attrs and x in entry_attrs) and \
entry_attrs[x] == None
# makes sure the local members and hbacrule is not set at the same time
# memberuser or memberhost could have been set using --setattr
is_to_be_set = lambda x: ((x in _entry_attrs and _entry_attrs[x] != None) or \
(x in entry_attrs and entry_attrs[x] != None)) and \
not is_to_be_deleted(x)
are_local_members_to_be_set = any(is_to_be_set(attr)
for attr in ('usercategory',
'hostcategory',
'memberuser',
'memberhost'))
is_hbacrule_to_be_set = is_to_be_set('seealso')
# this can disable all modifications if hbacrule and local members were
# set at the same time bypassing this commad, e.g. using ldapmodify
if are_local_members_to_be_set and is_hbacrule_to_be_set:
raise errors.MutuallyExclusiveError(reason=notboth_err)
if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs:
raise errors.MutuallyExclusiveError(reason="user category "
"cannot be set to 'all' while there are allowed users")
if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason="host category "
"cannot be set to 'all' while there are allowed hosts")
if 'ipaselinuxuser' in entry_attrs:
validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
if 'seealso' in entry_attrs:
entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso'])
return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
dn = entry_attrs.dn
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(entry_attrs, 'ipacertprofilecategory'):
raise errors.MutuallyExclusiveError(reason=_(
"profiles cannot be added when profile category='all'"))
return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
(_dn, _entry_attrs) = ldap.get_entry(dn,
self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'hostcategory'):
raise errors.MutuallyExclusiveError(
reason=_("hosts cannot be added when host category='all'"))
return add_external_pre_callback('host', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
assert isinstance(dn, DN)
try:
_entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
except errors.NotFound:
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'cmdcategory'):
raise errors.MutuallyExclusiveError(
reason=_("commands cannot be added when command "
"category='all'"))
return dn
