Esempio n. 1
0
 def apply(self, xmlgpo):
     result = True
     converted = self.convert(xmlgpo)
     if converted is None:
         # TODO: Inform about the problem
         return False
     for entry in converted:
         if result is False:
             break
         for guid in entry['guids']:
             if result is False:
                 break
             node = self.collection.find_one({'adObjectGUID': guid})
             domain = get_domain(node, self.collection)
             if node is None:
                 result = False
                 # TODO: Inform about the problem
                 continue
             old_node = deepcopy(node)
             for policy in entry['policies']:
                 policy_id = policy.keys()[0]
                 if policy_id not in domain.get('master_policies', {}) and node.get('policies', {}).get(policy_id, None):
                     continue
                 node['policies'][policy_id] = policy[policy_id]
             result = self._saveMongoADObject(node, old_node)
     return result
Esempio n. 2
0
def is_gecos_master_or_403(request, collection_nodes, obj, schema_detail):
    domain = get_domain(obj, collection_nodes)
    if domain and domain['master'] != MASTER_DEFAULT and not is_local_user(obj, collection_nodes):
        if '_id' not in obj:
            raise HTTPForbidden()
        else:
            mongo_obj = collection_nodes.find_one({'_id': ObjectId(obj['_id'])})
            mongo_obj = schema_detail().serialize(mongo_obj)
            obj = schema_detail().serialize(obj)
            del obj['policies']
            del mongo_obj['policies']
            if obj != mongo_obj:
                raise HTTPForbidden()
Esempio n. 3
0
def is_gecos_master_or_403(request, collection_nodes, obj, schema_detail):
    domain = get_domain(obj, collection_nodes)
    if domain and domain['master'] != MASTER_DEFAULT and not is_local_user(obj, collection_nodes):
        if '_id' not in obj:
            raise HTTPForbidden()
        else:
            mongo_obj = collection_nodes.find_one({'_id': ObjectId(obj['_id'])})
            mongo_obj = schema_detail().serialize(mongo_obj)
            obj = schema_detail().serialize(obj)
            del obj['policies']
            del mongo_obj['policies']
            if obj != mongo_obj:
                raise HTTPForbidden()
Esempio n. 4
0
    def check_unique_node_name_by_type_at_domain(self, obj):
        unique = check_unique_node_name_by_type_at_domain(
            self.request.db.nodes, obj)
        if not unique:
            self.request.errors.add('body', 'name',
                                    "Name must be unique in domain.")
        if unique and not is_domain(obj) and not is_root(obj):
            # Check that the node name is not the same as the domain name
            domain = get_domain(obj, self.request.db.nodes)
            if domain['name'].lower() == obj['name'].lower():
                self.request.errors.add('body', 'name',
                                        "Name already used as domain name.")
                return False

        return unique
Esempio n. 5
0
def master_policy_no_updated_or_403(request, collection_nodes, obj):
    if obj['type'] in RESOURCES_EMITTERS_TYPES or is_local_user(obj, collection_nodes):
        return
    domain = get_domain(obj, collection_nodes) or {}
    master_policies = domain.get('master_policies', {})
    if master_policies:
        if '_id' in obj:
            mongo_obj = collection_nodes.find_one({'_id': obj['_id']})
        else:
            mongo_obj = {}
        mongo_policies = mongo_obj.get('policies', {})
        policies = obj.get('policies', {})
        for policy_id, value in master_policies.items():
            if mongo_policies.get(policy_id, None) != policies.get(policy_id, None):
                raise HTTPForbidden()
Esempio n. 6
0
def master_policy_no_updated_or_403(request, collection_nodes, obj):
    if obj['type'] in RESOURCES_EMITTERS_TYPES or is_local_user(obj, collection_nodes):
        return
    domain = get_domain(obj, collection_nodes) or {}
    master_policies = domain.get('master_policies', {})
    if master_policies:
        if '_id' in obj:
            mongo_obj = collection_nodes.find_one({'_id': obj['_id']})
        else:
            mongo_obj = {}
        mongo_policies = mongo_obj.get('policies', {})
        policies = obj.get('policies', {})
        for policy_id, _value in master_policies.items():
            if mongo_policies.get(policy_id, None) != policies.get(policy_id, None):
                raise HTTPForbidden()
Esempio n. 7
0
    def check_node(self, node):
        '''
        Check the policies applied to a node
        '''
        logger.info('Checking node: "%s" type:%s path: %s' %
                    (node['name'], node['type'], node['path']))

        # Check for name duplicates
        if not check_unique_node_name_by_type_at_domain(self.db.nodes, node):
            logger.error('Duplicates found for node: "%s" type:%s path: %s' %
                         (node['name'], node['type'], node['path']))
        elif not is_domain(node) and not is_root(node):
            # Check that the node name is not the same as the domain name
            domain = get_domain(node, self.db.nodes)
            if domain['name'].lower() == node['name'].lower():
                logger.error(
                    'The node has the same name as the domain: "%s" type:%s path: %s'
                    % (node['name'], node['type'], node['path']))

        if self.options.inheritance:
            inheritance_node = deepcopy(node)

        # Check policies
        if 'policies' in node:
            to_remove = []
            # Check the policies data
            for policy in node['policies']:
                logger.debug('Checking policy with ID: %s' % (policy))
                if not str(policy) in self.policiesdata:
                    logger.warn(
                        "Can't find %s policy data in the database! (probably deprecated)"
                        % (policy))
                    to_remove.append(str(policy))

                else:
                    policydata = self.policiesdata[str(policy)]
                    nodedata = node['policies'][str(policy)]

                    # Emiters policies have a "name" field in the data
                    # Non emiters policies have a "title" field in the data
                    namefield = 'name'
                    if not (namefield in policydata):
                        namefield = 'title'

                    if not ('name' in policydata):
                        logger.critical(
                            'Policy with ID: %s doesn\'t have a name nor title!'
                            % (str(policy)))
                        continue

                    logger.info('Checking node: "%s" Checking policy: "%s"' %
                                (node['name'], policydata[namefield]))
                    if 'DEPRECATED' in policydata[namefield]:
                        logger.warning('Using deprecated policy: %s' %
                                       (policydata[namefield]))

                    logger.debug('Node policy data: %s' %
                                 (json.dumps(node['policies'][str(policy)])))

                    is_emitter_policy = False
                    emitter_policy_slug = None
                    if "is_emitter_policy" in policydata:
                        is_emitter_policy = policydata["is_emitter_policy"]
                        emitter_policy_slug = policydata["slug"]

                    # Check object
                    self.check_object_property(policydata['schema'], nodedata,
                                               None, is_emitter_policy,
                                               emitter_policy_slug)

                    if self.options.inheritance:
                        # Check inheritance field
                        trace_inheritance(logger, self.db,
                                          'change', inheritance_node,
                                          deepcopy(policydata))

            changed = False
            for policy in to_remove:
                logger.info("FIXED: Remove %s policy information" % (policy))
                del node['policies'][str(policy)]
                changed = True

            if changed:
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'policies': node['policies']
                                     }})

        else:
            logger.debug('No policies in this node.')

        if self.options.inheritance and (
                'inheritance' in inheritance_node) and (
                    (not 'inheritance' in node) or
                    (inheritance_node['inheritance'] != node['inheritance'])):

            # Save inheritance field
            logger.info('FIXED: updating inheritance field!')
            self.db.nodes.update(
                {'_id': ObjectId(node['_id'])},
                {'$set': {
                    'inheritance': inheritance_node['inheritance']
                }})

        # Check referenced nodes
        if node['type'] == 'user':
            # Check computers
            new_id_list = self.check_referenced_nodes(node['computers'],
                                                      ['computer'],
                                                      'computers')
            difference = set(node['computers']).difference(set(new_id_list))
            if len(difference) > 0:
                logger.info('FIXED: remove %s references' % (difference))
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'computers': new_id_list
                                     }})

            # Check user data
            self.check_user_data(node)

            # Check memberof
            new_id_list = self.check_referenced_nodes(node['memberof'],
                                                      ['group'], 'memberof')
            difference = set(node['memberof']).difference(set(new_id_list))
            if len(difference) > 0:
                logger.info('FIXED: remove %s references' % (difference))
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'memberof': new_id_list
                                     }})

        if node['type'] == 'computer':
            # Check memberof
            new_id_list = self.check_referenced_nodes(node['memberof'],
                                                      ['group'], 'memberof')
            difference = set(node['memberof']).difference(set(new_id_list))
            if len(difference) > 0:
                logger.info('FIXED: remove %s references' % (difference))
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'memberof': new_id_list
                                     }})

        if node['type'] == 'group':
            # Check memberof
            new_id_list = self.check_referenced_nodes(node['memberof'],
                                                      ['group'], 'memberof')
            difference = set(node['memberof']).difference(set(new_id_list))
            if len(difference) > 0:
                logger.info('FIXED: remove %s references' % (difference))
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'memberof': new_id_list
                                     }})

            # Check members
            new_id_list = self.check_referenced_nodes(
                node['members'], ['user', 'computer', 'group'], 'members')
            difference = set(node['members']).difference(set(new_id_list))
            if len(difference) > 0:
                logger.info('FIXED: remove %s references' % (difference))
                self.db.nodes.update({'_id': ObjectId(node['_id'])},
                                     {'$set': {
                                         'members': new_id_list
                                     }})