def execute(self, aciname, aciprefix, **options):
"""
Execute the aci-delete operation.
:param aciname: The name of the ACI being deleted.
:param aciprefix: The ACI prefix.
"""
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acistrs = entry.get('aci', [])
acis = _convert_strings_to_acis(acistrs)
aci = _find_aci_by_name(acis, aciprefix, aciname)
for a in acistrs:
candidate = ACI(a)
if aci.isequal(candidate):
acistrs.remove(a)
break
entry['aci'] = acistrs
ldap.update_entry(entry)
return dict(
result=True,
value=pkey_to_value(aciname, options),
)
def _convert_strings_to_acis(acistrs):
acis = []
for a in acistrs:
try:
acis.append(ACI(a))
except SyntaxError, e:
root_logger.warning("Failed to parse: %s" % a)
def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
acistrs = base_entry.get('aci', [])
for acistr in acistrs:
if ACI(acistr).isequal(anonymous_read_aci):
logger.debug('Removing anonymous ACI: %s', acistr)
acistrs.remove(acistr)
break
else:
return
ldap.update_entry(base_entry)
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args=['type','filter','subtree','targetgroup','attrs','memberof']
valid={}
for arg in checked_args:
if arg in kw:
valid[arg]=kw[arg] is not None
else:
valid[arg]=False
if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup'] > 1:
raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive'))
if 'aciprefix' not in kw:
raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required'))
if sum(valid.values()) == 0:
raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'))
if valid['filter'] + valid['memberof'] > 1:
raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive'))
group = 'group' in kw
permission = 'permission' in kw
selfaci = 'selfaci' in kw and kw['selfaci'] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(name='target', error=_('group, permission and self are mutually exclusive'))
elif group + permission + selfaci == 0:
raise errors.ValidationError(name='target', error=_('One of group, permission or self is required'))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command['permission_show'](kw['permission'])['result']
except errors.NotFound as e:
if 'test' in kw and not kw.get('test'):
raise e
else:
entry_attrs = {
'dn': DN(('cn', kw['permission']),
api.env.container_permission, api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
entries = ldap.find_entries(filter=kw['filter'])
except errors.NotFound:
pass
a.set_target_filter(kw['filter'])
if valid['type']:
target = _type_map[kw['type']]
a.set_target(target)
if valid['targetgroup']:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
target = 'ldap:///%s' % group_dn
a.set_target(target)
if valid['subtree']:
# See if the subtree is a full URI
target = kw['subtree']
if not target.startswith('ldap:///'):
target = 'ldap:///%s' % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name='target', error=_('Syntax Error: %(error)s') % dict(error=str(e)))
return a
def make_test_aci():
a = ACI()
a.name = "foo"
a.set_target_attr(['title', 'givenname'], "!=")
a.set_bindrule_keyword("groupdn")
a.set_bindrule_operator("=")
a.set_bindrule_expression(
"\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
a.permissions = ['read', 'write', 'add']
return a
def check_aci_parsing(source, expected):
a = ACI(source)
print('ACI was: ', a)
print('Expected:', expected)
assert str(ACI(source)) == expected
def test_aci_equality():
a = make_test_aci()
print(a)
b = ACI()
b.name = "foo"
b.set_target_attr(['givenname', 'title'], "!=")
b.set_bindrule_keyword("groupdn")
b.set_bindrule_operator("=")
b.set_bindrule_expression(
"\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
b.permissions = ['add', 'read', 'write']
print(b)
assert a.isequal(b)
assert a == b
assert not a != b # pylint: disable=unneeded-not
def make_test_aci():
a = ACI()
a.name ="foo"
a.set_target_attr(['title','givenname'], "!=")
a.set_bindrule_keyword("groupdn")
a.set_bindrule_operator("=")
a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
a.permissions = ['read','write','add']
return a
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args = ["type", "filter", "subtree", "targetgroup", "attrs", "memberof"]
valid = {}
for arg in checked_args:
if arg in kw:
valid[arg] = kw[arg] is not None
else:
valid[arg] = False
if valid["type"] + valid["filter"] + valid["subtree"] + valid["targetgroup"] > 1:
raise errors.ValidationError(
name="target", error=_("type, filter, subtree and targetgroup are mutually exclusive")
)
if "aciprefix" not in kw:
raise errors.ValidationError(name="aciprefix", error=_("ACI prefix is required"))
if sum(valid.values()) == 0:
raise errors.ValidationError(
name="target",
error=_("at least one of: type, filter, subtree, targetgroup, attrs or memberof are required"),
)
if valid["filter"] + valid["memberof"] > 1:
raise errors.ValidationError(name="target", error=_("filter and memberof are mutually exclusive"))
group = "group" in kw
permission = "permission" in kw
selfaci = "selfaci" in kw and kw["selfaci"] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(name="target", error=_("group, permission and self are mutually exclusive"))
elif group + permission + selfaci == 0:
raise errors.ValidationError(name="target", error=_("One of group, permission or self is required"))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command["permission_show"](kw["permission"])["result"]
except errors.NotFound as e:
if "test" in kw and not kw.get("test"):
raise e
else:
entry_attrs = {"dn": DN(("cn", kw["permission"]), api.env.container_permission, api.env.basedn)}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object["group"].get_dn_if_exists(kw["group"])
entry_attrs = {"dn": group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"])
try:
a = ACI(current)
a.name = _make_aci_name(kw["aciprefix"], aciname)
a.permissions = kw["permissions"]
if "selfaci" in kw and kw["selfaci"]:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs["dn"]
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid["attrs"]:
a.set_target_attr(kw["attrs"])
if valid["memberof"]:
try:
api.Object["group"].get_dn_if_exists(kw["memberof"])
except errors.NotFound:
api.Object["group"].handle_not_found(kw["memberof"])
groupdn = _group_from_memberof(kw["memberof"])
a.set_target_filter("memberOf=%s" % groupdn)
if valid["filter"]:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw["filter"] in ("", None, u""):
raise errors.BadSearchFilter(info=_("empty filter"))
try:
entries = ldap.find_entries(filter=kw["filter"])
except errors.NotFound:
pass
a.set_target_filter(kw["filter"])
if valid["type"]:
target = _type_map[kw["type"]]
a.set_target(target)
if valid["targetgroup"]:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object["group"].get_dn_if_exists(kw["targetgroup"])
target = "ldap:///%s" % group_dn
a.set_target(target)
if valid["subtree"]:
# See if the subtree is a full URI
target = kw["subtree"]
if not target.startswith("ldap:///"):
target = "ldap:///%s" % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name="target", error=_("Syntax Error: %(error)s") % dict(error=str(e)))
return a
def make_aci(self, entry):
"""Make an ACI string from the given permission entry"""
aci = ACI()
name = entry.single_value['cn']
aci.name = 'permission:%s' % name
ipapermtarget = entry.single_value.get('ipapermtarget')
if ipapermtarget:
aci.set_target('ldap:///%s' % ipapermtarget)
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
if ipapermtargetfilter:
aci.set_target_filter(ipapermtargetfilter)
ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
'permission')
if ipapermbindruletype == 'permission':
dn = DN(('cn', name), self.container_dn, self.api.env.basedn)
aci.set_bindrule('groupdn = "ldap:///%s"' % dn)
elif ipapermbindruletype == 'all':
aci.set_bindrule('userdn = "ldap:///all"')
elif ipapermbindruletype == 'anonymous':
aci.set_bindrule('userdn = "ldap:///anyone"')
else:
raise ValueError(ipapermbindruletype)
aci.permissions = entry['ipapermright']
aci.set_target_attr(entry.get('ipapermallowedattr', []))
return aci.export_to_string()
entry_attrs = api.Command["permission_show"](kw["permission"])["result"]
except errors.NotFound, e:
if "test" in kw and not kw.get("test"):
raise e
else:
entry_attrs = {"dn": DN(("cn", kw["permission"]), api.env.container_permission)}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object["group"].get_dn_if_exists(kw["group"])
entry_attrs = {"dn": group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw["group"])
try:
a = ACI(current)
a.name = _make_aci_name(kw["aciprefix"], aciname)
a.permissions = kw["permissions"]
if "selfaci" in kw and kw["selfaci"]:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs["dn"]
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid["attrs"]:
a.set_target_attr(kw["attrs"])
if valid["memberof"]:
try:
api.Object["group"].get_dn_if_exists(kw["memberof"])
except errors.NotFound:
api.Object["group"].handle_not_found(kw["memberof"])
groupdn = _group_from_memberof(kw["memberof"])
entry_attrs = {
'dn':
DN(('cn', kw['permission']), api.env.container_permission,
api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") %
kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
def test_aci_equality():
a = make_test_aci()
print(a)
b = ACI()
b.name ="foo"
b.set_target_attr(['givenname','title'], "!=")
b.set_bindrule_keyword("groupdn")
b.set_bindrule_operator("=")
b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
b.permissions = ['add','read','write']
print(b)
assert a.isequal(b)
assert a == b
assert not a != b
def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
"""Update the given permission and the corresponding ACI"""
assert name.startswith('System:')
dn = self.api.Object[permission].get_dn(name)
permission_plugin = self.api.Object[permission]
try:
attrs_list = list(permission_plugin.default_attributes)
attrs_list.remove('memberindirect')
entry = ldap.get_entry(dn, attrs_list)
is_new = False
except errors.NotFound:
entry = ldap.make_entry(dn)
is_new = True
self.update_entry(obj, entry, template,
anonymous_read_aci, is_new=is_new)
remove_legacy = False
if 'replaces' in template:
sub_dict = {
'SUFFIX': str(self.api.env.basedn),
'REALM': str(self.api.env.realm),
}
legacy_acistrs = [ipautil.template_str(r, sub_dict)
for r in template['replaces']]
legacy_aci = ACI(legacy_acistrs[0])
prefix, sep, legacy_name = legacy_aci.name.partition(':')
assert prefix == 'permission' and sep
legacy_dn = permission_plugin.get_dn(legacy_name)
try:
legacy_entry = ldap.get_entry(legacy_dn,
['ipapermissiontype', 'cn'])
except errors.NotFound:
logger.debug("Legacy permission %s not found", legacy_name)
else:
if 'ipapermissiontype' not in legacy_entry:
if is_new:
_acientry, acistr = (
permission_plugin._get_aci_entry_and_string(
legacy_entry, notfound_ok=True))
try:
included, excluded = self.get_upgrade_attr_lists(
acistr, legacy_acistrs)
except IncompatibleACIModification:
logger.error(
"Permission '%s' has been modified from its "
"default; not updating it to '%s'.",
legacy_name, name)
return
else:
logger.debug("Merging attributes from legacy "
"permission '%s'", legacy_name)
logger.debug("Included attrs: %s",
', '.join(sorted(included)))
logger.debug("Excluded attrs: %s",
', '.join(sorted(excluded)))
entry['ipapermincludedattr'] = list(included)
entry['ipapermexcludedattr'] = list(excluded)
remove_legacy = True
else:
logger.debug("Ignoring attributes in legacy "
"permission '%s' because '%s' exists",
legacy_name, name)
remove_legacy = True
else:
logger.debug("Ignoring V2 permission named '%s'",
legacy_name)
update_aci = True
logger.debug('Updating managed permission: %s', name)
if is_new:
ldap.add_entry(entry)
else:
try:
ldap.update_entry(entry)
except errors.EmptyModlist:
logger.debug('No changes to permission: %s', name)
update_aci = False
if update_aci:
logger.debug('Updating ACI for managed permission: %s', name)
permission_plugin.update_aci(entry)
if remove_legacy:
logger.debug("Removing legacy permission '%s'", legacy_name)
self.api.Command[permission_del](unicode(legacy_name))
for name in template.get('replaces_system', ()):
name = unicode(name)
try:
entry = ldap.get_entry(permission_plugin.get_dn(name),
['ipapermissiontype'])
except errors.NotFound:
logger.debug("Legacy permission '%s' not found", name)
else:
flags = entry.get('ipapermissiontype', [])
if list(flags) == ['SYSTEM']:
logger.debug("Removing legacy permission '%s'", name)
self.api.Command[permission_del](name, force=True)
else:
logger.debug("Ignoring V2 permission '%s'", name)
def _make_aci(ldap, current, aciname, kw):
"""
Given a name and a set of keywords construct an ACI.
"""
# Do some quick and dirty validation.
checked_args = [
'type', 'filter', 'subtree', 'targetgroup', 'attrs', 'memberof'
]
valid = {}
for arg in checked_args:
if arg in kw:
valid[arg] = kw[arg] is not None
else:
valid[arg] = False
if valid['type'] + valid['filter'] + valid['subtree'] + valid[
'targetgroup'] > 1:
raise errors.ValidationError(
name='target',
error=_(
'type, filter, subtree and targetgroup are mutually exclusive')
)
if 'aciprefix' not in kw:
raise errors.ValidationError(name='aciprefix',
error=_('ACI prefix is required'))
if sum(valid.values()) == 0:
raise errors.ValidationError(
name='target',
error=
_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'
))
if valid['filter'] + valid['memberof'] > 1:
raise errors.ValidationError(
name='target',
error=_('filter and memberof are mutually exclusive'))
group = 'group' in kw
permission = 'permission' in kw
selfaci = 'selfaci' in kw and kw['selfaci'] == True
if group + permission + selfaci > 1:
raise errors.ValidationError(
name='target',
error=_('group, permission and self are mutually exclusive'))
elif group + permission + selfaci == 0:
raise errors.ValidationError(
name='target',
error=_('One of group, permission or self is required'))
# Grab the dn of the group we're granting access to. This group may be a
# permission or a user group.
entry_attrs = []
if permission:
# This will raise NotFound if the permission doesn't exist
try:
entry_attrs = api.Command['permission_show'](
kw['permission'])['result']
except errors.NotFound as e:
if 'test' in kw and not kw.get('test'):
raise e
else:
entry_attrs = {
'dn':
DN(('cn', kw['permission']), api.env.container_permission,
api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") %
kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
raise api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
a.set_target_filter('memberOf=%s' % groupdn)
if valid['filter']:
# Test the filter by performing a simple search on it. The
# filter is considered valid if either it returns some entries
# or it returns no entries, otherwise we let whatever exception
# happened be raised.
if kw['filter'] in ('', None, u''):
raise errors.BadSearchFilter(info=_('empty filter'))
try:
ldap.find_entries(filter=kw['filter'])
except errors.NotFound:
pass
a.set_target_filter(kw['filter'])
if valid['type']:
target = _type_map[kw['type']]
a.set_target(target)
if valid['targetgroup']:
# Purposely no try here so we'll raise a NotFound
group_dn = api.Object['group'].get_dn_if_exists(kw['targetgroup'])
target = 'ldap:///%s' % group_dn
a.set_target(target)
if valid['subtree']:
# See if the subtree is a full URI
target = kw['subtree']
if not target.startswith('ldap:///'):
target = 'ldap:///%s' % target
a.set_target(target)
except SyntaxError as e:
raise errors.ValidationError(name='target',
error=_('Syntax Error: %(error)s') %
dict(error=str(e)))
return a
def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
"""Compute included and excluded attributes for a new permission
:param current_acistring: ACI is in LDAP currently
:param default_acistrings:
List of all default ACIs IPA historically used for this permission
:return:
(ipapermincludedattr, ipapermexcludedattr) for the upgraded
permission
An attribute will be included if the user has it in LDAP but it does
not appear in *any* historic ACI.
It will be excluded if it is in *all* historic ACIs but not in LDAP.
Rationale: When we don't know which version of an ACI the user is
upgrading from, we only consider attributes where all the versions
agree. For other attrs we'll use the default from the new managed perm.
If the ACIs differ in something else than the list of attributes,
raise IncompatibleACIModification. This means manual action is needed
(either delete the old permission or change it to resemble the default
again, then re-run ipa-ldap-updater).
In case there are multiple historic default ACIs, and some of them
are compatible with the current but other ones aren't, we deduce that
the user is upgrading from one of the compatible ones.
The incompatible ones are removed from consideration, both for
compatibility and attribute lists.
"""
assert default_acistrings
def _pop_targetattr(aci):
"""Return the attr list it as a set, clear it in the ACI object
"""
targetattr = aci.target.get('targetattr')
if targetattr:
attrs = targetattr['expression']
targetattr['expression'] = []
return set(t.lower() for t in attrs)
else:
return set()
current_aci = ACI(current_acistring)
current_attrs = _pop_targetattr(current_aci)
logger.debug("Current ACI for '%s': %s",
current_aci.name, current_acistring)
attrs_in_all_defaults = None
attrs_in_any_defaults = set()
all_incompatible = True
for default_acistring in default_acistrings:
default_aci = ACI(default_acistring)
default_attrs = _pop_targetattr(default_aci)
logger.debug("Default ACI for '%s': %s",
default_aci.name, default_acistring)
if current_aci != default_aci:
logger.debug('ACIs not compatible')
continue
all_incompatible = False
if attrs_in_all_defaults is None:
attrs_in_all_defaults = set(default_attrs)
else:
attrs_in_all_defaults &= attrs_in_all_defaults
attrs_in_any_defaults |= default_attrs
if all_incompatible:
logger.debug('All old default ACIs are incompatible')
raise(IncompatibleACIModification())
included = current_attrs - attrs_in_any_defaults
excluded = attrs_in_all_defaults - current_attrs
return included, excluded
raise e
else:
entry_attrs = {
'dn': DN(('cn', kw['permission']),
api.env.container_permission, api.env.basedn),
}
elif group:
# Not so friendly with groups. This will raise
try:
group_dn = api.Object['group'].get_dn_if_exists(kw['group'])
entry_attrs = {'dn': group_dn}
except errors.NotFound:
raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
try:
a = ACI(current)
a.name = _make_aci_name(kw['aciprefix'], aciname)
a.permissions = kw['permissions']
if 'selfaci' in kw and kw['selfaci']:
a.set_bindrule('userdn = "ldap:///self"')
else:
dn = entry_attrs['dn']
a.set_bindrule('groupdn = "ldap:///%s"' % dn)
if valid['attrs']:
a.set_target_attr(kw['attrs'])
if valid['memberof']:
try:
api.Object['group'].get_dn_if_exists(kw['memberof'])
except errors.NotFound:
api.Object['group'].handle_not_found(kw['memberof'])
groupdn = _group_from_memberof(kw['memberof'])
