예제 #1
0
def validated_read(argname, filename, mode='r', encoding=None):
    """Read file and catch errors

    IOError and UnicodeError (for text files) are turned into a
    ValidationError
    """
    try:
        with io.open(filename, mode=mode, encoding=encoding) as f:
            data = f.read()
    except IOError as exc:
        raise errors.ValidationError(
            name=argname,
            error=_("Cannot read file '%(filename)s': %(exc)s") % {
                'filename': filename,
                'exc': exc.args[1]
            })
    except UnicodeError as exc:
        raise errors.ValidationError(
            name=argname,
            error=_("Cannot decode file '%(filename)s': %(exc)s") % {
                'filename': filename,
                'exc': exc
            })
    return data
예제 #2
0
    def test_invalid_preferred_languages(self, user):
        """ Try to assign various invalid preferred languages to user """
        user.ensure_exists()
        for invalidlanguage in invalidlanguages:
            command = user.make_update_command(
                dict(preferredlanguage=invalidlanguage)
            )

            with raises_exact(errors.ValidationError(
                    name='preferredlanguage',
                    error=(u'must match RFC 2068 - 14.4, e.g., '
                           '"da, en-gb;q=0.8, en;q=0.7"')
            )):
                command()
        user.delete()
예제 #3
0
    def validate_ipakrbauthzdata(self, entry):
        new_value = entry.get('ipakrbauthzdata', [])

        if not new_value:
            return

        if not isinstance(new_value, (list, tuple)):
            new_value = set([new_value])
        else:
            new_value = set(new_value)

        if u'NONE' in new_value and len(new_value) > 1:
            raise errors.ValidationError(
                name='ipakrbauthzdata',
                error=_('NONE value cannot be combined with other PAC types'))
예제 #4
0
def normalize_mail_attrs(entry_attrs):
    if 'mail' in entry_attrs:
        if len(entry_attrs['mail']) > 1:
            raise errors.ValidationError(
                name='mail',
                error=_('Mail attribute has to be single-valued.'
                        'Use alias/sendalias to specify more addresses.'))
        else:
            if 'primarymail' in entry_attrs:
                entry_attrs['mail'] = [entry_attrs['primarymail']]
            else:
                entry_attrs['primarymail'] = entry_attrs['mail'][0]

    if 'primarymail' in entry_attrs:
        entry_attrs['mail'] = [entry_attrs['primarymail']]
예제 #5
0
파일: service.py 프로젝트: limitup/freeipa
def check_required_principal(ldap, principal):
    """
    Raise an error if the host of this principal is an IPA master and one
    of the principals required for proper execution.
    """
    if not principal.is_service:
        # bypass check if principal is not a service principal,
        # see https://pagure.io/freeipa/issue/7793
        return
    try:
        host_is_master(ldap, principal.hostname)
    except errors.ValidationError:
        service_types = ['HTTP', 'ldap', 'DNS', 'dogtagldap']
        if principal.service_name in service_types:
            raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
예제 #6
0
    def normalize_and_validate_email(self, email, config=None):
        if not config:
            config = self.backend.get_ipa_config()

        # check if default email domain should be added
        defaultdomain = config.get('ipadefaultemaildomain', [None])[0]
        if email:
            norm_email = []
            if not isinstance(email, (list, tuple)):
                email = [email]
            for m in email:
                if isinstance(m, str):
                    if '@' not in m and defaultdomain:
                        m = m + u'@' + defaultdomain
                    if not Email(m):
                        raise errors.ValidationError(name='email', error=_('invalid e-mail format: %(email)s') % dict(email=m))
                    norm_email.append(m)
                else:
                    if not Email(m):
                        raise errors.ValidationError(name='email', error=_('invalid e-mail format: %(email)s') % dict(email=m))
                    norm_email.append(m)
            return norm_email

        return email
예제 #7
0
    def check_order_uniqueness(self, *keys, **options):
        if options.get('sudoorder') is not None:
            entries = self.methods.find(
                sudoorder=options['sudoorder']
            )['result']

            if len(entries) > 0:
                rule_name = entries[0]['cn'][0]
                raise errors.ValidationError(
                    name='order',
                    error=self.order_not_unique_msg % {
                        'order': options['sudoorder'],
                        'rule': rule_name,
                    }
                )
예제 #8
0
    def validate_minlength(self, ldap, entry_attrs, add=False, *keys):
        """
        If any of the libpwquality options are used then the minimum
        length must be >= 6 which is the built-in default of libpwquality.
        Allowing a lower value to be set will result in a failed policy
        check and a generic error message.
        """
        def get_val(entry, attr):
            """Get a single value from a list or a string"""
            val = entry.get(attr, 0)
            if isinstance(val, list):
                val = val[0]
            return val

        def has_pwquality_set(entry):
            for attr in [
                    'ipapwdmaxrepeat', 'ipapwdmaxsequence', 'ipapwddictcheck',
                    'ipapwdusercheck'
            ]:
                val = get_val(entry, attr)
                if val not in ('FALSE', '0', 0, None):
                    return True
            return False

        has_pwquality_value = False
        if not add:
            if len(keys) > 0:
                existing_entry = self.api.Command.pwpolicy_show(
                    keys[-1],
                    all=True,
                )['result']
            else:
                existing_entry = self.api.Command.pwpolicy_show(
                    all=True, )['result']
            existing_entry.update(entry_attrs)
            min_length = int(get_val(existing_entry, 'krbpwdminlength'))

            has_pwquality_value = has_pwquality_set(existing_entry)
        else:
            min_length = int(get_val(entry_attrs, 'krbpwdminlength'))
            has_pwquality_value = has_pwquality_set(entry_attrs)

        if min_length and min_length < 6 and has_pwquality_value:
            raise errors.ValidationError(
                name='minlength',
                error=_('Minimum length must be >= 6 if maxrepeat, '
                        'maxsequence, dictcheck or usercheck are defined'))
예제 #9
0
파일: ca.py 프로젝트: zz22394/freeipa
    def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
        ca_enabled_check(self.api)
        if not ldap.can_add(dn[1:], 'ipaca'):
            raise errors.ACIError(
                info=_("Insufficient 'add' privilege for entry '%s'.") % dn)

        # check that DN only includes standard naming attributes
        dn_attrs = {
            ava.attr.lower()
            for rdn in options['ipacasubjectdn'] for ava in rdn
        }
        x509_attrs = {
            attr.lower()
            for attr in six.viewvalues(ATTR_NAME_BY_OID)
        }
        unknown_attrs = dn_attrs - x509_attrs
        if len(unknown_attrs) > 0:
            raise errors.ValidationError(
                name=_("Subject DN"),
                error=_("Unrecognized attributes: %(attrs)s") %
                dict(attrs=", ".join(unknown_attrs)))

        # check for name collision before creating CA in Dogtag
        try:
            api.Object.ca.get_dn_if_exists(keys[-1])
            self.obj.handle_duplicate_entry(*keys)
        except errors.NotFound:
            pass

        # check for subject collision before creating CA in Dogtag
        result = api.Command.ca_find(ipacasubjectdn=options['ipacasubjectdn'])
        if result['count'] > 0:
            raise errors.DuplicateEntry(
                message=_("Subject DN is already used by CA '%s'") %
                result['result'][0]['cn'][0])

        # Create the CA in Dogtag.
        with self.api.Backend.ra_lightweight_ca as ca_api:
            resp = ca_api.create_ca(options['ipacasubjectdn'])
        entry['ipacaid'] = [resp['id']]
        entry['ipacaissuerdn'] = [resp['issuerDN']]

        # In the event that the issued certificate's subject DN
        # differs from what was requested, record the actual DN.
        #
        entry['ipacasubjectdn'] = [resp['dn']]
        return dn
예제 #10
0
파일: server.py 프로젝트: wanglu119/freeipa
    def execute(self, *keys, **options):
        # the server must be the local host
        if keys[-2] != api.env.host:
            raise errors.ValidationError(
                name='cn', error=_("must be \"%s\"") % api.env.host)

        # the server entry must exist
        try:
            self.obj.get_dn_if_exists(*keys[:-1])
        except errors.NotFound:
            self.obj.handle_not_found(keys[-2])

        # the user must have the Replication Administrators privilege
        privilege = u'Replication Administrators'
        privilege_dn = self.api.Object.privilege.get_dn(privilege)
        ldap = self.obj.backend
        filter = ldap.make_filter({
            'krbprincipalname': context.principal,  # pylint: disable=no-member
            'memberof': privilege_dn},
            rules=ldap.MATCH_ALL)
        try:
            ldap.find_entries(base_dn=self.api.env.basedn, filter=filter)
        except errors.NotFound:
            raise errors.ACIError(
                info=_("not allowed to perform server connection check"))

        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

        bus = dbus.SystemBus()
        obj = bus.get_object('org.freeipa.server', '/',
                             follow_name_owner_changes=True)
        server = dbus.Interface(obj, 'org.freeipa.server')

        ret, stdout, _stderr = server.conncheck(keys[-1])

        result = dict(
            result=(ret == 0),
            value=keys[-2],
        )

        for line in stdout.splitlines():
            messages.add_message(options['version'],
                                 result,
                                 messages.ExternalCommandOutput(line=line))

        return result
예제 #11
0
    def handle_subordinate_ids(self, ldap, dn, entry_attrs):
        """Handle ipaSubordinateId object class"""
        new_subuid = entry_attrs.single_value.get("ipasubuidnumber")
        new_subgid = entry_attrs.single_value.get("ipasubgidnumber")

        if new_subuid is None:
            new_subuid = DNA_MAGIC

        # enforce subuid == subgid
        if new_subgid is not None and new_subgid != new_subuid:
            raise errors.ValidationError(
                name="ipasubgidnumber",
                error=_("subgidnumber must be equal to subuidnumber"),
            )

        self.set_subordinate_ids(ldap, dn, entry_attrs, new_subuid)
        return True
예제 #12
0
    def pre_callback(self, ldap, dn, entry, entry_attrs, *keys, **options):
        ca_enabled_check()
        context.profile = options['file']

        match = self.PROFILE_ID_PATTERN.search(options['file'])
        if match is None:
            # no profileId found, use CLI value as profileId.
            context.profile = u'profileId=%s\n%s' % (keys[0], context.profile)
        elif keys[0] != match.group(1):
            raise errors.ValidationError(
                name='file',
                error=
                _("Profile ID '%(cli_value)s' does not match profile data '%(file_value)s'"
                  ) % {
                      'cli_value': keys[0],
                      'file_value': match.group(1)
                  })
        return dn
예제 #13
0
 def validate_trusted_domain_sid(self, sid):
     if not _dcerpc_bindings_installed:
         raise errors.NotFound(reason=_(
             'Cannot perform SID validation without Samba 4 support installed. '
             'Make sure you have installed server-trust-ad sub-package of IPA on the server'
         ))
     domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
     if not domain_validator.is_configured():
         raise errors.NotFound(reason=_(
             'Cross-realm trusts are not configured. '
             'Make sure you have run ipa-adtrust-install on the IPA server first'
         ))
     if not domain_validator.is_trusted_sid_valid(sid):
         raise errors.ValidationError(
             name='domain SID',
             error=_(
                 'SID is not recognized as a valid SID for a trusted domain'
             ))
예제 #14
0
def ensure_last_krbprincipalname(ldap, entry_attrs, *keys):
    """
    ensure that the LDAP entry has at least one value of krbprincipalname
    and that this value is equal to krbcanonicalname

    :param ldap: LDAP connection object
    :param entry_attrs: LDAP entry made prior to update
    :param options: command options
    """
    entry = ldap.get_entry(entry_attrs.dn,
                           ['krbcanonicalname', 'krbprincipalname'])

    krbcanonicalname = entry.single_value.get('krbcanonicalname', None)

    if krbcanonicalname in keys[-1]:
        raise errors.ValidationError(
            name='krbprincipalname',
            error=_('at least one value equal to the canonical '
                    'principal name must be present'))
예제 #15
0
def validate_radiusserver(ugettext, server):
    split = server.rsplit(':', 1)
    server = split[0]
    if len(split) == 2:
        try:
            port = int(split[1])
            if (port < 0 or port > 65535):
                raise ValueError()
        except ValueError:
            raise ValidationError(name="ipatokenradiusserver",
                                  error=_('invalid port number'))

    if validate_ipaddr(server):
        return

    try:
        validate_hostname(server, check_fqdn=True, allow_underscore=True)
    except ValueError as e:
        raise errors.ValidationError(name="ipatokenradiusserver", error=str(e))
예제 #16
0
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
                  **options):
     assert isinstance(dn, DN)
     self.obj.convert_time_on_input(entry_attrs)
     self.obj.validate_lifetime(entry_attrs, False, *keys)
     setattr(context, 'cosupdate', False)
     if options.get('cospriority') is not None:
         if keys[-1] is None:
             raise errors.ValidationError(
                 name='priority',
                 error=_('priority cannot be set on global policy'))
         try:
             self.api.Command.cosentry_mod(
                 keys[-1], cospriority=options['cospriority'])
         except errors.EmptyModlist as e:
             if len(entry_attrs) == 1:  # cospriority only was passed
                 raise e
         else:
             setattr(context, 'cosupdate', True)
     return dn
예제 #17
0
파일: ca.py 프로젝트: xxblx/freeipa
    def forward(self, *keys, **options):
        filename = None
        if 'certificate_out' in options:
            filename = options.pop('certificate_out')
            try:
                util.check_writable_file(filename)
            except errors.FileError as e:
                raise errors.ValidationError(name='certificate-out',
                                             error=str(e))

        result = super(WithCertOutArgs, self).forward(*keys, **options)
        if filename:
            if options.get('chain', False):
                certs = result['result']['certificate_chain']
            else:
                certs = [base64.b64decode(result['result']['certificate'])]
            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
            x509.write_certificate_list(certs, filename)

        return result
예제 #18
0
파일: baseuser.py 프로젝트: zpytela/freeipa
def update_samba_attrs(ldap, dn, entry_attrs, **options):
    smb_attrs = {
        'ipantlogonscript', 'ipantprofilepath', 'ipanthomedirectory',
        'ipanthomedirectorydrive'
    }
    if 'objectclass' not in entry_attrs:
        try:
            oc = ldap.get_entry(dn, ['objectclass'])['objectclass']
        except errors.NotFound:
            # In case the entry really does not exist,
            # compare against an empty list
            oc = []
    else:
        oc = entry_attrs['objectclass']
    if 'ipantuserattrs' not in (item.lower() for item in oc):
        for attr in smb_attrs:
            if options.get(attr, None):
                raise errors.ValidationError(
                    name=attr,
                    error=_('Object class ipaNTUserAttrs is missing, '
                            'user entry cannot have SMB attributes.'))
예제 #19
0
파일: server.py 프로젝트: zpytela/freeipa
    def execute(self, *keys, **options):
        # the server must be the local host
        if keys[-2] != api.env.host:
            raise errors.ValidationError(name='cn',
                                         error=_("must be \"%s\"") %
                                         api.env.host)

        # the server entry must exist
        try:
            self.obj.get_dn_if_exists(*keys[:-1])
        except errors.NotFound:
            raise self.obj.handle_not_found(keys[-2])

        # the user must have the Replication Administrators privilege
        privilege = u'Replication Administrators'
        if not principal_has_privilege(self.api, context.principal, privilege):
            raise errors.ACIError(
                info=_("not allowed to perform server connection check"))

        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)

        bus = dbus.SystemBus()
        obj = bus.get_object('org.freeipa.server',
                             '/',
                             follow_name_owner_changes=True)
        server = dbus.Interface(obj, 'org.freeipa.server')

        ret, stdout, _stderr = server.conncheck(keys[-1])

        result = dict(
            result=(ret == 0),
            value=keys[-2],
        )

        for line in stdout.splitlines():
            messages.add_message(options['version'], result,
                                 messages.ExternalCommandOutput(line=line))

        return result
예제 #20
0
def validate_external_object(ldap, dn, keys, options, value, object_type):
    trusted_objects = options.get('trusted_objects', [])
    param = api.Object[object_type].primary_key
    if object_type == 'group' and value.startswith('%'):
        value = value[1:]
    o_id = param(value)

    try:
        param.validate(o_id)
    except errors.ValidationError as e:
        membertype = object_type
        try:
            id = resolve_object_to_anchor(ldap, object_type, o_id, False)
            if id.startswith(SID_ANCHOR_PREFIX):
                if object_type == 'group':
                    trusted_objects.append('%' + value)
                else:
                    trusted_objects.append(value)
                options['trusted_objects'] = trusted_objects
                return
        except errors.NotFound:
            raise errors.ValidationError(name=membertype, error=e.error)
예제 #21
0
    def forward(self, *args, **options):
        if 'certificate_out' in options:
            certificate_out = options.pop('certificate_out')
            try:
                util.check_writable_file(certificate_out)
            except errors.FileError as e:
                raise errors.ValidationError(name='certificate-out',
                                             error=str(e))
        else:
            certificate_out = None

        result = super(CertRetrieveOverride, self).forward(*args, **options)

        if certificate_out is not None:
            if options.get('chain', False):
                certs = result['result']['certificate_chain']
            else:
                certs = [base64.b64decode(result['result']['certificate'])]
            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
            x509.write_certificate_list(certs, certificate_out)

        return result
예제 #22
0
def validate_permission_to_privilege(api, permission):
    ldap = api.Backend.ldap2
    ldapfilter = ldap.combine_filters(rules='&', filters=[
        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
        ldap.make_filter_from_attr('cn', permission, rules='|')])
    try:
        entries, _truncated = ldap.find_entries(
            filter=ldapfilter,
            attrs_list=['cn', 'ipapermbindruletype'],
            base_dn=DN(api.env.container_permission, api.env.basedn),
            size_limit=1)
    except errors.NotFound:
        pass
    else:
        entry = entries[0]
        message = _('cannot add permission "%(perm)s" with bindtype '
                    '"%(bindtype)s" to a privilege')
        raise errors.ValidationError(
            name='permission',
            error=message % {
                'perm': entry.single_value['cn'],
                'bindtype': entry.single_value.get(
                    'ipapermbindruletype', 'permission')})
예제 #23
0
파일: pwpolicy.py 프로젝트: zpytela/freeipa
    def validate_lifetime(self, entry_attrs, add=False, *keys):
        """
        Ensure that the maximum lifetime is greater than the minimum.
        If there is no minimum lifetime set then don't return an error.
        """
        maxlife=entry_attrs.get('krbmaxpwdlife', None)
        minlife=entry_attrs.get('krbminpwdlife', None)
        existing_entry = {}
        if not add: # then read existing entry
            existing_entry = self.api.Command.pwpolicy_show(keys[-1],
                all=True,
            )['result']
            if minlife is None and 'krbminpwdlife' in existing_entry:
                minlife = int(existing_entry['krbminpwdlife'][0]) * 3600
            if maxlife is None and 'krbmaxpwdlife' in existing_entry:
                maxlife = int(existing_entry['krbmaxpwdlife'][0]) * 86400

        if maxlife not in (None, 0) and minlife is not None:
            if minlife > maxlife:
                raise errors.ValidationError(
                    name='maxlife',
                    error=_('Maximum password life must be greater than minimum.'),
                )
예제 #24
0
def _make_aci(ldap, current, aciname, kw):
    """
    Given a name and a set of keywords construct an ACI.
    """
    # Do some quick and dirty validation.
    checked_args=['type','filter','subtree','targetgroup','attrs','memberof']
    valid={}
    for arg in checked_args:
        if arg in kw:
            valid[arg]=kw[arg] is not None
        else:
            valid[arg]=False

    if valid['type'] + valid['filter'] + valid['subtree'] + valid['targetgroup'] > 1:
        raise errors.ValidationError(name='target', error=_('type, filter, subtree and targetgroup are mutually exclusive'))

    if 'aciprefix' not in kw:
        raise errors.ValidationError(name='aciprefix', error=_('ACI prefix is required'))

    if sum(valid.itervalues()) == 0:
        raise errors.ValidationError(name='target', error=_('at least one of: type, filter, subtree, targetgroup, attrs or memberof are required'))

    if valid['filter'] + valid['memberof'] > 1:
        raise errors.ValidationError(name='target', error=_('filter and memberof are mutually exclusive'))

    group = 'group' in kw
    permission = 'permission' in kw
    selfaci = 'selfaci' in kw and kw['selfaci'] == True
    if group + permission + selfaci > 1:
        raise errors.ValidationError(name='target', error=_('group, permission and self are mutually exclusive'))
    elif group + permission + selfaci == 0:
        raise errors.ValidationError(name='target', error=_('One of group, permission or self is required'))

    # Grab the dn of the group we're granting access to. This group may be a
    # permission or a user group.
    entry_attrs = []
    if permission:
        # This will raise NotFound if the permission doesn't exist
        try:
            entry_attrs = api.Command['permission_show'](kw['permission'])['result']
        except errors.NotFound, e:
            if 'test' in kw and not kw.get('test'):
                raise e
            else:
                entry_attrs = {'dn': DN(('cn', kw['permission']), api.env.container_permission)}
예제 #25
0
    def _add(self, api_instance, master):
        """
        add attribute to the master
        :param api_instance: API instance
        :param master: master FQDN

        :raises: * errors.ValidationError if the associated role is not enabled
                   on the master
        """

        assoc_role_providers = self._get_assoc_role_providers(api_instance)
        ldap = api_instance.Backend.ldap2

        if master not in assoc_role_providers:
            raise errors.ValidationError(
                name=master,
                error=_("must have %(role)s role enabled" %
                        {'role': self.associated_role.name})
            )

        master_dn = self._get_master_dn(api_instance, master)
        service_entry = self._get_masters_service_entry(ldap, master_dn)
        self._add_attribute_to_svc_entry(ldap, service_entry)
예제 #26
0
    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
       # convert CIDR to separate IP and mask. Validator has already checked syntax
       if '/' in keys[0]:
           sl = keys[0].split('/')
           dn = DN(('cn',sl[0])) + dn[1:]
           entry_attrs['cn'] = sl[0]
           entry_attrs['dhcpnetmask'] = sl[1]
       elif not 'dhcpnetmask' in options:
           raise errors.ValidationError(
               name=keys[0], error=_('either subnet name should include size, e.g. 128.6.0.0/16, or --netmask must be specified'))

       if not 'dhcpoption' in  entry_attrs:
          #broadcast-address 172.17.8.223, routers 172.17.8.193, subnet-mask 255.255.255.224
          cidr = entry_attrs['dhcpnetmask']
          net = None
          try: 
             net = ipaddress.IPv4Network(_(str(entry_attrs['cn']) + '/' + str(cidr)))
          except ValueError:
             raise self.obj.handle_not_found('invalid address')
          options = ['broadcast-address ' + str(net.broadcast_address),
                     'subnet-mask ' + str(net.netmask),
                     'routers ' + str(next(net.hosts()))]
          entry_attrs['dhcpoption'] = options

       # in case user did something weird, get netmask from cidr spec. that's what
       # the dhcpd ldap code does
       c = entry_attrs['dhcpnetmask']
       net = None
       try: 
           net = ipaddress.IPv4Network(_(str(entry_attrs['cn']) + '/' + str(c)))
       except ValueError:
            raise self.obj.handle_not_found('invalid address')

       check_dhcp_entry('subnet ' + str(entry_attrs['cn']) + ' netmask ' + str(net.netmask) + '{', '}', entry_attrs);
          
       return dn
예제 #27
0
    def execute(self, *keys, **options):
        parentmap = options.pop('parentmap', None)
        key = options.pop('key')
        result = self.api.Command['automountmap_add'](*keys, **options)
        try:
            if parentmap != u'auto.master':
                if key.startswith('/'):
                    raise errors.ValidationError(
                        name='mount',
                        error=_('mount point is relative to parent map, '
                                'cannot begin with /'))
                location = keys[0]
                map = keys[1]
                options['automountinformation'] = map

                # Ensure the referenced map exists
                self.api.Command['automountmap_show'](location, parentmap)
                # Add a submount key
                self.api.Command['automountkey_add'](
                    location,
                    parentmap,
                    automountkey=key,
                    automountinformation='-fstype=autofs ldap:%s' % map)
            else:  # adding to auto.master
                # Ensure auto.master exists
                self.api.Command['automountmap_show'](keys[0], parentmap)
                self.api.Command['automountkey_add'](
                    keys[0],
                    u'auto.master',
                    automountkey=key,
                    automountinformation=keys[1])
        except Exception:
            # The key exists, drop the map
            self.api.Command['automountmap_del'](*keys)
            raise
        return result
예제 #28
0
파일: server.py 프로젝트: zpytela/freeipa
 def _check_hide_server(self, fqdn):
     result = self.api.Command.config_show()['result']
     err = []
     # single value entries
     if result.get("ca_renewal_master_server") == fqdn:
         err.append(_("Cannot hide CA renewal master."))
     if result.get("dnssec_key_master_server") == fqdn:
         err.append(_("Cannot hide DNSSec key master."))
     # multi value entries, only fail if we are the last one
     checks = [
         ("ca_server_server", "CA"),
         ("dns_server_server", "DNS"),
         ("ipa_master_server", "IPA"),
         ("kra_server_server", "KRA"),
     ]
     for key, name in checks:
         values = result.get(key, [])
         if values == [fqdn]:  # fqdn is the only entry
             err.append(
                 _("Cannot hide last enabled %(name)s server.") %
                 {'name': name})
     if err:
         raise errors.ValidationError(name=fqdn,
                                      error=' '.join(str(e) for e in err))
예제 #29
0
 def pre_callback(self, ldap, dn, *keys, **options):
     if options.get('permission'):
         # We can only add permissions with bind rule type set to
         # "permission" (or old-style permissions)
         ldapfilter = ldap.combine_filters(
             rules='&',
             filters=[
                 '(objectClass=ipaPermissionV2)',
                 '(!(ipaPermBindRuleType=permission))',
                 ldap.make_filter_from_attr('cn',
                                            options['permission'],
                                            rules='|'),
             ])
         try:
             entries, truncated = ldap.find_entries(
                 filter=ldapfilter,
                 attrs_list=['cn', 'ipapermbindruletype'],
                 base_dn=DN(self.api.env.container_permission,
                            self.api.env.basedn),
                 size_limit=1)
         except errors.NotFound:
             pass
         else:
             entry = entries[0]
             message = _('cannot add permission "%(perm)s" with bindtype '
                         '"%(bindtype)s" to a privilege')
             raise errors.ValidationError(
                 name='permission',
                 error=message % {
                     'perm':
                     entry.single_value['cn'],
                     'bindtype':
                     entry.single_value.get('ipapermbindruletype',
                                            'permission')
                 })
     return dn
예제 #30
0
파일: service.py 프로젝트: wladich/freeipa
def validate_auth_indicator(entry):
    new_value = entry.get('krbprincipalauthind', None)
    if not new_value:
        return
    # The following services are considered internal IPA services
    # and shouldn't be allowed to have auth indicators.
    # https://pagure.io/freeipa/issue/8206
    pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
    if pkey == str(entry.dn):
        # krbcanonicalname may not be set yet if this is a host entry,
        # try krbprincipalname
        if 'krbprincipalname' in entry:
            pkey = entry['krbprincipalname']
    principal = kerberos.Principal(pkey)
    server = api.Command.server_find(principal.hostname)['result']
    if server:
        prefixes = ("host", "cifs", "ldap", "HTTP")
    else:
        prefixes = ("cifs", )
    if principal.service_name in prefixes:
        raise errors.ValidationError(
            name='krbprincipalauthind',
            error=_('authentication indicators not allowed '
                    'in service "%s"' % principal.service_name))