class LocalOrRemote(Command):
"""
A command that is explicitly executed locally or remotely.
This is for commands that makes sense to execute either locally or
remotely to return a perhaps different result. The best example of
this is the `ipalib.plugins.f_misc.env` plugin which returns the
key/value pairs describing the configuration state: it can be
"""
takes_options = (
Flag('server?',
doc=_('Forward to server instead of running locally'),
),
)
def run(self, *args, **options):
"""
Dispatch to forward() or execute() based on ``server`` option.
When running in a client context, this command is executed remotely if
``options['server']`` is true; otherwise it is executed locally.
When running in a server context, this command is always executed
locally and the value of ``options['server']`` is ignored.
"""
if options['server'] and not self.env.in_server:
return self.forward(*args, **options)
return self.execute(*args, **options)
class server_role_find(Search):
__doc__ = _('Find a server role on a server(s)')
obj_name = 'server_role'
attr_name = 'find'
msg_summary = ngettext('%(count)s server role matched',
'%(count)s server roles matched', 0)
takes_options = Search.takes_options + (
Int(
'timelimit?',
label=_('Time Limit'),
doc=_('Time limit of search in seconds (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
),
Int(
'sizelimit?',
label=_('Size Limit'),
doc=_('Maximum number of entries returned (0 is unlimited)'),
flags=['no_display'],
minvalue=0,
autofill=False,
), Flag(
'include_master',
doc=_('Include IPA master entries'),
))
def execute(self, *keys, **options):
if keys:
return dict(result=[], count=0, truncated=False)
server = options.get('server_server', None)
role_name = options.get('role_servrole', None)
status = options.get('status', None)
if server is not None:
self.obj.ensure_master_exists(server)
role_status = self.obj.backend.server_role_search(
server_server=server, role_servrole=role_name, status=status)
# Don't display "IPA master" information unless the role is
# requested explicitly. All servers are considered IPA masters,
# except for replicas during installation.
if options.get('include_master') or role_name == "IPA master":
result = role_status
else:
result = [
r for r in role_status if r[u'role_servrole'] != "IPA master"
]
return dict(
result=result,
count=len(result),
truncated=False,
)
class cert_remove_hold(MethodOverride):
has_output_params = (
Flag('unrevoked',
label=_('Unrevoked'),
),
Str('error_string',
label=_('Error'),
),
)
def get_options(self):
for option in super(BaseMetaSearch, self).get_options():
yield option
yield Flag(
'pkey_only?',
label=_("Primary key only"),
doc=_("Results should contain primary key attribute only "
"(\"%s\")") % 'name',
)
def get_options(self):
"""
Iterate through parameters for ``Command.options`` namespace.
This method gets called by `HasParam._create_param_namespace()`.
For commands that return entries two special options are generated:
--all makes the command retrieve/display all attributes
--raw makes the command display attributes as they are stored
Subclasses can override this to customize how the arguments are
determined. For an example of why this can be useful, see the
`ipalib.crud.Create` subclass.
"""
for option in self._get_param_iterable('options'):
yield option
for o in self.has_output:
if isinstance(o, (Entry, ListOfEntries)):
yield Flag('all',
cli_name='all',
doc=_('Retrieve and print all attributes from the server. Affects command output.'),
exclude='webui',
flags=['no_output'],
)
yield Flag('raw',
cli_name='raw',
doc=_('Print entries as stored on the server. Only affects output format.'),
exclude='webui',
flags=['no_output'],
)
break
yield Str('version?',
doc=_('Client version. Used to determine if server will accept request.'),
exclude='webui',
flags=['no_option', 'no_output'],
)
class certmaprule(LDAPObject):
"""
Certificate Identity Mapping Rules
"""
label = _('Certificate Identity Mapping Rules')
label_singular = _('Certificate Identity Mapping Rule')
object_name = _('Certificate Identity Mapping Rule')
object_name_plural = _('Certificate Identity Mapping Rules')
object_class = ['ipacertmaprule']
container_dn = api.env.container_certmaprules
default_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
search_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
takes_params = (
Str(
'cn',
cli_name='rulename',
primary_key=True,
label=_('Rule name'),
doc=_('Certificate Identity Mapping Rule name'),
),
Str(
'description?',
cli_name='desc',
label=_('Description'),
doc=_('Certificate Identity Mapping Rule description'),
),
Str(
'ipacertmapmaprule?',
cli_name='maprule',
label=_('Mapping rule'),
doc=_('Rule used to map the certificate with a user entry'),
),
Str(
'ipacertmapmatchrule?',
cli_name='matchrule',
label=_('Matching rule'),
doc=_('Rule used to check if a certificate can be used for'
' authentication'),
),
DNSNameParam(
'associateddomain*',
cli_name='domain',
label=_('Domain name'),
doc=_('Domain where the user entry will be searched'),
),
Int(
'ipacertmappriority?',
cli_name='priority',
label=_('Priority'),
doc=_('Priority of the rule (higher number means lower priority'),
minvalue=0,
),
Flag('ipaenabledflag?',
label=_('Enabled'),
flags=['no_option'],
default=True),
)
permission_filter_objectclasses = ['ipacertmaprule']
managed_permissions = {
'System: Add Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'add'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Read Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
},
'System: Delete Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'delete'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Modify Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'write'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
}
group.managed_permissions.update(
{
"System: Read FAS group attributes": {
"replaces_global_anonymous_aci": True,
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": ["(objectclass=fasgroup)"],
"ipapermdefaultattr": set(group_fas_attributes),
},
}
)
group.takes_params += (
Flag(
"fasgroup?",
label=_("FAS group"),
flags={"virtual_attribute", "no_create", "no_update", "no_search"},
),
URL("fasurl?", cli_name="fasurl", label=_("Group URL"), maxlength=255,),
Email(
"fasmailinglist?",
cli_name="fasmailinglist",
label=_("Mailing list address"),
maxlength=255,
),
IRCChannel(
"fasircchannel*",
cli_name="fasircchannel",
label=_("IRC network and channel"),
maxlength=255,
),
group_show.has_output_params += fasagreement_member_output_params
group.managed_permissions.update({
"System: Read FAS group attributes": {
"replaces_global_anonymous_aci": True,
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": ["(objectclass=fasgroup)"],
"ipapermdefaultattr": set(group_fas_attributes),
},
})
group.takes_params += (
Flag(
"fasgroup?",
label=_("FAS group"),
flags={"virtual_attribute", "no_create", "no_update", "no_search"},
),
URL(
"fasurl?",
cli_name="fasurl",
label=_("Group URL"),
maxlength=255,
),
Email(
"fasmailinglist?",
cli_name="fasmailinglist",
label=_("Mailing list address"),
maxlength=255,
),
IRCChannel(
"ipapermtargetfilter": ["(objectclass=fasuser)"],
"ipapermdefaultattr": {"nsAccountLock"}.union(fas_user_attributes),
},
# not yet supported
# "System: Self-Modify FAS user attributes": {
# "replaces_global_anonymous_aci": True,
# "ipapermright": {"write"},
# "ipapermtargetfilter": ["(objectclass=fasuser)"],
# "ipapermbindruletype": "self",
# "ipapermdefaultattr": fas_user_attributes.copy(),
# },
}, )
user_find.takes_options += (Flag(
"fasuser",
cli_name="fasuser",
doc=_("Search for FAS users"),
default=False,
), )
def check_fasuser_attr(entry):
"""Common function to verify fasuser attributes"""
fasrhbzemail = entry.get("fasrhbzemail")
if fasrhbzemail is not None and "@" not in fasrhbzemail:
msg = _("invalid e-mail format: %(email)s")
raise errors.ValidationError(name="fasrhbzemail",
errors=msg % {"email": fasrhbzemail})
def user_add_fas_precb(self, ldap, dn, entry, attrs_list, *keys, **options):
if any(option.startswith("fas") for option in options):
