def _remove_server_custodia_keys(self, ldap, master):
    """Delete every Custodia encryption and signing key owned by ``master``.

    Keys are located under the Custodia container by their
    ``memberPrincipal`` attribute, matched as ``*/<master>@<realm>`` (only a
    leading wildcard is permitted, so the host and realm part must match
    exactly).  A missing container (``errors.NotFound``) is silently
    accepted; any other failure is recorded as a ``ServerRemovalWarning``
    instead of being raised, so the remaining removal steps still run and
    the operator is told that stale keys may be left behind.
    """
    env = self.api.env
    conn = self.Backend.ldap2
    principal_suffix = "/{}@{}".format(master, env.realm)
    # memberPrincipal=*/fqdn@realm -- the value goes through
    # make_filter_from_attr rather than being interpolated into a filter string
    key_filter = ldap.make_filter_from_attr(
        'memberPrincipal', principal_suffix,
        exact=False, leading_wildcard=True, trailing_wildcard=False)
    container = DN(env.container_custodia, env.basedn)
    try:
        for key_entry in conn.get_entries(container, ldap.SCOPE_SUBTREE,
                                          filter=key_filter):
            conn.delete_entry(key_entry)
    except errors.NotFound:
        pass
    except Exception as e:
        self.add_message(
            messages.ServerRemovalWarning(
                message=_("Failed to clean up Custodia keys for "
                          "%(master)s: %(err)s") % dict(master=master, err=e)))
def _get_enabled_servrole_filter(self, ldap, servroles):
    """Build a filter matching the masters that have *every* role in ``servroles`` enabled.

    Each role is resolved through ``server_role_find`` with ``status=ENABLED``
    and the resulting server-name sets are intersected.  When no master has
    all of the roles, the constant no-match filter ``(!(objectclass=*))`` is
    returned so the caller can AND it into its search unchanged.
    ``servroles`` must be non-empty; the first element is always looked up.
    """
    def _enabled_on(role):
        found = self.api.Command.server_role_find(
            server_server=None, role_servrole=role, status=ENABLED)['result']
        return {entry[u'server_server'] for entry in found}

    candidates = _enabled_on(servroles[0])
    for extra_role in servroles[1:]:
        # every further role is queried too (no short-circuit on empty set)
        candidates &= _enabled_on(extra_role)
    if not candidates:
        return '(!(objectclass=*))'
    return ldap.make_filter_from_attr(
        'cn', list(candidates), rules=ldap.MATCH_ANY)
def _remove_server_custodia_keys(self, ldap, master):
    """Remove the Custodia encryption and signing keys that belong to ``master``.

    The keys are found by a subtree search of the Custodia container for
    ``memberPrincipal`` values ending in ``/<master>@<realm>`` and deleted one
    by one.  ``errors.NotFound`` is ignored; every other exception is turned
    into a ``ServerRemovalWarning`` message so that server removal proceeds
    while still surfacing that keys may remain.
    """
    conn = self.Backend.ldap2
    env = self.api.env
    # memberPrincipal=*/fqdn@realm (leading wildcard only)
    key_filter = ldap.make_filter_from_attr(
        'memberPrincipal',
        "/{}@{}".format(master, env.realm),
        exact=False,
        leading_wildcard=True,
        trailing_wildcard=False,
    )
    search_base = DN(env.container_custodia, env.basedn)
    try:
        found = conn.get_entries(search_base, ldap.SCOPE_SUBTREE,
                                 filter=key_filter)
        for key_entry in found:
            conn.delete_entry(key_entry)
    except errors.NotFound:
        pass
    except Exception as e:
        warning = messages.ServerRemovalWarning(
            message=_("Failed to clean up Custodia keys for "
                      "%(master)s: %(err)s") % dict(master=master, err=e))
        self.add_message(warning)
def _get_enabled_servrole_filter(self, ldap, servroles):
    """Return an LDAP filter selecting masters on which all ``servroles`` are enabled.

    ``server_role_find`` is called once per role (with ``status=ENABLED`` and
    ``include_master=True``) and the returned server names are intersected.
    An empty intersection yields the no-match filter ``(!(objectclass=*))``;
    otherwise a ``cn`` filter over the surviving names, combined with
    ``ldap.MATCH_ANY``, is returned.  ``servroles`` must contain at least one
    role.
    """
    def _enabled_on(role):
        found = self.api.Command.server_role_find(
            server_server=None,
            role_servrole=role,
            status=ENABLED,
            include_master=True,
        )['result']
        return {entry[u'server_server'] for entry in found}

    candidates = _enabled_on(servroles[0])
    for extra_role in servroles[1:]:
        candidates &= _enabled_on(extra_role)
    if not candidates:
        return '(!(objectclass=*))'
    return ldap.make_filter_from_attr('cn', list(candidates),
                                      rules=ldap.MATCH_ANY)
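def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args,
                 **options):
    """Narrow the server search filter by topology suffix and server role.

    Three optional search options are honoured:

    * ``topologysuffix`` -- only servers managing *all* of the named
      suffixes match.  A suffix name that cannot be resolved forces an
      empty result rather than silently widening the search.
    * ``no_topologysuffix`` -- servers managing any of the named suffixes
      are excluded; names that cannot be resolved are skipped because
      there is nothing to exclude.
    * ``servrole`` -- delegated to ``_get_enabled_servrole_filter``.

    All suffix values are passed to ``ldap.make_filter_from_attr`` instead
    of being interpolated into filter strings.  Returns the
    ``(filters, base_dn, scope)`` tuple the search framework expects;
    ``attrs_list``, ``*args`` and the remaining options are left untouched.
    """
    included = options.get('topologysuffix')
    excluded = options.get('no_topologysuffix')

    if included or excluded:
        topologysuffix = self.api.Object.topologysuffix
        # map suffix DN -> suffix name, as returned by _get_suffixes()
        suffix_by_dn = {s[1]: s[0] for s in self.obj._get_suffixes()}

        if included:
            included_dns = [topologysuffix.get_dn(pk) for pk in included]
            try:
                included_names = [suffix_by_dn[dn] for dn in included_dns]
            except KeyError:
                # unknown suffix: nothing can match, force an empty result
                suffix_filter = '(!(objectclass=*))'
            else:
                suffix_filter = ldap.make_filter_from_attr(
                    'iparepltopomanagedsuffix', included_names, ldap.MATCH_ALL)
            filters = ldap.combine_filters(
                (filters, suffix_filter), ldap.MATCH_ALL)

        if excluded:
            excluded_dns = [topologysuffix.get_dn(pk) for pk in excluded]
            # unknown suffixes have nothing to exclude, so they are dropped
            excluded_names = [suffix_by_dn[dn] for dn in excluded_dns
                              if dn in suffix_by_dn]
            suffix_filter = ldap.make_filter_from_attr(
                'iparepltopomanagedsuffix', excluded_names, ldap.MATCH_NONE)
            filters = ldap.combine_filters(
                (filters, suffix_filter), ldap.MATCH_ALL)

    if options.get('servrole', []):
        servrole_filter = self._get_enabled_servrole_filter(
            ldap, options['servrole'])
        filters = ldap.combine_filters(
            (filters, servrole_filter), ldap.MATCH_ALL)

    return (filters, base_dn, scope)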