def get_options(self):
for option in super(BaseMetaSearch, self).get_options():
yield option
yield Flag(
'pkey_only?',
label=_("Primary key only"),
doc=_("Results should contain primary key attribute only "
"(\"%s\")") % 'name',
)
class cert_remove_hold(MethodOverride):
has_output_params = (
Flag(
'unrevoked',
label=_('Unrevoked'),
),
Str(
'error_string',
label=_('Error'),
),
)
def get_options(self):
"""
Iterate through parameters for ``Command.options`` namespace.
This method gets called by `HasParam._create_param_namespace()`.
For commands that return entries two special options are generated:
--all makes the command retrieve/display all attributes
--raw makes the command display attributes as they are stored
Subclasses can override this to customize how the arguments are
determined. For an example of why this can be useful, see the
`ipalib.crud.Create` subclass.
"""
for option in self._get_param_iterable('options'):
yield option
for o in self.has_output:
if isinstance(o, (Entry, ListOfEntries)):
yield Flag('all',
cli_name='all',
doc=_('Retrieve and print all attributes from the server. Affects command output.'),
exclude='webui',
flags=['no_output'],
)
yield Flag('raw',
cli_name='raw',
doc=_('Print entries as stored on the server. Only affects output format.'),
exclude='webui',
flags=['no_output'],
)
break
yield Str('version?',
doc=_('Client version. Used to determine if server will accept request.'),
exclude='webui',
flags=['no_option', 'no_output'],
)
class certmaprule(LDAPObject):
"""
Certificate Identity Mapping Rules
"""
label = _('Certificate Identity Mapping Rules')
label_singular = _('Certificate Identity Mapping Rule')
object_name = _('Certificate Identity Mapping Rule')
object_name_plural = _('Certificate Identity Mapping Rules')
object_class = ['ipacertmaprule']
container_dn = api.env.container_certmaprules
default_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
search_attributes = [
'cn', 'description', 'ipacertmapmaprule', 'ipacertmapmatchrule',
'associateddomain', 'ipacertmappriority', 'ipaenabledflag'
]
takes_params = (
Str(
'cn',
cli_name='rulename',
primary_key=True,
label=_('Rule name'),
doc=_('Certificate Identity Mapping Rule name'),
),
Str(
'description?',
cli_name='desc',
label=_('Description'),
doc=_('Certificate Identity Mapping Rule description'),
),
Str(
'ipacertmapmaprule?',
cli_name='maprule',
label=_('Mapping rule'),
doc=_('Rule used to map the certificate with a user entry'),
),
Str(
'ipacertmapmatchrule?',
cli_name='matchrule',
label=_('Matching rule'),
doc=_('Rule used to check if a certificate can be used for'
' authentication'),
),
DNSNameParam(
'associateddomain*',
cli_name='domain',
label=_('Domain name'),
doc=_('Domain where the user entry will be searched'),
),
Int(
'ipacertmappriority?',
cli_name='priority',
label=_('Priority'),
doc=_('Priority of the rule (higher number means lower priority'),
minvalue=0,
),
Flag('ipaenabledflag?',
label=_('Enabled'),
flags=['no_option'],
default=True),
)
permission_filter_objectclasses = ['ipacertmaprule']
managed_permissions = {
'System: Add Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'add'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Read Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
},
'System: Delete Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'delete'},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
'System: Modify Certmap Rules': {
'replaces_global_anonymous_aci': True,
'ipapermright': {'write'},
'ipapermdefaultattr': {
'objectclass',
'cn',
'description',
'ipacertmapmaprule',
'ipacertmapmatchrule',
'associateddomain',
'ipacertmappriority',
'ipaenabledflag',
},
'default_privileges':
{'Certificate Identity Mapping Administrators'},
},
}
group.managed_permissions.update(
{
"System: Read FAS group attributes": {
"replaces_global_anonymous_aci": True,
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": ["(objectclass=fasgroup)"],
"ipapermdefaultattr": set(group_fas_attributes),
},
}
)
group.takes_params += (
Flag(
"fasgroup?",
label=_("FAS group"),
flags={"virtual_attribute", "no_create", "no_update", "no_search"},
),
URL("fasurl?", cli_name="fasurl", label=_("Group URL"), maxlength=255,),
Email(
"fasmailinglist?",
cli_name="fasmailinglist",
label=_("Mailing list address"),
maxlength=255,
),
IRCChannel(
"fasircchannel*",
cli_name="fasircchannel",
label=_("IRC network and channel"),
maxlength=255,
),
group_show.has_output_params += fasagreement_member_output_params
group.managed_permissions.update({
"System: Read FAS group attributes": {
"replaces_global_anonymous_aci": True,
"ipapermbindruletype": "all",
"ipapermright": {"read", "search", "compare"},
"ipapermtargetfilter": ["(objectclass=fasgroup)"],
"ipapermdefaultattr": set(group_fas_attributes),
},
})
group.takes_params += (
Flag(
"fasgroup?",
label=_("FAS group"),
flags={"virtual_attribute", "no_create", "no_update", "no_search"},
),
URL(
"fasurl?",
cli_name="fasurl",
label=_("Group URL"),
maxlength=255,
),
Email(
"fasmailinglist?",
cli_name="fasmailinglist",
label=_("Mailing list address"),
maxlength=255,
),
IRCChannel(
"ipapermtargetfilter": ["(objectclass=fasuser)"],
"ipapermdefaultattr": {"nsAccountLock"}.union(fas_user_attributes),
},
# not yet supported
# "System: Self-Modify FAS user attributes": {
# "replaces_global_anonymous_aci": True,
# "ipapermright": {"write"},
# "ipapermtargetfilter": ["(objectclass=fasuser)"],
# "ipapermbindruletype": "self",
# "ipapermdefaultattr": fas_user_attributes.copy(),
# },
}, )
user_find.takes_options += (Flag(
"fasuser",
cli_name="fasuser",
doc=_("Search for FAS users"),
default=False,
), )
def check_fasuser_attr(entry):
"""Common function to verify fasuser attributes"""
fasrhbzemail = entry.get("fasrhbzemail")
if fasrhbzemail is not None and "@" not in fasrhbzemail:
msg = _("invalid e-mail format: %(email)s")
raise errors.ValidationError(name="fasrhbzemail",
errors=msg % {"email": fasrhbzemail})
def user_add_fas_precb(self, ldap, dn, entry, attrs_list, *keys, **options):
if any(option.startswith("fas") for option in options):
