def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) def check_validity(runas): v = unicode(runas) if v.upper() == u'ALL': return False return True try: _entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(_entry_attrs, 'ipasudorunasusercategory') or \ is_all(_entry_attrs, 'ipasudorunasgroupcategory'): raise errors.MutuallyExclusiveError( reason=_("users cannot be added when runAs user or runAs " "group category='all'")) if 'group' in options: for name in options['group']: if not check_validity(name): raise errors.ValidationError(name='runas-group', error=unicode(_("RunAsGroup does not accept " "'%(name)s' as a group name")) % dict(name=name)) return add_external_pre_callback('group', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: entry_attrs = ldap.get_entry(dn, attrs_list) dn = entry_attrs.dn except errors.NotFound: self.obj.handle_not_found(*keys) # Commented until subca plugin arrives #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: # raise errors.MutuallyExclusiveError(reason=_( # "CA category cannot be set to 'all' " # "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError(reason=_( "profile category cannot be set to 'all' " "while there are allowed profiles")) if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "user category cannot be set to 'all' " "while there are allowed users")) if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "host category cannot be set to 'all' " "while there are allowed hosts")) if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "service category cannot be set to 'all' " "while there are allowed services")) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) if 'sudoorder' in options: new_order = options.get('sudoorder') old_entry = self.api.Command.sudorule_show(keys[-1])['result'] if 'sudoorder' in old_entry: old_order = int(old_entry['sudoorder'][0]) if old_order != new_order: self.obj.check_order_uniqueness(*keys, **options) else: self.obj.check_order_uniqueness(*keys, **options) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users")) if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts")) if is_all(options, 'cmdcategory') and ('memberallowcmd' or 'memberdenywcmd') in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_("command category cannot be set to 'all' while there are allow or deny commands")) if is_all(options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_("user runAs category cannot be set to 'all' while there are users")) if is_all(options, 'ipasudorunasgroupcategory') and 'ipasudorunasgroup' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_("group runAs category cannot be set to 'all' while there are groups")) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: entry_attrs = ldap.get_entry(dn, attrs_list) dn = entry_attrs.dn except errors.NotFound: self.obj.handle_not_found(*keys) # Commented until subca plugin arrives #if is_all(options, 'ipacacategory') and 'ipamemberca' in entry_attrs: # raise errors.MutuallyExclusiveError(reason=_( # "CA category cannot be set to 'all' " # "while there are allowed CAs")) if (is_all(options, 'ipacertprofilecategory') and 'ipamembercertprofile' in entry_attrs): raise errors.MutuallyExclusiveError( reason=_("profile category cannot be set to 'all' " "while there are allowed profiles")) if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError( reason=_("user category cannot be set to 'all' " "while there are allowed users")) if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError( reason=_("host category cannot be set to 'all' " "while there are allowed hosts")) if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: raise errors.MutuallyExclusiveError( reason=_("service category cannot be set to 'all' " "while there are allowed services")) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) def check_validity(runas): v = unicode(runas) if v.upper() == u'ALL': return False return True try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(_entry_attrs, 'ipasudorunasusercategory') or \ is_all(_entry_attrs, 'ipasudorunasgroupcategory'): raise errors.MutuallyExclusiveError(reason=_("users cannot be added when runAs user or runAs group category='all'")) if 'user' in options: for name in options['user']: if not check_validity(name): raise errors.ValidationError(name='runas-user', error=unicode(_("RunAsUser does not accept '%(name)s' as a user name")) % dict(name=name)) if 'group' in options: for name in options['group']: if not check_validity(name): raise errors.ValidationError(name='runas-user', error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) % dict(name=name)) return add_external_pre_callback('user', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users")) if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts")) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "user category cannot be set to 'all' while there are allowed users" )) if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "host category cannot be set to 'all' while there are allowed hosts" )) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) if 'sudoorder' in options: new_order = options.get('sudoorder') old_entry = self.api.Command.sudorule_show(keys[-1])['result'] if 'sudoorder' in old_entry: old_order = int(old_entry['sudoorder'][0]) if old_order != new_order: self.obj.check_order_uniqueness(*keys, **options) else: self.obj.check_order_uniqueness(*keys, **options) try: _entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) error = _("%(type)s category cannot be set to 'all' " "while there are allowed %(objects)s") category_info = [( 'usercategory', ['memberuser', 'externaluser'], error % {'type': _('user'), 'objects': _('users')} ), ( 'hostcategory', ['memberhost', 'externalhost', 'hostmask'], error % {'type': _('host'), 'objects': _('hosts')} ), ( 'cmdcategory', ['memberallowcmd'], error % {'type': _('command'), 'objects': _('commands')} ), ( 'ipasudorunasusercategory', ['ipasudorunas', 'ipasudorunasextuser', 'ipasudorunasextusergroup'], error % {'type': _('runAs user'), 'objects': _('runAs users')} ), ( 'ipasudorunasgroupcategory', ['ipasudorunasgroup', 'ipasudorunasextgroup'], error % {'type': _('group runAs'), 'objects': _('runAs groups')} ), ] # Enforce the checks for all the categories for category, member_attrs, error in category_info: any_member_attrs_set = any(attr in _entry_attrs for attr in member_attrs) if is_all(options, category) and any_member_attrs_set: raise errors.MutuallyExclusiveError(reason=error) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) if 'sudoorder' in options: new_order = options.get('sudoorder') old_entry = self.api.Command.sudorule_show(keys[-1])['result'] if 'sudoorder' in old_entry: old_order = int(old_entry['sudoorder'][0]) if old_order != new_order: self.obj.check_order_uniqueness(*keys, **options) else: self.obj.check_order_uniqueness(*keys, **options) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "user category cannot be set to 'all' while there are allowed users" )) if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "host category cannot be set to 'all' while there are allowed hosts" )) if is_all(options, 'cmdcategory') and ('memberallowcmd' or 'memberdenywcmd') in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "command category cannot be set to 'all' while there are allow or deny commands" )) if is_all( options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "user runAs category cannot be set to 'all' while there are users" )) if is_all(options, 'ipasudorunasgroupcategory' ) and 'ipasudorunasgroup' in _entry_attrs: raise errors.MutuallyExclusiveError(reason=_( "group runAs category cannot be set to 'all' while there are groups" )) return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options): assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(_entry_attrs, 'hostcategory'): raise errors.MutuallyExclusiveError(reason=_("hosts cannot be added when host category='all'")) return add_external_pre_callback('host', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: self.obj.handle_not_found(*keys) is_to_be_deleted = lambda x: (x in _entry_attrs and x in entry_attrs) and \ entry_attrs[x] == None # makes sure the local members and hbacrule is not set at the same time # memberuser or memberhost could have been set using --setattr is_to_be_set = lambda x: ((x in _entry_attrs and _entry_attrs[x] != None) or \ (x in entry_attrs and entry_attrs[x] != None)) and \ not is_to_be_deleted(x) are_local_members_to_be_set = any( is_to_be_set(attr) for attr in ('usercategory', 'hostcategory', 'memberuser', 'memberhost')) is_hbacrule_to_be_set = is_to_be_set('seealso') # this can disable all modifications if hbacrule and local members were # set at the same time bypassing this commad, e.g. using ldapmodify if are_local_members_to_be_set and is_hbacrule_to_be_set: raise errors.MutuallyExclusiveError(reason=notboth_err) if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError( reason="user category " "cannot be set to 'all' while there are allowed users") if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError( reason="host category " "cannot be set to 'all' while there are allowed hosts") if 'ipaselinuxuser' in entry_attrs: validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser']) if 'seealso' in entry_attrs: entry_attrs['seealso'] = self.obj._normalize_seealso( entry_attrs['seealso']) return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options): assert isinstance(dn, DN) try: entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) dn = entry_attrs.dn except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(entry_attrs, "ipacertprofilecategory"): raise errors.MutuallyExclusiveError(reason=_("profiles cannot be added when profile category='all'")) return dn
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) try: _entry_attrs = ldap.get_entry(dn, attrs_list) except errors.NotFound: self.obj.handle_not_found(*keys) is_to_be_deleted = lambda x: (x in _entry_attrs and x in entry_attrs) and \ entry_attrs[x] == None # makes sure the local members and hbacrule is not set at the same time # memberuser or memberhost could have been set using --setattr is_to_be_set = lambda x: ((x in _entry_attrs and _entry_attrs[x] != None) or \ (x in entry_attrs and entry_attrs[x] != None)) and \ not is_to_be_deleted(x) are_local_members_to_be_set = any(is_to_be_set(attr) for attr in ('usercategory', 'hostcategory', 'memberuser', 'memberhost')) is_hbacrule_to_be_set = is_to_be_set('seealso') # this can disable all modifications if hbacrule and local members were # set at the same time bypassing this commad, e.g. using ldapmodify if are_local_members_to_be_set and is_hbacrule_to_be_set: raise errors.MutuallyExclusiveError(reason=notboth_err) if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError(reason="user category " "cannot be set to 'all' while there are allowed users") if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError(reason="host category " "cannot be set to 'all' while there are allowed hosts") if 'ipaselinuxuser' in entry_attrs: validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser']) if 'seealso' in entry_attrs: entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso']) return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options): assert isinstance(dn, DN) try: entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) dn = entry_attrs.dn except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(entry_attrs, 'ipacertprofilecategory'): raise errors.MutuallyExclusiveError(reason=_( "profiles cannot be added when profile category='all'")) return dn
def pre_callback(self, ldap, dn, found, not_found, *keys, **options): assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(_entry_attrs, 'hostcategory'): raise errors.MutuallyExclusiveError( reason=_("hosts cannot be added when host category='all'")) return add_external_pre_callback('host', ldap, dn, keys, options)
def pre_callback(self, ldap, dn, found, not_found, *keys, **options): assert isinstance(dn, DN) try: _entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) if is_all(_entry_attrs, 'cmdcategory'): raise errors.MutuallyExclusiveError( reason=_("commands cannot be added when command " "category='all'")) return dn