def __verify_setup(self): try: node = as_node(self.context) except: raise EInvalidValue("Invalid Context", "%s" % self.context) policies = list(self.parent.get_policies()) policies.remove(self) for policy in policies: if policy.uses_expression != self.uses_expression: continue if policy.context != self.context: continue # Policy contexts are same. message = ("Conflicting policy configurations detected." "Policies %s and %s have same context: '%s'.") msglog.log("broadway", msglog.types.WARN, message % (self, policy, self.context)) if policy.is_running(): message = "Running policy '%s' already has context: %s" raise TypeError(message % (policy.name, self.context)) else: message = ("%s ignoring context conflict: " "conflicting policy is not running.") msglog.log("broadway", msglog.types.WARN, message % self) permissions = self.parent.get_permissions() rolemap = self.rolemap.copy() for role, granted in rolemap.items(): if not self.parent.parent.role_manager.has_role(role): message = 'Policy "%s" ' % self.url message += 'removing role "%s". ' % role message += 'It does not exist.' msglog.log('broadway', msglog.types.WARN, message) del (self.rolemap[role]) elif isinstance(granted, (list, tuple)): for permission in granted: if permission not in permissions: message = 'Policy "%s" ' % self.url message += 'removing permission "%s" ' % permission message += 'from role "%s". ' % role message += 'Permission does not exist.' msglog.log('broadway', msglog.types.WARN, message) self.rolemap[role].remove(permission) return
def __verify_setup(self): try: node = as_node(self.context) except: raise EInvalidValue("Invalid Context", "%s" % self.context) policies = list(self.parent.get_policies()) policies.remove(self) for policy in policies: if policy.uses_expression != self.uses_expression: continue if policy.context != self.context: continue # Policy contexts are same. message = ("Conflicting policy configurations detected." "Policies %s and %s have same context: '%s'.") msglog.log("broadway", msglog.types.WARN, message % (self, policy, self.context)) if policy.is_running(): message = "Running policy '%s' already has context: %s" raise TypeError(message % (policy.name, self.context)) else: message = ("%s ignoring context conflict: " "conflicting policy is not running.") msglog.log("broadway", msglog.types.WARN, message % self) permissions = self.parent.get_permissions() rolemap = self.rolemap.copy() for role, granted in rolemap.items(): if not self.parent.parent.role_manager.has_role(role): message = 'Policy "%s" ' % self.url message += 'removing role "%s". ' % role message += 'It does not exist.' msglog.log('broadway', msglog.types.WARN, message) del(self.rolemap[role]) elif isinstance(granted, (list, tuple)): for permission in granted: if permission not in permissions: message = 'Policy "%s" ' % self.url message += 'removing permission "%s" ' % permission message += 'from role "%s". ' % role message += 'Permission does not exist.' msglog.log('broadway', msglog.types.WARN, message) self.rolemap[role].remove(permission) return
def __synchronize_system(self, usernode, currentname=None, validate=True): system_users = PasswdFile() system_shadow = ShadowFile() system_groups = GroupFile() userchange = False shadowchange = False groupchange = False group_is_private = False system_users.load() system_shadow.load() system_groups.load() flag = 0 #flag will be used to check if system admin is #being demoted. bug CSCth82465 #if system admin is being demoted, #it's entry will be removed and added again if usernode and usernode.name in system_users: userentry = system_users[usernode.name] #user is a system administrator, but not mpxadmin, #and it's current role is not mpxadmin #i.e. a system administrator other than mpxadmin is being demoted if userentry.user_type() == 'mpxadmin' \ and usernode.name != 'mpxadmin' \ and self.role_manager.administrator.name not in usernode.roles: flag = 1 if usernode is None or flag: # If no usernode is provided, the user with name 'currentname' is # being removed. if flag: currentname = usernode.name if currentname is None: raise ValueError('Name must be provided when removing user.') userentry = system_users[currentname] # Loop through all groups to which user belongs, removing user. groups = userentry.groups(system_groups) for groupentry in groups: users = groupentry.user_list() # User is not in user list of private group, so only # groups in to which user *also* belongs are modified. if currentname in users: users.remove(currentname) groupentry.user_list(users) groupchange = True message = 'removed user "%s" from group "%s".' self.output_message(message % (currentname, groupentry.group())) # If a private group was associated with the user--a group # whose name is the same as the user name and whose member # list contains no entries--find and remove it to keep clean. if currentname in system_groups: groupentry = system_groups[currentname] if len(groupentry.user_list()) == 0: # Private group for user entry, remove it. del (system_groups[currentname]) groupchange = True self.output_message('removed private group "%s".' % currentname) # Finally, delete user itself. del (system_users[userentry.user()]) userchange = True # delete user details from /etc/shadow del (system_shadow[userentry.user()]) shadowchange = True self.output_message('removed user "%s" from system.' % currentname) #delete user from the cache as_node('/services/User Manager').remove_user(currentname) if usernode: username = usernode.name # Name may be being changed. Node reference always has correct # name, where 'currentname' is the previous name if the name # is in fact being changed. Rename child operations take # advantage of this. if currentname is None: currentname = username if currentname in system_users: # User already exists, must be being updated. fd = open("/etc/group", "r") userentry = system_users[currentname] userid = userentry.uid() groupid = userentry.gid() flag = 1 for line in fd.readlines(): if re.search(str(groupid), line, re.IGNORECASE) != None: flag = 0 break if flag: cmd = "addgroup -g " cmd += str(groupid) cmd += " " cmd += currentname os.system(cmd) flag = 0 groupentry = system_groups[groupid] shadowentry = system_shadow[currentname] else: # User is completely new and user and private group # must be created. userid = system_users.new_uid() while userid in system_groups: userid = system_users.new_uid(userid) else: groupid = userid userentry = PasswdEntry() groupentry = GroupEntry() shadowentry = ShadowEntry() message = 'creating user "%s" and group "%s".' self.output_message(message % (username, username)) # A private group has the same name as the associated # user account. group_is_private = False if groupentry.group() == userentry.user(): group_is_private = True # If username has changed: change entry and flag. if userentry.user() != username: groups = [] if userentry.user() is not None: # New users cause exception when doing # group lookup before name is set. groups = userentry.groups(system_groups) currentname = userentry.user() userentry.user(username, validate) userchange = True shadowentry.user(username, validate) shadowchange = True message = 'changed user name from "%s" to "%s".' self.output_message(message % (currentname, username)) # Modify groups to which user belongs to reflect updated name. for group in groups: users = group.user_list() if currentname in users and username not in users: users[users.index(currentname)] = username group.user_list(users) groupchange = True message = 'changed user "%s" in group "%s" to "%s".' self.output_message( message % (currentname, group.group(), username)) # If group is only for this user and group name isn't username, # change and flag. if group_is_private and groupentry.group() != username: currentgroup = groupentry.group() groupentry.group(username) groupchange = True message = 'changed group name from "%s" to "%s".' self.output_message(message % (currentgroup, username)) # Change user-entry's password if doesn't match user node's. password = usernode.password if len(password ) and not shadowentry.password_matches_crypt(password): shadowentry.user(username, validate) shadowentry.passwd(password, validate) userentry.passwd('x', False) shadowentry.lstchg() shadowchange = True userchange = True self.output_message('changed password for user "%s".' % username) # Set user-entry UID to calulated UID (used for new entries). if not userentry.uid() == userid: currentuid = userentry.uid() userentry.uid(userid) userchange = True message = 'changed UID for user "%s" from %s to %s.' self.output_message(message % (username, currentuid, userid)) # Set user-entry GID to calculated GID (used for new entries). if userentry.gid() != groupid: currentgid = userentry.gid() userentry.gid(groupid) userchange = True message = 'changed GID for user "%s" from %s to %s.' self.output_message(message % (username, currentgid, groupid)) if not userentry.gecos(): currentgecos = userentry.gecos() userentry.gecos('ROLE=user') userchange = True message = 'changed gecos for user "%s" from %s to %s.' self.output_message(message % (username, currentgecos, 'ROLE=user')) # Set group-entry GID to calculated GID (should match whether private or not). if groupentry.gid() != groupid: currentgid = groupentry.gid() groupentry.gid(groupid) groupchange = True message = 'changed GID for group "%s" from %s to %s.' self.output_message(message % (groupentry.group(), currentgid, groupid)) if userchange: # Passwd file changed, set user into user dicationary # in case user was newly created, and save back file. system_users[userentry.user()] = userentry system_users.save() userchange = False as_node('/services/User Manager').remove_user(usernode.name) if shadowchange: # /etc/shadow file changed, set user into user dicationary # in case user was newly created, and save back file. system_shadow[shadowentry.user()] = shadowentry system_shadow.save() shadowchange = False if groupchange: # Group file changed, set user into groups dicationary # in case group was newly created, and save back file. system_groups[groupentry.group()] = groupentry system_groups.save() groupchange = False roles = usernode.roles[:] if self.role_manager.administrator.name in roles: if userentry.user_type() != 'mpxadmin': userchange = True shadowchange = True groupchange = True userentry.user_type('mpxadmin', system_users, system_groups) self.output_message( 'made user "%s" into "mpxadmin" type.' % username) if username in system_groups: group = system_groups[username] if userentry.gid() != group.gid(): users = group.user_list() if len(users) == 0: del (system_groups[username]) groupchange = True message = 'removed group "%s". ' % username message += 'Group no longer referenced.' else: message = 'not removing group "%s". ' % username message += 'Still has users %s.' % (users, ) self.output_message(message) elif userentry.user_type() == 'mpxadmin': message = 'System Administrator cannot be demoted. ' message += 'User "%s" must be removed in order to demote.' raise TypeError(message % username) if userchange: system_users.save() userchange = False username = usernode.name if usernode else currentname as_node('/services/User Manager').remove_user(username) if shadowchange: system_shadow.save() shadowchange = False if groupchange: system_groups.save() userchange = False return (userchange or groupchange or shadowchange)