def __verify_setup(self):
try:
node = as_node(self.context)
except:
raise EInvalidValue("Invalid Context", "%s" % self.context)
policies = list(self.parent.get_policies())
policies.remove(self)
for policy in policies:
if policy.uses_expression != self.uses_expression:
continue
if policy.context != self.context:
continue
# Policy contexts are same.
message = ("Conflicting policy configurations detected."
"Policies %s and %s have same context: '%s'.")
msglog.log("broadway", msglog.types.WARN,
message % (self, policy, self.context))
if policy.is_running():
message = "Running policy '%s' already has context: %s"
raise TypeError(message % (policy.name, self.context))
else:
message = ("%s ignoring context conflict: "
"conflicting policy is not running.")
msglog.log("broadway", msglog.types.WARN, message % self)
permissions = self.parent.get_permissions()
rolemap = self.rolemap.copy()
for role, granted in rolemap.items():
if not self.parent.parent.role_manager.has_role(role):
message = 'Policy "%s" ' % self.url
message += 'removing role "%s". ' % role
message += 'It does not exist.'
msglog.log('broadway', msglog.types.WARN, message)
del (self.rolemap[role])
elif isinstance(granted, (list, tuple)):
for permission in granted:
if permission not in permissions:
message = 'Policy "%s" ' % self.url
message += 'removing permission "%s" ' % permission
message += 'from role "%s". ' % role
message += 'Permission does not exist.'
msglog.log('broadway', msglog.types.WARN, message)
self.rolemap[role].remove(permission)
return
def __verify_setup(self):
try:
node = as_node(self.context)
except:
raise EInvalidValue("Invalid Context", "%s" % self.context)
policies = list(self.parent.get_policies())
policies.remove(self)
for policy in policies:
if policy.uses_expression != self.uses_expression:
continue
if policy.context != self.context:
continue
# Policy contexts are same.
message = ("Conflicting policy configurations detected."
"Policies %s and %s have same context: '%s'.")
msglog.log("broadway", msglog.types.WARN,
message % (self, policy, self.context))
if policy.is_running():
message = "Running policy '%s' already has context: %s"
raise TypeError(message % (policy.name, self.context))
else:
message = ("%s ignoring context conflict: "
"conflicting policy is not running.")
msglog.log("broadway", msglog.types.WARN, message % self)
permissions = self.parent.get_permissions()
rolemap = self.rolemap.copy()
for role, granted in rolemap.items():
if not self.parent.parent.role_manager.has_role(role):
message = 'Policy "%s" ' % self.url
message += 'removing role "%s". ' % role
message += 'It does not exist.'
msglog.log('broadway', msglog.types.WARN, message)
del(self.rolemap[role])
elif isinstance(granted, (list, tuple)):
for permission in granted:
if permission not in permissions:
message = 'Policy "%s" ' % self.url
message += 'removing permission "%s" ' % permission
message += 'from role "%s". ' % role
message += 'Permission does not exist.'
msglog.log('broadway', msglog.types.WARN, message)
self.rolemap[role].remove(permission)
return
def __synchronize_system(self, usernode, currentname=None, validate=True):
system_users = PasswdFile()
system_shadow = ShadowFile()
system_groups = GroupFile()
userchange = False
shadowchange = False
groupchange = False
group_is_private = False
system_users.load()
system_shadow.load()
system_groups.load()
flag = 0
#flag will be used to check if system admin is
#being demoted. bug CSCth82465
#if system admin is being demoted,
#it's entry will be removed and added again
if usernode and usernode.name in system_users:
userentry = system_users[usernode.name]
#user is a system administrator, but not mpxadmin,
#and it's current role is not mpxadmin
#i.e. a system administrator other than mpxadmin is being demoted
if userentry.user_type() == 'mpxadmin' \
and usernode.name != 'mpxadmin' \
and self.role_manager.administrator.name not in usernode.roles:
flag = 1
if usernode is None or flag:
# If no usernode is provided, the user with name 'currentname' is
# being removed.
if flag:
currentname = usernode.name
if currentname is None:
raise ValueError('Name must be provided when removing user.')
userentry = system_users[currentname]
# Loop through all groups to which user belongs, removing user.
groups = userentry.groups(system_groups)
for groupentry in groups:
users = groupentry.user_list()
# User is not in user list of private group, so only
# groups in to which user *also* belongs are modified.
if currentname in users:
users.remove(currentname)
groupentry.user_list(users)
groupchange = True
message = 'removed user "%s" from group "%s".'
self.output_message(message %
(currentname, groupentry.group()))
# If a private group was associated with the user--a group
# whose name is the same as the user name and whose member
# list contains no entries--find and remove it to keep clean.
if currentname in system_groups:
groupentry = system_groups[currentname]
if len(groupentry.user_list()) == 0:
# Private group for user entry, remove it.
del (system_groups[currentname])
groupchange = True
self.output_message('removed private group "%s".' %
currentname)
# Finally, delete user itself.
del (system_users[userentry.user()])
userchange = True
# delete user details from /etc/shadow
del (system_shadow[userentry.user()])
shadowchange = True
self.output_message('removed user "%s" from system.' % currentname)
#delete user from the cache
as_node('/services/User Manager').remove_user(currentname)
if usernode:
username = usernode.name
# Name may be being changed. Node reference always has correct
# name, where 'currentname' is the previous name if the name
# is in fact being changed. Rename child operations take
# advantage of this.
if currentname is None:
currentname = username
if currentname in system_users:
# User already exists, must be being updated.
fd = open("/etc/group", "r")
userentry = system_users[currentname]
userid = userentry.uid()
groupid = userentry.gid()
flag = 1
for line in fd.readlines():
if re.search(str(groupid), line, re.IGNORECASE) != None:
flag = 0
break
if flag:
cmd = "addgroup -g "
cmd += str(groupid)
cmd += " "
cmd += currentname
os.system(cmd)
flag = 0
groupentry = system_groups[groupid]
shadowentry = system_shadow[currentname]
else:
# User is completely new and user and private group
# must be created.
userid = system_users.new_uid()
while userid in system_groups:
userid = system_users.new_uid(userid)
else:
groupid = userid
userentry = PasswdEntry()
groupentry = GroupEntry()
shadowentry = ShadowEntry()
message = 'creating user "%s" and group "%s".'
self.output_message(message % (username, username))
# A private group has the same name as the associated
# user account.
group_is_private = False
if groupentry.group() == userentry.user():
group_is_private = True
# If username has changed: change entry and flag.
if userentry.user() != username:
groups = []
if userentry.user() is not None:
# New users cause exception when doing
# group lookup before name is set.
groups = userentry.groups(system_groups)
currentname = userentry.user()
userentry.user(username, validate)
userchange = True
shadowentry.user(username, validate)
shadowchange = True
message = 'changed user name from "%s" to "%s".'
self.output_message(message % (currentname, username))
# Modify groups to which user belongs to reflect updated name.
for group in groups:
users = group.user_list()
if currentname in users and username not in users:
users[users.index(currentname)] = username
group.user_list(users)
groupchange = True
message = 'changed user "%s" in group "%s" to "%s".'
self.output_message(
message % (currentname, group.group(), username))
# If group is only for this user and group name isn't username,
# change and flag.
if group_is_private and groupentry.group() != username:
currentgroup = groupentry.group()
groupentry.group(username)
groupchange = True
message = 'changed group name from "%s" to "%s".'
self.output_message(message % (currentgroup, username))
# Change user-entry's password if doesn't match user node's.
password = usernode.password
if len(password
) and not shadowentry.password_matches_crypt(password):
shadowentry.user(username, validate)
shadowentry.passwd(password, validate)
userentry.passwd('x', False)
shadowentry.lstchg()
shadowchange = True
userchange = True
self.output_message('changed password for user "%s".' %
username)
# Set user-entry UID to calulated UID (used for new entries).
if not userentry.uid() == userid:
currentuid = userentry.uid()
userentry.uid(userid)
userchange = True
message = 'changed UID for user "%s" from %s to %s.'
self.output_message(message % (username, currentuid, userid))
# Set user-entry GID to calculated GID (used for new entries).
if userentry.gid() != groupid:
currentgid = userentry.gid()
userentry.gid(groupid)
userchange = True
message = 'changed GID for user "%s" from %s to %s.'
self.output_message(message % (username, currentgid, groupid))
if not userentry.gecos():
currentgecos = userentry.gecos()
userentry.gecos('ROLE=user')
userchange = True
message = 'changed gecos for user "%s" from %s to %s.'
self.output_message(message %
(username, currentgecos, 'ROLE=user'))
# Set group-entry GID to calculated GID (should match whether private or not).
if groupentry.gid() != groupid:
currentgid = groupentry.gid()
groupentry.gid(groupid)
groupchange = True
message = 'changed GID for group "%s" from %s to %s.'
self.output_message(message %
(groupentry.group(), currentgid, groupid))
if userchange:
# Passwd file changed, set user into user dicationary
# in case user was newly created, and save back file.
system_users[userentry.user()] = userentry
system_users.save()
userchange = False
as_node('/services/User Manager').remove_user(usernode.name)
if shadowchange:
# /etc/shadow file changed, set user into user dicationary
# in case user was newly created, and save back file.
system_shadow[shadowentry.user()] = shadowentry
system_shadow.save()
shadowchange = False
if groupchange:
# Group file changed, set user into groups dicationary
# in case group was newly created, and save back file.
system_groups[groupentry.group()] = groupentry
system_groups.save()
groupchange = False
roles = usernode.roles[:]
if self.role_manager.administrator.name in roles:
if userentry.user_type() != 'mpxadmin':
userchange = True
shadowchange = True
groupchange = True
userentry.user_type('mpxadmin', system_users,
system_groups)
self.output_message(
'made user "%s" into "mpxadmin" type.' % username)
if username in system_groups:
group = system_groups[username]
if userentry.gid() != group.gid():
users = group.user_list()
if len(users) == 0:
del (system_groups[username])
groupchange = True
message = 'removed group "%s". ' % username
message += 'Group no longer referenced.'
else:
message = 'not removing group "%s". ' % username
message += 'Still has users %s.' % (users, )
self.output_message(message)
elif userentry.user_type() == 'mpxadmin':
message = 'System Administrator cannot be demoted. '
message += 'User "%s" must be removed in order to demote.'
raise TypeError(message % username)
if userchange:
system_users.save()
userchange = False
username = usernode.name if usernode else currentname
as_node('/services/User Manager').remove_user(username)
if shadowchange:
system_shadow.save()
shadowchange = False
if groupchange:
system_groups.save()
userchange = False
return (userchange or groupchange or shadowchange)
