websms/freeipa
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Imported Debian patch 4.0.5-6~numeezy

Browse Source
This commit is contained in:
Alexandre Ellert
2016-02-17 15:07:45 +01:00
committed by Mario Fetka
parent c44de33144
commit 10dfc9587b
1203 changed files with 53869 additions and 241462 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
ipaserver/install/plugins/update_managed_permissions.py
View File

@@ -40,13 +40,13 @@ dict of the same format is defined in this module.
The permission name must start with the "System:" prefix.
The template dictionary can have the following keys:
* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, ,ipapermtargetto, ipapermtargetfrom, objectclass
* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, objectclass
- Directly used as attributes on the permission.
- Replaced when upgrading an existing permission
- If not specified, these default to the defaults of a permission of the
corresponding --type, or, if non_object is specified, or if not on an
object, to general permission defaults .
- ipapermlocation, ipatargetto, ipapermtargetfrom, ipapermtarget must be DNs
- ipapermlocation and ipapermtarget must be DNs
- ipapermtargetfilter and objectclass must be iterables of strings
* ipapermbindruletype
- Directly used as attribute on the permission.
@@ -83,19 +83,17 @@ No other keys are allowed in the template
The plugin also deletes permissions specified in OBSOLETE_PERMISSIONS.
"""
import six
from ipalib import api, errors
from ipapython.dn import DN
from ipalib.plugable import Registry
from ipalib.plugins import aci
from ipalib.plugins.permission import permission, permission_del
from ipalib.aci import ACI
from ipalib import Updater
from ipapython import ipautil
from ipaserver.plugins.ldap2 import ldap2
from ipaserver.install.plugins import LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
if six.PY3:
unicode = str
register = Registry()
@@ -119,17 +117,6 @@ NONOBJECT_PERMISSIONS = {
},
'default_privileges': {'IPA Masters Readers'},
},
'System: Compat Tree ID View targets': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': api.env.basedn,
'ipapermtarget': DN('cn=*,cn=compat', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipaOverrideTarget)'},
'ipapermbindruletype': 'anonymous',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'ipaAnchorUUID',
},
},
'System: Read DNA Configuration': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
@@ -152,29 +139,6 @@ NONOBJECT_PERMISSIONS = {
'cn', 'objectclass', 'usercertificate',
},
},
'System: Add CA Certificate For Renewal': {
'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
'ipapermtarget': DN(
'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc',
api.env.basedn),
'ipapermtargetfilter': {'(objectclass=pkiuser)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'add'},
'default_privileges': {'Certificate Administrators'},
},
'System: Modify CA Certificate For Renewal': {
'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
'ipapermtarget': DN(
'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc',
api.env.basedn),
'ipapermtargetfilter': {'(objectclass=pkiuser)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {
'usercertificate',
},
'default_privileges': {'Certificate Administrators'},
},
'System: Read CA Certificate': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
@@ -186,52 +150,6 @@ NONOBJECT_PERMISSIONS = {
'authorityrevocationlist', 'crosscertificatepair',
},
},
'System: Modify CA Certificate': {
'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=pkica)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {
'cacertificate',
},
'default_privileges': {'Certificate Administrators'},
},
'System: Read Certificate Store Entries': {
'ipapermlocation': DN('cn=certificates,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipacertificate)'},
'ipapermbindruletype': 'anonymous',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'cn', 'objectclass', 'ipacertsubject', 'ipacertissuerserial',
'ipapublickey', 'ipaconfigstring', 'cacertificate', 'ipakeytrust',
'ipakeyusage', 'ipakeyextusage',
},
},
'System: Add Certificate Store Entry': {
'ipapermlocation': DN('cn=certificates,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipacertificate)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'add'},
'default_privileges': {'Certificate Administrators'},
},
'System: Modify Certificate Store Entry': {
'ipapermlocation': DN('cn=certificates,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipacertificate)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
'ipapermdefaultattr': {
'ipacertissuerserial', 'ipaconfigstring', 'cacertificate',
'ipakeytrust', 'ipakeyusage', 'ipakeyextusage',
},
'default_privileges': {'Certificate Administrators'},
},
'System: Remove Certificate Store Entry': {
'ipapermlocation': DN('cn=certificates,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipacertificate)'},
'ipapermbindruletype': 'permission',
'ipapermright': {'delete'},
'default_privileges': {'Certificate Administrators'},
},
'System: Read Replication Information': {
'replaces_global_anonymous_aci': True,
'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
@@ -262,35 +180,67 @@ NONOBJECT_PERMISSIONS = {
'ipantdomainguid', 'ipantfallbackprimarygroup',
},
},
'System: Read DUA Profile': {
'ipapermlocation': DN('ou=profile', api.env.basedn),
'System: Read Replication Agreements': {
'ipapermlocation': DN('cn=config'),
'ipapermtargetfilter': {
'(|'
'(objectclass=organizationalUnit)'
'(objectclass=DUAConfigProfile)'
'(objectclass=nsds5Replica)'
'(objectclass=nsds5replicationagreement)'
'(objectclass=nsDSWindowsReplicationAgreement)'
'(objectClass=nsMappingTree)'
')'
},
'ipapermbindruletype': 'anonymous',
'ipapermbindruletype': 'permission',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'objectclass', 'ou', 'cn', 'defaultServerList',
'preferredServerList', 'defaultSearchBase', 'defaultSearchScope',
'searchTimeLimit', 'bindTimeLimit', 'credentialLevel',
'authenticationMethod', 'followReferrals', 'dereferenceAliases',
'serviceSearchDescriptor', 'serviceCredentialLevel',
'serviceAuthenticationMethod', 'objectclassMap', 'attributeMap',
'profileTTL'
'cn', 'objectclass',
# nsds5Replica
'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
'nsds5replicaabortcleanruv', 'nsds5replicatype',
'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
'nsds5flags', 'nsds5task', 'nsds5replicareferral',
'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
# nsds5replicationagreement
'nsds5replicacleanruvnotified', 'nsds5replicahost',
'nsds5replicaport', 'nsds5replicatransportinfo',
'nsds5replicabinddn', 'nsds5replicacredentials',
'nsds5replicabindmethod', 'nsds5replicaroot',
'nsds5replicatedattributelist',
'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
'nsruvreplicalastmodified', 'nsds5replicatimeout',
'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
'nsds5replicaenabled', 'nsds5replicalastinitstart',
'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
'nsds5replicabusywaittime', 'nsds5replicastripattrs',
'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
# nsDSWindowsReplicationAgreement
'nsds5replicahost', 'nsds5replicaport',
'nsds5replicatransportinfo', 'nsds5replicabinddn',
'nsds5replicacredentials', 'nsds5replicabindmethod',
'nsds5replicaroot', 'nsds5replicatedattributelist',
'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
'description', 'nsds50ruv', 'nsruvreplicalastmodified',
'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
'nsds5replicalastinitend', 'nsds5replicalastinitstart',
'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
'winsyncdirectoryfilter', 'winsyncwindowsfilter',
'winsyncsubtreepair',
},
},
'System: Read Domain Level': {
'ipapermlocation': DN('cn=Domain Level,cn=ipa,cn=etc', api.env.basedn),
'ipapermtargetfilter': {'(objectclass=ipadomainlevelconfig)'},
'ipapermbindruletype': 'all',
'ipapermright': {'read', 'search', 'compare'},
'ipapermdefaultattr': {
'ipadomainlevel', 'objectclass',
},
},
'default_privileges': {'Replication Administrators'},
}
}
@@ -299,13 +249,14 @@ class IncompatibleACIModification(Exception):
@register()
class update_managed_permissions(Updater):
class update_managed_permissions(PostUpdate):
"""Update managed permissions after an update.
Update managed permissions according to templates specified in plugins.
For read permissions, puts any attributes specified in the legacy
Anonymous access ACI in the exclude list when creating the permission.
"""
order = LAST
def get_anonymous_read_aci(self, ldap):
aciname = u'Enable Anonymous access'
@@ -327,7 +278,7 @@ class update_managed_permissions(Updater):
for acistr in acistrs:
if ACI(acistr).isequal(anonymous_read_aci):
self.log.debug('Removing anonymous ACI: %s', acistr)
self.log.info('Removing anonymous ACI: %s', acistr)
acistrs.remove(acistr)
break
else:
@@ -343,31 +294,31 @@ class update_managed_permissions(Updater):
"""
for obj in sorted(self.api.Object(), key=lambda o: o.name):
managed_permissions = getattr(obj, 'managed_permissions', {})
for name, template in sorted(managed_permissions.items()):
for name, template in sorted(managed_permissions.iteritems()):
yield name, template, obj
for name, template in sorted(NONOBJECT_PERMISSIONS.items()):
for name, template in sorted(NONOBJECT_PERMISSIONS.iteritems()):
yield name, template, None
def execute(self, **options):
ldap = self.api.Backend.ldap2
ldap = self.api.Backend[ldap2]
anonymous_read_aci = self.get_anonymous_read_aci(ldap)
if anonymous_read_aci:
self.log.debug('Anonymous read ACI: %s', anonymous_read_aci)
self.log.info('Anonymous read ACI: %s', anonymous_read_aci)
else:
self.log.debug('Anonymous ACI not found')
self.log.info('Anonymous ACI not found')
current_obj = () # initially distinct from any obj value, even None
for name, template, obj in self.get_templates():
if current_obj != obj:
if obj:
self.log.debug('Updating managed permissions for %s',
self.log.info('Updating managed permissions for %s',
obj.name)
else:
self.log.debug('Updating non-object managed permissions')
self.log.info('Updating non-object managed permissions')
current_obj = obj
self.update_permission(ldap,
@@ -388,9 +339,9 @@ class update_managed_permissions(Updater):
except errors.NotFound:
self.log.debug('Obsolete permission not found')
else:
self.log.debug('Obsolete permission deleted: %s', obsolete_name)
self.log.info('Obsolete permission deleted: %s', obsolete_name)
return False, ()
return False, False, ()
def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
"""Update the given permission and the corresponding ACI"""
@@ -480,7 +431,7 @@ class update_managed_permissions(Updater):
permission_plugin.update_aci(entry)
if remove_legacy:
self.log.debug("Removing legacy permission '%s'", legacy_name)
self.log.info("Removing legacy permission '%s'", legacy_name)
self.api.Command[permission_del](unicode(legacy_name))
for name in template.get('replaces_system', ()):
@@ -489,14 +440,14 @@ class update_managed_permissions(Updater):
entry = ldap.get_entry(permission_plugin.get_dn(name),
['ipapermissiontype'])
except errors.NotFound:
self.log.debug("Legacy permission '%s' not found", name)
self.log.info("Legacy permission '%s' not found", name)
else:
flags = entry.get('ipapermissiontype', [])
if list(flags) == ['SYSTEM']:
self.log.debug("Removing legacy permission '%s'", name)
self.log.info("Removing legacy permission '%s'", name)
self.api.Command[permission_del](name, force=True)
else:
self.log.debug("Ignoring V2 permission '%s'", name)
self.log.info("Ignoring V2 permission '%s'", name)
def get_upgrade_attr_lists(self, current_acistring, default_acistrings):
"""Compute included and excluded attributes for a new permission
@@ -622,14 +573,6 @@ class update_managed_permissions(Updater):
if ipapermtarget is not None:
entry['ipapermtarget'] = ipapermtarget
ipapermtargetto = template.pop('ipapermtargetto', None)
if ipapermtargetto is not None:
entry['ipapermtargetto'] = ipapermtargetto
ipapermtargetfrom = template.pop('ipapermtargetfrom', None)
if ipapermtargetfrom is not None:
entry['ipapermtargetfrom'] = ipapermtargetfrom
# Attributes from template
bindruletype = template.pop('ipapermbindruletype', 'permission')
if is_new:
@@ -659,7 +602,7 @@ class update_managed_permissions(Updater):
anonymous_read_aci.target['targetattr']['expression'])
read_blacklist &= attributes
if read_blacklist:
self.log.debug('Excluded attributes for %s: %s',
self.log.info('Excluded attributes for %s: %s',
name, ', '.join(read_blacklist))
entry['ipapermexcludedattr'] = list(read_blacklist)
@@ -668,75 +611,3 @@ class update_managed_permissions(Updater):
raise ValueError(
'Unknown key(s) in managed permission template %s: %s' % (
name, ', '.join(template.keys())))
@register()
class update_read_replication_agreements_permission(Updater):
"""'Read replication agreements' permission must not be managed permission
https://fedorahosted.org/freeipa/ticket/5631
Existing permission "cn=System: Read Replication Agreements" must be moved
to non-managed permission "cn=Read Replication Agreements" using modrdn
ldap operation to keep current membership of the permission set by user.
ACI is updated via update files
"""
def execute(self, **options):
ldap = self.api.Backend.ldap2
old_perm_dn = DN(
('cn', 'System: Read Replication Agreements'),
self.api.env.container_permission,
self.api.env.basedn
)
new_perm_dn = DN(
('cn', 'Read Replication Agreements'),
self.api.env.container_permission,
self.api.env.basedn
)
try:
perm_entry = ldap.get_entry(old_perm_dn)
except errors.NotFound:
self.log.debug("Old permission not found")
return False, ()
try:
ldap.get_entry(new_perm_dn)
except errors.NotFound:
# we can happily upgrade
pass
else:
self.log.error("Permission '{}' cannot be upgraded. "
"Permission with target name '{}' already "
"exists".format(old_perm_dn, new_perm_dn))
return False, ()
# values are case insensitive
for t in list(perm_entry['ipapermissiontype']):
if t.lower() in ['managed', 'v2']:
perm_entry['ipapermissiontype'].remove(t)
for o in list(perm_entry['objectclass']):
if o.lower() == 'ipapermissionv2':
# remove permission V2 objectclass and related attributes
perm_entry['objectclass'].remove(o)
perm_entry['ipapermdefaultattr'] = []
perm_entry['ipapermright'] = []
perm_entry['ipapermbindruletype'] = []
perm_entry['ipapermlocation'] = []
perm_entry['ipapermtargetfilter'] = []
self.log.debug("Removing MANAGED attributes from permission %s",
old_perm_dn)
try:
ldap.update_entry(perm_entry)
except errors.EmptyModlist:
pass
# do modrdn on permission
self.log.debug("modrdn: %s -> %s", old_perm_dn, new_perm_dn)
ldap.move_entry(old_perm_dn, new_perm_dn)
return False, ()