authorAlexander Bokovoy <abokovoy@redhat.com>2014-10-10 09:26:13 +0300
committerPetr Vobornik <pvoborni@redhat.com>2014-10-13 12:08:50 +0200
commitca42d3469a6f83376d33b08d7bb4b43c2e93d604 (patch)
treeff2787205fbbf48b58c67dec5217b1f2e04cee9c
parent63be2ee9f0296e1366c77258929c7ce2dad53154 (diff)
Allow user overrides to specify SSH public keys
Overrides for users can have SSH public keys. This, however, will not enable SSH public keys from overrides to be actually used until SSSD gets fixed to pull them in. SSSD ticket for SSH public keys in overrides: https://fedorahosted.org/sssd/ticket/2454 Resolves https://fedorahosted.org/freeipa/ticket/4509 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
-rw-r--r--API.txt6
-rw-r--r--ipalib/plugins/idviews.py44
2 files changed, 48 insertions, 2 deletions
diff --git a/API.txt b/API.txt
index 41b852b65..5316ac2eb 100644
--- a/API.txt
+++ b/API.txt
@@ -2104,7 +2104,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: idoverrideuser_add
-args: 2,11,3
+args: 2,12,3
arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2112,6 +2112,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False)
option: Str('ipaoriginaluid', attribute=True, cli_name='ipaoriginaluid', multivalue=False, required=False)
+option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -2152,7 +2153,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: idoverrideuser_mod
-args: 2,14,3
+args: 2,15,3
arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2161,6 +2162,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
option: Str('homedirectory', attribute=True, autofill=False, cli_name='homedir', multivalue=False, required=False)
option: Str('ipaoriginaluid', attribute=True, autofill=False, cli_name='ipaoriginaluid', multivalue=False, required=False)
+option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index afaa6f910..c0b108260 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -25,6 +25,8 @@ from ipalib.plugins.hostgroup import get_complete_hostgroup_member_list
from ipalib import api, Str, Int, Flag, _, ngettext, errors, output
from ipalib.constants import IPA_ANCHOR_PREFIX, SID_ANCHOR_PREFIX
from ipalib.plugable import Registry
+from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
+ convert_sshpubkey_post)
from ipapython.dn import DN
@@ -658,6 +660,7 @@ class idoverrideuser(baseidoverride):
object_class = baseidoverride.object_class + ['ipaUserOverride']
default_attributes = baseidoverride.default_attributes + [
'homeDirectory', 'uidNumber', 'uid', 'ipaOriginalUid', 'loginShell',
+ 'ipaSshPubkey',
]
takes_params = baseidoverride.takes_params + (
@@ -686,6 +689,13 @@ class idoverrideuser(baseidoverride):
Str('ipaoriginaluid?',
flags=['no_option', 'no_output']
),
+ Str('ipasshpubkey*', validate_sshpubkey,
+ cli_name='sshpubkey',
+ label=_('SSH public key'),
+ normalizer=normalize_sshpubkey,
+ csv=True,
+ flags=['no_search'],
+ ),
)
override_object = 'user'
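Review bot: The new `ipasshpubkey` parameter lets override entries carry SSH login keys, and nothing in this diff shows who may write that attribute. Once SSSD consumes override keys, anyone able to modify `ipaSshPubKey` on an override could authorize a key for the overridden user on hosts that apply the view. The permissions or ACIs covering ID override entries are not visible here and should be checked to confirm that write access is limited to the intended admin role. A short comment above the parameter would record the constraint, e.g. `# keys set here authorize SSH logins as the overridden user; write access must stay restricted`. The `takes_params` tuple starts outside this hunk.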
@@ -758,6 +768,13 @@ class idoverrideuser_add(baseidoverride_add):
self.obj.update_original_uid_reference(entry_attrs)
return dn
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ dn = super(idoverrideuser_add, self).post_callback(ldap, dn,
+ entry_attrs, *keys, **options)
+ convert_sshpubkey_post(ldap, dn, entry_attrs)
+ return dn
+
+
@register()
class idoverrideuser_del(baseidoverride_del):
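Review bot: `idoverrideuser_add` gains only a `post_callback` here; the visible tail of its `pre_callback` does not add the `ipasshuser` objectclass, whereas the `idoverrideuser_mod` hunk does so when `ipasshpubkey` is set. If the schema requires `ipasshuser` for `ipaSshPubKey` on override entries, as the mod change implies, creating an override with `--sshpubkey` would presumably be rejected by the directory server. A matching guard before `return dn` in the add `pre_callback` would cover it: `if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('ipasshuser')`. The `pre_callback` starts outside the hunk, so confirm the base class does not already handle this.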
@@ -777,6 +794,20 @@ class idoverrideuser_mod(baseidoverride_mod):
# Update the ipaOriginalUid
self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
self.obj.update_original_uid_reference(entry_attrs)
+ if 'objectclass' in entry_attrs:
+ obj_classes = entry_attrs['objectclass']
+ else:
+ _entry_attrs = ldap.get_entry(dn, ['objectclass'])
+ obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
+
+ if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
+ obj_classes.append('ipasshuser')
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ dn = super(idoverrideuser_mod, self).post_callback(ldap, dn,
+ entry_attrs, *keys, **options)
+ convert_sshpubkey_post(ldap, dn, entry_attrs)
return dn
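Review bot: The objectclass lookup added to `idoverrideuser_mod.pre_callback` runs on every modification, so `ldap.get_entry(dn, ['objectclass'])` is issued and `entry_attrs['objectclass']` is set even when no SSH key is being changed. Nesting the whole lookup under `if 'ipasshpubkey' in entry_attrs:` limits the extra read and the objectclass write to the case that needs them. The membership test `'ipasshuser' not in obj_classes` is also case-sensitive; if the server returns the value in another case (for example `ipaSshUser`), the append would add a duplicate value, so `'ipasshuser' not in (oc.lower() for oc in obj_classes)` is the safer comparison. The start of `pre_callback` is outside the hunk.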
@@ -786,11 +817,24 @@ class idoverrideuser_find(baseidoverride_find):
msg_summary = ngettext('%(count)d User ID override matched',
'%(count)d User ID overrides matched', 0)
+ def post_callback(self, ldap, entries, truncated, *args, **options):
+ truncated = super(idoverrideuser_find, self).post_callback(
+ ldap, entries, truncated, *args, **options)
+ for entry in entries:
+ convert_sshpubkey_post(ldap, entry.dn, entry)
+ return truncated
+
@register()
class idoverrideuser_show(baseidoverride_show):
__doc__ = _('Display information about an User ID override.')
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ dn = super(idoverrideuser_show, self).post_callback(ldap, dn,
+ entry_attrs, *keys, **options)
+ convert_sshpubkey_post(ldap, dn, entry_attrs)
+ return dn
+
@register()
class idoverridegroup_add(baseidoverride_add):
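Review bot: The `post_callback` added to `idoverrideuser_show` repeats the one added to `idoverrideuser_add` and `idoverrideuser_mod` line for line, and `idoverrideuser_find` carries a per-entry variant of it. Four copies of the same `convert_sshpubkey_post` call will drift if the output conversion changes. A single helper on the `idoverrideuser` object, say `self.obj.convert_sshpubkey_post(ldap, dn, entry_attrs)`, would keep the commands in sync. Each override would also benefit from a one-line docstring stating what `convert_sshpubkey_post` does to the entry, since that helper lives in `ipalib.util` and is not visible from this file.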