diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2012-03-01 14:02:28 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-03-01 21:02:33 -0500 |
| commit | d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e (patch) | |
| tree | c5b69a401c0c8ae3dba503bf0bb7137cd641e382 /ipalib/plugins/sudorule.py | |
| parent | 31eebda584d556454104a8fbf26974b6b49d9589 (diff) | |
| download | freeipa-d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e.tar.gz freeipa-d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e.tar.xz freeipa-d55d8bfa7ed1d3617274c9f53974e7bf5209cc4e.zip | |
Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
Diffstat (limited to 'ipalib/plugins/sudorule.py')
| -rw-r--r-- | ipalib/plugins/sudorule.py | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index ff7b756a3..de7a7af37 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -40,6 +40,10 @@ FreeIPA provides a means to configure the various aspects of Sudo: RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. Options: The various Sudoers Options that can modify Sudo's behavior. +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. + FreeIPA provides a designated binddn to use with Sudo located at: uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com @@ -80,6 +84,7 @@ class sudorule(LDAPObject): 'memberallowcmd', 'memberdenycmd', 'ipasudoopt', 'ipasudorunas', 'ipasudorunasgroup', 'ipasudorunasusercategory', 'ipasudorunasgroupcategory', + 'sudoorder', ] uuid_attribute = 'ipauniqueid' rdn_attribute = 'ipauniqueid' @@ -139,6 +144,13 @@ class sudorule(LDAPObject): doc=_('RunAs Group category the rule applies to'), values=(u'all', ), ), + Int('sudoorder?', + cli_name='order', + label=_('Sudo order'), + doc=_('integer to order the Sudo rules'), + default=0, + minvalue=0, + ), Str('memberuser_user?', label=_('Users'), flags=['no_create', 'no_update', 'no_search'], @@ -207,6 +219,25 @@ class sudorule(LDAPObject): ), ) + order_not_unique_msg = _( + 'order must be a unique value (%(order)d already used by %(rule)s)' + ) + + def check_order_uniqueness(self, *keys, **options): + if 'sudoorder' in options: + entries = self.methods.find( + sudoorder=options['sudoorder'] + )['result'] + if len(entries) > 0: + rule_name = entries[0]['cn'][0] + raise errors.ValidationError( + name='order', + error=self.order_not_unique_msg % { + 'order': options['sudoorder'], + 'rule': rule_name, + } + ) + api.register(sudorule) @@ -214,6 +245,7 @@ class sudorule_add(LDAPCreate): __doc__ = _('Create new Sudo Rule.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + self.obj.check_order_uniqueness(*keys, **options) # Sudo Rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' return dn @@ -236,6 +268,15 @@ class sudorule_mod(LDAPUpdate): msg_summary = _('Modified Sudo Rule "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + if 'sudoorder' in options: + new_order = options.get('sudoorder') + old_entry = self.api.Command.sudorule_show(keys[-1])['result'] + if 'sudoorder' in old_entry: + old_order = int(old_entry['sudoorder'][0]) + if old_order != new_order: + self.obj.check_order_uniqueness(*keys, **options) + else: + self.obj.check_order_uniqueness(*keys, **options) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: |