diff options
| author | John Dennis <jdennis@redhat.com> | 2012-05-13 07:36:35 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2012-08-12 16:23:24 -0400 |
| commit | 94d457e83c172320707fbf13f7a1587dad128ece (patch) | |
| tree | e1e2d88ee436114f1f82f2ba4141c6318089765a /ipalib | |
| parent | be9614654ee8232323a19ec56e551c4f66e6cc72 (diff) | |
| download | freeipa-94d457e83c172320707fbf13f7a1587dad128ece.tar.gz freeipa-94d457e83c172320707fbf13f7a1587dad128ece.tar.xz freeipa-94d457e83c172320707fbf13f7a1587dad128ece.zip | |
Use DN objects instead of strings
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
Diffstat (limited to 'ipalib')
36 files changed, 454 insertions, 1818 deletions
diff --git a/ipalib/__init__.py b/ipalib/__init__.py index dd861a826..8bf37f048 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -878,7 +878,7 @@ from backend import Backend from frontend import Command, LocalOrRemote, Updater from frontend import Object, Method, Property from crud import Create, Retrieve, Update, Delete, Search -from parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password +from parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam from parameters import BytesEnum, StrEnum, AccessTime, File from errors import SkipPluginModule from text import _, ngettext, GettextFactory, NGettextFactory diff --git a/ipalib/aci.py b/ipalib/aci.py index 1b607a393..53c0053c6 100755 --- a/ipalib/aci.py +++ b/ipalib/aci.py @@ -254,32 +254,6 @@ class ACI: # We got this far so lets declare them the same return True -def extract_group_cns(aci_list, client): - """ - Extracts all the cn's from a list of aci's and returns them as a hash - from group_dn to group_cn. - - It first tries to cheat by looking at the first rdn for the - group dn. If that's not cn for some reason, it looks up the group. - """ - group_dn_to_cn = {} - for aci in aci_list: - for dn in (aci.source_group, aci.dest_group): - if not group_dn_to_cn.has_key(dn): - rdn_list = ldap.explode_dn(dn, 0) - first_rdn = rdn_list[0] - (type,value) = first_rdn.split('=') - if type == "cn": - group_dn_to_cn[dn] = value - else: - try: - group = client.get_entry_by_dn(dn, ['cn']) - group_dn_to_cn[dn] = group.getValue('cn') - except Exception: - group_dn_to_cn[dn] = 'unknown' - - return group_dn_to_cn - if __name__ == '__main__': # a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') # print a diff --git a/ipalib/config.py b/ipalib/config.py index 5e3ef8d9b..3c9aeaa28 100644 --- a/ipalib/config.py +++ b/ipalib/config.py @@ -35,6 +35,7 @@ import os from os import path import sys from socket import getfqdn +from ipapython.dn import DN from base import check_name from constants import CONFIG_SECTION @@ -256,12 +257,14 @@ class Env(object): value = m[value] elif value.isdigit(): value = int(value) + elif key in ('basedn'): + value = DN(value) else: try: value = float(value) except (TypeError, ValueError): pass - assert type(value) in (unicode, int, float, bool, NoneType) + assert type(value) in (unicode, int, float, bool, NoneType, DN) object.__setattr__(self, key, value) self.__d[key] = value diff --git a/ipalib/constants.py b/ipalib/constants.py index f0f89a3b3..59649865b 100644 --- a/ipalib/constants.py +++ b/ipalib/constants.py @@ -22,6 +22,7 @@ All constants centralised in one file. """ import socket +from ipapython.dn import DN from ipapython.version import VERSION try: FQDN = socket.getfqdn() @@ -69,44 +70,44 @@ DEFAULT_CONFIG = ( # Domain, realm, basedn: ('domain', 'example.com'), ('realm', 'EXAMPLE.COM'), - ('basedn', 'dc=example,dc=com'), + ('basedn', DN(('dc', 'example'), ('dc', 'com'))), # LDAP containers: - ('container_accounts', 'cn=accounts'), - ('container_user', 'cn=users,cn=accounts'), - ('container_group', 'cn=groups,cn=accounts'), - ('container_service', 'cn=services,cn=accounts'), - ('container_host', 'cn=computers,cn=accounts'), - ('container_hostgroup', 'cn=hostgroups,cn=accounts'), - ('container_rolegroup', 'cn=roles,cn=accounts'), - ('container_permission', 'cn=permissions,cn=pbac'), - ('container_privilege', 'cn=privileges,cn=pbac'), - ('container_automount', 'cn=automount'), - ('container_policies', 'cn=policies'), - ('container_configs', 'cn=configs,cn=policies'), - ('container_roles', 'cn=roles,cn=policies'), - ('container_applications', 'cn=applications,cn=configs,cn=policies'), - ('container_policygroups', 'cn=policygroups,cn=configs,cn=policies'), - ('container_policylinks', 'cn=policylinks,cn=configs,cn=policies'), - ('container_netgroup', 'cn=ng,cn=alt'), - ('container_hbac', 'cn=hbac'), - ('container_hbacservice', 'cn=hbacservices,cn=hbac'), - ('container_hbacservicegroup', 'cn=hbacservicegroups,cn=hbac'), - ('container_dns', 'cn=dns'), - ('container_virtual', 'cn=virtual operations,cn=etc'), - ('container_sudorule', 'cn=sudorules,cn=sudo'), - ('container_sudocmd', 'cn=sudocmds,cn=sudo'), - ('container_sudocmdgroup', 'cn=sudocmdgroups,cn=sudo'), - ('container_entitlements', 'cn=entitlements,cn=etc'), - ('container_automember', 'cn=automember,cn=etc'), - ('container_selinux', 'cn=usermap,cn=selinux'), - ('container_s4u2proxy', 'cn=s4u2proxy,cn=etc'), - ('container_cifsdomains', 'cn=ad,cn=etc'), - ('container_trusts', 'cn=trusts'), - ('container_adtrusts', 'cn=ad,cn=trusts'), - ('container_ranges', 'cn=ranges,cn=etc'), - ('container_dna', 'cn=dna,cn=ipa,cn=etc'), - ('container_dna_posix_ids', 'cn=posix-ids,cn=dna,cn=ipa,cn=etc'), + ('container_accounts', DN(('cn', 'accounts'))), + ('container_user', DN(('cn', 'users'), ('cn', 'accounts'))), + ('container_group', DN(('cn', 'groups'), ('cn', 'accounts'))), + ('container_service', DN(('cn', 'services'), ('cn', 'accounts'))), + ('container_host', DN(('cn', 'computers'), ('cn', 'accounts'))), + ('container_hostgroup', DN(('cn', 'hostgroups'), ('cn', 'accounts'))), + ('container_rolegroup', DN(('cn', 'roles'), ('cn', 'accounts'))), + ('container_permission', DN(('cn', 'permissions'), ('cn', 'pbac'))), + ('container_privilege', DN(('cn', 'privileges'), ('cn', 'pbac'))), + ('container_automount', DN(('cn', 'automount'))), + ('container_policies', DN(('cn', 'policies'))), + ('container_configs', DN(('cn', 'configs'), ('cn', 'policies'))), + ('container_roles', DN(('cn', 'roles'), ('cn', 'policies'))), + ('container_applications', DN(('cn', 'applications'), ('cn', 'configs'), ('cn', 'policies'))), + ('container_policygroups', DN(('cn', 'policygroups'), ('cn', 'configs'), ('cn', 'policies'))), + ('container_policylinks', DN(('cn', 'policylinks'), ('cn', 'configs'), ('cn', 'policies'))), + ('container_netgroup', DN(('cn', 'ng'), ('cn', 'alt'))), + ('container_hbac', DN(('cn', 'hbac'))), + ('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))), + ('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))), + ('container_dns', DN(('cn', 'dns'))), + ('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))), + ('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))), + ('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))), + ('container_sudocmdgroup', DN(('cn', 'sudocmdgroups'), ('cn', 'sudo'))), + ('container_entitlements', DN(('cn', 'entitlements'), ('cn', 'etc'))), + ('container_automember', DN(('cn', 'automember'), ('cn', 'etc'))), + ('container_selinux', DN(('cn', 'usermap'), ('cn', 'selinux'))), + ('container_s4u2proxy', DN(('cn', 's4u2proxy'), ('cn', 'etc'))), + ('container_cifsdomains', DN(('cn', 'ad'), ('cn', 'etc'))), + ('container_trusts', DN(('cn', 'trusts'))), + ('container_adtrusts', DN(('cn', 'ad'), ('cn', 'trusts'))), + ('container_ranges', DN(('cn', 'ranges'), ('cn', 'etc'))), + ('container_dna', DN(('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))), + ('container_dna_posix_ids', DN(('cn', 'posix-ids'), ('cn', 'dna'), ('cn', 'ipa'), ('cn', 'etc'))), # Ports, hosts, and URIs: # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri diff --git a/ipalib/dn.py b/ipalib/dn.py deleted file mode 100644 index 6f2f7deb5..000000000 --- a/ipalib/dn.py +++ /dev/null @@ -1,1337 +0,0 @@ -# Authors: -# John Dennis <jdennis@redhat.com> -# -# Copyright (C) 2011 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. - -from ldap.dn import str2dn, dn2str -from ldap import DECODING_ERROR -import codecs -import sys - -utf8_codec = codecs.lookup('utf-8') - -__all__ = ['AVA', 'RDN', 'DN'] - -''' - -Goal ----- - -To allow a Python programmer the ability to operate on DN's -(Distinguished Names) in a simple intuitive manner supporting all the -Pythonic mechanisms for manipulating objects such that the simple -majority case remains simple with simple code, yet the corner cases -are fully supported. With the result both simple and complex cases are -100% correct. - -This is achieved with a fair of amount of syntax sugar which is best -described as "Do What I Mean" (i.e. DWIM). The class implementations -take simple expressions and internally convert them to their more -complex full definitions hiding much of the complexity from the -programmer. - -Anatomy of a DN ---------------- - -Some definitions: - -AVA - An AVA is an Attribute Value Assertion. In more simple terms it's - an attribute value pair typically expressed as attr=value - (e.g. cn=Bob). Both the attr and value in an AVA when expressed in - a string representation are subject to encoding rules. - -RDN - A RDN is a Relative Distinguished Name. A RDN is a non-empty set of - AVA's. In the common case a RDN is single valued consisting of 1 - AVA (e.g. cn=Bob). But a RDN may be multi-valued consisting of - more than one AVA. Because the RDN is a set of AVA's the AVA's are - unordered when they appear in a multi-valued RDN. In the string - representation of a RDN AVA's are separated by the plus sign (+). - -DN - A DN is a ordered sequence of 1 or more RDN's. In the string - representation of a DN each RDN is separated by a comma (,) - -Thus a DN is: - -Sequence of set of <encoded attr, encoded value> pairs - -The following are valid DN's - -# 1 RDN with 1 AVA (e.g. cn=Bob) -RDN(AVA) - -# 2 RDN's each with 1 AVA (e.g. cn=Bob,dc=redhat.com) -RDN(AVA),RDN(AVA) - -# 2 RDN's the first RDN is multi-valued with 2 AVA's -# the second RDN is singled valued with 1 AVA -# (e.g. cn=Bob+ou=people,dc=redhat.com -RDN({AVA,AVA}),RDN(AVA) - -Common programming mistakes ---------------------------- - -DN's present a pernicious problem for programmers. They appear to have -a very simple string format in the majority case, a sequence of -attr=value pairs separated by commas. For example: - -dn='cn=Bob,ou=people,dc=redhat,dc=com' - -As such there is a tendency to believe you can form DN's by simple -string manipulations such as: - -dn='%s=%s' % ('cn','Bob') + ',ou=people,dc=redhat,dc=com' - -Or to extract a attr & value by searching the string, for example: - -attr=dn[0 : dn.find('=')] -value=dn[dn.find('=')+1 : dn.find(',')] - -Or compare a value returned by an LDAP query to a known value: - -if value == 'Bob' - -All of these simple coding assumptions are WRONG and will FAIL when a -DN is not one of the simple DN's (simple DN's are probably the 95% of -all DN's). This is what makes DN handling pernicious. What works in -95% of the cases and is simple, fails for the 5% of DN's which are not -simple. - -Examples of where the simple assumptions fail are: - -* A RDN may be multi-valued - -* A multi-valued RDN has no ordering on it's components - -* Attr's and values must be UTF-8 encoded - -* String representations of AVA's, RDN's and DN's must be completely UTF-8 - -* An attr or value may have reserved characters which must be escaped. - -* Whitespace needs special handling - -To complicate matters a bit more the RFC for the string representation -of DN's (RFC 4514) permits a variety of different syntax's each of -which can evaluate to exactly the same DN but have different string -representations. For example, the attr "r,w" which contains a reserved -character (the comma) can be encoded as a string in these different -ways: - -'r\,w' # backslash escape -'r\2cw' # hexadecimal ascii escape -'#722C77' # binary encoded - -It should be clear a DN string may NOT be a simple string, rather a DN -string is ENCODED. For simple strings the encoding of the DN is -identical to the simple string value (this common case leads to -erroneous assumptions and bugs because it does not account for -encodings). - -The openldap library we use at the client level uses the backslash -escape form. The LDAP server we use uses the hexadecimal ascii escape -form. Thus 'r,w' appears as 'r\,w' when sent from the client to the -LDAP server as part of a DN. But when it's returned as a DN from the -server in an LDAP search it's returned as 'r\2cw'. Any attempt to -compare 'r\,w' to 'r\2cw' for equality will fail despite the fact they -are indeed equal once decoded. Such a test fails because you're -comparing two different encodings of the same value. In MIME you -wouldn't expect the base64 encoding of a string to be equal to the -same string encoded as quoted-printable would you? - -When you are comparing attrs or values which are part of a DN and -other string you MUST: - -* Know if either of the strings have been encoded and make sure you're - comparing only decoded components component-wise. - -* Extract the component from the DN and decode it. You CANNOT decode - the entire DN as a string and operate on it. Why? Consider a value - with a comma embedded in it. For example: - - cn=r\2cw,cn=privilege - - Is a DN with 2 RDN components: cn=r,w followed by "cn=privilege" - - But if you decode the entire DN string as a whole you would get: - - cn=r,w,cn=privilege - - Which is a malformed DN with 3 RDN's, the 2nd RDN is invalid. - -* Determine if a RDN is multi-valued, if so you must account - for the fact each AVA component in the multi-valued RDN can appear - in any order and still be equivalent. For example the following two - RDN's are equal: - - cn=Bob+ou=people - ou=people+cn=Bob - - In addition each AVA (cn=Bob & ou=people) needs to be - INDEPENDENTLY decoded prior to comparing the unordered set of AVA's - in the multi-valued RDN. - -If you are trying to form a new DN or RDN from a raw string you cannot -simply do string concatenation or string formatting unless you ESCAPE -the components independently prior to concatenation, for example: - - base = 'dc=redhat,dc=com' - value = 'r,w' - dn = 'cn=%s,%s' % (value, base) - -Will result in the malformed DN 'cn=r,w,dc=redhat,dc=com' - -Syntax Sugar ------------- - -The majority of DN's have a simple string form: - -attr=value,attr=value - -We want the programmer to be able to create DN's, compare them, and -operate on their components as simply and concisely as possible so -the classes are implemented to provide a lot of syntax sugar. - -The classes automatically handle UTF-8 <-> Unicode conversions. Every -attr and value which is returned from a class will be Unicode. Every -attr and value assigned into an object will be promoted to -Unicode. All string representations in RFC 4514 format will be UTF-8 -and properly escaped. Thus at the "user" or "API" level every string -is Unicode with the single exception that the str() method returns RFC -compliant escaped UTF-8. - -RDN's are assumed to be single-valued. If you need a multi-valued RDN -(an exception) you must explicitly create a multi-valued RDN. - -Thus DN's are assumed to be a sequence of attr, value pairs, which is -equivalent to a sequence of RDN's. The attr and value in the pair MUST -be strings. - -The DN and RDN constructors take a sequence, the constructor parses -the sequence to find items it knows about. - -The DN constructor will accept in it's sequence: - * tuple of 2 strings, converting it to an RDN - * list of 2 strings, converting it to an RDN - * a RDN object - * a DN syntax string (e.g. 'cn=Bob,dc=redhat.com') - -Note DN syntax strings should be avoided if possible when passing to a -constructor because they run afoul of the problems outlined above -which the DN, RDN & AVA classes are meant to overcome. But sometimes a -DN syntax string is all you have to work with. DN strings which come -from a LDAP library or server will be properly formed and it's safe to -use those. However DN strings provided via user input should be -treated suspiciously as they may be improperly formed. You can test -for this by passing the string to the DN constructor and see if it -throws an exception. - -The sequence passed to the DN constructor takes each item in order, -produces one or more RDN's from it and appends those RDN in order to -its internal RDN sequence. - -For example: - - DN(('cn', 'Bob'), ('dc', 'redhat.com')) - -This is equivalent to the DN string: - - cn=Bob,dc=redhat.com - -And is exactly equal to: - - DN(RDN(AVA('cn','Bob')),RDN(AVA('dc','redhat.com'))) - -The following are alternative syntax's which are all exactly -equivalent to the above example. - - DN(['cn', 'Bob'], ['dc', 'redhat.com']) - DN(RDN('cn', 'Bob'), RDN('dc', 'redhat.com')) - -You can provide a properly escaped string representation. - - DN('cn=Bob,dc=redhat.com') - -You can mix and match any of the forms in the constructor parameter -list. - - DN(('cn', 'Bob'), 'dc=redhat.com') - DN(('cn', 'Bob'), RDN('dc', 'redhat.com')) - -AVA's have an attr and value property, thus if you have an AVA - -# Get the attr and value -ava.attr -> u'cn' -ava.value -> u'Bob' - -# Set the attr and value -ava.attr = 'cn' -ava.value = 'Bob' - -Since RDN's are assumed to be single valued, exactly the same -behavior applies to an RDN. If the RDN is multi-valued then the attr -property returns the attr of the first AVA, likewise for the value. - -# Get the attr and value -rdn.attr -> u'cn' -rdn.value -> u'Bob' - -# Set the attr and value -rdn.attr = 'cn' -rdn.value = 'Bob' - -Also RDN's can be indexed by name or position (see the RDN class doc -for details). - -rdn['cn'] -> u'Bob' -rdn[0] -> AVA('cn', 'Bob') - -A DN is a sequence of RDN's, as such any of Python's container -operators can be applied to a DN in a intuitive way. - -# How many RDN's in a DN? -len(dn) - -# WARNING, this a count of RDN's not how characters there are in the -# string representation the dn, instead that would be: -len(str(dn)) - -# Iterate over each RDN in a DN -for rdn in dn: - -# Get the first RDN in a DN -dn[0] -> RDN('cn', 'Bob') - -# Get the value of the first RDN in a DN -dn[0].value -> u'Bob' - -# Get the value of the first RDN by indexing by attr name -dn['cn'] -> u'Bob' - -# WARNING, when a string is used as an index key the FIRST RDN's value -# in the sequence whose attr matches the key is returned. Thus if you -# have a DN like this "cn=foo,cn=bar" then dn['cn'] will always return -# 'foo' even though there is another attr with the name 'cn'. This is -# almost always what the programmer wants. See the class doc for how -# you can override this default behavior and get a list of every value -# whose attr matches the key. - -# Set the first RDN in the DN (all are equivalent) -dn[0] = ('cn', 'Bob') -dn[0] = ['cn', 'Bob'] -dn[0] = RDN('cn', 'Bob') - -dn[0].attr = 'cn' -dn[0].value = 'Bob' - -# Get the first two RDN's using slices -dn[0:2] - -# Get the last two RDN's using slices -dn[-2:] - -# Get a list of all RDN's using slices -dn[:] - -# Set the 2nd and 3rd RDN using slices (all are equivalent) -dn[1:3] = ('cn', 'Bob), ('dc', 'redhat.com') -dn[1:3] = RDN('cn', 'Bob), RDN('dc', 'redhat.com') - -String representations and escapes: - -# To get an RFC compliant string representation of a DN, RDN or AVA -# simply call str() on it or evaluate it in a string context. -str(dn) -> 'cn=Bob,dc=redhat.com' - -# When working with attr's and values you do not have to worry about -# escapes, simply use the raw unescaped string in a natural fashion. - -rdn = RDN('cn', 'r,w') - -# Thus: -rdn.value == 'r,w' -> True - -# But: -str(rdn) == 'cn=r,w' -> False -# Because: -str(rdn) -> 'cn=r\2cw' or 'cn='r\,w' # depending on the underlying LDAP library - -Equality and Comparing: - -# All DN's, RDN's and AVA's support equality testing in an intuitive -# manner. -dn1 = DN(('cn', 'Bob')) -dn2 = DN(RDN('cn', 'Bob')) -dn1 == dn2 -> True -dn1[0] == dn2[0] -> True -dn1[0].value = 'Bobby' -dn1 == dn2 -> False - -DN objects implement startswith(), endswith() and the "in" membership -operator. You may pass a DN or RDN object to these. Examples: - -if dn.endswith(base_dn): -if dn.startswith(rdn1): -if container_dn in dn: - -# See the class doc for how DN's, RDN's and AVA's compare -# (e.g. cmp()). The general rule is for objects supporting multiple -# values first their lengths are compared, then if the lengths match -# the respective components of each are pair-wise compared until one -# is discovered to be non-equal. The comparision is case insensitive. - -Concatenation and In-Place Addition: - -# DN's and RDN's can be concatenated. -# Return a new DN by appending the RDN's of dn2 to dn1 -dn3 = dn1 + dn2 - -# Append a RDN to DN's RDN sequence (all are equivalent) -dn += ('cn', 'Bob') -dn += RDN('cn', 'Bob') - -# Append a DN to an existing DN -dn1 += dn2 - -Finally see the unittest for a more complete set of ways you can -manipulate these objects. - -''' - -def _adjust_indices(start, end, length): - 'helper to fixup start/end slice values' - - if end > length: - end = length - elif end < 0: - end += length - if end < 0: - end = 0 - - if start < 0: - start += length - if start < 0: - start = 0 - - return start, end - -class AVA(object): - ''' - AVA(arg0, ...) - - An AVA is an LDAP Attribute Value Assertion. It is convenient to think of - AVA's as a <attr,value> pair. AVA's are members of RDN's (Relative - Distinguished Name). - - The AVA constructor is passed a sequence of args and a set of - keyword parameters used for configuration. - - The arg sequence may be: - - 1) With 2 string (or unicode) arguments, the first argument will be the - attr, the 2nd the value. - - 2) With a sigle list or tuple argument containing exactly 2 string (or unicode - members), the first member is the attr and the second is the value. - - 3) With a single string (or unicode) argument, in this case the string will - be interpretted using the DN syntax described in RFC 4514 to yield a AVA - <attr,value> pair. The parsing recognizes the DN syntax escaping rules. - - For example: - - ava = AVA('cn', 'Bob') # case 1: two strings - ava = AVA(('cn', 'Bob')) # case 2: 2-valued tuple - ava = AVA(['cn', 'Bob']) # case 2: 2-valued list - ava = AVA('cn=Bob') # case 3: DN syntax - - AVA object have two properties for accessing their data: - - attr: the attribute name, cn in our exmaple - value: the attribute's value, Bob in our example - - When attr and value are returned they will always be unicode. When - attr or value are set they will be promoted to unicode. - - AVA objects support indexing by name, e.g. - - ava['cn'] - - returns the value (Bob in our example). If the index does key does not match - the attr then a KeyError will be raised. - - AVA objects support equality testing and comparsion (e.g. cmp()). When they - are compared the attr is compared first, if the 2 attr's are equal then the - values are compared. The comparision is case insensitive (because attr's map - to numeric OID's and their values derive from from the 'name' atribute type - (OID 2.5.4.41) whose EQUALITY MATCH RULE is caseIgnoreMatch. - - The str method of an AVA returns the string representation in RFC 4514 DN - syntax with proper escaping. - ''' - flags = 0 - - def __init__(self, *args, **kwds): - if len(args) == 1: - arg = args[0] - if isinstance(arg, basestring): - try: - rdns = str2dn(arg.encode('utf-8')) - except DECODING_ERROR: - raise ValueError("malformed AVA string = \"%s\"" % arg) - if len(rdns) != 1: - raise ValueError("multiple RDN's specified by \"%s\"" % (arg)) - rdn = rdns[0] - if len(rdn) != 1: - raise ValueError("multiple AVA's specified by \"%s\"" % (arg)) - ava = rdn[0] - elif isinstance(arg, (tuple, list)): - ava = arg - if len(ava) != 2: - raise ValueError("tuple or list must be 2-valued, not \"%s\"" % (ava)) - else: - raise TypeError("with 1 argument, argument must be str,unicode,tuple or list, got %s instead" % \ - arg.__class__.__name__) - - attr = ava[0] - value = ava[1] - elif len(args) == 2: - attr = args[0] - value = args[1] - else: - raise TypeError("takes 1 or 2 arguments (%d given)" % (len(args))) - - if not isinstance(attr, basestring): - raise TypeError("attr must be basestring, got %s instead" % attr.__class__.__name__) - if not isinstance(value, basestring): - raise TypeError("value must be basestring, got %s instead" % value.__class__.__name__) - - self.attr = attr - self.value = value - - def _get_attr(self): - return self._attr_unicode - - def _set_attr(self, new_attr): - if not isinstance(new_attr, basestring): - raise TypeError("attr must be basestring, got %s instead" % new_attr.__class__.__name__) - - if isinstance(new_attr, unicode): - self._attr_unicode = new_attr - else: - self._attr_unicode = utf8_codec.decode(new_attr)[0] - - attr = property(_get_attr, _set_attr) - - def _get_value(self): - return self._value_unicode - - def _set_value(self, new_value): - if not isinstance(new_value, basestring): - raise TypeError("value must be basestring, got %s instead" % new_value.__class__.__name__) - - if isinstance(new_value, unicode): - self._value_unicode = new_value - else: - self._value_unicode = utf8_codec.decode(new_value)[0] - - value = property(_get_value, _set_value) - - def _to_openldap(self): - return [[(self._attr_unicode.encode('utf-8'), self._value_unicode.encode('utf-8'), self.flags)]] - - def __str__(self): - return dn2str(self._to_openldap()) - - def __getitem__(self, key): - if isinstance(key, basestring): - if key == self._attr_unicode: - return self._value_unicode - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - raise TypeError("unsupported type for AVA indexing, must be basestring; not %s" % \ - (key.__class__.__name__)) - - def __eq__(self, other): - ''' - The attr comparison is case insensitive because attr is - really an LDAP attribute type which means it's specified with - an OID (dotted number) and not a string. Since OID's are - numeric the human readable name which maps to the OID is not - significant in case. - - The value comparison is also case insensitive because the all - attribute types used in a DN are derived from the 'name' - atribute type (OID 2.5.4.41) whose EQUALITY MATCH RULE is - caseIgnoreMatch. - ''' - if not isinstance(other, self.__class__): - raise TypeError("expected AVA but got %s" % (other.__class__.__name__)) - - return self._attr_unicode.lower() == other.attr.lower() and \ - self._value_unicode.lower() == other.value.lower() - - def __cmp__(self, other): - 'comparision is case insensitive, see __eq__ doc for explanation' - - if not isinstance(other, self.__class__): - raise TypeError("expected AVA but got %s" % (other.__class__.__name__)) - - result = cmp(self._attr_unicode.lower(), other.attr.lower()) - if result != 0: - return result - result = cmp(self._value_unicode.lower(), other.value.lower()) - return result - -class RDN(object): - ''' - RDN(arg0, ..., first_key_match=True) - - An RDN is a LDAP Relative Distinguished Name. RDN's are members of DN's - (Distinguished Name). An RDN contains 1 or more AVA's. If the RDN contains - more than one AVA it is said to be a multi-valued RDN. When an RDN is - multi-valued the AVA's are unorderd comprising a set. However this - implementation orders the AVA's according to the AVA comparison function to - make equality and comparison testing easier. Think of this a canonical - normalization (however LDAP does not impose any ordering on multiple AVA's - within an RDN). Single valued RDN's are the norm and thus the RDN - constructor has simple syntax for them. - - The RDN constructor is passed a sequence of args and a set of - keyword parameters used for configuration. - - The constructor iterates though the sequence and adds AVA's to the RDN. - - The arg sequence may be: - - * A 2-valued tuple or list denotes the <attr,value> pair of an AVA. The - first member is the attr and the second member is the value, both members - must be strings (or unicode). The tuple or list is passed to the AVA - constructor and the resulting AVA is added to the RDN. Multiple tuples or - lists may appear in the argument list, each adds one additional AVA to the - RDN. - - * A single string (or unicode) argument, in this case the string will - be interpretted using the DN syntax described in RFC 4514 to yield one or - more AVA <attr,value> pairs. The parsing recognizes the DN syntax escaping - rules. - - * A AVA object, the AVA will be copied into the new RDN respecting - the constructors keyword configuration parameters. - - * A RDN object, the AVA's in the RDN are copied into the new RDN - respecting the constructors keyword configuration parameters. - - Single AVA Examples: - - RDN(('cn', 'Bob')) # tuple yields 1 AVA - RDN('cn=Bob') # DN syntax with 1 AVA - RDN(AVA('cn', 'Bob')) # AVA object adds 1 AVA - - Multiple AVA Examples: - - RDN(('cn', 'Bob'),('ou', 'people')) # 2 tuples yields 2 AVA's - RDN('cn=Bob+ou=people') # DN syntax with 2 AVA's - RDN(AVA('cn', 'Bob'),AVA('ou', 'people')) # 2 AVA objects adds 2 AVA's - RDN(('cn', 'Bob'), 'ou=people') # 2 args, 1st tuple forms 1 AVA, - # 2nd DN syntax string adds 1 AVA, - # 2 AVA's in total - - Note: The RHS of a slice assignment is interpreted exactly in the - same manner as the constructor argument list (see above examples). - - RDN objects support iteration over their AVA members. You can iterate all - AVA members via any Python iteration syntax. RDN objects support full Python - indexing using bracket [] notation. Examples: - - len(rdn) # return the number of AVA's - rdn[0] # indexing the first AVA - rdn['cn'] # index by AVA attr, returns AVA value - for ava in rdn: # iterate over each AVA - rdn[:] # a slice, in this case a copy of each AVA - - WARNING: When indexing by attr (e.g. rdn['cn']) there is a possibility more - than one AVA has the same attr name as the index key. The default behavior - is to return the value of the first AVA whose attr matches the index - key. This behavior can be modified by setting the first_key_match property - to false in the RDN object. If first_key_match is False a list of all values - will be returned instead. The first_key_match behavior is the default and is - useful because duplicate attr names in multi-valued RDN's are rare. We seek - the most useful common case for programmer friendliness, but you should be - aware of the caveat. - - RDN objects support the AVA attr and value properties as another programmer - convenience because the vast majority of RDN's are single valued. The attr - and value properties return the attr and value properties of the first AVA - in the RDN, for example: - - rdn = RDN(('cn', 'Bob')) # rdn has 1 AVA whose attr == 'cn' and value == 'Bob' - len(rdn) -> 1 - rdn.attr -> u'cn' # exactly equivalent to rdn[0].attr - rdn.value -> u'Bob' # exactly equivalent to rdn[0].value - - When attr and value are returned they will always be unicode. When - attr or value are set they will be promoted to unicode. - - If an RDN is multi-valued the attr and value properties still return only - the first AVA's properties, programmer beware! Recall the AVA's in the RDN - are sorted according the to AVA collating semantics. - - RDN objects support equality testing and comparision. See AVA for the - definition of the comparision method. - - RDN objects support concatenation and addition with other RDN's or AVA's - - rdn1 + rdn2 # yields a new RDN object with the contents of each RDN. - rdn1 + ava1 # yields a new RDN object with the contents of rdn1 and ava1 - - RDN objects can add AVA's objects via in-place addition. - - rdn1 += rdn2 # rdn1 now contains the sum of rdn1 and rdn2 - rdn1 += ava1 # rdn1 has ava1 added to it. - - The str method of an RDN returns the string representation in RFC 4514 DN - syntax with proper escaping. - ''' - - flags = 0 - - def __init__(self, *args, **kwds): - self.first_key_match = kwds.get('first_key_match', True) - self.avas = self._avas_from_sequence(args) - self.avas.sort() - - def _ava_from_value(self, value): - if isinstance(value, AVA): - return AVA(value.attr, value.value) - elif isinstance(value, RDN): - avas = [] - for ava in value.avas: - avas.append(AVA(ava.attr, ava.value)) - if len(avas) == 1: - return avas[0] - else: - return avas - elif isinstance(value, basestring): - try: - rdns = str2dn(value.encode('utf-8')) - if len(rdns) != 1: - raise ValueError("multiple RDN's specified by \"%s\"" % (value)) - rdn = rdns[0] - if len(rdn) == 1: - return AVA(rdn[0][0], rdn[0][1]) - else: - avas = [] - for ava_tuple in rdn: - avas.append(AVA(ava_tuple[0], ava_tuple[1])) - return avas - except DECODING_ERROR: - raise ValueError("malformed RDN string = \"%s\"" % value) - elif isinstance(value, (tuple, list)): - if len(value) != 2: - raise ValueError("tuple or list must be 2-valued, not \"%s\"" % (value)) - return AVA(value) - else: - raise TypeError("must be str,unicode,tuple, or AVA, got %s instead" % \ - value.__class__.__name__) - - - def _avas_from_sequence(self, seq): - avas = [] - - for item in seq: - ava = self._ava_from_value(item) - if isinstance(ava, list): - avas.extend(ava) - else: - avas.append(ava) - return avas - - def _to_openldap(self): - return [[(ava.attr.encode('utf-8'), ava.value.encode('utf-8'), self.flags) for ava in self.avas]] - - def __str__(self): - return dn2str(self._to_openldap()) - - def _next(self): - for ava in self.avas: - yield ava - - def __iter__(self): - return self._next() - - def __len__(self): - return len(self.avas) - - def __getitem__(self, key): - if isinstance(key, (int, long, slice)): - return self.avas[key] - elif isinstance(key, basestring): - if self.first_key_match: - for ava in self.avas: - if key == ava.attr: - return ava.value - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - avas = [] - for ava in self.avas: - if key == ava.attr: - avas.append(ava.value) - if len(avas) > 0: - return avas - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - raise TypeError("unsupported type for RDN indexing, must be int, basestring or slice; not %s" % \ - (key.__class__.__name__)) - - def __setitem__(self, key, value): - if isinstance(key, (int, long)): - new_ava = self._ava_from_value(value) - if isinstance(new_ava, list): - raise TypeError("cannot assign multiple AVA's to single entry") - self.avas[key] = new_ava - elif isinstance(key, slice): - avas = self._avas_from_sequence(value) - self.avas[key] = avas - elif isinstance(key, basestring): - new_ava = self._ava_from_value(value) - if isinstance(new_ava, list): - raise TypeError("cannot assign multiple AVA's to single entry") - found = False - i = 0 - while i < len(self.avas): - if key == self.avas[i].attr: - found = True - self.avas[i] = new_ava - if self.first_key_match: - break - i += 1 - if not found: - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - raise TypeError("unsupported type for RDN indexing, must be int, basestring or slice; not %s" % \ - (key.__class__.__name__)) - self.avas.sort() - - def _get_attr(self): - if len(self.avas) == 0: - raise IndexError("No AVA's in this RDN") - return self.avas[0].attr - - def _set_attr(self, new_attr): - if len(self.avas) == 0: - raise IndexError("No AVA's in this RDN") - - if not isinstance(new_attr, basestring): - raise TypeError("attr must be basestring, got %s instead" % new_attr.__class__.__name__) - - self.avas[0].attr = new_attr - - attr = property(_get_attr, _set_attr) - - def _get_value(self): - if len(self.avas) == 0: - raise IndexError("No AVA's in this RDN") - return self.avas[0].value - - def _set_value(self, new_value): - if len(self.avas) == 0: - raise IndexError("No AVA's in this RDN") - - if not isinstance(new_value, basestring): - raise TypeError("value must be basestring, got %s instead" % new_value.__class__.__name__) - - self.avas[0].value = new_value - - value = property(_get_value, _set_value) - - def __eq__(self, other): - if not isinstance(other, self.__class__): - raise TypeError("expected RDN but got %s" % (other.__class__.__name__)) - - return self.avas == other.avas - - def __cmp__(self, other): - if not isinstance(other, self.__class__): - raise TypeError("expected RDN but got %s" % (other.__class__.__name__)) - - result = cmp(len(self), len(other)) - if result != 0: - return result - i = 0 - while i < len(self): - result = cmp(self[i], other[i]) - if result != 0: - return result - i += 1 - return 0 - - def __add__(self, other): - result = RDN(self, first_key_match=self.first_key_match) - if isinstance(other, RDN): - for ava in other.avas: - result.avas.append(AVA(ava.attr, ava.value)) - elif isinstance(other, AVA): - result.avas.append(AVA(other.attr, other.value)) - elif isinstance(other, basestring): - rdn = RDN(other) - for ava in rdn.avas: - result.avas.append(AVA(ava.attr, ava.value)) - else: - raise TypeError("expected RDN, AVA or basestring but got %s" % (other.__class__.__name__)) - - result.avas.sort() - return result - - def __iadd__(self, other): - if isinstance(other, RDN): - for ava in other.avas: - self.avas.append(AVA(ava.attr, ava.value)) - elif isinstance(other, AVA): - self.avas.append(AVA(other.attr, other.value)) - elif isinstance(other, basestring): - rdn = RDN(other) - for ava in rdn.avas: - self.avas.append(AVA(ava.attr, ava.value)) - else: - raise TypeError("expected RDN, AVA or basestring but got %s" % (other.__class__.__name__)) - - self.avas.sort() - return self - -class DN(object): - ''' - DN(arg0, ..., first_key_match=True) - - A DN is a LDAP Distinguished Name. A DN is an ordered sequence of RDN's. - - The DN constructor is passed a sequence of args and a set of - keyword parameters used for configuration. normalize means the - attr and value will be converted to lower case. - - The constructor iterates through the sequence and adds the RDN's - it finds in order to the DN object. Each item in the sequence may - be: - - * A 2-valued tuple or list. The first member is the attr and the - second member is the value of an RDN, both members must be - strings (or unicode). The tuple or list is passed to the RDN - constructor and the resulting RDN is appended to the - DN. Multiple tuples or lists may appear in the argument list, - each adds one additional RDN to the DN. - - * A single string (or unicode) argument, in this case the string - will be interpretted using the DN syntax described in RFC 4514 - to yield one or more RDN's which will be appended in order to - the DN. The parsing recognizes the DN syntax escaping rules. - - * A RDN object, the RDN will copied respecting the constructors - keyword configuration parameters and appended in order. - - * A DN object, the RDN's in the DN are copied respecting the - constructors keyword configuration parameters and appended in - order. - - Single DN Examples: - - DN(('cn', 'Bob')) # tuple yields 1 RDN - DN(['cn', 'Bob']) # list yields 1 RDN - DN('cn=Bob') # DN syntax with 1 RDN - DN(RDN('cn', 'Bob')) # RDN object adds 1 RDN - - Multiple RDN Examples: - - DN(('cn', 'Bob'),('ou', 'people')) # 2 tuples yields 2 RDN's - # 2 RDN's total - DN('cn=Bob,ou=people') # DN syntax with 2 RDN's - # 2 RDN's total - DN(RDN('cn', 'Bob'),RDN('ou', 'people')) # 2 RDN objects - # 2 RDN's total - DN(('cn', 'Bob'), "ou=people') # 1st tuple adds 1 RDN - # 2nd DN syntax string adds 1 RDN - # 2 RDN's total - base_dn = DN('dc=redhat,dc=com') - container_dn = DN('cn=sudorules,cn=sudo') - DN(('cn', 'Bob'), container_dn, base_dn) - # 1st arg adds 1 RDN, cn=Bob - # 2nd arg adds 2 RDN's, cn=sudorules,cn=sudo - # 3rd arg adds 2 RDN's, dc=redhat,dc=com - # 5 RDN's total - - - Note: The RHS of a slice assignment is interpreted exactly in the - same manner as the constructor argument list (see above examples). - - DN objects support iteration over their RDN members. You can iterate all - RDN members via any Python iteration syntax. DN objects support full Python - indexing using bracket [] notation. Examples: - - len(rdn) # return the number of RDN's - rdn[0] # indexing the first RDN - rdn['cn'] # index by RDN attr, returns RDN value - for ava in rdn: # iterate over each RDN - rdn[:] # a slice, in this case a copy of each RDN - - WARNING: When indexing by attr (e.g. rdn['cn']) there is a possibility more - than one RDN has the same attr name as the index key. The default behavior - is to return the value of the first RDN whose attr matches the index - key. This behavior can be modified by setting the first_key_match property - to false in the RDN object. If first_key_match is False a list of all values - will be returned instead. The first_key_match behavior is the default and is - useful because typical usage is to seek the first matching RDN. We seek - the most useful common case for programmer friendliness, but you should be - aware of the caveat. - - DN object support slices. - - # Get the first two RDN's using slices - dn[0:2] - - # Get the last two RDN's using slices - dn[-2:] - - # Get a list of all RDN's using slices - dn[:] - - # Set the 2nd and 3rd RDN using slices (all are equivalent) - dn[1:3] = ('cn', 'Bob'), ('dc', 'redhat.com') - dn[1:3] = [['cn', 'Bob'], ['dc', 'redhat.com']] - dn[1:3] = RDN('cn', 'Bob'), RDN('dc', 'redhat.com') - - DN objects support the insert operation. - - dn.insert(i,x) is exactly equivalent to dn[i:i] = [x], thus the following - are all equivalent: - - dn.insert(i, ('cn','Bob')) - dn.insert(i, ['cn','Bob']) - dn.insert(i, RDN(('cn','Bob'))) - dn[i:i] = [('cn','Bob')] - - DN objects support equality testing and comparision. See RDN for the - definition of the comparision method. - - DN objects implement startswith(), endswith() and the "in" membership - operator. You may pass a DN or RDN object to these. Examples: - - # Test if dn ends with the contents of base_dn - if dn.endswith(base_dn): - # Test if dn starts with a rdn - if dn.startswith(rdn1): - # Test if a container is present in a dn - if container_dn in dn: - - DN objects support concatenation and addition with other DN's or RDN's - or strings (interpreted as RFC 4514 DN syntax). - - # yields a new DN object with the RDN's of dn2 appended to the RDN's of dn1 - dn1 + dn2 - - # yields a new DN object with the rdn1 appended to the RDN's of dn1 - dn1 + rdn1 - - DN objects can add RDN's objects via in-place addition. - - dn1 += dn2 # dn2 RDN's are appended to the dn1's RDN's - dn1 += rdn1 # dn1 has rdn appended to its RDN's - dn1 += "dc=redhat.com" # string is converted to DN, then appended - - The str method of an DN returns the string representation in RFC 4514 DN - syntax with proper escaping. - ''' - - flags = 0 - - def __init__(self, *args, **kwds): - self.first_key_match = kwds.get('first_key_match', True) - self.first_key_match = True - self.rdns = self._rdns_from_sequence(args) - - def _rdn_from_value(self, value): - if isinstance(value, RDN): - return RDN(value, first_key_match=self.first_key_match) - elif isinstance(value, DN): - rdns = [] - for rdn in value.rdns: - rdns.append(RDN(rdn, first_key_match=self.first_key_match)) - if len(rdns) == 1: - return rdns[0] - else: - return rdns - elif isinstance(value, basestring): - rdns = [] - try: - dn_list = str2dn(value.encode('utf-8')) - for rdn_list in dn_list: - avas = [] - for ava_tuple in rdn_list: - avas.append(AVA(ava_tuple[0], ava_tuple[1])) - rdn = RDN(*avas, first_key_match=self.first_key_match) - rdns.append(rdn) - except DECODING_ERROR: - raise ValueError("malformed RDN string = \"%s\"" % value) - if len(rdns) == 1: - return rdns[0] - else: - return rdns - elif isinstance(value, (tuple, list)): - if len(value) != 2: - raise ValueError("tuple or list must be 2-valued, not \"%s\"" % (value)) - rdn = RDN(value, first_key_match=self.first_key_match) - return rdn - else: - raise TypeError("must be str,unicode,tuple, or RDN, got %s instead" % \ - value.__class__.__name__) - - def _rdns_from_sequence(self, seq): - rdns = [] - - for item in seq: - rdn = self._rdn_from_value(item) - if isinstance(rdn, list): - rdns.extend(rdn) - else: - rdns.append(rdn) - return rdns - - def _to_openldap(self): - return [[(ava.attr.encode('utf-8'), ava.value.encode('utf-8'), self.flags) for ava in rdn] for rdn in self.rdns] - - def __str__(self): - return dn2str(self._to_openldap()) - - def _next(self): - for rdn in self.rdns: - yield rdn - - def __iter__(self): - return self._next() - - def __len__(self): - return len(self.rdns) - - def __getitem__(self, key): - if isinstance(key, (int, long, slice)): - return self.rdns[key] - elif isinstance(key, basestring): - if self.first_key_match: - for rdn in self.rdns: - if key == rdn.attr: - return rdn.value - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - rdns = [] - for rdn in self.rdns: - if key == rdn.attr: - rdns.append(rdn.value) - if len(rdns) > 0: - return rdns - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - raise TypeError("unsupported type for DN indexing, must be int, basestring or slice; not %s" % \ - (key.__class__.__name__)) - - def __setitem__(self, key, value): - if isinstance(key, (int, long)): - new_rdn = self._rdn_from_value(value) - if isinstance(new_rdn, list): - raise TypeError("cannot assign multiple RDN's to single entry") - self.rdns[key] = new_rdn - elif isinstance(key, slice): - rdns = self._rdns_from_sequence(value) - self.rdns[key] = rdns - elif isinstance(key, basestring): - new_rdn = self._rdn_from_value(value) - if isinstance(new_rdn, list): - raise TypeError("cannot assign multiple values to single entry") - found = False - i = 0 - while i < len(self.rdns): - if key == self.rdns[i].attr: - found = True - self.rdns[i] = new_rdn - if self.first_key_match: break - i += 1 - if not found: - raise KeyError("\"%s\" not found in %s" % (key, self.__str__())) - else: - raise TypeError("unsupported type for DN indexing, must be int, basestring or slice; not %s" % \ - (key.__class__.__name__)) - - def __eq__(self, other): - if not isinstance(other, self.__class__): - raise TypeError("expected DN but got %s" % (other.__class__.__name__)) - - return self.rdns == other.rdns - - def __cmp__(self, other): - if not isinstance(other, self.__class__): - raise TypeError("expected DN but got %s" % (other.__class__.__name__)) - - result = cmp(len(self), len(other)) - if result != 0: - return result - return self._cmp_sequence(other, 0, len(self)) - - def _cmp_sequence(self, pattern, self_start, pat_len): - self_idx = self_start - pat_idx = 0 - while pat_idx < pat_len: - result = cmp(self[self_idx], pattern[pat_idx]) - if result != 0: - return result - self_idx += 1 - pat_idx += 1 - return 0 - - def __add__(self, other): - result = DN(self, first_key_match=self.first_key_match) - if isinstance(other, self.__class__): - for rdn in other.rdns: - result.rdns.append(RDN(rdn, first_key_match=self.first_key_match)) - elif isinstance(other, RDN): - result.rdns.append(RDN(other, first_key_match=self.first_key_match)) - elif isinstance(other, basestring): - dn = DN(other, first_key_match=self.first_key_match) - for rdn in dn.rdns: - result.rdns.append(rdn) - else: - raise TypeError("expected DN, RDN or basestring but got %s" % (other.__class__.__name__)) - - return result - - def __iadd__(self, other): - if isinstance(other, DN): - for rdn in other.rdns: - self.rdns.append(RDN(rdn, first_key_match=self.first_key_match)) - elif isinstance(other, RDN): - self.rdns.append(RDN(other, first_key_match=self.first_key_match)) - elif isinstance(other, basestring): - dn = DN(other, first_key_match=self.first_key_match) - self.__iadd__(dn) - else: - raise TypeError("expected DN, RDN or basestring but got %s" % (other.__class__.__name__)) - - return self - - def insert(self, i, x): - ''' - x must be a 2-value tuple or list promotable to an RDN object, - or a RDN object. - - dn.insert(i, x) is the same as s[i:i] = [x] - - When a negative index is passed as the first parameter to the - insert() method, the list length is added, as for slice - indices. If it is still negative, it is truncated to zero, as - for slice indices. - ''' - self.rdns.insert(i, self._rdn_from_value(x)) - - # The implementation of startswith, endswith, tailmatch, adjust_indices - # was based on the Python's stringobject.c implementation - - def startswith(self, prefix, start=0, end=sys.maxsize): - ''' - Return True if the dn starts with the specified prefix (either a DN or - RDN object), False otherwise. With optional start, test dn beginning at - that position. With optional end, stop comparing dn at that position. - prefix can also be a tuple of dn's or rdn's to try. - ''' - if isinstance(prefix, tuple): - for pat in prefix: - if self._tailmatch(pat, start, end, -1): - return True - return False - - return self._tailmatch(prefix, start, end, -1) - - def endswith(self, suffix, start=0, end=sys.maxsize): - ''' - Return True if dn ends with the specified suffix (either a DN or RDN - object), False otherwise. With optional start, test dn beginning at - that position. With optional end, stop comparing dn at that position. - suffix can also be a tuple of dn's or rdn's to try. - ''' - if isinstance(suffix, tuple): - for pat in suffix: - if self._tailmatch(pat, start, end, +1): - return True - return False - - return self._tailmatch(suffix, start, end, +1) - - def _tailmatch(self, pattern, start, end, direction): - ''' - Matches the end (direction >= 0) or start (direction < 0) of self - against pattern (either a DN or RDN), using the start and end - arguments. Returns 0 if not found and 1 if found. - ''' - - if isinstance(pattern, DN): - pat_len = len(pattern) - elif isinstance(pattern, RDN): - pat_len = 1 - else: - raise TypeError("expected DN or RDN but got %s" % (pattern.__class__.__name__)) - - self_len = len(self) - - start, end = _adjust_indices(start, end, self_len) - - if direction < 0: # starswith - if start+pat_len > self_len: - return 0 - else: # endswith - if end-start < pat_len or start > self_len: - return 0 - - if end-pat_len >= start: - start = end - pat_len - - if isinstance(pattern, DN): - if end-start >= pat_len: - return not self._cmp_sequence(pattern, start, pat_len) - return 0 - else: - return self.rdns[start] == pattern - - def __contains__(self, other): - 'Return the outcome of the test other in self. Note the reversed operands.' - - if isinstance(other, DN): - other_len = len(other) - end = len(self) - other_len - i = 0 - while i <= end: - result = self._cmp_sequence(other, i, other_len) - if result == 0: - return True - i += 1 - return False - - elif isinstance(other, RDN): - return other in self.rdns - else: - raise TypeError("expected DN or RDN but got %s" % (other.__class__.__name__)) - - - - - diff --git a/ipalib/encoder.py b/ipalib/encoder.py deleted file mode 100644 index 691f4d8ca..000000000 --- a/ipalib/encoder.py +++ /dev/null @@ -1,213 +0,0 @@ -# Authors: -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -""" -Encoding capabilities. -""" - -from decimal import Decimal - -class EncoderSettings(object): - """ - Container for encoder settings. - """ - encode_to = 'utf-8' - encode_none = False - encode_dict_keys = False - encode_dict_keys_postprocess = True - encode_dict_vals = True - encode_dict_vals_postprocess = True - encode_postprocessor = staticmethod(lambda x: x) - - decode_from = 'utf-8' - decode_none = False - decode_dict_keys = False - decode_dict_keys_postprocess = True - decode_dict_vals = True - decode_dict_vals_postprocess = True - decode_dict_vals_table = dict() - decode_dict_vals_table_keygen = staticmethod(lambda x, y: x) - decode_postprocessor = staticmethod(lambda x: x) - - -class Encoder(object): - """ - Base class implementing encoding of python scalar types to strings - and vise-versa. - """ - - encoder_settings = EncoderSettings() - - def __init__(self): - # each instance should have its own settings - self.encoder_settings = EncoderSettings() - - def _decode_dict_val(self, key, val): - f = self.encoder_settings.decode_dict_vals_table.get( - self.encoder_settings.decode_dict_vals_table_keygen(key, val) - ) - if f: - return val - return self.decode(val) - - def encode(self, var): - """ - Encode any python built-in python type variable into `self.encode_to`. - - Compound types have their individual members encoded. - - Returns an encoded copy of 'var'. - """ - if isinstance(var, str): - return var - elif isinstance(var, unicode): - return self.encoder_settings.encode_postprocessor( - var.encode(self.encoder_settings.encode_to) - ) - elif isinstance(var, bool): - if var: - var = 'TRUE' - else: - var = 'FALSE' - return self.encoder_settings.encode_postprocessor( - var.encode(self.encoder_settings.encode_to) - ) - elif isinstance(var, (float, Decimal, int, long)): - return self.encoder_settings.encode_postprocessor( - str(var).encode(self.encoder_settings.encode_to) - ) - elif isinstance(var, list): - return [self.encode(m) for m in var] - elif isinstance(var, tuple): - return tuple(self.encode(m) for m in var) - elif isinstance(var, dict): - if self.encoder_settings.encode_dict_keys: - dct = dict() - if not self.encoder_settings.encode_dict_keys_postprocess: - tmp = self.encoder_settings.encode_postprocessor - self.encoder_settings.encode_postprocessor = lambda x: x - for (k, v) in var.iteritems(): - dct[self.encode(k)] = v - if not self.encoder_settings.encode_dict_keys_postprocess: - self.encoder_settings.encode_postprocessor = tmp - else: - dct = dict(var) - if self.encoder_settings.encode_dict_vals: - if not self.encoder_settings.encode_dict_vals_postprocess: - tmp = self.encoder_settings.encode_postprocessor - self.encoder_settings.encode_postprocessor = lambda x: x - for (k, v) in dct.iteritems(): - dct[k] = self.encode(v) - if not self.encoder_settings.encode_dict_vals_postprocess: - self.encoder_settings.encode_postprocessor = tmp - return dct - elif var is None: - if self.encoder_settings.encode_none: - return self.encoder_settings.encode_postprocessor( - str(var).encode(self.encoder_settings.encode_to) - ) - return None - raise TypeError('python built-in type expected, got \'%s\'', type(var)) - - def decode(self, var): - """ - Decode strings in `self.decode_from` into python strings. - - Compound types have their individual members decoded. - - Dictionaries can have their values decoded into other types - by looking up keys in `self.decode_dict_vals_table`. - - Returns a decoded copy of 'var'. - """ - if isinstance(var, unicode): - return var - elif isinstance(var, str): - return self.encoder_settings.decode_postprocessor( - var.decode(self.encoder_settings.decode_from) - ) - elif isinstance(var, (bool, float, Decimal, int, long)): - return var - elif isinstance(var, list): - return [self.decode(m) for m in var] - elif isinstance(var, tuple): - return tuple(self.decode(m) for m in var) - elif isinstance(var, dict): - if self.encoder_settings.decode_dict_keys: - dct = dict() - if not self.encoder_settings.decode_dict_keys_postprocess: - tmp = self.encoder_settings.decode_postprocessor - self.encoder_settings.decode_postprocessor = lambda x: x - for (k, v) in var.iteritems(): - dct[self.decode(k)] = v - if not self.encoder_settings.decode_dict_keys_postprocess: - self.encoder_settings.decode_postprocessor = tmp - else: - dct = dict(var) - if self.encoder_settings.decode_dict_vals: - if not self.encoder_settings.decode_dict_vals_postprocess: - tmp = self.encoder_settings.decode_postprocessor - self.encoder_settings.decode_postprocessor = lambda x: x - for (k, v) in dct.iteritems(): - dct[k] = self._decode_dict_val(k, v) - if not self.encoder_settings.decode_dict_vals_postprocess: - self.encoder_settings.decode_postprocessor = tmp - return dct - elif var is None: - if self.encoder_settings.decode_none: - return self.encoder_settings.decode_postprocessor( - str(var).decode(self.encoder_settings.decode_from) - ) - return None - raise TypeError('python built-in type expected, got \'%s\'', type(var)) - -## ENCODER METHOD DECORATORS - -def encode_args(*outer_args): - def decorate(f): - def new_f(*args, **kwargs): - assert isinstance(args[0], Encoder), \ - 'first argument not Encoder instance' - new_args = list(args) - for a in outer_args: - if isinstance(a, int): - if a < len(args): - new_args[a] = args[0].encode(args[a]) - elif isinstance(a, basestring): - if a in kwargs: - kwargs[a] = args[0].encode(kwargs[a]) - else: - raise TypeError( - 'encode_args takes a list of ints and basestrings' - ) - return f(*new_args, **kwargs) - new_f.func_name = f.func_name - return new_f - return decorate - - -def decode_retval(): - def decorate(f): - def new_f(*args, **kwargs): - assert isinstance(args[0], Encoder), \ - 'first argument not Encoder instance' - return args[0].decode(f(*args, **kwargs)) - new_f.func_name = f.func_name - return new_f - return decorate - diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 98b02dd6d..dd505a179 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -112,7 +112,7 @@ from errors import ConversionError, RequirementError, ValidationError from errors import PasswordMismatch from constants import NULLS, TYPE_ERROR, CALLABLE_ERROR from text import Gettext, FixMe - +from ipapython.dn import DN class DefaultFrom(ReadOnly): """ @@ -1845,6 +1845,23 @@ class AccessTime(Str): return None +class DNParam(Param): + type = DN + + def _convert_scalar(self, value, index=None): + """ + Convert a single scalar value. + """ + if type(value) is self.type: + return value + + try: + dn = DN(value) + except Exception, e: + raise ConversionError(name=self.get_param_name(), index=index, + error=ugettext(e)) + return dn + def create_param(spec): """ Create an `Str` instance from the shorthand ``spec``. diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py index 7a27ce116..7d5bf504c 100644 --- a/ipalib/plugins/aci.py +++ b/ipalib/plugins/aci.py @@ -123,24 +123,22 @@ from ipalib import api, crud, errors from ipalib import Object, Command from ipalib import Flag, Int, Str, StrEnum from ipalib.aci import ACI -from ipalib.dn import DN from ipalib import output from ipalib import _, ngettext from ipalib.plugins.baseldap import gen_pkey_only_option -if api.env.in_server and api.env.context in ['lite', 'server']: - from ldap import explode_dn from ipapython.ipa_log_manager import * +from ipapython.dn import DN ACI_NAME_PREFIX_SEP = ":" _type_map = { - 'user': 'ldap:///uid=*,%s,%s' % (api.env.container_user, api.env.basedn), - 'group': 'ldap:///cn=*,%s,%s' % (api.env.container_group, api.env.basedn), - 'host': 'ldap:///fqdn=*,%s,%s' % (api.env.container_host, api.env.basedn), - 'hostgroup': 'ldap:///cn=*,%s,%s' % (api.env.container_hostgroup, api.env.basedn), - 'service': 'ldap:///krbprincipalname=*,%s,%s' % (api.env.container_service, api.env.basedn), - 'netgroup': 'ldap:///ipauniqueid=*,%s,%s' % (api.env.container_netgroup, api.env.basedn), - 'dnsrecord': 'ldap:///idnsname=*,%s,%s' % (api.env.container_dns, api.env.basedn), + 'user': 'ldap:///' + str(DN(('uid', '*'), api.env.container_user, api.env.basedn)), + 'group': 'ldap:///' + str(DN(('cn', '*'), api.env.container_group, api.env.basedn)), + 'host': 'ldap:///' + str(DN(('fqdn', '*'), api.env.container_host, api.env.basedn)), + 'hostgroup': 'ldap:///' + str(DN(('cn', '*'), api.env.container_hostgroup, api.env.basedn)), + 'service': 'ldap:///' + str(DN(('krbprincipalname', '*'), api.env.container_service, api.env.basedn)), + 'netgroup': 'ldap:///' + str(DN(('ipauniqueid', '*'), api.env.container_netgroup, api.env.basedn)), + 'dnsrecord': 'ldap:///' + str(DN(('idnsname', '*'), api.env.container_dns, api.env.basedn)), } _valid_permissions_values = [ @@ -247,7 +245,7 @@ def _make_aci(ldap, current, aciname, kw): if 'test' in kw and not kw.get('test'): raise e else: - entry_attrs = {'dn': 'cn=%s,%s' % (kw['permission'], api.env.container_permission)} + entry_attrs = {'dn': DN(('cn', kw['permission']), api.env.container_permission)} elif group: # Not so friendly with groups. This will raise try: @@ -343,10 +341,9 @@ def _aci_to_kw(ldap, a, test=False, pkey_only=False): else: # See if the target is a group. If so we set the # targetgroup attr, otherwise we consider it a subtree - if api.env.container_group in target: - targetdn = unicode(target.replace('ldap:///','')) - target = DN(targetdn) - kw['targetgroup'] = target['cn'] + targetdn = DN(target.replace('ldap:///','')) + if targetdn.endswith(DN(api.env.container_group, api.env.basedn)): + kw['targetgroup'] = targetdn[0]['cn'] else: kw['subtree'] = unicode(target) @@ -357,15 +354,16 @@ def _aci_to_kw(ldap, a, test=False, pkey_only=False): elif groupdn == 'anyone': pass else: - if groupdn.startswith('cn='): - dn = '' + groupdn = DN(groupdn) + if len(groupdn) and groupdn[0].attr == 'cn': + dn = DN() entry_attrs = {} try: (dn, entry_attrs) = ldap.get_entry(groupdn, ['cn']) except errors.NotFound, e: # FIXME, use real name here if test: - dn = 'cn=%s,%s' % ('test', api.env.container_permission) + dn = DN(('cn', 'test'), api.env.container_permission) entry_attrs = {'cn': [u'test']} if api.env.container_permission in dn: kw['permission'] = entry_attrs['cn'][0] @@ -801,11 +799,11 @@ class aci_find(crud.Search): if kw.get('group'): for a in acis: groupdn = a.bindrule['expression'] - groupdn = groupdn.replace('ldap:///','') - cn = None - if groupdn.startswith('cn='): - cn = explode_dn(groupdn)[0] - cn = cn.replace('cn=','') + groupdn = DN(groupdn.replace('ldap:///','')) + try: + cn = groupdn[0]['cn'].value + except (IndexError, KeyError): + cn = None if cn is None or cn != kw['group']: try: results.remove(a) @@ -818,9 +816,11 @@ class aci_find(crud.Search): if 'target' in a.target: target = a.target['target']['expression'] if api.env.container_group in target: - targetdn = unicode(target.replace('ldap:///','')) - cn = explode_dn(targetdn)[0] - cn = cn.replace('cn=','') + targetdn = DN(target.replace('ldap:///','')) + try: + cn = targetdn[0]['cn'] + except (IndexError, KeyError): + cn = None if cn == kw['targetgroup']: found = True if not found: diff --git a/ipalib/plugins/automember.py b/ipalib/plugins/automember.py index 7ccb0bb2f..40359604b 100644 --- a/ipalib/plugins/automember.py +++ b/ipalib/plugins/automember.py @@ -22,8 +22,8 @@ from ipalib import Str, StrEnum from ipalib.plugins.baseldap import * from ipalib import _, ngettext from ipalib.request import context -from ipalib.dn import * import ldap as _ldap +from ipapython.dn import DN __doc__ = _(""" Auto Membership Rule. @@ -200,19 +200,16 @@ class automember(LDAPObject): parent_dn = self.container_dn grouptype = options['type'] try: - ndn = DN(('cn', keys[-1]), ('cn', grouptype), DN(parent_dn)) + ndn = DN(('cn', keys[-1]), ('cn', grouptype), parent_dn) except IndexError: - ndn = DN(('cn', grouptype), DN(parent_dn)) - parent_dn = str(ndn) - return parent_dn + ndn = DN(('cn', grouptype), parent_dn) + return ndn def check_attr(self, attr): """ Verify that the user supplied key is a valid attribute in the schema """ ldap = self.api.Backend.ldap2 - if not ldap.schema: - ldap.get_schema() obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) if obj is not None: return obj @@ -238,6 +235,7 @@ class automember_add(LDAPCreate): msg_summary = _('Added automember rule "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) entry_attrs['cn'] = keys[-1] if not automember_container_exists(self.api.Backend.ldap2): @@ -284,6 +282,7 @@ class automember_add_condition(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # Check to see if the automember rule exists try: (tdn, test_attrs) = ldap.get_entry(dn, []) @@ -370,6 +369,7 @@ class automember_remove_condition(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # Check to see if the automember rule exists try: (tdn, test_attrs) = ldap.get_entry(dn, []) @@ -479,10 +479,10 @@ class automember_find(LDAPSearch): ) def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) scope = ldap.SCOPE_SUBTREE - ndn = DN(('cn', options['type']), DN(base_dn)) - base_dn = str(ndn) - return (filters, base_dn, scope) + ndn = DN(('cn', options['type']), base_dn) + return (filters, ndn, scope) api.register(automember_find) @@ -520,7 +520,6 @@ class automember_default_group_set(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): dn = DN(('cn', options['type']), api.env.container_automember) - dn = str(dn) entry_attrs['automemberdefaultgroup'] = self.obj.dn_exists(options['type'], options['automemberdefaultgroup']) return dn @@ -542,7 +541,6 @@ class automember_default_group_remove(LDAPUpdate): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): dn = DN(('cn', options['type']), api.env.container_automember) - dn = str(dn) attr = 'automemberdefaultgroup' (dn, entry_attrs_) = ldap.get_entry( @@ -556,6 +554,7 @@ class automember_default_group_remove(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'automemberdefaultgroup' not in entry_attrs: entry_attrs['automemberdefaultgroup'] = unicode(_('No default (fallback) group set')) return dn @@ -576,10 +575,10 @@ class automember_default_group_show(LDAPRetrieve): def pre_callback(self, ldap, dn, attrs_list, *keys, **options): dn = DN(('cn', options['type']), api.env.container_automember) - dn = str(dn) return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'automemberdefaultgroup' not in entry_attrs: entry_attrs['automemberdefaultgroup'] = unicode(_('No default (fallback) group set')) return dn diff --git a/ipalib/plugins/automount.py b/ipalib/plugins/automount.py index 5c9f42b4c..8e9eb5745 100644 --- a/ipalib/plugins/automount.py +++ b/ipalib/plugins/automount.py @@ -227,6 +227,7 @@ class automountlocation_add(LDAPCreate): msg_summary = _('Added automount location "%(value)s"') def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) # create auto.master for the new location self.api.Command['automountmap_add'](keys[-1], u'auto.master') @@ -595,6 +596,7 @@ class automountmap_del(LDAPDelete): msg_summary = _('Deleted automount map "%(value)s"') def post_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) # delete optional parental connection (direct maps may not have this) try: (dn_, entry_attrs) = ldap.find_entry_by_attr( @@ -718,7 +720,7 @@ class automountkey(LDAPObject): (kwargs['automountkey'], kwargs['automountinformation']) else: sfilter = '(automountkey=%s)' % kwargs['automountkey'] - basedn = 'automountmapname=%s,cn=%s,%s' % (parent_keys[1], parent_keys[0], self.container_dn) + basedn = DN(('automountmapname', parent_keys[1]), ('cn', parent_keys[0]), self.container_dn) attrs_list = ['*'] (entries, truncated) = ldap.find_entries(sfilter, attrs_list, basedn, _ldap.SCOPE_ONELEVEL) @@ -790,6 +792,7 @@ class automountkey_add(LDAPCreate): internal_options = ['description', 'add_operation'] def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) options.pop('add_operation', None) options.pop('description', None) self.obj.check_key_uniqueness(keys[-2], keys[-1], **options) @@ -926,6 +929,7 @@ class automountkey_mod(LDAPUpdate): yield key def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'newautomountkey' in options: entry_attrs['automountkey'] = options['newautomountkey'] if 'newautomountinformation' in options: diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 32dae5160..e05f59ff4 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -34,7 +34,7 @@ from ipalib.cli import to_cli, from_cli from ipalib import output from ipalib.text import _ from ipalib.util import json_serialize, validate_hostname -from ipalib.dn import * +from ipapython.dn import DN, RDN global_output_params = ( Flag('has_password', @@ -200,6 +200,7 @@ def validate_attribute(ugettext, name, attr): raise errors.ValidationError(name=name, error='Invalid format. Should be name=value') def get_effective_rights(ldap, dn, attrs=None): + assert isinstance(dn, DN) if attrs is None: attrs = ['*', 'nsaccountlock', 'cospriority'] rights = ldap.get_effective_rights(dn, attrs) @@ -332,6 +333,7 @@ def add_external_pre_callback(membertype, ldap, dn, keys, options): membertype is the type of member """ + assert isinstance(dn, DN) # validate hostname with allowed underscore characters, non-fqdn # hostnames are allowed def validate_host(hostname): @@ -361,12 +363,14 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl membertype is the type of member: user, externalattr is one of externaluser, """ + assert isinstance(dn, DN) completed_external = 0 normalize = options.get('external_callback_normalize', True) # Sift through the failures. We assume that these are all # entries that aren't stored in IPA, aka external entries. if memberattr in failed and membertype in failed[memberattr]: (dn, entry_attrs_) = ldap.get_entry(dn, [externalattr]) + assert isinstance(dn, DN) members = entry_attrs.get(memberattr, []) external_entries = entry_attrs_.get(externalattr, []) lc_external_entries = set(e.lower() for e in external_entries) @@ -374,6 +378,7 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl for entry in failed[memberattr][membertype]: membername = entry[0].lower() member_dn = api.Object[membertype].get_dn(membername) + assert isinstance(member_dn, DN) if (membername not in lc_external_entries and member_dn not in members): # Not an IPA entry, assume external @@ -406,6 +411,7 @@ def add_external_post_callback(memberattr, membertype, externalattr, ldap, compl return (completed + completed_external, dn) def remove_external_post_callback(memberattr, membertype, externalattr, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) # Run through the failures and gracefully remove any member defined # as an external member. if memberattr in failed and membertype in failed[memberattr]: @@ -440,7 +446,7 @@ def host_is_master(ldap, fqdn): Raises an exception if a master, otherwise returns nothing. """ - master_dn = str(DN('cn=%s' % fqdn, 'cn=masters,cn=ipa,cn=etc', api.env.basedn)) + master_dn = DN(('cn', fqdn), ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) try: (dn, entry_attrs) = ldap.get_entry(master_dn, ['objectclass']) raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted or disabled')) @@ -518,9 +524,11 @@ class LDAPObject(Object): return self.backend.make_dn_from_attr( self.primary_key.name, keys[-1], parent_dn ) + assert isinstance(parent_dn, DN) return parent_dn def get_primary_key_from_dn(self, dn): + assert isinstance(dn, DN) try: if self.rdn_attribute: (dn, entry_attrs) = self.backend.get_entry( @@ -532,8 +540,6 @@ class LDAPObject(Object): return '' except errors.NotFound: pass - # DN object assures we're returning a decoded (unescaped) value - dn = DN(dn) try: return dn[self.primary_key.name] except KeyError: @@ -567,7 +573,7 @@ class LDAPObject(Object): for member in entry_attrs.setdefault(attr, []): for ldap_obj_name in self.attribute_members[attr]: ldap_obj = self.api.Object[ldap_obj_name] - if member.find(ldap_obj.container_dn) > 0: + if ldap_obj.container_dn in member: new_attr = '%s_%s' % (attr, ldap_obj.name) entry_attrs.setdefault(new_attr, []).append( ldap_obj.get_primary_key_from_dn(member) @@ -623,7 +629,6 @@ class LDAPObject(Object): def __json__(self): ldap = self.backend - ldap.get_schema() json_dict = dict( (a, getattr(self, a)) for a in self.json_friendly_attributes ) @@ -777,52 +782,47 @@ last, after all sets and adds."""), _callback_registry = dict(pre={}, post={}, exc={}, interactive_prompt={}) - def _convert_2_dict(self, attrs): + def _convert_2_dict(self, ldap, attrs): """ Convert a string in the form of name/value pairs into a dictionary. :param attrs: A list of name/value pair strings, in the "name=value" format. May also be a single string, or None. """ - if attrs is None: - return {} - - if not isinstance(attrs, (tuple, list)): - attrs = [attrs] newdict = {} + if attrs is None: + attrs = [] + elif not type(attrs) in (list, tuple): + attrs = [attrs] for a in attrs: - m = re.match("^\s*(?P<attr>.*?)\s*=\s*(?P<value>.*?)\s*$", a) - attr = str(m.group('attr').lower()) - value = m.group('value') - + m = re.match("\s*(.*?)\s*=\s*(.*?)\s*$", a) + attr = str(m.group(1)).lower() + value = m.group(2) if attr in self.obj.params and attr not in self.params: # The attribute is managed by IPA, but it didn't get cloned # to the command. This happens with no_update/no_create attrs. raise errors.ValidationError( name=attr, error=_('attribute is not configurable')) + if len(value) == 0: + # None means "delete this attribute" + value = None - newdict.setdefault(attr, []).append(value) + if ldap.has_dn_syntax(attr): + value = DN(value) + if attr in newdict: + if type(value) in (tuple,): + newdict[attr] += list(value) + else: + newdict[attr].append(value) + else: + if type(value) in (tuple,): + newdict[attr] = list(value) + else: + newdict[attr] = [value] return newdict - def _convert_entry(self, entry_attrs): - result = {} - for attr, val in entry_attrs.iteritems(): - if val is None: - val = [] - elif not isinstance(val, (tuple, list)): - val = [val] - - result[attr] = [] - for v in val: - if isinstance(v, str): - # This is a Binary value, base64 encode it - v = base64.b64encode(v) - result[attr].append(unicode(v)) - - return result - def process_attr_options(self, entry_attrs, dn, keys, options): """ Process all --setattr, --addattr, and --delattr options and add the @@ -847,14 +847,15 @@ last, after all sets and adds."""), :param keys: List of command arguments :param options: List of options """ + if all(k not in options for k in ("setattr", "addattr", "delattr")): return ldap = self.obj.backend - adddict = self._convert_2_dict(options.get('addattr', [])) - setdict = self._convert_2_dict(options.get('setattr', [])) - deldict = self._convert_2_dict(options.get('delattr', [])) + adddict = self._convert_2_dict(ldap, options.get('addattr', [])) + setdict = self._convert_2_dict(ldap, options.get('setattr', [])) + deldict = self._convert_2_dict(ldap, options.get('delattr', [])) setattrs = set(setdict.keys()) addattrs = set(adddict.keys()) @@ -865,24 +866,24 @@ last, after all sets and adds."""), direct_del = delattrs needldapattrs = [] else: + assert isinstance(dn, DN) direct_add = setattrs & addattrs direct_del = setattrs & delattrs needldapattrs = list((addattrs | delattrs) - setattrs) - mod_attrs = self._convert_entry(entry_attrs) - for attr, val in setdict.iteritems(): - mod_attrs[attr] = val + entry_attrs[attr] = val for attr in direct_add: - mod_attrs.setdefault(attr, []).extend(adddict[attr]) + entry_attrs.setdefault(attr, []).extend(adddict[attr]) for attr in direct_del: for delval in deldict[attr]: try: - mod_attrs[attr].remove(delval) + entry_attrs[attr].remove(delval) except ValueError: - raise errors.AttrValueNotFound(attr=attr, value=delval) + raise errors.AttrValueNotFound(attr=attr, + value=delval) if needldapattrs: try: @@ -901,27 +902,28 @@ last, after all sets and adds."""), raise errors.ValidationError(name=del_nonexisting.pop(), error=_('No such attribute on this entry')) - old_entry = self._convert_entry(old_entry) - for attr in needldapattrs: - mod_attrs[attr] = old_entry.get(attr, []) + entry_attrs[attr] = old_entry.get(attr, []) if attr in addattrs: - mod_attrs[attr].extend(adddict.get(attr, [])) + entry_attrs[attr].extend(adddict.get(attr, [])) for delval in deldict.get(attr, []): try: - mod_attrs[attr].remove(delval) + entry_attrs[attr].remove(delval) except ValueError: + if isinstance(delval, str): + # This is a Binary value, base64 encode it + delval = unicode(base64.b64encode(delval)) raise errors.AttrValueNotFound(attr=attr, value=delval) # normalize all values changedattrs = setattrs | addattrs | delattrs for attr in changedattrs: - value = mod_attrs[attr] if attr in self.params and self.params[attr].attribute: - param = self.params[attr] # convert single-value params to scalars + param = self.params[attr] + value = entry_attrs[attr] if not param.multivalue: if len(value) == 1: value = value[0] @@ -931,19 +933,19 @@ last, after all sets and adds."""), raise errors.OnlyOneValueAllowed(attr=attr) # validate, convert and encode params try: - value = param(value) + value = param(value) except errors.ValidationError, err: raise errors.ValidationError(name=attr, error=err.error) except errors.ConversionError, err: raise errors.ConversionError(name=attr, error=err.error) + entry_attrs[attr] = value else: # unknown attribute: remove duplicite and invalid values - value = list(set([val for val in value if val])) - if not value: - value = None - elif isinstance(value, (tuple, list)) and len(value) == 1: - value = value[0] - entry_attrs[attr] = value + entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if val])) + if not entry_attrs[attr]: + entry_attrs[attr] = None + elif isinstance(entry_attrs[attr], (tuple, list)) and len(entry_attrs[attr]) == 1: + entry_attrs[attr] = entry_attrs[attr][0] @classmethod def register_pre_callback(cls, callback, first=False): @@ -1021,8 +1023,13 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): entry_attrs[self.obj.uuid_attribute] = 'autogenerate' dn = self.obj.get_dn(*keys, **options) + assert isinstance(dn, DN) if self.obj.rdn_attribute: - if not dn.startswith('%s=' % self.obj.primary_key.name): + try: + dn_attr = dn[0].attr + except (IndexError, KeyError): + dn_attr = None + if dn_attr != self.obj.primary_key.name: self.obj.handle_duplicate_entry(*keys) dn = ldap.make_dn( entry_attrs, self.obj.rdn_attribute, self.obj.container_dn @@ -1038,9 +1045,9 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): for callback in self.get_callbacks('pre'): dn = callback( self, ldap, dn, entry_attrs, attrs_list, *keys, **options) + assert isinstance(dn, DN) _check_single_value_attrs(self.params, entry_attrs) - ldap.get_schema() _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True) _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False) @@ -1074,16 +1081,19 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): self.obj.primary_key.name, keys[-1], object_class, attrs_list, self.obj.container_dn ) + assert isinstance(dn, DN) else: (dn, entry_attrs) = self._exc_wrapper(keys, options, ldap.get_entry)( dn, attrs_list, normalize=self.obj.normalize_dn ) + assert isinstance(dn, DN) except errors.NotFound: self.obj.handle_not_found(*keys) for callback in self.get_callbacks('post'): dn = callback(self, ldap, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) entry_attrs['dn'] = dn self.obj.convert_attribute_members(entry_attrs, *keys, **options) @@ -1092,9 +1102,11 @@ class LDAPCreate(BaseLDAPCommand, crud.Create): return dict(result=entry_attrs, value=u'') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return dn def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1181,6 +1193,7 @@ class LDAPRetrieve(LDAPQuery): ldap = self.obj.backend dn = self.obj.get_dn(*keys, **options) + assert isinstance(dn, DN) if options.get('all', False): attrs_list = ['*'] + self.obj.default_attributes @@ -1189,11 +1202,13 @@ class LDAPRetrieve(LDAPQuery): for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, attrs_list, *keys, **options) + assert isinstance(dn, DN) try: (dn, entry_attrs) = self._exc_wrapper(keys, options, ldap.get_entry)( dn, attrs_list, normalize=self.obj.normalize_dn ) + assert isinstance(dn, DN) except errors.NotFound: self.obj.handle_not_found(*keys) @@ -1202,17 +1217,21 @@ class LDAPRetrieve(LDAPQuery): for callback in self.get_callbacks('post'): dn = callback(self, ldap, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) self.obj.convert_attribute_members(entry_attrs, *keys, **options) + assert isinstance(dn, DN) entry_attrs['dn'] = dn if self.obj.primary_key and keys[-1] is not None: return dict(result=entry_attrs, value=keys[-1]) return dict(result=entry_attrs, value=u'') def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return dn def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1261,6 +1280,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): raise errors.EmptyModlist() dn = self.obj.get_dn(*keys, **options) + assert isinstance(dn, DN) entry_attrs = self.args_options_2_entry(**options) @@ -1279,8 +1299,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): for callback in self.get_callbacks('pre'): dn = callback( self, ldap, dn, entry_attrs, attrs_list, *keys, **options) + assert isinstance(dn, DN) - ldap.get_schema() _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True) _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False) @@ -1294,10 +1314,10 @@ class LDAPUpdate(LDAPQuery, crud.Update): if self.obj.rdn_is_primary_key and self.obj.primary_key.name in entry_attrs: # RDN change self._exc_wrapper(keys, options, ldap.update_entry_rdn)(dn, - unicode('%s=%s' % (self.obj.primary_key.name, - entry_attrs[self.obj.primary_key.name]))) + RDN((self.obj.primary_key.name, entry_attrs[self.obj.primary_key.name]))) rdnkeys = keys[:-1] + (entry_attrs[self.obj.primary_key.name], ) dn = self.obj.get_dn(*rdnkeys) + assert isinstance(dn, DN) del entry_attrs[self.obj.primary_key.name] options['rdnupdate'] = True rdnupdate = True @@ -1306,6 +1326,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): # to decide what to do. An EmptyModlist in this context doesn't # mean an error occurred, just that there were no other updates to # perform. + assert isinstance(dn, DN) self._exc_wrapper(keys, options, ldap.update_entry)(dn, entry_attrs, normalize=self.obj.normalize_dn) except errors.EmptyModlist, e: if not rdnupdate: @@ -1327,6 +1348,7 @@ class LDAPUpdate(LDAPQuery, crud.Update): for callback in self.get_callbacks('post'): dn = callback(self, ldap, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) self.obj.convert_attribute_members(entry_attrs, *keys, **options) if self.obj.primary_key and keys[-1] is not None: @@ -1334,9 +1356,11 @@ class LDAPUpdate(LDAPQuery, crud.Update): return dict(result=entry_attrs, value=u'') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return dn def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1360,11 +1384,14 @@ class LDAPDelete(LDAPMultiQuery): def delete_entry(pkey): nkeys = keys[:-1] + (pkey, ) dn = self.obj.get_dn(*nkeys, **options) + assert isinstance(dn, DN) for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, *nkeys, **options) + assert isinstance(dn, DN) def delete_subtree(base_dn): + assert isinstance(base_dn, DN) truncated = True while truncated: try: @@ -1412,9 +1439,11 @@ class LDAPDelete(LDAPMultiQuery): return dict(result=dict(failed=u''), value=u'') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) return True def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1495,14 +1524,17 @@ class LDAPAddMember(LDAPModMember): (member_dns, failed) = self.get_member_dns(**options) dn = self.obj.get_dn(*keys, **options) + assert isinstance(dn, DN) for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, member_dns, failed, *keys, **options) + assert isinstance(dn, DN) completed = 0 for (attr, objs) in member_dns.iteritems(): for ldap_obj_name in objs: for m_dn in member_dns[attr][ldap_obj_name]: + assert isinstance(m_dn, DN) if not m_dn: continue try: @@ -1534,7 +1566,9 @@ class LDAPAddMember(LDAPModMember): (completed, dn) = callback( self, ldap, completed, failed, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) + assert isinstance(dn, DN) entry_attrs['dn'] = dn self.obj.convert_attribute_members(entry_attrs, *keys, **options) return dict( @@ -1544,9 +1578,11 @@ class LDAPAddMember(LDAPModMember): ) def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return (completed, dn) def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1583,14 +1619,17 @@ class LDAPRemoveMember(LDAPModMember): (member_dns, failed) = self.get_member_dns(**options) dn = self.obj.get_dn(*keys, **options) + assert isinstance(dn, DN) for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, member_dns, failed, *keys, **options) + assert isinstance(dn, DN) completed = 0 for (attr, objs) in member_dns.iteritems(): for ldap_obj_name, m_dns in objs.iteritems(): for m_dn in m_dns: + assert isinstance(m_dn, DN) if not m_dn: continue try: @@ -1625,7 +1664,9 @@ class LDAPRemoveMember(LDAPModMember): (completed, dn) = callback( self, ldap, completed, failed, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) + assert isinstance(dn, DN) entry_attrs['dn'] = dn self.obj.convert_attribute_members(entry_attrs, *keys, **options) @@ -1636,9 +1677,11 @@ class LDAPRemoveMember(LDAPModMember): ) def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return (completed, dn) def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -1765,6 +1808,7 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): base_dn = self.api.Object[self.obj.parent_object].get_dn(*args[:-1]) else: base_dn = self.obj.container_dn + assert isinstance(base_dn, DN) search_kw = self.args_options_2_entry(**options) @@ -1812,6 +1856,7 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): for callback in self.get_callbacks('pre'): (filter, base_dn, scope) = callback( self, ldap, filter, attrs_list, base_dn, scope, *args, **options) + assert isinstance(base_dn, DN) try: (entries, truncated) = self._exc_wrapper(args, options, ldap.find_entries)( @@ -1827,14 +1872,16 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): if self.sort_result_entries: if self.obj.primary_key: - sortfn=lambda x,y: cmp(x[1][self.obj.primary_key.name][0].lower(), y[1][self.obj.primary_key.name][0].lower()) - entries.sort(sortfn) + def sort_key(x): + return x[1][self.obj.primary_key.name][0].lower() + entries.sort(key=sort_key) if not options.get('raw', False): for e in entries: self.obj.convert_attribute_members(e[1], *args, **options) for e in entries: + assert isinstance(e[0], DN) e[1]['dn'] = e[0] entries = [e for (dn, e) in entries] @@ -1845,6 +1892,7 @@ class LDAPSearch(BaseLDAPCommand, crud.Search): ) def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) return (filters, base_dn, scope) def post_callback(self, ldap, entries, truncated, *args, **options): @@ -1926,9 +1974,11 @@ class LDAPAddReverseMember(LDAPModReverseMember): # Ensure our target exists result = self.api.Command[self.show_command](keys[-1])['result'] dn = result['dn'] + assert isinstance(dn, DN) for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, *keys, **options) + assert isinstance(dn, DN) if options.get('all', False): attrs_list = ['*'] + self.obj.default_attributes @@ -1967,7 +2017,9 @@ class LDAPAddReverseMember(LDAPModReverseMember): (completed, dn) = callback( self, ldap, completed, failed, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) + assert isinstance(dn, DN) entry_attrs['dn'] = dn return dict( completed=completed, @@ -1976,9 +2028,11 @@ class LDAPAddReverseMember(LDAPModReverseMember): ) def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return (completed, dn) def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): @@ -2022,9 +2076,11 @@ class LDAPRemoveReverseMember(LDAPModReverseMember): # Ensure our target exists result = self.api.Command[self.show_command](keys[-1])['result'] dn = result['dn'] + assert isinstance(dn, DN) for callback in self.get_callbacks('pre'): dn = callback(self, ldap, dn, *keys, **options) + assert isinstance(dn, DN) if options.get('all', False): attrs_list = ['*'] + self.obj.default_attributes @@ -2063,7 +2119,9 @@ class LDAPRemoveReverseMember(LDAPModReverseMember): (completed, dn) = callback( self, ldap, completed, failed, dn, entry_attrs, *keys, **options) + assert isinstance(dn, DN) + assert isinstance(dn, DN) entry_attrs['dn'] = dn return dict( completed=completed, @@ -2072,9 +2130,11 @@ class LDAPRemoveReverseMember(LDAPModReverseMember): ) def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) return dn def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return (completed, dn) def exc_callback(self, keys, options, exc, call_func, *call_args, **call_kwargs): diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py index 9573bbb65..ef0fd79fa 100644 --- a/ipalib/plugins/config.py +++ b/ipalib/plugins/config.py @@ -19,7 +19,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from ipalib import api -from ipalib import Bool, Int, Str, IA5Str, StrEnum +from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.errors import ValidationError @@ -149,7 +149,7 @@ class config(LDAPObject): label=_('Enable migration mode'), doc=_('Enable migration mode'), ), - Str('ipacertificatesubjectbase', + DNParam('ipacertificatesubjectbase', cli_name='subject', label=_('Certificate Subject base'), doc=_('Base for certificate subjects (OU=Test,O=Example)'), @@ -199,7 +199,7 @@ class config(LDAPObject): ) def get_dn(self, *keys, **kwargs): - return 'cn=ipaconfig,cn=etc' + return DN(('cn', 'ipaconfig'), ('cn', 'etc')) api.register(config) @@ -208,6 +208,7 @@ class config_mod(LDAPUpdate): __doc__ = _('Modify configuration options.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if 'ipadefaultprimarygroup' in entry_attrs: group=entry_attrs['ipadefaultprimarygroup'] try: diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 6727d052f..991eb0164 100644 --- a/ipalib/plugins/dns.py +++ b/ipalib/plugins/dns.py @@ -35,7 +35,6 @@ from ipalib.util import (validate_zonemgr, normalize_zonemgr, validate_hostname, validate_dns_label, validate_domain_name, get_dns_forward_zone_update_policy, get_dns_reverse_zone_update_policy) from ipapython.ipautil import valid_ip, CheckedIPAddress, is_host_resolvable -from ldap import explode_dn __doc__ = _(""" Domain Name System (DNS) @@ -802,10 +801,10 @@ class DNSRecord(Str): # callbacks for per-type special record behavior def dnsrecord_add_pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - pass + assert isinstance(dn, DN) def dnsrecord_add_post_callback(self, ldap, dn, entry_attrs, *keys, **options): - pass + assert isinstance(dn, DN) class ForwardRecord(DNSRecord): extra = ( @@ -817,6 +816,7 @@ class ForwardRecord(DNSRecord): ) def dnsrecord_add_pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) reverse_option = self._convert_dnsrecord_extra(self.extra[0]) if options.get(reverse_option.name): records = entry_attrs.get(self.name, []) @@ -832,6 +832,7 @@ class ForwardRecord(DNSRecord): setattr(context, '%s_reverse' % self.name, entry_attrs.get(self.name)) def dnsrecord_add_post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) rev_records = getattr(context, '%s_reverse' % self.name, []) if rev_records: @@ -1727,6 +1728,7 @@ class dnszone_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if not dns_container_exists(self.api.Backend.ldap2): raise errors.NotFound(reason=_('DNS is not configured')) @@ -1751,6 +1753,7 @@ class dnszone_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'ip_address' in options: nameserver = entry_attrs['idnssoamname'][0][:-1] # ends with a dot nsparts = nameserver.split('.') @@ -1813,6 +1816,7 @@ class dnszone_find(LDAPSearch): ) def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) if options.get('forward_only', False): search_kw = {} search_kw['idnsname'] = _valid_reverse_zones.keys() @@ -1980,6 +1984,7 @@ class dnsrecord(LDAPObject): ) def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) nsrecords = entry_attrs.get('nsrecord') if options.get('force', False) or nsrecords is None: return @@ -1987,6 +1992,7 @@ class dnsrecord(LDAPObject): check_ns_rec_resolvable(keys[0], nsrecord) def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) ptrrecords = entry_attrs.get('ptrrecord') if ptrrecords is None: return @@ -2015,6 +2021,7 @@ class dnsrecord(LDAPObject): % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count))) def run_precallback_validators(self, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) ldap = self.api.Backend.ldap2 for rtype in entry_attrs: @@ -2049,7 +2056,7 @@ class dnsrecord(LDAPObject): def get_dns_masters(self): ldap = self.api.Backend.ldap2 - base_dn = 'cn=masters,cn=ipa,cn=etc,%s' % self.api.env.basedn + base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), self.api.env.basedn) ldap_filter = '(&(objectClass=ipaConfigObject)(cn=DNS))' dns_masters = [] @@ -2058,9 +2065,12 @@ class dnsrecord(LDAPObject): for entry in entries: master_dn = entry[0] - if master_dn.startswith('cn='): - master = explode_dn(master_dn)[1].replace('cn=','') + assert isinstance(master_dn, DN) + try: + master = master_dn[1]['cn'] dns_masters.append(master) + except (IndexError, KeyError): + pass except errors.NotFound: return [] @@ -2254,6 +2264,7 @@ class dnsrecord_add(LDAPCreate): kw.update(user_options) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) precallback_attrs = [] processed_attrs = [] for option in options: @@ -2354,6 +2365,7 @@ class dnsrecord_add(LDAPCreate): raise exc def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) for attr in getattr(context, 'dnsrecord_precallback_attrs', []): param = self.params[attr] param.dnsrecord_add_post_callback(ldap, dn, entry_attrs, *keys, **options) @@ -2382,6 +2394,7 @@ class dnsrecord_mod(LDAPUpdate): return super(dnsrecord_mod, self).args_options_2_entry(*keys, **options) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if options.get('rename') and self.obj.is_pkey_zone_record(*keys): # zone rename is not allowed raise errors.ValidationError(name='rename', @@ -2466,10 +2479,12 @@ class dnsrecord_mod(LDAPUpdate): return result def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if self.obj.is_pkey_zone_record(*keys): entry_attrs[self.obj.primary_key.name] = [_dns_zone_record] self.obj.postprocess_record(entry_attrs, **options) + return dn def interactive_prompt_callback(self, kw): try: @@ -2564,6 +2579,7 @@ class dnsrecord_del(LDAPUpdate): yield option def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: (dn_, old_entry) = ldap.get_entry( dn, _record_attributes, @@ -2626,9 +2642,11 @@ class dnsrecord_del(LDAPUpdate): return result def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if self.obj.is_pkey_zone_record(*keys): entry_attrs[self.obj.primary_key.name] = [_dns_zone_record] self.obj.postprocess_record(entry_attrs, **options) + return dn def args_options_2_entry(self, *keys, **options): self.obj.has_cli_options(options, self.no_option_msg) @@ -2697,6 +2715,7 @@ class dnsrecord_show(LDAPRetrieve): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if self.obj.is_pkey_zone_record(*keys): entry_attrs[self.obj.primary_key.name] = [_dns_zone_record] self.obj.postprocess_record(entry_attrs, **options) @@ -2723,6 +2742,7 @@ class dnsrecord_find(LDAPSearch): yield option def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) # include zone record (root entry) in the search return (filter, base_dn, ldap.SCOPE_SUBTREE) @@ -2774,7 +2794,7 @@ class dns_is_enabled(Command): NO_CLI = True has_output = output.standard_value - base_dn = 'cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn + base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn) filter = '(&(objectClass=ipaConfigObject)(cn=DNS))' def execute(self, *args, **options): diff --git a/ipalib/plugins/entitle.py b/ipalib/plugins/entitle.py index 5ccdb6510..67e7f959e 100644 --- a/ipalib/plugins/entitle.py +++ b/ipalib/plugins/entitle.py @@ -318,6 +318,7 @@ class entitle_consume(LDAPUpdate): return result def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) quantity = keys[-1] os.environ['LANG'] = 'en_US' @@ -361,6 +362,7 @@ class entitle_consume(LDAPUpdate): Returning the certificates isn't very interesting. Return the status of entitlements instead. """ + assert isinstance(dn, DN) if 'usercertificate' in entry_attrs: del entry_attrs['usercertificate'] if 'userpkcs12' in entry_attrs: @@ -504,7 +506,7 @@ class entitle_register(LDAPCreate): """ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - dn = '%s,%s' % (self.obj.container_dn, self.api.env.basedn) + dn = DN(self.obj.container_dn, self.api.env.basedn) if not ldap.can_add(dn): raise errors.ACIError(info='No permission to register') os.environ['LANG'] = 'en_US' @@ -604,6 +606,7 @@ class entitle_import(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: (db, uuid, certfile, keyfile) = get_uuid(ldap) if db is not None: @@ -622,7 +625,7 @@ class entitle_import(LDAPUpdate): raise errors.CertificateFormatError(error=_('Not an entitlement certificate')) except M2Crypto.X509.X509Error: raise errors.CertificateFormatError(error=_('Not an entitlement certificate')) - dn = 'ipaentitlementid=%s,%s' % (entry_attrs['ipaentitlementid'], dn) + dn = DN(('ipaentitlementid', entry_attrs['ipaentitlementid']), dn) (dn, current_attrs) = ldap.get_entry( dn, ['*'], normalize=self.obj.normalize_dn ) @@ -689,6 +692,7 @@ class entitle_sync(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) os.environ['LANG'] = 'en_US' locale.setlocale(locale.LC_ALL, '') @@ -719,6 +723,7 @@ class entitle_sync(LDAPUpdate): Returning the certificates isn't very interesting. Return the status of entitlements instead. """ + assert isinstance(dn, DN) if 'usercertificate' in entry_attrs: del entry_attrs['usercertificate'] if 'userpkcs12' in entry_attrs: diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index 74bea1700..011587206 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -156,6 +156,7 @@ class group_add(LDAPCreate): # As both 'external' and 'nonposix' options have default= set for # them, they will always be present in options dict, thus we can # safely reference the values + assert isinstance(dn, DN) if options['external']: entry_attrs['objectclass'].append('ipaexternalgroup') if 'gidnumber' in options: @@ -176,6 +177,7 @@ class group_del(LDAPDelete): msg_summary = _('Deleted group "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) config = ldap.get_ipa_config()[1] def_primary_group = config.get('ipadefaultprimarygroup', '') def_primary_group_dn = group_dn = self.obj.get_dn(def_primary_group) @@ -192,6 +194,7 @@ class group_del(LDAPDelete): return dn def post_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) try: api.Command['pwpolicy_del'](keys[-1]) except errors.NotFound: @@ -220,6 +223,7 @@ class group_mod(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if ('posix' in options and options['posix']) or 'gidnumber' in options: (dn, old_entry_attrs) = ldap.get_entry(dn, ['objectclass']) if 'ipaexternalgroup' in old_entry_attrs['objectclass']: @@ -275,6 +279,7 @@ class group_find(LDAPSearch): ) def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) # if looking for private groups, we need to create a new search filter, # because private groups have different object classes if options['private']: @@ -319,6 +324,7 @@ class group_add_member(LDAPAddMember): ) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) result = (completed, dn) if 'ipaexternalmember' in options: if not _dcerpc_bindings_installed: @@ -367,6 +373,7 @@ class group_remove_member(LDAPRemoveMember): ) def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) if keys[0] == protected_group_name: result = api.Command.group_show(protected_group_name) users_left = set(result['result'].get('member_user', [])) @@ -377,6 +384,7 @@ class group_remove_member(LDAPRemoveMember): return dn def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) result = (completed, dn) if 'ipaexternalmember' in options: sids = options['ipaexternalmember'] diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index 460083622..94f0d0e20 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -231,6 +231,7 @@ class hbacrule_add(LDAPCreate): msg_summary = _('Added HBAC rule "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # HBAC rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' return dn @@ -244,6 +245,7 @@ class hbacrule_del(LDAPDelete): msg_summary = _('Deleted HBAC rule "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) kw = dict(seealso=keys[0]) _entries = api.Command.selinuxusermap_find(None, **kw) if _entries['count']: @@ -260,6 +262,7 @@ class hbacrule_mod(LDAPUpdate): msg_summary = _('Modified HBAC rule "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: @@ -436,6 +439,7 @@ class hbacrule_add_user(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -464,6 +468,7 @@ class hbacrule_add_host(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -492,6 +497,7 @@ class hbacrule_add_sourcehost(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -502,6 +508,7 @@ class hbacrule_add_sourcehost(LDAPAddMember): return add_external_pre_callback('host', ldap, dn, keys, options) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('sourcehost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(hbacrule_add_sourcehost) @@ -514,6 +521,7 @@ class hbacrule_remove_sourcehost(LDAPRemoveMember): member_count_out = ('%i object removed.', '%i objects removed.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('sourcehost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(hbacrule_remove_sourcehost) @@ -526,6 +534,7 @@ class hbacrule_add_service(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index e8967b8c0..a417ba0f7 100644 --- a/ipalib/plugins/host.py +++ b/ipalib/plugins/host.py @@ -38,10 +38,10 @@ from ipalib.plugins.dns import (dns_container_exists, _record_types, from ipalib.plugins.dns import get_reverse_zone from ipalib import _, ngettext from ipalib import x509 -from ipalib.dn import * from ipalib.request import context from ipalib.util import validate_sshpubkey, output_sshpubkey from ipapython.ipautil import ipa_generate_password, CheckedIPAddress, make_sshfp +from ipapython.dn import DN __doc__ = _(""" Hosts/Machines @@ -379,6 +379,7 @@ class host_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if options.get('ip_address') and dns_container_exists(ldap): parts = keys[-1].split('.') host = parts[0] @@ -423,6 +424,7 @@ class host_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) exc = None if dns_container_exists(ldap): try: @@ -483,6 +485,7 @@ class host_del(LDAPDelete): ) def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) # If we aren't given a fqdn, find it if _hostname_validator(None, keys[-1]) is not None: hostentry = api.Command['host_show'](keys[-1])['result'] @@ -599,6 +602,7 @@ class host_mod(LDAPUpdate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # Allow an existing OTP to be reset but don't allow a OTP to be # added to an enrolled host. if options.get('userpassword') or options.get('random'): @@ -690,6 +694,7 @@ class host_mod(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if options.get('random', False): entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) set_certificate_attrs(entry_attrs) @@ -728,6 +733,7 @@ class host_find(LDAPSearch): yield option def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) if 'locality' in attrs_list: attrs_list.remove('locality') attrs_list.append('l') @@ -808,6 +814,7 @@ class host_show(LDAPRetrieve): member_attributes = ['managedby'] def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.get_password_attributes(ldap, dn, entry_attrs) if entry_attrs['has_password']: # If an OTP is set there is no keytab, at least not one @@ -891,8 +898,7 @@ class host_disable(LDAPQuery): try: serial = unicode(x509.get_serial_number(cert, x509.DER)) try: - result = api.Command['cert_show'](unicode(serial))['result' -] + result = api.Command['cert_show'](unicode(serial))['result'] if 'revocation_reason' not in result: try: api.Command['cert_revoke'](unicode(serial), revocation_reason=4) @@ -928,6 +934,7 @@ class host_disable(LDAPQuery): ) def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(entry_attrs) return dn @@ -941,6 +948,7 @@ class host_add_managedby(LDAPAddMember): allow_same = True def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(entry_attrs) return (completed, dn) @@ -954,6 +962,7 @@ class host_remove_managedby(LDAPRemoveMember): has_output_params = LDAPRemoveMember.has_output_params + host_output_params def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(entry_attrs) return (completed, dn) diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py index b68c45842..7e6fe6d65 100644 --- a/ipalib/plugins/hostgroup.py +++ b/ipalib/plugins/hostgroup.py @@ -21,7 +21,7 @@ from ipalib.plugins.baseldap import * from ipalib import api, Int, _, ngettext, errors from ipalib.plugins.netgroup import NETGROUP_PATTERN, NETGROUP_PATTERN_ERRMSG -from ipalib.dn import DN +from ipapython.dn import DN __doc__ = _(""" Groups of hosts. @@ -119,6 +119,7 @@ class hostgroup_add(LDAPCreate): msg_summary = _('Added hostgroup "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: # check duplicity with hostgroups first to provide proper error netgroup = api.Command['hostgroup_show'](keys[-1]) @@ -140,6 +141,7 @@ class hostgroup_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) # Always wait for the associated netgroup to be created so we can # be sure to ignore it in memberOf newentry = wait_for_value(ldap, dn, 'objectclass', 'mepOriginEntry') @@ -166,6 +168,7 @@ class hostgroup_mod(LDAPUpdate): msg_summary = _('Modified hostgroup "%(value)s"') def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(dn, entry_attrs) return dn @@ -195,6 +198,7 @@ class hostgroup_show(LDAPRetrieve): __doc__ = _('Display information about a hostgroup.') def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof( dn, entry_attrs) return dn @@ -205,6 +209,7 @@ class hostgroup_add_member(LDAPAddMember): __doc__ = _('Add members to a hostgroup.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(dn, entry_attrs) return (completed, dn) @@ -215,6 +220,7 @@ class hostgroup_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a hostgroup.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.suppress_netgroup_memberof(dn, entry_attrs) return (completed, dn) diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index 0f80c770c..60674cc06 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -71,7 +71,7 @@ class krbtpolicy(LDAPObject): """ Kerberos Ticket Policy object """ - container_dn = 'cn=%s,cn=kerberos' % api.env.realm + container_dn = DN(('cn', api.env.realm), ('cn', 'kerberos')) object_name = _('kerberos ticket policy settings') default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage'] limit_object_classes = ['krbticketpolicyaux'] @@ -112,6 +112,7 @@ class krbtpolicy_mod(LDAPUpdate): __doc__ = _('Modify Kerberos ticket policy.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # disable all flag # ticket policies are attached to objects with unrelated attributes if options.get('all'): @@ -125,6 +126,7 @@ class krbtpolicy_show(LDAPRetrieve): __doc__ = _('Display the current Kerberos ticket policy.') def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) # disable all flag # ticket policies are attached to objects with unrelated attributes if options.get('all'): @@ -132,6 +134,7 @@ class krbtpolicy_show(LDAPRetrieve): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if keys[-1] is not None: # if policy for a specific user isn't set, display global values if 'krbmaxticketlife' not in entry_attrs or \ diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py index a8c1c6d82..157ab4447 100644 --- a/ipalib/plugins/migration.py +++ b/ipalib/plugins/migration.py @@ -21,10 +21,8 @@ import re import ldap as _ldap from ipalib import api, errors, output -from ipalib import Command, Password, Str, Flag, StrEnum +from ipalib import Command, Password, Str, Flag, StrEnum, DNParam from ipalib.cli import to_cli -from ipalib.util import validate_dn_param -from ipalib.dn import * from ipalib.plugins.user import NO_UPG_MAGIC if api.env.in_server and api.env.context in ['lite', 'server']: try: @@ -32,6 +30,7 @@ if api.env.in_server and api.env.context in ['lite', 'server']: except StandardError, e: raise e from ipalib import _ +from ipapython.dn import DN __doc__ = _(""" Migration to IPA @@ -114,18 +113,10 @@ _dn_err_msg = _('Malformed DN') _supported_schemas = (u'RFC2307bis', u'RFC2307') -_compat_dn = "cn=Schema Compatibility,cn=plugins,cn=config" - -def is_DN_syntax(ldap, attr): - """ - Check the schema to see if the attribute uses DN syntax. - - Returns True/False - """ - obj = ldap.schema.get_obj(_ldap.schema.AttributeType, attr) - return obj is not None and obj.syntax == '1.3.6.1.4.1.1466.115.121.1.12' +_compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config')) def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): + assert isinstance(dn, DN) attr_blacklist = ['krbprincipalkey','memberofindirect','memberindirect'] attr_blacklist.extend(kwargs.get('attr_blacklist', [])) ds_ldap = ctx['ds_ldap'] @@ -198,17 +189,18 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs # tree for attr in entry_attrs.keys(): - if is_DN_syntax(ldap, attr): + if ldap.has_dn_syntax(attr): for ind, value in enumerate(entry_attrs[attr]): + assert isinstance(value, DN) try: (remote_dn, remote_entry) = ds_ldap.get_entry(value, [api.Object.user.primary_key.name, api.Object.group.primary_key.name]) except errors.NotFound: api.log.warn('%s: attribute %s refers to non-existent entry %s' % (pkey, attr, value)) continue - if value.lower().endswith(search_bases['user']): + if value.endswith(search_bases['user']): primary_key = api.Object.user.primary_key.name container = api.env.container_user - elif value.lower().endswith(search_bases['group']): + elif value.endswith(search_bases['group']): primary_key = api.Object.group.primary_key.name container = api.env.container_group else: @@ -221,15 +213,13 @@ def _pre_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs api.log.debug('converting DN value %s for %s in %s' % (value, attr, dn)) rdnval = remote_entry[primary_key][0].lower() - entry_attrs[attr][ind] = \ - str(DN((primary_key, rdnval), - container, - api.env.basedn)) + entry_attrs[attr][ind] = DN((primary_key, rdnval), container, api.env.basedn) return dn def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): + assert isinstance(dn, DN) # add user to the default group try: ldap.add_entry_to_group(dn, ctx['def_group_dn']) @@ -246,6 +236,7 @@ def _post_migrate_user(ldap, pkey, dn, entry_attrs, failed, config, ctx): # GROUP MIGRATION CALLBACKS AND VARS def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwargs): + def convert_members_rfc2307bis(member_attr, search_bases, overwrite=False): """ Convert DNs in member attributes to work in IPA. @@ -253,24 +244,19 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg new_members = [] entry_attrs.setdefault(member_attr, []) for m in entry_attrs[member_attr]: + assert isinstance(m, DN) try: - # what str2dn returns looks like [[('cn', 'foo', 4)], [('dc', 'example', 1)], [('dc', 'com', 1)]] - rdn = _ldap.dn.str2dn(m ,flags=_ldap.DN_FORMAT_LDAPV3)[0] - rdnval = rdn[0][1] + rdnval = m[0].value except IndexError: api.log.error('Malformed DN %s has no RDN?' % m) continue - if m.lower().endswith(search_bases['user']): + if m.endswith(search_bases['user']): api.log.info('migrating user %s' % m) - m = '%s=%s,%s' % (api.Object.user.primary_key.name, - rdnval, - api.env.container_user) - elif m.lower().endswith(search_bases['group']): + m = DN((api.Object.user.primary_key.name, rdnval), api.env.container_user) + elif m.endswith(search_bases['group']): api.log.info('migrating group %s' % m) - m = '%s=%s,%s' % (api.Object.group.primary_key.name, - rdnval, - api.env.container_group) + m = DN((api.Object.group.primary_key.name, rdnval), api.env.container_group) else: api.log.error('entry %s does not belong into any known container' % m) continue @@ -290,12 +276,11 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg new_members = [] entry_attrs.setdefault(member_attr, []) for m in entry_attrs[member_attr]: - memberdn = '%s=%s,%s' % (api.Object.user.primary_key.name, - m, - api.env.container_user) + memberdn = DN((api.Object.user.primary_key.name, m), api.env.container_user) new_members.append(ldap.normalize_dn(memberdn)) entry_attrs['member'] = new_members + assert isinstance(dn, DN) attr_blacklist = ['memberofindirect','memberindirect'] attr_blacklist.extend(kwargs.get('attr_blacklist', [])) @@ -330,6 +315,7 @@ def _pre_migrate_group(ldap, pkey, dn, entry_attrs, failed, config, ctx, **kwarg def _group_exc_callback(ldap, dn, entry_attrs, exc, options): + assert isinstance(dn, DN) if isinstance(exc, errors.DuplicateEntry): if options.get('groupoverwritegid', False) and \ entry_attrs.get('gidnumber') is not None: @@ -424,24 +410,24 @@ class migrate_ds(Command): ) takes_options = ( - Str('binddn?', validate_dn_param, + DNParam('binddn?', cli_name='bind_dn', label=_('Bind DN'), - default=u'cn=directory manager', + default=DN(('cn', 'directory manager')), autofill=True, ), - Str('usercontainer', validate_dn_param, + DNParam('usercontainer', cli_name='user_container', label=_('User container'), doc=_('DN of container for users in DS relative to base DN'), - default=u'ou=people', + default=DN(('ou', 'people')), autofill=True, ), - Str('groupcontainer', validate_dn_param, + DNParam('groupcontainer', cli_name='group_container', label=_('Group container'), doc=_('DN of container for groups in DS relative to base DN'), - default=u'ou=groups', + default=DN(('ou', 'groups')), autofill=True, ), Str('userobjectclass+', @@ -511,7 +497,7 @@ class migrate_ds(Command): doc=_('Continuous operation mode. Errors are reported but the process continues'), default=False, ), - Str('basedn?', + DNParam('basedn?', cli_name='base_dn', label=_('Base DN'), doc=_('Base DN on remote LDAP server'), @@ -594,11 +580,9 @@ can use their Kerberos accounts.''') def _get_search_bases(self, options, ds_base_dn, migrate_order): search_bases = dict() - ds_base_dn = DN(ds_base_dn) for ldap_obj_name in migrate_order: container = options.get('%scontainer' % to_cli(ldap_obj_name)) if container: - container = DN(container) # Don't append base dn if user already appended it in the container dn if container.endswith(ds_base_dn): search_base = container @@ -606,13 +590,14 @@ can use their Kerberos accounts.''') search_base = DN(container, ds_base_dn) else: search_base = ds_base_dn - search_bases[ldap_obj_name] = str(search_base) + search_bases[ldap_obj_name] = search_base return search_bases def migrate(self, ldap, config, ds_ldap, ds_base_dn, options): """ Migrate objects from DS to LDAP. """ + assert isinstance(ds_base_dn, DN) migrated = {} # {'OBJ': ['PKEY1', 'PKEY2', ...], ...} failed = {} # {'OBJ': {'PKEY1': 'Failed 'cos blabla', ...}, ...} search_bases = self._get_search_bases(options, ds_base_dn, self.migrate_order) @@ -703,6 +688,7 @@ can use their Kerberos accounts.''') continue dn = ldap_obj.get_dn(pkey) + assert isinstance(dn, DN) entry_attrs['objectclass'] = list( set( config.get( @@ -722,6 +708,7 @@ can use their Kerberos accounts.''') valid_gids = valid_gids, **blacklists ) + assert isinstance(dn, DN) if not dn: continue except errors.NotFound, e: @@ -760,6 +747,8 @@ can use their Kerberos accounts.''') config = ldap.get_ipa_config()[1] ds_base_dn = options.get('basedn') + if ds_base_dn is not None: + assert isinstance(ds_base_dn, DN) # check if migration mode is enabled if config.get('ipamigrationenabled', ('FALSE', ))[0] == 'FALSE': @@ -773,6 +762,7 @@ can use their Kerberos accounts.''') if not options.get('compat'): try: (dn,check_compat) = ldap.get_entry(_compat_dn, normalize=False) + assert isinstance(dn, DN) if check_compat is not None and \ check_compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': return dict(result={}, failed={}, enabled=True, compat=False) @@ -782,14 +772,16 @@ can use their Kerberos accounts.''') if not ds_base_dn: # retrieve base DN from remote LDAP server (entries, truncated) = ds_ldap.find_entries( - '', ['namingcontexts', 'defaultnamingcontext'], '', + '', ['namingcontexts', 'defaultnamingcontext'], DN(''), _ldap.SCOPE_BASE, size_limit=-1, time_limit=0, ) if 'defaultnamingcontext' in entries[0][1]: - ds_base_dn = entries[0][1]['defaultnamingcontext'][0] + ds_base_dn = DN(entries[0][1]['defaultnamingcontext'][0]) + assert isinstance(ds_base_dn, DN) else: try: - ds_base_dn = entries[0][1]['namingcontexts'][0] + ds_base_dn = DN(entries[0][1]['namingcontexts'][0]) + assert isinstance(ds_base_dn, DN) except (IndexError, KeyError), e: raise StandardError(str(e)) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index 4236feeb7..263d66b55 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -162,6 +162,7 @@ class netgroup_add(LDAPCreate): u'Hostgroups and netgroups share a common namespace') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) entry_attrs.setdefault('nisdomainname', self.api.env.domain) try: @@ -203,6 +204,7 @@ class netgroup_mod(LDAPUpdate): msg_summary = _('Modified netgroup "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: @@ -238,6 +240,7 @@ class netgroup_find(LDAPSearch): ) def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) # Do not display private mepManagedEntry netgroups by default # If looking for managed groups, we need to omit the negation search filter @@ -267,8 +270,11 @@ class netgroup_add_member(LDAPAddMember): member_attributes = ['memberuser', 'memberhost', 'member'] has_output_params = LDAPAddMember.has_output_params + output_params def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) return add_external_pre_callback('host', ldap, dn, keys, options) + def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(netgroup_add_member) @@ -280,6 +286,7 @@ class netgroup_remove_member(LDAPRemoveMember): member_attributes = ['memberuser', 'memberhost', 'member'] has_output_params = LDAPRemoveMember.has_output_params + output_params def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(netgroup_remove_member) diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py index 9bee314ec..2c83560b1 100644 --- a/ipalib/plugins/passwd.py +++ b/ipalib/plugins/passwd.py @@ -24,6 +24,7 @@ from ipalib import _ from ipalib import output from ipalib.plugins.user import split_principal, validate_principal, normalize_principal from ipalib.request import context +from ipapython.dn import DN __doc__ = _(""" Set a user's password @@ -104,7 +105,7 @@ class passwd(Command): (dn, entry_attrs) = ldap.find_entry_by_attr( 'krbprincipalname', principal, 'posixaccount', [''], - ",".join([api.env.container_user, api.env.basedn]) + DN(api.env.container_user, api.env.basedn) ) if principal == getattr(context, 'principal') and \ diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 89f9eaa62..befa74df8 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -22,6 +22,7 @@ from ipalib import api, _, ngettext from ipalib import Flag, Str, StrEnum from ipalib.request import context from ipalib import errors +from ipapython.dn import DN, EditableDN __doc__ = _(""" Permissions @@ -202,6 +203,7 @@ class permission_add(LDAPCreate): has_output_params = LDAPCreate.has_output_params + output_params def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # Test the ACI before going any further opts = self.obj.filter_aci_attributes(options) opts['test'] = True @@ -219,6 +221,7 @@ class permission_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) # Now actually add the aci. opts = self.obj.filter_aci_attributes(options) opts['test'] = False @@ -275,6 +278,7 @@ class permission_add_noaci(LDAPCreate): yield option def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) permission_type = options.get('permissiontype') if permission_type: entry_attrs['ipapermissiontype'] = [ permission_type ] @@ -297,6 +301,7 @@ class permission_del(LDAPDelete): ) def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) if not options.get('force') and not self.obj.check_system(ldap, dn, *keys): raise errors.ACIError(info='A SYSTEM permission may not be removed') # remove permission even when the underlying ACI is missing @@ -316,6 +321,7 @@ class permission_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + output_params def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if not self.obj.check_system(ldap, dn, *keys): raise errors.ACIError(info='A SYSTEM permission may not be modified') @@ -332,10 +338,13 @@ class permission_mod(LDAPUpdate): if 'rename' in options: if options['rename']: try: - new_dn = dn.replace(keys[-1].lower(), options['rename'], 1) - (new_dn, attrs) = ldap.get_entry( - new_dn, attrs_list, normalize=self.obj.normalize_dn - ) + try: + new_dn = EditableDN(dn) + new_dn[0]['cn'] # assure the first RDN has cn as it's type + except (IndexError, KeyError), e: + raise ValueError("expected dn starting with 'cn=' but got '%s'" % dn) + new_dn[0].value = options['rename'] + (new_dn, attrs) = ldap.get_entry(new_dn, attrs_list, normalize=self.obj.normalize_dn) raise errors.DuplicateEntry() except errors.NotFound: pass # permission may be renamed, continue @@ -371,6 +380,7 @@ class permission_mod(LDAPUpdate): raise exc def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) # rename the underlying ACI after the change to permission cn = keys[-1] @@ -480,6 +490,7 @@ class permission_show(LDAPRetrieve): has_output_params = LDAPRetrieve.has_output_params + output_params def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) try: common_options = filter_options(options, ['all', 'raw']) aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX, diff --git a/ipalib/plugins/pkinit.py b/ipalib/plugins/pkinit.py index cb3b9c2fc..2d11f0244 100644 --- a/ipalib/plugins/pkinit.py +++ b/ipalib/plugins/pkinit.py @@ -21,6 +21,7 @@ from ipalib import api, errors from ipalib import Int, Str from ipalib import Object, Command from ipalib import _ +from ipapython.dn import DN __doc__ = _(""" Kerberos pkinit options @@ -67,9 +68,7 @@ class pkinit_anonymous(Command): __doc__ = _('Enable or Disable Anonymous PKINIT.') princ_name = 'WELLKNOWN/ANONYMOUS@%s' % api.env.realm - default_dn = 'krbprincipalname=%s,cn=%s,cn=kerberos,%s' % ( - princ_name, api.env.realm, api.env.basedn - ) + default_dn = DN(('krbprincipalname', princ_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn) takes_args = ( Str('action', valid_arg), diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py index 77e6f2c79..33c8329f7 100644 --- a/ipalib/plugins/pwpolicy.py +++ b/ipalib/plugins/pwpolicy.py @@ -19,11 +19,12 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from ipalib import api -from ipalib import Int, Str +from ipalib import Int, Str, DNParam from ipalib.plugins.baseldap import * from ipalib import _ from ipalib.request import context from ipapython.ipautil import run +from ipapython.dn import DN from distutils import version __doc__ = _(""" @@ -75,13 +76,13 @@ class cosentry(LDAPObject): """ NO_CLI = True - container_dn = 'cn=costemplates,%s' % api.env.container_accounts + container_dn = DN(('cn', 'costemplates'), api.env.container_accounts) object_class = ['top', 'costemplate', 'extensibleobject', 'krbcontainer'] default_attributes = ['cn', 'cospriority', 'krbpwdpolicyreference'] takes_params = ( Str('cn', primary_key=True), - Str('krbpwdpolicyreference'), + DNParam('krbpwdpolicyreference'), Int('cospriority', minvalue=0), ) @@ -102,8 +103,7 @@ class cosentry(LDAPObject): )['result'] if len(entries) > 0: group_name = self.api.Object.group.get_primary_key_from_dn( - entries[0]['cn'][0] - ) + DN(entries[0]['cn'][0])) raise errors.ValidationError( name='priority', error=self.priority_not_unique_msg % { @@ -119,6 +119,7 @@ class cosentry_add(LDAPCreate): NO_CLI = True def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # check for existence of the group result = self.api.Command.group_show(keys[-1], all=True)['result'] oc = map(lambda x:x.lower(),result['objectclass']) @@ -141,6 +142,7 @@ class cosentry_mod(LDAPUpdate): NO_CLI = True def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) new_cospriority = options.get('cospriority') if new_cospriority is not None: cos_entry = self.api.Command.cosentry_show(keys[-1])['result'] @@ -167,13 +169,13 @@ api.register(cosentry_find) global_policy_name = 'global_policy' -global_policy_dn = 'cn=%s,cn=%s,cn=kerberos,%s' % (global_policy_name, api.env.realm, api.env.basedn) +global_policy_dn = DN(('cn', global_policy_name), ('cn', api.env.realm), ('cn', 'kerberos'), api.env.basedn) class pwpolicy(LDAPObject): """ Password Policy object """ - container_dn = 'cn=%s,cn=kerberos' % api.env.realm + container_dn = DN(('cn', api.env.realm), ('cn', 'kerberos')) object_name = _('password policy') object_name_plural = _('password policies') object_class = ['top', 'nscontainer', 'krbpwdpolicy'] @@ -339,6 +341,7 @@ class pwpolicy_add(LDAPCreate): yield self.obj.primary_key.clone(attribute=True, required=True) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) self.obj.convert_time_on_input(entry_attrs) self.obj.validate_lifetime(entry_attrs, True) self.api.Command.cosentry_add( @@ -348,6 +351,7 @@ class pwpolicy_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.log.info('%r' % entry_attrs) # attribute rights are not allowed for pwpolicy_add self.obj.add_cospriority(entry_attrs, keys[-1], rights=False) @@ -366,7 +370,8 @@ class pwpolicy_del(LDAPDelete): ) def pre_callback(self, ldap, dn, *keys, **options): - if dn.lower() == global_policy_dn.lower(): + assert isinstance(dn, DN) + if dn == global_policy_dn: raise errors.ValidationError( name='group', error=_('cannot delete global password policy') @@ -374,6 +379,7 @@ class pwpolicy_del(LDAPDelete): return dn def post_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) try: self.api.Command.cosentry_del(keys[-1]) except errors.NotFound: @@ -387,6 +393,7 @@ class pwpolicy_mod(LDAPUpdate): __doc__ = _('Modify a group password policy.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) self.obj.convert_time_on_input(entry_attrs) self.obj.validate_lifetime(entry_attrs, False, *keys) setattr(context, 'cosupdate', False) @@ -408,6 +415,7 @@ class pwpolicy_mod(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) rights = options.get('all', False) and options.get('rights', False) self.obj.add_cospriority(entry_attrs, keys[-1], rights) self.obj.convert_time_for_output(entry_attrs, **options) @@ -436,6 +444,7 @@ class pwpolicy_show(LDAPRetrieve): ) def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) if options.get('user') is not None: user_entry = self.api.Command.user_show( options['user'], all=True @@ -445,6 +454,7 @@ class pwpolicy_show(LDAPRetrieve): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) rights = options.get('all', False) and options.get('rights', False) self.obj.add_cospriority(entry_attrs, keys[-1], rights) self.obj.convert_time_for_output(entry_attrs, **options) diff --git a/ipalib/plugins/range.py b/ipalib/plugins/range.py index 39849b661..c1d918679 100644 --- a/ipalib/plugins/range.py +++ b/ipalib/plugins/range.py @@ -96,6 +96,7 @@ class range_add(LDAPCreate): msg_summary = _('Added ID range "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if ('ipanttrusteddomainsid' not in options and 'ipasecondarybaserid' not in options): raise errors.ValidationError(name=_('Range setup'), @@ -110,6 +111,7 @@ class range_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.handle_iparangetype(entry_attrs, options, keep_objectclass=True) return dn @@ -128,6 +130,7 @@ class range_find(LDAPSearch): # Since all range types are stored within separate containers under # 'cn=ranges,cn=etc' search can be done on a one-level scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) attrs_list.append('objectclass') return (filters, base_dn, ldap.SCOPE_ONELEVEL) @@ -140,10 +143,12 @@ class range_show(LDAPRetrieve): __doc__ = _('Display information about a range.') def pre_callback(self, ldap, dn, attrs_list, *keys, **options): + assert isinstance(dn, DN) attrs_list.append('objectclass') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.handle_iparangetype(entry_attrs, options) return dn @@ -153,10 +158,12 @@ class range_mod(LDAPUpdate): msg_summary = _('Modified ID range "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) attrs_list.append('objectclass') return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.handle_iparangetype(entry_attrs, options) return dn @@ -166,4 +173,3 @@ api.register(range_mod) api.register(range_del) api.register(range_find) api.register(range_show) - diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py index 160e68c96..988cb4f0b 100644 --- a/ipalib/plugins/selinuxusermap.py +++ b/ipalib/plugins/selinuxusermap.py @@ -234,6 +234,7 @@ class selinuxusermap_add(LDAPCreate): msg_summary = _('Added SELinux User Map "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) # rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser']) @@ -243,6 +244,7 @@ class selinuxusermap_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj._convert_seealso(ldap, entry_attrs, **options) return dn @@ -264,6 +266,7 @@ class selinuxusermap_mod(LDAPUpdate): msg_summary = _('Modified SELinux User Map "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, attrs_list) except errors.NotFound: @@ -288,6 +291,7 @@ class selinuxusermap_mod(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj._convert_seealso(ldap, entry_attrs, **options) return dn @@ -331,6 +335,7 @@ class selinuxusermap_show(LDAPRetrieve): __doc__ = _('Display the properties of a SELinux User Map rule.') def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj._convert_seealso(ldap, entry_attrs, **options) return dn @@ -398,6 +403,7 @@ class selinuxusermap_add_user(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -428,6 +434,7 @@ class selinuxusermap_add_host(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 7cb7b8030..213711ab3 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -278,6 +278,7 @@ class service_add(LDAPCreate): ), ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) (service, hostname, realm) = split_principal(keys[-1]) if service.lower() == 'host' and not options['force']: raise errors.HostService() @@ -322,6 +323,7 @@ class service_del(LDAPDelete): msg_summary = _('Deleted service "%(value)s"') member_attributes = ['managedby'] def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) # In the case of services we don't want IPA master services to be # deleted. This is a limited few though. If the user has their own # custom services allow them to manage them. @@ -367,6 +369,7 @@ class service_mod(LDAPUpdate): member_attributes = ['managedby'] def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'usercertificate' in options: (service, hostname, realm) = split_principal(keys[-1]) cert = options.get('usercertificate') @@ -386,7 +389,9 @@ class service_mod(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) set_certificate_attrs(entry_attrs) + return dn api.register(service_mod) @@ -402,6 +407,7 @@ class service_find(LDAPSearch): has_output_params = LDAPSearch.has_output_params + output_params def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) # lisp style! custom_filter = '(&(objectclass=ipaService)' \ '(!(objectClass=posixAccount))' \ @@ -439,6 +445,7 @@ class service_show(LDAPRetrieve): has_output_params = LDAPRetrieve.has_output_params + output_params def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) self.obj.get_password_attributes(ldap, dn, entry_attrs) set_certificate_attrs(entry_attrs) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 723cce2e4..e2937949b 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -246,6 +246,7 @@ class sudorule_add(LDAPCreate): __doc__ = _('Create new Sudo Rule.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) self.obj.check_order_uniqueness(*keys, **options) # Sudo Rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' @@ -269,6 +270,7 @@ class sudorule_mod(LDAPUpdate): msg_summary = _('Modified Sudo Rule "%(value)s"') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if 'sudoorder' in options: new_order = options.get('sudoorder') old_entry = self.api.Command.sudorule_show(keys[-1])['result'] @@ -371,6 +373,7 @@ class sudorule_add_allow_command(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -399,6 +402,7 @@ class sudorule_add_deny_command(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -426,6 +430,7 @@ class sudorule_add_user(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -435,6 +440,7 @@ class sudorule_add_user(LDAPAddMember): return add_external_pre_callback('user', ldap, dn, keys, options) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('memberuser', 'user', 'externaluser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_add_user) @@ -447,6 +453,7 @@ class sudorule_remove_user(LDAPRemoveMember): member_count_out = ('%i object removed.', '%i objects removed.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('memberuser', 'user', 'externaluser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_remove_user) @@ -459,6 +466,7 @@ class sudorule_add_host(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, found, not_found, *keys, **options): + assert isinstance(dn, DN) try: (_dn, _entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: @@ -468,6 +476,7 @@ class sudorule_add_host(LDAPAddMember): return add_external_pre_callback('host', ldap, dn, keys, options) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_add_host) @@ -480,6 +489,7 @@ class sudorule_remove_host(LDAPRemoveMember): member_count_out = ('%i object removed.', '%i objects removed.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_remove_host) @@ -491,6 +501,7 @@ class sudorule_add_runasuser(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) def check_validity(runas): v = unicode(runas) if v.upper() == u'ALL': @@ -521,6 +532,7 @@ class sudorule_add_runasuser(LDAPAddMember): return add_external_pre_callback('user', ldap, dn, keys, options) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_add_runasuser) @@ -533,6 +545,7 @@ class sudorule_remove_runasuser(LDAPRemoveMember): member_count_out = ('%i object removed.', '%i objects removed.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_remove_runasuser) @@ -545,6 +558,7 @@ class sudorule_add_runasgroup(LDAPAddMember): member_count_out = ('%i object added.', '%i objects added.') def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) def check_validity(runas): v = unicode(runas) if v.upper() == u'ALL': @@ -569,6 +583,7 @@ class sudorule_add_runasgroup(LDAPAddMember): return add_external_pre_callback('group', ldap, dn, keys, options) def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return add_external_post_callback('ipasudorunasgroup', 'group', 'ipasudorunasextgroup', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_add_runasgroup) @@ -581,6 +596,7 @@ class sudorule_remove_runasgroup(LDAPRemoveMember): member_count_out = ('%i object removed.', '%i objects removed.') def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) return remove_external_post_callback('ipasudorunasgroup', 'group', 'ipasudorunasextgroup', ldap, completed, failed, dn, entry_attrs, keys, options) api.register(sudorule_remove_runasgroup) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index acb65b388..a70293bff 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -107,9 +107,10 @@ class trust(LDAPObject): ) def make_trust_dn(env, trust_type, dn): + assert isinstance(dn, DN) if trust_type in trust.trust_types: container_dn = DN(('cn', trust_type), env.container_trusts, env.basedn) - return unicode(DN(DN(dn)[0], container_dn)) + return DN(dn[0], container_dn) return dn class trust_add(LDAPCreate): @@ -214,6 +215,7 @@ class trust_del(LDAPDelete): msg_summary = _('Deleted trust "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) try: result = self.api.Command.trust_show(keys[-1]) except errors.NotFound, e: @@ -226,6 +228,7 @@ class trust_mod(LDAPUpdate): msg_summary = _('Modified trust "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) result = None try: result = self.api.Command.trust_show(keys[-1]) @@ -245,6 +248,7 @@ class trust_find(LDAPSearch): # Since all trusts types are stored within separate containers under 'cn=trusts', # search needs to be done on a sub-tree scope def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + assert isinstance(base_dn, DN) return (filters, base_dn, ldap.SCOPE_SUBTREE) class trust_show(LDAPRetrieve): @@ -271,6 +275,7 @@ class trust_show(LDAPRetrieve): return result def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if 'trust_show_type' in options: return make_trust_dn(self.env, options['trust_show_type'], dn) return dn @@ -281,4 +286,3 @@ api.register(trust_mod) api.register(trust_del) api.register(trust_find) api.register(trust_show) - diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index c19d9a666..529699f9a 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -375,11 +375,12 @@ class user(LDAPObject): if not manager: return None - if isinstance(manager, basestring): + if not isinstance(manager, list): manager = [manager] try: + container_dn = DN(self.container_dn, api.env.basedn) for m in xrange(len(manager)): - if manager[m].endswith('%s,%s' % (self.container_dn, api.env.basedn)): + if isinstance(manager[m], DN) and manager[m].endswith(container_dn): continue (dn, entry_attrs) = self.backend.find_entry_by_attr( self.primary_key.name, manager[m], self.object_class, [''], @@ -420,6 +421,7 @@ class user_add(LDAPCreate): ) def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if not options.get('noprivate', False): try: # The Managed Entries plugin will allow a user to be created @@ -459,7 +461,9 @@ class user_add(LDAPCreate): homes_root = config.get('ipahomesrootdir', ['/home'])[0] # build user's home directory based on his uid entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1]) - entry_attrs.setdefault('krbpwdpolicyreference', 'cn=global_policy,cn=%s,cn=kerberos,%s' % (api.env.realm, api.env.basedn)) + entry_attrs.setdefault('krbpwdpolicyreference', + DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'), + api.env.basedn)) entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm)) if entry_attrs.get('gidnumber', DNA_MAGIC) == DNA_MAGIC: @@ -496,6 +500,7 @@ class user_add(LDAPCreate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) config = ldap.get_ipa_config()[1] # add the user we just created into the default primary group def_primary_group = config.get('ipadefaultprimarygroup') @@ -544,6 +549,7 @@ class user_del(LDAPDelete): msg_summary = _('Deleted user "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): + assert isinstance(dn, DN) protected_group_name = u'admins' result = api.Command.group_show(protected_group_name) if result['result'].get('member_user', []) == [keys[-1]]: @@ -562,6 +568,7 @@ class user_mod(LDAPUpdate): has_output_params = LDAPUpdate.has_output_params + user_output_params def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + assert isinstance(dn, DN) if options.get('rename') is not None: config = ldap.get_ipa_config()[1] if 'ipamaxusernamelength' in config: @@ -592,6 +599,7 @@ class user_mod(LDAPUpdate): return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) if options.get('random', False): try: entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword')) @@ -621,6 +629,7 @@ class user_find(LDAPSearch): ) def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *keys, **options): + assert isinstance(base_dn, DN) if options.get('whoami'): return ("(&(objectclass=posixaccount)(krbprincipalname=%s))"%\ getattr(context, 'principal'), base_dn, scope) @@ -651,6 +660,7 @@ class user_show(LDAPRetrieve): has_output_params = LDAPRetrieve.has_output_params + user_output_params def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) convert_nsaccountlock(entry_attrs) self.obj._convert_manager(entry_attrs, **options) self.obj.get_password_attributes(ldap, dn, entry_attrs) @@ -763,7 +773,7 @@ class user_status(LDAPQuery): # Get list of masters try: (masters, truncated) = ldap.find_entries( - None, ['*'], 'cn=masters,cn=ipa,cn=etc,%s' % api.env.basedn, + None, ['*'], DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn), ldap.SCOPE_ONELEVEL ) except errors.NotFound: diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py index c827d3d9d..8db1a9653 100644 --- a/ipalib/plugins/virtual.py +++ b/ipalib/plugins/virtual.py @@ -23,6 +23,7 @@ Base classes for non-LDAP backend plugins. from ipalib import api from ipalib import Command from ipalib import errors +from ipapython.dn import DN class VirtualCommand(Command): """ @@ -55,7 +56,7 @@ class VirtualCommand(Command): ldap = self.api.Backend.ldap2 self.log.debug("IPA: virtual verify %s" % operation) - operationdn = "cn=%s,%s,%s" % (operation, self.api.env.container_virtual, self.api.env.basedn) + operationdn = DN(('cn', operation), self.api.env.container_virtual, self.api.env.basedn) try: if not ldap.can_write(operationdn, "objectclass"): diff --git a/ipalib/rpc.py b/ipalib/rpc.py index 8a6a51088..a22fae505 100644 --- a/ipalib/rpc.py +++ b/ipalib/rpc.py @@ -57,6 +57,7 @@ from nss.error import NSPRError from urllib2 import urlparse from ipalib.krb_utils import KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, KRB5KRB_AP_ERR_TKT_EXPIRED, \ KRB5_FCC_PERM, KRB5_FCC_NOFILE, KRB5_CC_FORMAT, KRB5_REALM_CANT_RESOLVE +from ipapython.dn import DN COOKIE_NAME = 'ipa_session_cookie:%s' @@ -83,7 +84,7 @@ def xml_wrap(value): """ if type(value) in (list, tuple): return tuple(xml_wrap(v) for v in value) - if type(value) is dict: + if isinstance(value, dict): return dict( (k, xml_wrap(v)) for (k, v) in value.iteritems() ) @@ -92,6 +93,8 @@ def xml_wrap(value): if type(value) is Decimal: # transfer Decimal as a string return unicode(value) + if isinstance(value, DN): + return str(value) assert type(value) in (unicode, int, float, bool, NoneType) return value diff --git a/ipalib/session.py b/ipalib/session.py index 4b783bbcb..87fa44825 100644 --- a/ipalib/session.py +++ b/ipalib/session.py @@ -628,7 +628,7 @@ mod_auth_kerb. Everything else remains the same. default_max_session_duration = 60*60 # number of seconds -ISO8601_DATETIME_FMT = '%Y-%m-%dT%H:%M:%S' # FIXME jrd, this should be defined elsewhere +ISO8601_DATETIME_FMT = '%Y-%m-%dT%H:%M:%S' # FIXME, this should be defined elsewhere def fmt_time(timestamp): return time.strftime(ISO8601_DATETIME_FMT, time.localtime(timestamp)) diff --git a/ipalib/util.py b/ipalib/util.py index 039ffb06d..abd50da7d 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -33,8 +33,8 @@ from dns.exception import DNSException from ipalib import errors from ipalib.text import _ -from ipalib.dn import DN, RDN from ipapython.ipautil import decode_ssh_pubkey +from ipapython.dn import DN, RDN def json_serialize(obj): @@ -472,10 +472,3 @@ def validate_rdn_param(ugettext, value): except Exception, e: return str(e) return None - -def validate_dn_param(ugettext, value): - try: - rdn = DN(value) - except Exception, e: - return str(e) - return None diff --git a/ipalib/x509.py b/ipalib/x509.py index 1b133adfb..84c1acfcd 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -42,7 +42,7 @@ from ipalib import api from ipalib import _ from ipalib import util from ipalib import errors -from ipalib.dn import DN +from ipapython.dn import DN PEM = 0 DER = 1 |