authorRob Crittenden <rcritten@redhat.com>2009-03-23 15:18:55 -0400
committerRob Crittenden <rcritten@redhat.com>2009-03-25 11:03:03 -0400
commitd6814f3aae1e3af371eaf9d10ae37bfee464015a (patch)
tree54028c303b9cdec63e10907011f5ca7d289223c4 /ipalib
parentfcfcc765249c97ff621d298a48e7bb6474134f5b (diff)
Implement a few new targets for ACIs
Also switch to the StrEnum parameter type for some options so we let the framework do the enforcement
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/aci.py40
1 files changed, 32 insertions, 8 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 6eb482642..6a2a1c2d7 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -23,9 +23,15 @@ Frontend plugins for managing DS ACIs
from ipalib import api, crud, errors2
from ipalib import Object, Command # Plugin base classes
-from ipalib import Str, Flag, Int # Parameter types
+from ipalib import Str, Flag, Int, StrEnum # Parameter types
from ipalib.aci import ACI
+type_map = {
+ 'user': 'ldap:///uid=*,%s,%s' % (api.env.container_user, api.env.basedn),
+ 'group': 'ldap:///cn=*,%s,%s' % (api.env.container_group, api.env.basedn),
+ 'host': 'ldap:///cn=*,%s,%s' % (api.env.container_host, api.env.basedn)
+}
+
def make_aci(current, aciname, kw):
try:
taskgroup = api.Command['taskgroup_show'](kw['taskgroup'])
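Review bot: The new `type_map` defines a `'host'` entry, but the `type?` parameter added later in this commit (the `StrEnum('type?', ...)` hunk) only allows `values=(u'user', u'group')` while its doc string still advertises "user, group, host", so the host target is unreachable through the parameter and the doc is misleading; either add `u'host'` to the values tuple or drop the entry and the word "host" from the doc. The three URIs are also computed once at module import from `api.env.container_*` and `api.env.basedn`; if any of those can still change after this plugin is imported (I cannot tell from this hunk), the dict would hold stale values, and a small helper that builds the URI at call time would avoid that. The surrounding `make_aci` body continues past the end of this hunk.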
@@ -39,12 +45,25 @@ def make_aci(current, aciname, kw):
a.permissions = kw['permissions'].replace(' ','').split(',')
a.set_bindrule("groupdn = \"ldap:///%s\"" % taskgroup['dn'])
if kw.get('attrs', None):
- a.set_target_attr(kw['attrs'].split())
- if kw.get('type', None):
- a.set_target_attr(kw['attrs'].split())
+ a.set_target_attr(kw['attrs'].split(','))
if kw.get('memberof', None):
group = api.Command['group_show'](kw['memberof'])
a.set_target_filter("memberOf=%s" % group['dn'].decode('UTF-8'))
+ if kw.get('type', None):
+ target = type_map[kw.get('type')]
+ a.set_target(target)
+ if kw.get('targetgroup', None):
+ # Purposely no try here so we'll raise a NotFound
+ group = api.Command['group_show'](kw.get('targetgroup'))
+ target = "ldap:///%s" % group.get('dn')
+ a.set_target(target)
+ if kw.get('subtree',None):
+ # See if the subtree is a full URI
+ target = kw.get('subtree')
+ if not target.startswith("ldap:///"):
+ target = "ldap:///" + target
+ a.set_target(target)
+
return a
def search_by_name(acis, aciname):
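Review bot: The `type`, `targetgroup` and `subtree` branches each call `a.set_target(target)` unconditionally, so when a caller passes more than one of them the later branch silently overwrites the earlier one and the resulting ACI targets something other than what was asked for; reject the combination up front (e.g. count the truthy ones among `('type', 'targetgroup', 'subtree')` in `kw` and raise an `errors2` validation error if more than one is set) — this also applies to the `targetgroup?` option added in the later hunk of this file, whose doc says nothing about the exclusivity. The `attrs` handling now splits on `','` but, unlike `permissions` on the first context line, does not strip whitespace, so `"cn, sn"` yields an attribute named `" sn"`; use `a.set_target_attr([x.strip() for x in kw['attrs'].split(',') if x.strip()])`. For `subtree`, only the `ldap:///` prefix is checked and the rest of the admin-supplied string goes straight into the target; assuming `set_target` does no further validation, parsing it as a DN (and, if intended, checking it lies under `api.env.basedn`) before calling `set_target` would ensure the ACI scope is the one the operator meant. The `make_aci` function starts before this hunk.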
@@ -169,14 +188,16 @@ class aci(Object):
Str('taskgroup',
doc='Name of taskgroup this ACI grants access to',
),
- Str('permissions',
- doc='Permissions to grant: read, write',
+ StrEnum('permissions',
+ doc='Permissions to grant: read, write, add, delete, selfwrite, all',
+ values=(u'read', u'write', u'add', u'delete', u'selfwrite', u'all')
),
Str('attrs?',
doc='Comma-separated list of attributes',
),
- Str('type?',
+ StrEnum('type?',
doc='type of IPA object: user, group, host',
+ values=(u'user', u'group')
),
Str('memberof?',
doc='member of a group',
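Review bot: `permissions` becomes a `StrEnum` with `values=(u'read', u'write', u'add', u'delete', u'selfwrite', u'all')`, yet `make_aci` (earlier hunk) still parses it as a comma-separated list with `kw['permissions'].replace(' ','').split(',')`; if `StrEnum` validates the whole string against `values`, as its name suggests, a request such as `read,write` is now rejected and only a single permission can ever be granted, while a single value no longer needs the split at all. Either keep `Str` here and validate each comma-separated item in `make_aci`, or make the parameter multi-valued if the framework supports it, and update `doc=` to say whether one or several permissions may be given. The `aci` class definition starts before and ends after this hunk.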
@@ -187,6 +208,9 @@ class aci(Object):
Str('subtree?',
doc='A subtree to apply the ACI to',
),
+ Str('targetgroup?',
+ doc='Apply the ACI to a specific group',
+ ),
)
api.register(aci)
@@ -247,7 +271,7 @@ class aci_del(crud.Delete):
currentaci = ldap.retrieve(self.api.env.basedn, ['aci'])
acilist = currentaci.get('aci')
a = search_by_name(acilist, aciname)
- i = acilist.index(str(a))
+ i = acilist.index(a)
del acilist[i]
kwupdate = {'aci': acilist}