Remove the global anonymous read ACI

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>

2 files changed, 19 insertions, 96 deletions

diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b24577..000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-#   Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2013  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
-    """
-    Update the Anonymous ACI to ensure that all secrets are protected.
-    """
-    order = FIRST
-
-    def execute(self, **options):
-        aciname = u'Enable Anonymous access'
-        aciprefix = u'none'
-        ldap = self.obj.backend
-        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
-        filter = None
-
-        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
-        acistrs = entry_attrs.get('aci', [])
-        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
-        try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
-        except errors.NotFound:
-            root_logger.error('Anonymous ACI not found, cannot update it')
-            return False, False, []
-
-        attrs = rawaci.target['targetattr']['expression']
-        rawfilter = rawaci.target.get('targetfilter', None)
-        if rawfilter is not None:
-            filter = rawfilter['expression']
-
-        update_attrs = deepcopy(attrs)
-
-        needed_attrs = []
-        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
-            if attr not in attrs:
-                needed_attrs.append(attr)
-
-        update_attrs.extend(needed_attrs)
-        if (len(attrs) == len(update_attrs) and
-            filter == targetfilter):
-            root_logger.debug("Anonymous ACI already update-to-date")
-            return (False, False, [])
-
-        for tmpaci in acistrs:
-            candidate = ACI(tmpaci)
-            if rawaci.isequal(candidate):
-                acistrs.remove(tmpaci)
-                break
-
-        if len(attrs) != len(update_attrs):
-            root_logger.debug("New Anonymous ACI attributes needed: %s",
-                needed_attrs)
-
-            rawaci.target['targetattr']['expression'] = update_attrs
-
-        if filter != targetfilter:
-            root_logger.debug("New Anonymous ACI targetfilter needed.")
-
-            rawaci.set_target_filter(targetfilter)
-
-        acistrs.append(unicode(rawaci))
-        entry_attrs['aci'] = acistrs
-
-        try:
-            ldap.update_entry(entry_attrs)
-        except Exception, e:
-            root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
-        return (False, False, [])
-
-api.register(update_anonymous_aci)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 72c1b131f..c9994c77d 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -81,6 +81,7 @@ from ipapython.dn import DN
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
 from ipalib.plugins.permission import permission
+from ipalib.aci import ACI
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -250,6 +251,21 @@ class update_managed_permissions(PostUpdate):
         except errors.NotFound:
             return None
 
+    def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
+        base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+
+        acistrs = base_entry.get('aci', [])
+
+        for acistr in acistrs:
+            if ACI(acistr).isequal(anonymous_read_aci):
+                self.log.info('Removing anonymous ACI: %s', acistr)
+                acistrs.remove(acistr)
+                break
+        else:
+            return
+
+        ldap.update_entry(base_entry)
+
     def execute(self, **options):
         ldap = self.api.Backend[ldap2]
 
@@ -276,6 +292,9 @@ class update_managed_permissions(PostUpdate):
             self.update_permission(ldap, None, unicode(name), template,
                                    anonymous_read_aci)
 
+        if anonymous_read_aci:
+            self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
+
         return False, False, ()
 
     def update_permission(self, ldap, obj, name, template, anonymous_read_aci):