summaryrefslogtreecommitdiffstats
path: root/ipa-server/ipa-gui/ipagui/controllers.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipa-server/ipa-gui/ipagui/controllers.py')
-rw-r--r--ipa-server/ipa-gui/ipagui/controllers.py355
1 files changed, 322 insertions, 33 deletions
diff --git a/ipa-server/ipa-gui/ipagui/controllers.py b/ipa-server/ipa-gui/ipagui/controllers.py
index a07555257..c16f04c63 100644
--- a/ipa-server/ipa-gui/ipagui/controllers.py
+++ b/ipa-server/ipa-gui/ipagui/controllers.py
@@ -2,6 +2,7 @@ import random
from pickle import dumps, loads
from base64 import b64encode, b64decode
+import os
import cherrypy
import turbogears
from turbogears import controllers, expose, flash
@@ -18,12 +19,15 @@ import ipa.ipaclient
import ipa.user
import xmlrpclib
import forms.user
+import forms.group
from helpers import userhelper
from ipa import ipaerror
ipa.config.init_config()
user_new_form = forms.user.UserNewForm()
user_edit_form = forms.user.UserEditForm()
+group_new_form = forms.group.GroupNewForm()
+group_edit_form = forms.group.GroupEditForm()
password_chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
@@ -31,6 +35,8 @@ client = ipa.ipaclient.IPAClient(True)
user_fields = ['*', 'nsAccountLock']
+group_fields = ['*']
+
def restrict_post():
if cherrypy.request.method != "POST":
turbogears.flash("This method only accepts posts")
@@ -55,7 +61,7 @@ class Root(controllers.RootController):
if kw.get('searchtype') == "Users":
return self.userlist(uid=kw.get('searchvalue'))
else:
- return self.index()
+ return self.grouplist(criteria=kw.get('searchvalue'))
@@ -77,7 +83,7 @@ class Root(controllers.RootController):
def usercreate(self, **kw):
"""Creates a new user"""
restrict_post()
- client.set_principal(identity.current.user_name)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
if kw.get('submit') == 'Cancel':
turbogears.flash("Add user cancelled")
raise turbogears.redirect('/userlist')
@@ -115,24 +121,28 @@ class Root(controllers.RootController):
if tg_errors:
turbogears.flash("There was a problem with the form!")
- client.set_principal(identity.current.user_name)
- user = client.get_user_by_uid(uid, user_fields)
- user_dict = user.toDict()
- # Edit shouldn't fill in the password field.
- if user_dict.has_key('userpassword'):
- del(user_dict['userpassword'])
-
- # store a copy of the original user for the update later
- user_data = b64encode(dumps(user_dict))
- user_dict['user_orig'] = user_data
- return dict(form=user_edit_form, user=user_dict)
+ try:
+ client.set_krbccache(os.environ["KRB5CCNAME"])
+ user = client.get_user_by_uid(uid, user_fields)
+ user_dict = user.toDict()
+ # Edit shouldn't fill in the password field.
+ if user_dict.has_key('userpassword'):
+ del(user_dict['userpassword'])
+
+ # store a copy of the original user for the update later
+ user_data = b64encode(dumps(user_dict))
+ user_dict['user_orig'] = user_data
+ return dict(form=user_edit_form, user=user_dict)
+ except ipaerror.IPAError, e:
+ turbogears.flash("User edit failed: " + str(e))
+ raise turbogears.redirect('/usershow', uid=kw.get('uid'))
@expose()
@identity.require(identity.not_anonymous())
def userupdate(self, **kw):
"""Updates an existing user"""
restrict_post()
- client.set_principal(identity.current.user_name)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
if kw.get('submit') == 'Cancel Edit':
turbogears.flash("Edit user cancelled")
raise turbogears.redirect('/usershow', uid=kw.get('uid'))
@@ -142,6 +152,7 @@ class Root(controllers.RootController):
return dict(form=user_edit_form, user=kw,
tg_template='ipagui.templates.useredit')
+ password_change = False
try:
orig_user_dict = loads(b64decode(kw.get('user_orig')))
@@ -154,12 +165,11 @@ class Root(controllers.RootController):
new_user.setValue('nsAccountLock', 'true')
else:
new_user.setValue('nsAccountLock', None)
- if kw.get('userpassword'):
- new_user.setValue('userpassword', kw.get('userpassword'))
- if kw.get('uidnumber'):
- new_user.setValue('uidnumber', kw.get('uidnumber'))
- if kw.get('gidnumber'):
- new_user.setValue('gidnumber', kw.get('gidnumber'))
+ if kw.get('editprotected') == 'true':
+ if kw.get('userpassword'):
+ password_change = True
+ new_user.setValue('uidnumber', str(kw.get('uidnumber')))
+ new_user.setValue('gidnumber', str(kw.get('gidnumber')))
#
# this is a hack until we decide on the policy for names/cn/sn/givenName
@@ -169,19 +179,33 @@ class Root(controllers.RootController):
new_user.getValue('sn')))
rv = client.update_user(new_user)
- turbogears.flash("%s updated!" % kw['uid'])
- raise turbogears.redirect('/usershow', uid=kw['uid'])
+ except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST), e:
+ if not password_change:
+ turbogears.flash("User update failed: " + str(e))
+ return dict(form=user_edit_form, user=kw,
+ tg_template='ipagui.templates.useredit')
except ipaerror.IPAError, e:
turbogears.flash("User update failed: " + str(e))
return dict(form=user_edit_form, user=kw,
tg_template='ipagui.templates.useredit')
+ try:
+ if password_change:
+ rv = client.modifyPassword(kw['uid'], "", kw.get('userpassword'))
+ except ipaerror.IPAError, e:
+ turbogears.flash("User password change failed: " + str(e))
+ return dict(form=user_edit_form, user=kw,
+ tg_template='ipagui.templates.useredit')
+
+ turbogears.flash("%s updated!" % kw['uid'])
+ raise turbogears.redirect('/usershow', uid=kw['uid'])
+
@expose("ipagui.templates.userlist")
@identity.require(identity.not_anonymous())
def userlist(self, **kw):
- """Retrieve a list of all users and display them in one huge list"""
- client.set_principal(identity.current.user_name)
+ """Searches for users and displays list of results"""
+ client.set_krbccache(os.environ["KRB5CCNAME"])
users = None
counter = 0
uid = kw.get('uid')
@@ -199,12 +223,32 @@ class Root(controllers.RootController):
return dict(users=users, uid=uid, fields=forms.user.UserFields())
+ @expose("ipagui.templates.userlistajax")
+ @identity.require(identity.not_anonymous())
+ def userlist_ajax(self, **kw):
+ """Searches for users and displays list of results in a table.
+ This method is used for ajax calls."""
+ client.set_principal(identity.current.user_name)
+ users = []
+ searchlimit = 100
+ uid = kw.get('uid')
+ if uid != None and len(uid) > 0:
+ try:
+ users = client.find_users(uid.encode('utf-8'), None, searchlimit)
+ counter = users[0]
+ users = users[1:]
+ except ipaerror.IPAError, e:
+ turbogears.flash("User list failed: " + str(e))
+
+ return dict(users=users, uid=uid, fields=forms.user.UserFields(),
+ counter=counter)
+
@expose("ipagui.templates.usershow")
@identity.require(identity.not_anonymous())
def usershow(self, uid):
"""Retrieve a single user for display"""
- client.set_principal(identity.current.user_name)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
try:
user = client.get_user_by_uid(uid, user_fields)
return dict(user=user.toDict(), fields=forms.user.UserFields())
@@ -242,7 +286,7 @@ class Root(controllers.RootController):
if (len(givenname) == 0) or (len(sn) == 0):
return ""
- client.set_principal(identity.current.user_name)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
givenname = givenname.lower()
sn = sn.lower()
@@ -283,10 +327,12 @@ class Root(controllers.RootController):
return ""
@expose()
+ @identity.require(identity.not_anonymous())
def suggest_email(self, givenname, sn):
if (len(givenname) == 0) or (len(sn) == 0):
return ""
+ client.set_principal(identity.current.user_name)
givenname = givenname.lower()
sn = sn.lower()
@@ -328,16 +374,259 @@ class Root(controllers.RootController):
@expose("ipagui.templates.groupindex")
@identity.require(identity.not_anonymous())
def groupindex(self, tg_errors=None):
- client.set_principal(identity.current.user_name)
+ client.set_krbccache(os.environ["KRB5CCNAME"])
return dict()
+ @expose("ipagui.templates.groupnew")
+ @identity.require(identity.not_anonymous())
+ def groupnew(self, tg_errors=None):
+ """Displays the new group form"""
+ if tg_errors:
+ turbogears.flash("There was a problem with the form!")
+
+ client.set_principal(identity.current.user_name)
- ############
- # Resource #
- ############
+ return dict(form=group_new_form)
- @expose("ipagui.templates.resindex")
+ @expose()
@identity.require(identity.not_anonymous())
- def resindex(self, tg_errors=None):
+ def groupcreate(self, **kw):
+ """Creates a new group"""
+ restrict_post()
client.set_principal(identity.current.user_name)
- return dict()
+
+ if kw.get('submit') == 'Cancel':
+ turbogears.flash("Add group cancelled")
+ raise turbogears.redirect('/')
+
+ tg_errors, kw = self.groupcreatevalidate(**kw)
+ if tg_errors:
+ return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
+
+ try:
+ new_group = ipa.group.Group()
+ new_group.setValue('cn', kw.get('cn'))
+ new_group.setValue('description', kw.get('description'))
+
+ rv = client.add_group(new_group)
+ turbogears.flash("%s added!" % kw.get('cn'))
+ raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
+ except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
+ turbogears.flash("Group with name '%s' already exists" %
+ kw.get('cn'))
+ return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
+ except ipaerror.IPAError, e:
+ turbogears.flash("Group add failed: " + str(e) + "<br/>" + str(e.detail))
+ return dict(form=group_new_form, tg_template='ipagui.templates.groupnew')
+
+
+ @expose("ipagui.templates.groupedit")
+ @identity.require(identity.not_anonymous())
+ def groupedit(self, cn, tg_errors=None):
+ """Displays the edit group form"""
+ if tg_errors:
+ turbogears.flash("There was a problem with the form!")
+
+ client.set_principal(identity.current.user_name)
+ try:
+ group = client.get_group_by_cn(cn, group_fields)
+
+ group_dict = group.toDict()
+
+ #
+ # convert members to users, for easier manipulation on the page
+ #
+ member_dns = []
+ if group_dict.has_key('uniquemember'):
+ member_dns = group_dict.get('uniquemember')
+ # remove from dict - it's not needed for update
+ # and we are storing the members in a different form
+ del group_dict['uniquemember']
+ if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
+ member_dns = [member_dns]
+
+ # TODO: convert this into an efficient (single) function call
+ member_users = map(
+ lambda dn: client.get_user_by_dn(dn, ['givenname', 'sn', 'uid']),
+ member_dns)
+
+ # Map users into an array of dicts, which can be serialized
+ # (so we don't have to do this on each round trip)
+ member_dicts = map(lambda user: user.toDict(), member_users)
+
+ # store a copy of the original group for the update later
+ group_data = b64encode(dumps(group_dict))
+ member_data = b64encode(dumps(member_dicts))
+ group_dict['group_orig'] = group_data
+ group_dict['member_data'] = member_data
+
+ return dict(form=group_edit_form, group=group_dict, members=member_dicts)
+ except ipaerror.IPAError, e:
+ turbogears.flash("Group edit failed: " + str(e))
+ raise turbogears.redirect('/groupshow', uid=kw.get('cn'))
+
+ @expose()
+ @identity.require(identity.not_anonymous())
+ def groupupdate(self, **kw):
+ """Updates an existing group"""
+ restrict_post()
+ client.set_principal(identity.current.user_name)
+ if kw.get('submit') == 'Cancel Edit':
+ turbogears.flash("Edit group cancelled")
+ raise turbogears.redirect('/groupshow', cn=kw.get('cn'))
+
+ # Decode the member data, in case we need to round trip
+ member_dicts = loads(b64decode(kw.get('member_data')))
+
+
+ tg_errors, kw = self.groupupdatevalidate(**kw)
+ if tg_errors:
+ return dict(form=group_edit_form, group=kw, members=member_dicts,
+ tg_template='ipagui.templates.groupedit')
+
+ group_modified = False
+
+ #
+ # Update group itself
+ #
+ try:
+ orig_group_dict = loads(b64decode(kw.get('group_orig')))
+
+ new_group = ipa.group.Group(orig_group_dict)
+ if new_group.description != kw.get('description'):
+ group_modified = True
+ new_group.setValue('description', kw.get('description'))
+ if kw.get('editprotected') == 'true':
+ new_gid = str(kw.get('gidnumber'))
+ if new_group.gidnumber != new_gid:
+ group_modified = True
+ new_group.setValue('gidnumber', new_gid)
+
+ if group_modified:
+ rv = client.update_group(new_group)
+ #
+ # If the group update succeeds, but below operations fail, we
+ # need to make sure a subsequent submit doesn't try to update
+ # the group again.
+ #
+ kw['group_orig'] = b64encode(dumps(new_group.toDict()))
+ except ipaerror.IPAError, e:
+ turbogears.flash("User update failed: " + str(e))
+ return dict(form=group_edit_form, group=kw, members=member_dicts,
+ tg_template='ipagui.templates.groupedit')
+
+ #
+ # Add members
+ #
+ failed_adds = []
+ try:
+ uidadds = kw.get('uidadd')
+ if uidadds != None:
+ if not(isinstance(uidadds,list) or isinstance(uidadds,tuple)):
+ uidadds = [uidadds]
+ failed_adds = client.add_users_to_group(uidadds, kw.get('cn'))
+ kw['uidadd'] = failed_adds
+ except ipaerror.IPAError, e:
+ turbogears.flash("User update failed: " + str(e))
+ return dict(form=group_edit_form, group=kw, members=member_dicts,
+ tg_template='ipagui.templates.groupedit')
+
+ #
+ # Remove members
+ #
+ failed_dels = []
+ try:
+ uiddels = kw.get('uiddel')
+ if uiddels != None:
+ if not(isinstance(uiddels,list) or isinstance(uiddels,tuple)):
+ uiddels = [uiddels]
+ failed_dels = client.remove_users_from_group(uiddels, kw.get('cn'))
+ kw['uiddel'] = failed_dels
+ except ipaerror.IPAError, e:
+ turbogears.flash("User update failed: " + str(e))
+ return dict(form=group_edit_form, group=kw, members=member_dicts,
+ tg_template='ipagui.templates.groupedit')
+
+ #
+ # TODO - check failed ops to see if it's because of another update.
+ # handle "someone else already did it" errors better - perhaps
+ # not even as an error
+ # TODO - update the Group Members list.
+ # (note that we have to handle the above todo first, or else
+ # there will be an error message, but the add/del lists will
+ # be empty)
+ #
+ if (len(failed_adds) > 0) or (len(failed_dels) > 0):
+ message = "There was an error updating group members.<br />"
+ message += "Failures have been preserved in the add/remove lists."
+ if group_modified:
+ message = "Group Details successfully updated.<br />" + message
+ turbogears.flash(message)
+ return dict(form=group_edit_form, group=kw, members=member_dicts,
+ tg_template='ipagui.templates.groupedit')
+
+ turbogears.flash("%s updated!" % kw['cn'])
+ raise turbogears.redirect('/groupshow', cn=kw['cn'])
+
+
+ @expose("ipagui.templates.grouplist")
+ @identity.require(identity.not_anonymous())
+ def grouplist(self, **kw):
+ """Search for groups and display results"""
+ client.set_principal(identity.current.user_name)
+ groups = None
+ # counter = 0
+ criteria = kw.get('criteria')
+ if criteria != None and len(criteria) > 0:
+ try:
+ groups = client.find_groups(criteria.encode('utf-8'))
+ counter = groups[0]
+ groups = groups[1:]
+ if counter == -1:
+ turbogears.flash("These results are truncated.<br />" +
+ "Please refine your search and try again.")
+ except ipaerror.IPAError, e:
+ turbogears.flash("Find groups failed: " + str(e))
+ raise turbogears.redirect("/grouplist")
+
+ return dict(groups=groups, criteria=criteria, fields=forms.group.GroupFields())
+
+ @expose("ipagui.templates.groupshow")
+ @identity.require(identity.not_anonymous())
+ def groupshow(self, cn):
+ """Retrieve a single group for display"""
+ client.set_principal(identity.current.user_name)
+ try:
+ group = client.get_group_by_cn(cn, group_fields)
+ group_dict = group.toDict()
+
+ #
+ # convert members to users, for display on the page
+ #
+ member_dns = []
+ if group_dict.has_key('uniquemember'):
+ member_dns = group_dict.get('uniquemember')
+ if not(isinstance(member_dns,list) or isinstance(member_dns,tuple)):
+ member_dns = [member_dns]
+
+ # TODO: convert this into an efficient (single) function call
+ member_users = map(
+ lambda dn: client.get_user_by_dn(dn, ['givenname', 'sn', 'uid']),
+ member_dns)
+ member_dicts = map(lambda user: user.toDict(), member_users)
+
+ return dict(group=group_dict, fields=forms.group.GroupFields(),
+ members = member_dicts)
+ except ipaerror.IPAError, e:
+ turbogears.flash("Group show failed: " + str(e))
+ raise turbogears.redirect("/")
+
+ @validate(form=group_new_form)
+ @identity.require(identity.not_anonymous())
+ def groupcreatevalidate(self, tg_errors=None, **kw):
+ return tg_errors, kw
+
+ @validate(form=group_edit_form)
+ @identity.require(identity.not_anonymous())
+ def groupupdatevalidate(self, tg_errors=None, **kw):
+ return tg_errors, kw
generated by cgit (git 2.34.1) at 2024-05-24 06:29:23 +0000