diff options
Diffstat (limited to 'ipalib/plugins/virtual.py')
-rw-r--r-- | ipalib/plugins/virtual.py | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/ipalib/plugins/virtual.py b/ipalib/plugins/virtual.py new file mode 100644 index 000000000..a1dfbdf68 --- /dev/null +++ b/ipalib/plugins/virtual.py @@ -0,0 +1,73 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Base classes for non-LDAP backend plugins. +""" +from ipalib import api +from ipalib import Command +from ipalib import errors + +class VirtualCommand(Command): + """ + A command that doesn't use the LDAP backend but wants to use the + LDAP access control system to make authorization decisions. + + The class variable operation is the commonName attribute of the + entry to be tested against. + + In advance, you need to create an entry of the form: + cn=<operation>, api.env.container_virtual, api.env.basedn + + Ex. + cn=request certificate, cn=virtual operations, dc=example, dc=com + """ + operation = None + + def execute(self, *args, **kw): + """ + Perform the LDAP query to determine authorization. + + This should be executed via super() before any actual work is done. + """ + if self.operation is None: + raise errors.ACIError(info='operation not defined') + + ldap = self.api.Backend.ldap + self.log.info("IPA: virtual verify %s" % self.operation) + + operationdn = "cn=%s,%s,%s" % (self.operation, self.api.env.container_virtual, self.api.env.basedn) + + # By adding this unknown objectclass we do several things. + # DS checks ACIs before the objectclass so we can test for ACI + # errors to know if we have rights. If we do have rights then the + # update will fail anyway with a Database error because of an + # unknown objectclass, so we can catch that gracefully as well. + try: + updatekw = {'objectclass': ['somerandomunknownclass']} + ldap.update(operationdn, **updatekw) + except errors.ACIError, e: + self.log.debug("%s" % str(e)) + raise errors.ACIError(info='not allowed to perform this command') + except errors.DatabaseError: + return + except Exception, e: + # Something unexpected happened. Log it and deny access to be safe. + self.log.info("Virtual verify failed: %s" % str(e)) + raise errors.ACIError(info='not allowed to perform this command') |