summaryrefslogtreecommitdiffstats
path: root/ipaserver/install/plugins/update_anonymous_aci.py
blob: 943b2457774c964fa66d97496bb66ef1f4e80f1c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2013  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from copy import deepcopy
from ipaserver.install.plugins import FIRST, LAST
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipalib import api, errors
from ipalib.aci import ACI
from ipalib.plugins import aci
from ipapython.ipa_log_manager import *

class update_anonymous_aci(PostUpdate):
    """
    Update the Anonymous ACI to ensure that all secrets are protected.
    """
    order = FIRST

    def execute(self, **options):
        aciname = u'Enable Anonymous access'
        aciprefix = u'none'
        ldap = self.obj.backend
        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
        filter = None

        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])

        acistrs = entry_attrs.get('aci', [])
        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
        try:
            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
        except errors.NotFound:
            root_logger.error('Anonymous ACI not found, cannot update it')
            return False, False, []

        attrs = rawaci.target['targetattr']['expression']
        rawfilter = rawaci.target.get('targetfilter', None)
        if rawfilter is not None:
            filter = rawfilter['expression']

        update_attrs = deepcopy(attrs)

        needed_attrs = []
        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
            if attr not in attrs:
                needed_attrs.append(attr)

        update_attrs.extend(needed_attrs)
        if (len(attrs) == len(update_attrs) and
            filter == targetfilter):
            root_logger.debug("Anonymous ACI already update-to-date")
            return (False, False, [])

        for tmpaci in acistrs:
            candidate = ACI(tmpaci)
            if rawaci.isequal(candidate):
                acistrs.remove(tmpaci)
                break

        if len(attrs) != len(update_attrs):
            root_logger.debug("New Anonymous ACI attributes needed: %s",
                needed_attrs)

            rawaci.target['targetattr']['expression'] = update_attrs

        if filter != targetfilter:
            root_logger.debug("New Anonymous ACI targetfilter needed.")

            rawaci.set_target_filter(targetfilter)

        acistrs.append(unicode(rawaci))
        entry_attrs['aci'] = acistrs

        try:
            ldap.update_entry(entry_attrs)
        except Exception, e:
            root_logger.error("Failed to update Anonymous ACI: %s" % e)

        return (False, False, [])

api.register(update_anonymous_aci)