diff options
| -rwxr-xr-x | ipalib/aci.py | 251 | ||||
| -rw-r--r-- | ipalib/plugins/aci.py | 438 |
2 files changed, 602 insertions, 87 deletions
diff --git a/ipalib/aci.py b/ipalib/aci.py index 9dde767c..a9219f8d 100755 --- a/ipalib/aci.py +++ b/ipalib/aci.py @@ -29,6 +29,16 @@ ACIPat = re.compile(r'\s*(\(.*\)+)\s*\(version\s+3.0\s*;\s*acl\s+\"(.*)\"\s*;\s* # Break the permissions/bind_rules out PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)') +# Break the bind rule out +BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)') + +# Don't allow arbitrary attributes to be set in our __setattr__ implementation. +OBJECTATTRS = ["name", "orig_acistr", "target", "action", "permissions", + "bindrule"] +ACTIONS = ["allow", "deny"] + +PERMISSIONS = ["read", "write", "add", "delete", "search", "compare", + "selfwrite", "proxy", "all"] class ACI: """ @@ -36,23 +46,13 @@ class ACI: entry in LDAP. Has methods to parse an ACI string and export to an ACI String. """ - - # Don't allow arbitrary attributes to be set in our __setattr__ implementation. - _objectattrs = ["name", "orig_acistr", "target", "action", "permissions", - "bindrule"] - - __actions = ["allow", "deny"] - - __permissions = ["read", "write", "add", "delete", "search", "compare", - "selfwrite", "proxy", "all"] - def __init__(self,acistr=None): self.name = None self.orig_acistr = acistr self.target = {} self.action = "allow" self.permissions = ["write"] - self.bindrule = None + self.bindrule = {} if acistr is not None: self._parse_acistr(acistr) @@ -70,73 +70,21 @@ class ACI: """An alias for export_to_string()""" return self.export_to_string() - def __getattr__(self, name): - """ - Backward compatibility for the old ACI class. - - The following extra attributes are available: - - - source_group - - dest_group - - attrs - """ - if name == 'source_group': - group = '' - dn = self.bindrule.split('=',1) - if dn[0] == "groupdn": - group = self._remove_quotes(dn[1]) - if group.startswith("ldap:///"): - group = group[8:] - return group - if name == 'dest_group': - group = self.target.get('targetfilter', '') - if group: - g = group.split('=',1)[1] - if g.endswith(')'): - g = g[:-1] - return g - return '' - if name == 'attrs': - return self.target.get('targetattr', None) - raise AttributeError, "object has no attribute '%s'" % name - - def __setattr__(self, name, value): - """ - Backward compatibility for the old ACI class. - - The following extra attributes are available: - - source_group - - dest_group - - attrs - """ - if name == 'source_group': - self.__dict__['bindrule'] = 'groupdn="ldap:///%s"' % value - elif name == 'dest_group': - if value.startswith('('): - self.__dict__['target']['targetfilter'] = 'memberOf=%s' % value - else: - self.__dict__['target']['targetfilter'] = '(memberOf=%s)' % value - elif name == 'attrs': - self.__dict__['target']['targetattr'] = value - elif name in self._objectattrs: - self.__dict__[name] = value - else: - raise AttributeError, "object has no attribute '%s'" % name - def export_to_string(self): """Output a Directory Server-compatible ACI string""" self.validate() aci = "" for t in self.target: - if isinstance(self.target[t], list): + op = self.target[t]['operator'] + if isinstance(self.target[t]['expression'], list): target = "" - for l in self.target[t]: + for l in self.target[t]['expression']: target = target + l + " || " target = target[:-4] - aci = aci + "(%s=\"%s\")" % (t, target) + aci = aci + "(%s %s \"%s\")" % (t, op, target) else: - aci = aci + "(%s=\"%s\")" % (t, self.target[t]) - aci = aci + "(version 3.0;acl \"%s\";%s (%s) %s" % (self.name, self.action, ",".join(self.permissions), self.bindrule) + ";)" + aci = aci + "(%s %s \"%s\")" % (t, op, self.target[t]['expression']) + aci = aci + "(version 3.0;acl \"%s\";%s (%s) %s %s \"%s\"" % (self.name, self.action, ",".join(self.permissions), self.bindrule['keyword'], self.bindrule['operator'], self.bindrule['expression']) + ";)" return aci def _remove_quotes(self, s): @@ -154,13 +102,18 @@ class ACI: l = [] var = False + op = "=" for token in lexer: # We should have the form (a = b)(a = b)... if token == "(": var = lexer.next().strip() operator = lexer.next() if operator != "=" and operator != "!=": - raise SyntaxError('No operator in target, got %s' % operator) + # Peek at the next char before giving up + operator = operator + lexer.next() + if operator != "=" and operator != "!=": + raise SyntaxError("No operator in target, got '%s'" % operator) + op = operator val = lexer.next().strip() val = self._remove_quotes(val) end = lexer.next() @@ -169,10 +122,14 @@ class ACI: if var == 'targetattr': # Make a string of the form attr || attr || ... into a list - t = re.split('[\W]+', val) - self.target[var] = t + t = re.split('[^a-zA-Z0-9;\*]+', val) + self.target[var] = {} + self.target[var]['operator'] = op + self.target[var]['expression'] = t else: - self.target[var] = val + self.target[var] = {} + self.target[var]['operator'] = op + self.target[var]['expression'] = val def _parse_acistr(self, acistr): acimatch = ACIPat.match(acistr) @@ -184,8 +141,8 @@ class ACI: if not bindperms or len(bindperms.groups()) < 3: raise SyntaxError, "malformed ACI" self.action = bindperms.group(1) - self.permissions = bindperms.group(2).split(',') - self.bindrule = bindperms.group(3) + self.permissions = bindperms.group(2).replace(' ','').split(',') + self.set_bindrule(bindperms.group(3)) def validate(self): """Do some basic verification that this will produce a @@ -196,7 +153,7 @@ class ACI: if not isinstance(self.permissions, list): raise SyntaxError, "permissions must be a list" for p in self.permissions: - if not p.lower() in self.__permissions: + if not p.lower() in PERMISSIONS: raise SyntaxError, "invalid permission: '%s'" % p if not self.name: raise SyntaxError, "name must be set" @@ -204,14 +161,100 @@ class ACI: raise SyntaxError, "name must be a string" if not isinstance(self.target, dict) or len(self.target) == 0: raise SyntaxError, "target must be a non-empty dictionary" + if not isinstance(self.bindrule, dict): + raise SyntaxError, "bindrule must be a dictionary" + if not self.bindrule.get('operator') or not self.bindrule.get('keyword') or not self.bindrule.get('expression'): + raise SyntaxError, "bindrule is missing a component" + return True + + def set_target_filter(self, filter, operator="="): + self.target['targetfilter'] = {} + if not filter.startswith("("): + filter = "(" + filter + ")" + self.target['targetfilter']['expression'] = filter + self.target['targetfilter']['operator'] = operator + + def set_target_attr(self, attr, operator="="): + if not isinstance(attr, list): + attr = [attr] + self.target['targetattr'] = {} + self.target['targetattr']['expression'] = attr + self.target['targetattr']['operator'] = operator + + def set_target(self, target, operator="="): + assert target.startswith("ldap:///") + self.target['target'] = {} + self.target['target']['expression'] = target + self.target['target']['operator'] = operator + + def set_bindrule(self, bindrule): + match = BindPat.match(bindrule) + if not match or len(match.groups()) < 3: + raise SyntaxError, "malformed bind rule" + self.set_bindrule_keyword(match.group(1)) + self.set_bindrule_operator(match.group(2)) + self.set_bindrule_expression(match.group(3).replace('"','')) + + def set_bindrule_keyword(self, keyword): + self.bindrule['keyword'] = keyword + + def set_bindrule_operator(self, operator): + self.bindrule['operator'] = operator + + def set_bindrule_expression(self, expression): + self.bindrule['expression'] = expression + + def isequal(self, b): + """ + Compare the current ACI to another one to see if they are + the same. + + returns True if equal, False if not. + """ + try: + if self.name != b.name: + return False + + if set(self.permissions) != set(b.permissions): + return False + + if self.bindrule.get('keyword') != b.bindrule.get('keyword'): + return False + if self.bindrule.get('operator') != b.bindrule.get('operator'): + return False + if self.bindrule.get('expression') != b.bindrule.get('expression'): + return False + + if self.target.get('targetfilter',{}).get('expression') != b.target.get('targetfilter',{}).get('expression'): + return False + if self.target.get('targetfilter',{}).get('operator') != b.target.get('targetfilter',{}).get('operator'): + return False + + if set(self.target.get('targetattr',{}).get('expression')) != set(b.target.get('targetattr',{}).get('expression')): + return False + if self.target.get('targetattr',{}).get('operator') != b.target.get('targetattr',{}).get('operator'): + return False + + if self.target.get('target',{}).get('expression') != b.target.get('target',{}).get('expression'): + return False + if self.target.get('target',{}).get('operator') != b.target.get('target',{}).get('operator'): + return False + + except Exception: + # If anything throws up then they are not equal + return False + + # We got this far so lets declare them the same return True def extract_group_cns(aci_list, client): - """Extracts all the cn's from a list of aci's and returns them as a hash - from group_dn to group_cn. + """ + Extracts all the cn's from a list of aci's and returns them as a hash + from group_dn to group_cn. - It first tries to cheat by looking at the first rdn for the - group dn. If that's not cn for some reason, it looks up the group.""" + It first tries to cheat by looking at the first rdn for the + group dn. If that's not cn for some reason, it looks up the group. + """ group_dn_to_cn = {} for aci in aci_list: for dn in (aci.source_group, aci.dest_group): @@ -231,15 +274,49 @@ def extract_group_cns(aci_list, client): return group_dn_to_cn if __name__ == '__main__': - # Pass in an ACI as a string - a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') +# a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)') +# print a +# a = ACI('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)') +# print a +# a = ACI(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)') +# print a + + a = ACI('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)') + print a + print "---" + + a = ACI('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') + print a + print "---" + + a = ACI('(targetattr!=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)') print a + print "---" + + a = ACI('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)') + print a + print "---" - # Create an ACI in pieces a = ACI() - a.name ="foobar" - a.source_group="cn=foo,cn=groups,dc=example,dc=org" - a.dest_group="cn=bar,cn=groups,dc=example,dc=org" - a.attrs = ['title'] + a.name ="foo" + a.set_target_attr(['title','givenname'], "!=") +# a.set_bindrule("groupdn = \"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") + a.set_bindrule_keyword("groupdn") + a.set_bindrule_operator("=") + a.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") a.permissions = ['read','write','add'] print a + + b = ACI() + b.name ="foo" + b.set_target_attr(['givenname','title'], "!=") + b.set_bindrule_keyword("groupdn") + b.set_bindrule_operator("=") + b.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"") + b.permissions = ['add','read','write'] + print b + + print a.isequal(b) + + a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)') + print a diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py new file mode 100644 index 00000000..6eb48264 --- /dev/null +++ b/ipalib/plugins/aci.py @@ -0,0 +1,438 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +""" +Frontend plugins for managing DS ACIs +""" + +from ipalib import api, crud, errors2 +from ipalib import Object, Command # Plugin base classes +from ipalib import Str, Flag, Int # Parameter types +from ipalib.aci import ACI + +def make_aci(current, aciname, kw): + try: + taskgroup = api.Command['taskgroup_show'](kw['taskgroup']) + except errors2.NotFound: + # The task group doesn't exist, let's be helpful and add it + tgkw = {'description':aciname} + taskgroup = api.Command['taskgroup_add'](kw['taskgroup'], **tgkw) + + a = ACI(current) + a.name = aciname + a.permissions = kw['permissions'].replace(' ','').split(',') + a.set_bindrule("groupdn = \"ldap:///%s\"" % taskgroup['dn']) + if kw.get('attrs', None): + a.set_target_attr(kw['attrs'].split()) + if kw.get('type', None): + a.set_target_attr(kw['attrs'].split()) + if kw.get('memberof', None): + group = api.Command['group_show'](kw['memberof']) + a.set_target_filter("memberOf=%s" % group['dn'].decode('UTF-8')) + return a + +def search_by_name(acis, aciname): + """ + Find an aci using the name field. + + Must be an exact match of the entire name. + """ + for a in acis: + try: + t = ACI(a) + if t.name == aciname: + return str(t) + except SyntaxError, e: + # FIXME: need to log syntax errors, ignore for now + pass + + raise errors2.NotFound() + +def search_by_attr(acis, attrlist): + """ + Find an aci by targetattr. + + Returns an ACI list of all acis the attribute appears in. + """ + results = [] + for a in acis: + try: + t = ACI(a) + for attr in attrlist: + attr = attr.lower() + for v in t.target['targetattr'].get('expression'): + if attr == v.lower(): + results.append(str(t)) + except SyntaxError, e: + # FIXME: need to log syntax errors, ignore for now + pass + + if results: + return results + + raise errors2.NotFound() + +def search_by_taskgroup(acis, tgdn): + """ + Find an aci by taskgroup. This searches the ACI bind rule. + + Returns an ACI list of all acis that match. + """ + results = [] + for a in acis: + try: + t = ACI(a) + if t.bindrule['expression'] == "ldap:///" + tgdn: + results.append(str(t)) + except SyntaxError, e: + # FIXME: need to log syntax errors, ignore for now + pass + + if results: + return results + + raise errors2.NotFound() + +def search_by_perm(acis, permlist): + """ + Find an aci by permissions + + Returns an ACI list of all acis the permission appears in. + """ + results = [] + for a in acis: + try: + t = ACI(a) + for perm in permlist: + if perm.lower() in t.permissions: + results.append(str(t)) + except SyntaxError, e: + # FIXME: need to log syntax errors, ignore for now + pass + + if results: + return results + + raise errors2.NotFound() + +def search_by_memberof(acis, memberoffilter): + """ + Find an aci by memberof + + Returns an ACI list of all acis that has a matching memberOf as a + targetfilter. + """ + results = [] + memberoffilter = memberoffilter.lower() + for a in acis: + try: + t = ACI(a) + try: + if memberoffilter == t.target['targetfilter'].get('expression').lower(): + results.append(str(t)) + except KeyError: + pass + except SyntaxError, e: + # FIXME: need to log syntax errors, ignore for now + pass + + if results: + return results + + raise errors2.NotFound() + +class aci(Object): + """ + ACI object. + """ + takes_params = ( + Str('aciname', + doc='Name of ACI', + primary_key=True, + ), + Str('taskgroup', + doc='Name of taskgroup this ACI grants access to', + ), + Str('permissions', + doc='Permissions to grant: read, write', + ), + Str('attrs?', + doc='Comma-separated list of attributes', + ), + Str('type?', + doc='type of IPA object: user, group, host', + ), + Str('memberof?', + doc='member of a group', + ), + Str('filter?', + doc='A legal LDAP filter (ou=Engineering)', + ), + Str('subtree?', + doc='A subtree to apply the ACI to', + ), + ) +api.register(aci) + + +class aci_add(crud.Create): + """ + Add a new aci. + """ + + def execute(self, aciname, **kw): + """ + Execute the aci-add operation. + + Returns the entry as it will be created in LDAP. + + :param aciname: The name of the ACI being added. + :param kw: Keyword arguments for the other LDAP attributes. + """ + assert 'aciname' not in kw + ldap = self.api.Backend.ldap + + newaci = make_aci(None, aciname, kw) + + currentaci = ldap.retrieve(self.api.env.basedn, ['aci']) + + acilist = currentaci.get('aci') + for a in acilist: + try: + b = ACI(a) + if newaci.isequal(b): + raise errors2.DuplicateEntry() + except SyntaxError: + pass + acilist.append(str(newaci)) + kwupdate = {'aci': acilist} + + return ldap.update(currentaci.get('dn'), **kwupdate) + +api.register(aci_add) + + +class aci_del(crud.Delete): + 'Delete an existing aci.' + """ + Remove an aci by name. + """ + + def execute(self, aciname, **kw): + """ + Execute the aci-del operation. + + :param aciname: The name of the ACI being added. + :param kw: unused + """ + assert 'aciname' not in kw + ldap = self.api.Backend.ldap + + currentaci = ldap.retrieve(self.api.env.basedn, ['aci']) + acilist = currentaci.get('aci') + a = search_by_name(acilist, aciname) + i = acilist.index(str(a)) + del acilist[i] + + kwupdate = {'aci': acilist} + + return ldap.update(currentaci.get('dn'), **kwupdate) + + def output_for_cli(self, textui, result, aciname): + """ + Output result of this command to command line interface. + """ + textui.print_plain('Deleted aci "%s"' % aciname) + +api.register(aci_del) + + +class aci_mod(crud.Update): + 'Edit an existing aci.' + def execute(self, aciname, **kw): + return "Not implemented" + def output_for_cli(self, textui, result, aciname, **options): + textui.print_plain(result) +api.register(aci_mod) + + +class aci_find(crud.Search): + 'Search for a aci.' + takes_options = ( + Str('bindrule?', + doc='The bindrule (e.g. ldap:///self)' + ), + Flag('and?', + doc='Consider multiple options to be \"and\" so all are required.') + ) + def execute(self, term, **kw): + ldap = self.api.Backend.ldap + currentaci = ldap.retrieve(self.api.env.basedn, ['aci']) + currentaci = currentaci.get('aci') + results = [] + + # aciname + if kw.get('aciname'): + try: + a = search_by_name(currentaci, kw.get('aciname')) + results = [a] + if kw.get('and'): + currentaci = results + except errors2.NotFound: + if kw.get('and'): + results = [] + currentaci = [] + pass + + # attributes + if kw.get('attrs'): + try: + attrs = kw.get('attrs') + attrs = attrs.replace(' ','').split(',') + a=search_by_attr(currentaci, attrs) + if kw.get('and'): + results = a + currentaci = results + else: + results = results + a + except errors2.NotFound: + if kw.get('and'): + results = [] + currentaci = [] + pass + + # taskgroup + if kw.get('taskgroup'): + try: + tg = api.Command['taskgroup_show'](kw.get('taskgroup')) + except errors2.NotFound: + # FIXME, need more precise error + raise + try: + a=search_by_taskgroup(currentaci, tg.get('dn')) + if kw.get('and'): + results = a + currentaci = results + else: + results = results + a + except errors2.NotFound: + if kw.get('and'): + results = [] + currentaci = [] + pass + + # permissions + if kw.get('permissions'): + try: + permissions = kw.get('permissions') + permissions = permissions.replace(' ','').split(',') + a=search_by_perm(currentaci, permissions) + if kw.get('and'): + results = a + currentaci = results + else: + results = results + a + except errors2.NotFound: + if kw.get('and'): + results = [] + currentaci = [] + pass + + # memberOf + if kw.get('memberof'): + try: + group = api.Command['group_show'](kw['memberof']) + memberof = "(memberOf=%s)" % group['dn'].decode('UTF-8') + a=search_by_memberof(currentaci, memberof) + results = results + a + if kw.get('and'): + currentaci = results + except errors2.NotFound: + if kw.get('and'): + results = [] + currentaci = [] + pass + +# TODO +# --type=STR type of IPA object: user, group, host +# --filter=STR A legal LDAP filter (ou=Engineering) +# --subtree=STR A subtree to apply the ACI to +# --bindrule=STR A subtree to apply the ACI to + + # Make sure we have no dupes in the list + results = list(set(results)) + + # the first entry contains the count + counter = len(results) + return [counter] + results + + def output_for_cli(self, textui, result, term, **options): + counter = result[0] + acis = result[1:] + if counter == 0 or len(acis) == 0: + textui.print_plain("No entries found") + return + textui.print_name(self.name) + for a in acis: + textui.print_plain(a) + textui.print_count(acis, '%d acis matched') + +api.register(aci_find) + + +class aci_show(crud.Retrieve): + 'Examine an existing aci.' + def execute(self, aciname, **kw): + """ + Execute the aci-show operation. + + Returns the entry + + :param uid: The login name of the user to retrieve. + :param kw: unused + """ + ldap = self.api.Backend.ldap + currentaci = ldap.retrieve(self.api.env.basedn, ['aci']) + + a = search_by_name(currentaci.get('aci'), aciname) + return str(a) + + def output_for_cli(self, textui, result, aciname, **options): + textui.print_plain(result) + +api.register(aci_show) + + +class aci_showall(Command): + 'Examine all existing acis.' + def execute(self): + """ + Execute the aci-show operation. + + Returns the entry + + :param uid: The login name of the user to retrieve. + :param kw: unused + """ + ldap = self.api.Backend.ldap + return ldap.retrieve(self.api.env.basedn, ['aci']) + def output_for_cli(self, textui, result, **options): + textui.print_entry(result) + +api.register(aci_showall) |