authorPavel Zuna <pzuna@redhat.com>2010-01-05 15:07:19 +0100
committerRob Crittenden <rcritten@redhat.com>2010-01-13 13:40:44 -0500
commita11436113b37e371d6843d97b4277fba19c02390 (patch)
treec241502b9fe59a139fc202d3d4e04ecfbaca9e02 /ipalib
parent0023ffb88181f86f2c155c16265c09bd56345237 (diff)
Add Kerberos Ticket Policy management plugin.
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/baseldap.py50
-rw-r--r--ipalib/plugins/krbtpolicy.py144
2 files changed, 167 insertions, 27 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 98da3ed6..0e4eed1b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -21,6 +21,7 @@ Base classes for LDAP plugins.
"""
import re
+
from ipalib import crud, errors, uuid
from ipalib import Command, Method, Object
from ipalib import Flag, List, Str
@@ -51,6 +52,7 @@ def get_attributes(attrs):
return attrlist
+
class LDAPObject(Object):
"""
Object representing a LDAP entry.
@@ -75,9 +77,11 @@ class LDAPObject(Object):
parent_dn = self.api.Object[self.parent_object].get_dn(*keys[:-1])
else:
parent_dn = self.container_dn
- return self.backend.make_dn_from_attr(
- self.primary_key.name, keys[-1], parent_dn
- )
+ if self.primary_key and keys[-1] is not None:
+ return self.backend.make_dn_from_attr(
+ self.primary_key.name, keys[-1], parent_dn
+ )
+ return parent_dn
def get_primary_key_from_dn(self, dn):
return dn[len(self.primary_key.name) + 1:dn.find(',')]
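Review bot: The new guard `if self.primary_key and keys[-1] is not None:` indexes `keys[-1]` before establishing that `keys` is non-empty, so an object invoked with no positional keys raises IndexError instead of reaching the new `return parent_dn` fallback; if such a call is possible for an object without a primary key, write `if self.primary_key and keys and keys[-1] is not None:` here and in the same test repeated in the dont_output_for_cli, LDAPCreate, LDAPRetrieve, LDAPUpdate and LDAPDelete hunks. The change also makes a falsy `primary_key` a supported state, yet the unchanged `get_primary_key_from_dn` directly below still dereferences `self.primary_key.name` and would fail with AttributeError for such an object. get_dn's signature lies above the hunk.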
@@ -109,7 +113,7 @@ class LDAPObject(Object):
textui.print_attribute('dn', entry[0])
textui.print_entry(entry[1], attr_order=self.attribute_order)
else:
- if self.primary_key:
+ if self.primary_key and keys[-1] is not None:
textui.print_attribute(
self.object_name.capitalize(), keys[-1], indent=0
)
@@ -192,10 +196,9 @@ class LDAPCreate(crud.Create):
entry_attrs['dn'] = dn
self.obj.convert_attribute_members(entry_attrs, *keys, **options)
- return dict(
- result=entry_attrs,
- value=keys[0],
- )
+ if self.obj.primary_key and keys[-1] is not None:
+ return dict(result=entry_attrs, value=keys[-1])
+ return dict(result=entry_attrs, value=u'')
def dont_output_for_cli(self, textui, entry, *keys, **options):
textui.print_name(self.name)
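Review bot: The return block `if self.obj.primary_key and keys[-1] is not None: return dict(result=entry_attrs, value=keys[-1])` followed by `return dict(result=entry_attrs, value=u'')` is now spelled out four times, here in LDAPCreate and again in the LDAPRetrieve, LDAPUpdate and LDAPDelete hunks, differing only in the result variable. A helper on LDAPObject such as `def get_primary_key_value(self, *keys): return keys[-1] if self.primary_key and keys[-1] is not None else u''` would reduce each site to `return dict(result=entry_attrs, value=self.obj.get_primary_key_value(*keys))` and keep the empty-key rule in one place. Since the removed lines returned `value=keys[0]`, a one-line comment at the first site noting that `value` is now the last key, or `u''` for objects without a primary key, would help callers that inspected it. execute's signature lies above the hunk.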
@@ -210,7 +213,7 @@ class LDAPCreate(crud.Create):
)
elif len(keys) == 1:
textui.print_dashed(
- 'Created %s "%s".' % (self.obj.object_name, keys[0])
+ 'Created %s "%s".' % (self.obj.object_name, keys[-1])
)
else:
textui.print_dashed('Created %s.' % self.obj.object_name)
@@ -269,11 +272,9 @@ class LDAPRetrieve(LDAPQuery):
self.obj.convert_attribute_members(entry_attrs, *keys, **options)
entry_attrs['dn'] = dn
- return dict(
- result=entry_attrs,
- value=keys[0],
- )
-
+ if self.obj.primary_key and keys[-1] is not None:
+ return dict(result=entry_attrs, value=keys[-1])
+ return dict(result=entry_attrs, value=u'')
def dont_output_for_cli(self, textui, entry, *keys, **options):
textui.print_name(self.name)
@@ -355,10 +356,9 @@ class LDAPUpdate(LDAPQuery, crud.Update):
dn = self.post_callback(ldap, dn, entry_attrs, *keys, **options)
self.obj.convert_attribute_members(entry_attrs, *keys, **options)
- return dict(
- result=entry_attrs,
- value=keys[0],
- )
+ if self.obj.primary_key and keys[-1] is not None:
+ return dict(result=entry_attrs, value=keys[-1])
+ return dict(result=entry_attrs, value=u'')
def dont_output_for_cli(self, textui, entry, *keys, **options):
textui.print_name(self.name)
@@ -373,7 +373,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
)
elif len(keys) == 1:
textui.print_dashed(
- 'Modified %s "%s".' % (self.obj.object_name, keys[0])
+ 'Modified %s "%s".' % (self.obj.object_name, keys[-1])
)
else:
textui.print_dashed('Modified %s.' % self.obj.object_name)
@@ -416,11 +416,9 @@ class LDAPDelete(LDAPQuery):
result = self.post_callback(ldap, dn, *keys, **options)
- return dict(
- result=result,
- value=keys[0],
- )
-
+ if self.obj.primary_key and keys[-1] is not None:
+ return dict(result=result, value=keys[-1])
+ return dict(result=result, value=u'')
def dont_output_for_cli(self, textui, result, *keys, **options):
textui.print_name(self.name)
@@ -434,7 +432,7 @@ class LDAPDelete(LDAPQuery):
)
elif len(keys) == 1:
textui.print_dashed(
- 'Deleted %s "%s".' % (self.obj.object_name, keys[0])
+ 'Deleted %s "%s".' % (self.obj.object_name, keys[-1])
)
else:
textui.print_dashed('Deleted %s.' % self.obj.object_name)
@@ -727,8 +725,6 @@ class LDAPSearch(crud.Search):
truncated=truncated,
)
-
-
def dont_output_for_cli(self, textui, result, *args, **options):
(entries, truncated) = result
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
new file mode 100644
index 00000000..8aa8f0c5
--- /dev/null
+++ b/ipalib/plugins/krbtpolicy.py
@@ -0,0 +1,144 @@
+# Authors:
+# Pavel Zuna <pzuna@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Kerberos ticket policy
+"""
+
+from ipalib import api
+from ipalib import Int, Str
+from ipalib.plugins.baseldap import *
+
+
+# FIXME: load this from a config file?
+_default_values = {
+ 'krbmaxticketlife': 86400,
+ 'krbmaxrenewableage': 604800,
+}
+
+
+class krbtpolicy(LDAPObject):
+ """
+ Kerberos Ticket Policy object
+ """
+ container_dn = 'cn=%s,cn=kerberos' % api.env.realm
+ object_name = 'kerberos ticket policy settings'
+ default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
+ attribute_names = {
+ 'krbmaxticketlife': 'maximum life',
+ 'krbmaxrenewableage': 'maximum renewable age',
+ }
+
+ takes_params = (
+ Str('uid?',
+ cli_name='user',
+ doc='manage ticket policy for specific user',
+ primary_key=True,
+ ),
+ Int('krbmaxticketlife?',
+ cli_name='maxlife',
+ doc='maximum ticket life',
+ ),
+ Int('krbmaxrenewableage?',
+ cli_name='maxrenew',
+ doc='maximum renewable age',
+ ),
+ )
+
+ def get_dn(self, *keys, **kwargs):
+ if keys[-1] is not None:
+ return self.api.Object.user.get_dn(*keys, **kwargs)
+ return self.container_dn
+
+api.register(krbtpolicy)
+
+
+class krbtpolicy_mod(LDAPUpdate):
+ """
+ Modify kerberos ticket policy.
+ """
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ # disable all flag
+ # ticket policies are attached to objects with unrelated attributes
+ if options.get('all'):
+ options['all'] = False
+ return dn
+
+api.register(krbtpolicy_mod)
+
+
+class krbtpolicy_show(LDAPRetrieve):
+ """
+ Display kerberos ticket policy.
+ """
+ def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+ # disable all flag
+ # ticket policies are attached to objects with unrelated attributes
+ if options.get('all'):
+ options['all'] = False
+ return dn
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ if keys[-1] is not None:
+ # if policy for a specific user isn't set, display global values
+ if 'krbmaxticketlife' not in entry_attrs or \
+ 'krbmaxrenewableage' not in entry_attrs:
+ res = self.api.Command.krbtpolicy_show()
+ for a in self.obj.default_attributes:
+ entry_attrs.setdefault(a, res['result'][a])
+ return dn
+
+api.register(krbtpolicy_show)
+
+
+class krbtpolicy_reset(LDAPQuery):
+ """
+ Reset kerberos ticket policy to default.
+ """
+ has_output = output.standard_entry
+
+ def execute(self, *keys, **options):
+ ldap = self.obj.backend
+
+ dn = self.obj.get_dn(*keys, **options)
+
+ def_values = {}
+ # if reseting policy for a user - just his values
+ if keys[-1] is not None:
+ for a in self.obj.default_attributes:
+ def_values[a] = None
+ # if reseting global policy - set values to default
+ else:
+ def_values = _default_values
+
+ try:
+ ldap.update_entry(dn, def_values)
+ except errors.EmptyModlist:
+ pass
+
+ if keys[-1] is not None:
+ # policy for user was deleted, retrieve global policy
+ dn = self.obj.get_dn(None)
+ (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
+
+ if keys[-1] is not None:
+ return dict(result=entry_attrs, value=keys[-1])
+ return dict(result=entry_attrs, value=u'')
+
+api.register(krbtpolicy_reset)
+
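Review bot: The `krbmaxticketlife` and `krbmaxrenewableage` parameters in krbtpolicy.takes_params accept any integer, including zero and negatives, so a policy the KDC cannot honour can be written to the directory by krbtpolicy_mod; if the Int parameter class in this tree supports it, constrain both with a lower bound, e.g. `Int('krbmaxticketlife?', cli_name='maxlife', doc='maximum ticket life', minvalue=1)`. The `errors` and `output` names used in krbtpolicy_reset only resolve through `from ipalib.plugins.baseldap import *`, so a later change to baseldap's imports would break this module; import them explicitly with `from ipalib import errors, output`. The `except errors.EmptyModlist: pass` in krbtpolicy_reset.execute reads as a deliberate no-op but deserves a comment such as `# nothing to change: entry already holds the requested values`.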