authorPetr Viktorin <pviktori@redhat.com>2014-06-09 19:12:46 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-11 13:21:29 +0200
commit6acaf73b0c6f7301d5a5d4292a4f9926cc370867 (patch)
tree0d4eced7f3b83eac3bb464efc3b846543bbd4a1d /makeaci
parent13bcd03fcfd0cb830f57df905d8c934867c18b6c (diff)
Add ACI.txt
The ACI.txt file is a list of all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'makeaci')
-rwxr-xr-xmakeaci119
1 files changed, 119 insertions, 0 deletions
diff --git a/makeaci b/makeaci
new file mode 100755
index 000000000..ab823558d
--- /dev/null
+++ b/makeaci
@@ -0,0 +1,119 @@
+#!/usr/bin/python2
+# Authors:
+# Petr Viktorin <pviktori@redhat.com>
+# John Dennis <jdennis@redhat.com>
+# Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Test the managed permission ACIs against a known-good ACI list
+# to ensure that changes aren't made lightly.
+# Can either regenerate ACI.txt, or validate against it.
+
+import sys
+import difflib
+from argparse import ArgumentParser
+
+from ipalib import api
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient
+
+
+class FakeLDAPClient(LDAPClient):
+ """A LDAP client that can't do any LDAP operations
+
+ Used to create and manipulate entries without an LDAP connection.
+ """
+ def _init_connection(self):
+ self.conn = IPASimpleLDAPObject('', False, no_schema=True)
+
+
+def parse_options():
+ parser = ArgumentParser()
+ parser.add_argument('--validate', dest='validate', action='store_true',
+ default=False, help='Validate the API vs the stored API')
+ parser.add_argument('filename', nargs='?', default='ACI.txt',
+ help='File to create or validate, default: ACI.txt')
+
+ options = parser.parse_args()
+ return options
+
+
+def generate_aci_lines(api):
+ """Yields ACI lines as they appear in ACI.txt, with trailing newline"""
+ update_plugin = api.Updater['update_managed_permissions']
+ perm_plugin = api.Object['permission']
+ fake_ldap = FakeLDAPClient('')
+ for name, template, obj in update_plugin.get_templates():
+ dn = perm_plugin.get_dn(name)
+ entry = fake_ldap.make_entry(dn)
+ update_plugin.update_entry(
+ obj=obj,
+ entry=entry,
+ template=template,
+ anonymous_read_aci=None,
+ is_new=True,
+ )
+ aci = perm_plugin.make_aci(entry)
+ yield 'dn: %s\n' % dn
+ yield 'aci: %s\n' % aci
+
+
+def main(options):
+ api.bootstrap(
+ context='cli',
+ in_server=False,
+ debug=False,
+ verbose=0,
+ validate_api=True,
+ enable_ra=True,
+ mode='developer',
+ plugins_on_demand=False,
+ basedn=DN('dc=ipa,dc=example'),
+ realm='IPA.EXAMPLE',
+ )
+ from ipaserver.install.plugins.update_managed_permissions import (
+ update_managed_permissions)
+ from ipalib.plugins.permission import permission
+ api.finalize()
+
+ output_lines = list(generate_aci_lines(api))
+
+ if options.validate:
+ with open(options.filename) as file:
+ file_lines = file.readlines()
+ if file_lines != output_lines:
+ diff = list(difflib.unified_diff(
+ file_lines,
+ output_lines,
+ fromfile='existing %s' % options.filename,
+ tofile='new result',
+ ))
+ for line in diff:
+ print line,
+ print>>sys.stderr
+ print>>sys.stderr, 'Managed permission ACI validation failed.'
+ print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
+ exit('%s validation failed' % options.filename)
+ else:
+ with open(options.filename, 'w') as file:
+ file.writelines(output_lines)
+
+
+if __name__ == '__main__':
+ options = parse_options()
+ main(options)
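Review bot: The `--validate` help string in parse_options still reads 'Validate the API vs the stored API', carried over from makeapi, so `makeaci --help` describes the wrong artifact; change it to `help='Validate the managed permission ACIs vs the stored ACI.txt'`. In main, the validation-failure path calls the `exit` name injected by the site module rather than `sys.exit`, even though `sys` is already imported; `sys.exit('%s validation failed' % options.filename)` is the portable form, since the site builtin is absent under `python -S`. Both `with open(...) as file:` blocks also shadow the Python 2 `file` builtin, which is harmless here but easy to rename to `f`.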