author | Petr Viktorin <pviktori@redhat.com> | 2014-06-09 19:12:46 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-11 13:21:29 +0200 |
commit | 6acaf73b0c6f7301d5a5d4292a4f9926cc370867 (patch) | |
tree | 0d4eced7f3b83eac3bb464efc3b846543bbd4a1d /makeaci | |
parent | 13bcd03fcfd0cb830f57df905d8c934867c18b6c (diff) | |
Add ACI.txt
The ACI.txt file is a list of all managed permissions in ACI form.
Similarly to API.txt, it ensures that changes are not made lightly,
since modifications must be reflected in ACI.txt and committed to Git.
Add a script, makeaci, which parallels makeapi: it recreates or
validates ACI.txt.
Call makeaci --validate before the build, just after API.txt is validated.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'makeaci')
-rwxr-xr-x | makeaci | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/makeaci b/makeaci
new file mode 100755
index 000000000..ab823558d
--- /dev/null
+++ b/makeaci
@@ -0,0 +1,119 @@
+#!/usr/bin/python2
+# Authors:
+# Petr Viktorin <pviktori@redhat.com>
+# John Dennis <jdennis@redhat.com>
+# Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Test the managed permission ACIs against a known-good ACI list
+# to ensure that changes aren't made lightly.
+# Can either regenerate ACI.txt, or validate against it.
+
+import sys
+import difflib
+from argparse import ArgumentParser
+
+from ipalib import api
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient
+
+
+class FakeLDAPClient(LDAPClient):
+ """A LDAP client that can't do any LDAP operations
+
+ Used to create and manipulate entries without an LDAP connection. 
+ """
+ def _init_connection(self):
+ self.conn = IPASimpleLDAPObject('', False, no_schema=True)
+
+
+def parse_options():
+ parser = ArgumentParser()
+ parser.add_argument('--validate', dest='validate', action='store_true',
+ default=False, help='Validate the API vs the stored API')
+ parser.add_argument('filename', nargs='?', default='ACI.txt',
+ help='File to create or validate, default: ACI.txt')
+
+ options = parser.parse_args()
+ return options
+
+
+def generate_aci_lines(api):
+ """Yields ACI lines as they appear in ACI.txt, with trailing newline"""
+ update_plugin = api.Updater['update_managed_permissions']
+ perm_plugin = api.Object['permission']
+ fake_ldap = FakeLDAPClient('')
+ for name, template, obj in update_plugin.get_templates():
+ dn = perm_plugin.get_dn(name)
+ entry = fake_ldap.make_entry(dn)
+ update_plugin.update_entry(
+ obj=obj,
+ entry=entry,
+ template=template,
+ anonymous_read_aci=None,
+ is_new=True,
+ )
+ aci = perm_plugin.make_aci(entry)
+ yield 'dn: %s\n' % dn
+ yield 'aci: %s\n' % aci
+
+
+def main(options):
+ api.bootstrap(
+ context='cli',
+ in_server=False,
+ debug=False,
+ verbose=0,
+ validate_api=True,
+ enable_ra=True,
+ mode='developer',
+ plugins_on_demand=False,
+ basedn=DN('dc=ipa,dc=example'),
+ realm='IPA.EXAMPLE',
+ )
+ from ipaserver.install.plugins.update_managed_permissions import (
+ update_managed_permissions)
+ from ipalib.plugins.permission import permission
+ api.finalize()
+
+ output_lines = list(generate_aci_lines(api))
+
+ if options.validate:
+ with open(options.filename) as file:
+ file_lines = file.readlines()
+ if file_lines != output_lines:
+ diff = list(difflib.unified_diff(
+ file_lines,
+ output_lines,
+ fromfile='existing %s' % options.filename,
+ tofile='new result',
+ ))
+ for line in diff:
+ print line,
+ print>>sys.stderr
+ print>>sys.stderr, 'Managed permission ACI validation failed.'
+ print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
+ exit('%s validation failed' % options.filename)
+ else:
+ with open(options.filename, 'w') as file:
+ file.writelines(output_lines)
+
+
+if __name__ == '__main__':
+ options = parse_options()
+ main(options) |
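Review bot: The `--validate` help string in parse_options, `help='Validate the API vs the stored API'`, was carried over from makeapi and describes the wrong artifact; for this script it should read `help='Validate the managed permission ACIs against the stored ACI.txt'`. In main's failure path the call `exit('%s validation failed' % options.filename)` relies on the site-injected `exit` builtin, which is absent under `python -S` and intended for interactive use; `sys` is already imported, so `sys.exit('%s validation failed' % options.filename)` is the explicit form. In validate mode a missing or unreadable ACI.txt surfaces as a bare IOError traceback from `open(options.filename)`, so the pre-build check would be clearer if that case exited with a message naming the file. `LDAPEntry` is imported from ipapython.ipaldap but never referenced.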