diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2008-02-27 15:14:52 -0500 |
| commit | 999bd4fb1e4f601759b9eb7d40c27ec983c99329 (patch) | |
| tree | 57e792bcca31472414f9e9e771834d53afce6769 | |
| parent | ad8096b51f1f8de2c05a5c53952fcb2cb5bbd116 (diff) | |
| download | freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.tar.gz freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.tar.xz freeipa.git-999bd4fb1e4f601759b9eb7d40c27ec983c99329.zip | |
In the UI we don't want to display Edit links unless someone can actually
edit things. We use the 'editors' group for this. This group itself grants
no permission other than displaying certain things in the UI.
In order to be in the editors group a user must be a member of a group that
is the source group in a delegation. The memberof plugin will do all the
hard work to be sure that a user's memberof contains cn=editors if they
are in a delegated group.
432874
| -rw-r--r-- | ipa-admintools/ipa-adddelegation | 8 | ||||
| -rw-r--r-- | ipa-admintools/ipa-deldelegation | 17 | ||||
| -rw-r--r-- | ipa-admintools/ipa-moddelegation | 29 | ||||
| -rw-r--r-- | ipa-server/ipa-gui/ipagui/proxyprovider.py | 23 | ||||
| -rw-r--r-- | ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py | 51 | ||||
| -rw-r--r-- | ipa-server/xmlrpc-server/funcs.py | 9 |
6 files changed, 121 insertions, 16 deletions
diff --git a/ipa-admintools/ipa-adddelegation b/ipa-admintools/ipa-adddelegation index b29c9671..e2254fd2 100644 --- a/ipa-admintools/ipa-adddelegation +++ b/ipa-admintools/ipa-adddelegation @@ -139,6 +139,14 @@ def main(): client.update_entry(aci_entry) + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + print "Delegation %s successfully added" % args[1] return 0 diff --git a/ipa-admintools/ipa-deldelegation b/ipa-admintools/ipa-deldelegation index ac0ae798..bc05b283 100644 --- a/ipa-admintools/ipa-deldelegation +++ b/ipa-admintools/ipa-deldelegation @@ -51,12 +51,15 @@ def main(): aci_str_list = [aci_str_list] acistr = None + aci_list = [] for aci_str in aci_str_list: try: aci = ipa.aci.ACI(aci_str) if aci.name == args[1]: acistr = aci_str - break + source_group = aci.source_group + else: + aci_list.append(aci) except SyntaxError: # ignore aci_str's that ACI can't parse pass @@ -72,6 +75,18 @@ def main(): aci_entry.setValue('aci', new_aci_str_list) client.update_entry(aci_entry) + + last = True + # If this is the last delegation for a group, remove it from editors + for a in aci_list: + if source_group == a.source_group: + last = False + break + + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(source_group, group.dn) + print "Delegation removed." return 0 diff --git a/ipa-admintools/ipa-moddelegation b/ipa-admintools/ipa-moddelegation index 773c784d..61aab5e1 100644 --- a/ipa-admintools/ipa-moddelegation +++ b/ipa-admintools/ipa-moddelegation @@ -49,9 +49,9 @@ def main(): if options.list: client = ipaclient.IPAClient() - list = client.get_all_attrs() + l = client.get_all_attrs() - for x in list: + for x in l: print x return 0 @@ -124,12 +124,15 @@ def main(): old_aci = None acistr = None + aci_list = [] for aci_str in aci_str_list: try: old_aci = ipa.aci.ACI(aci_str) if old_aci.name == args[1]: acistr = aci_str - break + orig_group = old_aci.source_group + else: + aci_list.append(old_aci) except SyntaxError: # ignore aci_str's that ACI can't parse pass @@ -162,6 +165,26 @@ def main(): client.update_entry(aci_entry) + if options.source: + last = True + # If this is the last delegation for a group, remove it from editors + for a in aci_list: + if orig_group == a.source_group: + last = False + break + + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(orig_group, group.dn) + + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + print "Delegation %s successfully updated" % args[1] return 0 diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py index ab45a6db..5a145de1 100644 --- a/ipa-server/ipa-gui/ipagui/proxyprovider.py +++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py @@ -24,6 +24,7 @@ from ipaserver import funcs import ipa.config import ipa.group import ipa.user +import ldap log = logging.getLogger("turbogears.identity") @@ -41,18 +42,18 @@ class IPA_User(object): client = ipa.ipaclient.IPAClient(transport) client.set_krbccache(os.environ["KRB5CCNAME"]) try: - user = client.get_user_by_principal(user_name, ['dn']) + # Use memberof so we can see recursive group memberships as well. + user = client.get_user_by_principal(user_name, ['dn', 'memberof']) self.groups = [] - groups = client.get_groups_by_member(user.dn, ['dn', 'cn']) - if isinstance(groups, str): - groups = [groups] - for ginfo in groups: - # cn may be multi-valued, add them all just in case - cn = ginfo.getValue('cn') - if isinstance(cn, str): - cn = [cn] - for c in cn: - self.groups.append(c) + memberof = user.getValues('memberof') + if isinstance(memberof, str): + memberof = [memberof] + for mo in memberof: + rdn_list = ldap.explode_dn(mo, 0) + first_rdn = rdn_list[0] + (type,value) = first_rdn.split('=') + if type == "cn": + self.groups.append(value) except: raise diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py index 9b7e9305..73b0cbe6 100644 --- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py +++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py @@ -134,6 +134,15 @@ class DelegationController(IPAController): aci_entry.setValue('aci', new_aci.export_to_string()) client.update_entry(aci_entry) + + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + except ipaerror.IPAError, e: turbogears.flash("Delgate add failed: " + str(e) + "<br/>" + e.detail[0]['desc']) return dict(form=delegate_form, delegate=kw, @@ -216,11 +225,37 @@ class DelegationController(IPAController): new_aci_str = new_aci.export_to_string() new_aci_str_list = copy.copy(aci_str_list) + old_aci = ipa.aci.ACI(new_aci_str_list[old_aci_index]) new_aci_str_list[old_aci_index] = new_aci_str aci_entry.setValue('aci', new_aci_str_list) client.update_entry(aci_entry) + if new_aci.source_group != old_aci.source_group: + aci_list = [] + last = True + for aci_str in new_aci_str_list: + try: + aci = ipa.aci.ACI(aci_str) + if aci.source_group == old_aci.source_group: + last = False + break + except SyntaxError: + # ignore aci_str's that ACI can't parse + pass + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(old_aci.source_group, group.dn) + + # Now add to the editors group so they can make changes in the UI + try: + group = client.get_entry_by_cn("editors") + client.add_group_to_group(new_aci.source_group, group.dn) + except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST): + # This is ok, ignore it + pass + + turbogears.flash("delegate updated") raise turbogears.redirect('/delegate/list') except (SyntaxError, ipaerror.IPAError), e: @@ -291,12 +326,28 @@ class DelegationController(IPAController): "concurrently modified.") raise turbogears.redirect('/delegate/list') + old_aci = ipa.aci.ACI(aci_str_list[old_aci_index]) new_aci_str_list = copy.copy(aci_str_list) del new_aci_str_list[old_aci_index] aci_entry.setValue('aci', new_aci_str_list) client.update_entry(aci_entry) + aci_list = [] + last = True + for aci_str in new_aci_str_list: + try: + aci = ipa.aci.ACI(aci_str) + if aci.source_group == old_aci.source_group: + last = False + break + except SyntaxError: + # ignore aci_str's that ACI can't parse + pass + if last: + group = client.get_entry_by_cn("editors") + client.remove_member_from_group(old_aci.source_group, group.dn) + turbogears.flash("delegate deleted") raise turbogears.redirect('/delegate/list') except (SyntaxError, ipaerror.IPAError), e: diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py index 6bd40401..d4cbb3ef 100644 --- a/ipa-server/xmlrpc-server/funcs.py +++ b/ipa-server/xmlrpc-server/funcs.py @@ -1123,7 +1123,14 @@ class IPAServer: return True def get_groups_by_member (self, member_dn, sattrs, opts=None): - """Get a specific group's entry. Return as a dict of values. + """Get all of the groups an object is explicitly a member of. + + This does not include groups an entry may be a member of as a + result of recursion (being a group that is a member of another + group). In other words, this searches on 'member' and not + 'memberof'. + + Return as a dict of values. Multi-valued fields are represented as lists. """ if not member_dn: |