Add plugin framework to LDAP updates.

There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032

5 files changed, 426 insertions, 0 deletions

diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
new file mode 100644
index 00000000..a96d0be5
--- /dev/null
+++ b/ipaserver/install/plugins/Makefile.am
@@ -0,0 +1,16 @@
+NULL =
+
+appdir = $(pythondir)/ipaserver/install
+app_PYTHON = 			\
+	__init__.py		\
+	baseupdate.py		\
+	rename_managed.py	\
+	updateclient.py		\
+	$(NULL)
+
+EXTRA_DIST =			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =		\
+	*~			\
+	Makefile.in
diff --git a/ipaserver/install/plugins/__init__.py b/ipaserver/install/plugins/__init__.py
new file mode 100644
index 00000000..49bef4df
--- /dev/null
+++ b/ipaserver/install/plugins/__init__.py
@@ -0,0 +1,28 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Provide a separate api for updates.
+"""
+PRE_UPDATE = 1
+POST_UPDATE = 2
+
+FIRST = 1
+MIDDLE = 2
+LAST = 4
diff --git a/ipaserver/install/plugins/baseupdate.py b/ipaserver/install/plugins/baseupdate.py
new file mode 100644
index 00000000..227dc917
--- /dev/null
+++ b/ipaserver/install/plugins/baseupdate.py
@@ -0,0 +1,68 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipalib import api
+from ipalib import errors
+from ipalib import Updater, Object
+from ipaserver.install import service
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, MIDDLE
+
+class DSRestart(service.Service):
+    """
+    Restart the 389-ds service.
+    """
+    def __init__(self):
+        """
+        This class is present to provide ldapupdate the means to
+        restart 389-ds.
+        """
+        service.Service.__init__(self, "dirsrv")
+
+    def create_instance(self):
+        self.step("stopping directory server", self.stop)
+        self.step("starting directory server", self.start)
+        self.start_creation("Restarting Directory server to apply updates")
+
+class update(Object):
+    """
+    Generic object used to register all updates into a single namespace.
+    """
+    backend_name = 'ldap2'
+
+api.register(update)
+
+class PreUpdate(Updater):
+    """
+    Base class for updates that run prior to file processing.
+    """
+    updatetype = PRE_UPDATE
+    order = MIDDLE
+
+    def __init__(self):
+        super(PreUpdate, self).__init__()
+
+class PostUpdate(Updater):
+    """
+    Base class for updates that run after file processing.
+    """
+    updatetype = POST_UPDATE
+    order = MIDDLE
+
+    def __init__(self):
+        super(PostUpdate, self).__init__()
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
new file mode 100644
index 00000000..a9eed0be
--- /dev/null
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -0,0 +1,132 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
+from ipalib.frontend import Updater
+from ipaserver.install.plugins import baseupdate
+from ipalib import api, errors
+from ipapython import ipautil
+import ldap as _ldap
+
+def entry_to_update(entry):
+    """
+    Convert an entry into a name/value pair list that looks like an update.
+
+    An entry is a dict.
+
+    An update is a list of name/value pairs.
+    """
+    update = []
+    for attr in entry.keys():
+        if isinstance(entry[attr], list):
+            for i in xrange(len(entry[attr])):
+                update.append('%s:%s' % (str(attr), str(entry[attr][i])))
+        else:
+            update.append('%s:%s' % (str(attr), str(entry[attr])))
+
+    return update
+
+def generate_update(ldap, deletes=False):
+    """
+    We need to separate the deletes that need to happen from the
+    new entries that need to be added.
+    """
+    suffix = ipautil.realm_to_suffix(api.env.realm)
+    searchfilter = '(objectclass=*)'
+    definitions_managed_entries = []
+    old_template_container = 'cn=etc,%s' % suffix
+    old_definition_container = 'cn=managed entries,cn=plugins,cn=config'
+    new = 'cn=Managed Entries,cn=etc,%s' % suffix
+    sub = ['cn=Definitions,', 'cn=Templates,']
+    new_managed_entries = []
+    old_templates = []
+    template = None
+    restart = False
+
+    # If the old entries don't exist the server has already been updated.
+    try:
+        (definitions_managed_entries, truncated) = ldap.find_entries(
+            searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
+        )
+    except errors.NotFound, e:
+        return (False, new_managed_entries)
+
+    for entry in definitions_managed_entries:
+        new_definition = {}
+        definition_managed_entry_updates = {}
+        if deletes:
+            old_definition = {'dn': str(entry[0]), 'deleteentry': ['dn: %s' % str(entry[0])]}
+            old_template = str(entry[1]['managedtemplate'][0])
+            definition_managed_entry_updates[old_definition['dn']] = old_definition
+            old_templates.append(old_template)
+        else:
+            entry[1]['managedtemplate'] = str(entry[1]['managedtemplate'][0].replace(old_template_container, sub[1] + new))
+            new_definition['dn'] = str(entry[0].replace(old_definition_container, sub[0] + new))
+            new_definition['default'] = entry_to_update(entry[1])
+            definition_managed_entry_updates[new_definition['dn']] = new_definition
+            new_managed_entries.append(definition_managed_entry_updates)
+    for old_template in old_templates: # Only happens when deletes is True
+        try:
+            (dn, template) = ldap.get_entry(old_template, ['*'], normalize=False)
+            dn = str(dn)
+            new_template = {}
+            template_managed_entry_updates = {}
+            old_template = {'dn': dn, 'deleteentry': ['dn: %s' % dn]}
+            new_template['dn'] = str(dn.replace(old_template_container, sub[1] + new))
+            new_template['default'] = entry_to_update(template)
+            template_managed_entry_updates[new_template['dn']] = new_template
+            template_managed_entry_updates[old_template['dn']] = old_template
+            new_managed_entries.append(template_managed_entry_updates)
+        except errors.NotFound, e:
+            pass
+
+    if len(new_managed_entries) > 0:
+        restart = True
+        new_managed_entries.sort(reverse=True)
+
+    return (restart, new_managed_entries)
+
+class update_managed_post_first(PreUpdate):
+    """
+    Update managed entries
+    """
+    order=FIRST
+
+    def execute(self, **options):
+        # Never need to restart with the pre-update changes
+        (ignore, new_managed_entries) = generate_update(self.obj.backend, False)
+
+        return (False, True, new_managed_entries)
+
+api.register(update_managed_post_first)
+
+class update_managed_post(PostUpdate):
+    """
+    Update managed entries
+    """
+    order=LAST
+
+    def execute(self, **options):
+        (restart, new_managed_entries) = generate_update(self.obj.backend, True)
+
+        return (restart, True, new_managed_entries)
+
+api.register(update_managed_post)
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
new file mode 100644
index 00000000..8f463fa6
--- /dev/null
+++ b/ipaserver/install/plugins/updateclient.py
@@ -0,0 +1,182 @@
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from ipaserver.install import installutils
+from ipaserver.install.plugins import FIRST, MIDDLE, LAST
+from ipaserver.install.plugins import POST_UPDATE
+from ipaserver.install.plugins.baseupdate import DSRestart
+from ipaserver.install.ldapupdate import LDAPUpdate
+from ipalib import api
+from ipalib import backend
+import ldap as _ldap
+
+class updateclient(backend.Executioner):
+    """
+    Backend used for applying LDAP updates via plugins
+
+    An update plugin can be executed before the file-based plugins or
+    afterward. Each plugin returns three values:
+
+    1. restart: dirsrv needs to be restarted BEFORE this update is
+                 applied.
+    2. apply_now: when True the update is applied when the plugin
+                  returns. Otherwise the update is cached until all
+                  plugins of that update type are complete, then they
+                  are applied together.
+    3. updates: A dictionary of updates to be applied.
+
+    updates is a dictionary keyed on dn. The value of an update is a
+    dictionary with the following possible values:
+      - dn: str, duplicate of the key
+      - updates: list of updates against the dn
+      - default: list of the default entry to be added if it doesn't
+                 exist
+      - deleteentry: list of dn's to be deleted (typically single dn)
+
+    For example, this update file:
+
+      dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+      replace:krbPwdLockoutDuration:10::600
+      replace: krbPwdMaxFailure:3::6
+
+    Generates this update dictionary:
+
+    dict('cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com':
+      dict(
+        'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
+        'updates': ['replace:krbPwdLockoutDuration:10::600',
+                    'replace:krbPwdMaxFailure:3::6']
+      )
+    )
+
+    Here is another example showing how a default entry is configured:
+
+      dn: cn=Managed Entries,cn=etc,$SUFFIX
+      default: objectClass: nsContainer
+      default: objectClass: top
+      default: cn: Managed Entries
+
+    This generates:
+
+    dict('cn=Managed Entries,cn=etc,dc=example,dc=com',
+      dict(
+        'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
+        'default': ['objectClass:nsContainer',
+                    'objectClass:top',
+                    'cn:Managed Entries'
+                   ]
+       )
+    )
+
+    Note that the variable substitution in both examples has been completed.
+
+    A PRE_UPDATE plugin is executed before file-based updates.
+
+    A POST_UPDATE plugin is executed after file-based updates.
+
+    Plugins are executed automatically when ipa-ldap-updater is run
+    in upgrade mode (--upgrade). They are not executed normally otherwise.
+    To execute plugins as well use the --plugins flag.
+
+    Either may make changes directly in LDAP or can return updates in
+    update format.
+    """
+    def create_context(self, dm_password):
+        if dm_password:
+            autobind = False
+        else:
+            autobind = True
+        self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind)
+
+    def order(self, updatetype):
+        """
+        Calculate rough order of plugins.
+        """
+        order = []
+        for plugin in api.Updater(): #pylint: disable=E1101
+            if plugin.updatetype != updatetype:
+                continue
+            if plugin.order == FIRST:
+                order.insert(0, plugin)
+            elif plugin.order == MIDDLE:
+                order.insert(len(order)/2, plugin)
+            else:
+                order.append(plugin)
+
+        for o in order:
+            yield o
+
+    def update(self, updatetype, dm_password, ldapi, live_run):
+        """
+        Execute all update plugins of type updatetype.
+        """
+        self.create_context(dm_password)
+        kw = dict(live_run=live_run)
+        result = []
+        ld = LDAPUpdate(dm_password=dm_password, sub_dict={}, live_run=live_run, ldapi=ldapi)
+        for update in self.order(updatetype):
+            (restart, apply_now, res) = self.run(update.name, **kw)
+            if restart:
+                self.restart(dm_password, live_run)
+            dn_list = {}
+            for upd in res:
+                for dn in upd:
+                    dn_explode = _ldap.explode_dn(dn.lower())
+                    l = len(dn_explode)
+                    if dn_list.get(l):
+                        if dn not in dn_list[l]:
+                            dn_list[l].append(dn)
+                    else:
+                        dn_list[l] = [dn]
+            updates = {}
+            for entry in res:
+                updates.update(entry)
+
+            if apply_now:
+                ld.update_from_dict(dn_list, updates)
+            elif res:
+                result.extend(res)
+
+        self.destroy_context()
+
+        return result
+
+    def run(self, method, **kw):
+        """
+        Execute the update plugin.
+        """
+        return self.Updater[method](**kw) #pylint: disable=E1101
+
+    def restart(self, dm_password, live_run):
+        if os.getegid() != 0:
+            self.log.warn("Not root, skipping restart")
+            return
+        dsrestart = DSRestart()
+        socket_name = '/var/run/slapd-%s.socket' % \
+            api.env.realm.replace('.','-')
+        if live_run:
+            self.destroy_context()
+            dsrestart.create_instance()
+            installutils.wait_for_open_socket(socket_name)
+            self.create_context(dm_password)
+        else:
+            self.log.warn("Test mode, skipping restart")
+
+api.register(updateclient)