authorRob Crittenden <rcritten@redhat.com>2015-04-22 15:38:55 -0400
committerRob Crittenden <rcritten@redhat.com>2015-04-22 15:38:55 -0400
commitf6d2225ec4325275f1eeb0b8089f1d598a7e7fc4 (patch)
tree435a4afb2b666b6231c126b28fb129ef9406fe3c
parentbf5398120e33ff3e88d7b3794c9437e7e75ee369 (diff)
Don't allow the SSSD info plugin to enabled/disabled in UIno_sssd_ui
This is due to the fact that it requires root to modify the SSSD configuration, modify the Apache configuration and restart those services. This uses the call location (from the stack) to determine the source of the caller. We want to let enable() happen when the Ipsilon service starts but not when it is accessed via the admin UI. Ideally this would be passed in via a flag but since there is only one use-case right now I went with the hackish method. https://fedorahosted.org/ipsilon/ticket/111 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-rw-r--r--ipsilon/admin/common.py28
-rw-r--r--ipsilon/info/infosssd.py22
2 files changed, 42 insertions, 8 deletions
diff --git a/ipsilon/admin/common.py b/ipsilon/admin/common.py
index 7484806..2364df7 100644
--- a/ipsilon/admin/common.py
+++ b/ipsilon/admin/common.py
@@ -273,30 +273,42 @@ class AdminPlugins(AdminPage):
@admin_protect
def enable(self, plugin):
msg = None
+ status = ADMIN_STATUS_OK
try:
obj = self._get_plugin_obj(plugin)
except AdminError, e:
return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
if not obj.is_enabled:
- obj.enable()
- obj.save_enabled_state()
- msg = "Plugin %s enabled" % obj.name
- return self.root_with_msg(msg, ADMIN_STATUS_OK,
+ try:
+ obj.enable()
+ obj.save_enabled_state()
+ except AdminError as e:
+ msg = str(e)
+ status = ADMIN_STATUS_WARN
+ else:
+ msg = "Plugin %s enabled" % obj.name
+ return self.root_with_msg(msg, status,
changed={obj.name: 'enabled'})
enable.public_function = True
@admin_protect
def disable(self, plugin):
msg = None
+ status = ADMIN_STATUS_OK
try:
obj = self._get_plugin_obj(plugin)
except AdminError, e:
return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
if obj.is_enabled:
- obj.disable()
- obj.save_enabled_state()
- msg = "Plugin %s disabled" % obj.name
- return self.root_with_msg(msg, ADMIN_STATUS_OK,
+ try:
+ obj.disable()
+ obj.save_enabled_state()
+ except AdminError as e:
+ msg = str(e)
+ status = ADMIN_STATUS_WARN
+ else:
+ msg = "Plugin %s disabled" % obj.name
+ return self.root_with_msg(msg, status,
changed={obj.name: 'disabled'})
disable.public_function = True
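Review bot: On the new `except AdminError` path in `enable()`, the final `return self.root_with_msg(msg, status, changed={obj.name: 'enabled'})` still appears to report the plugin as changed even though the toggle was refused. The same applies to `disable()` with `'disabled'`. Indentation is lost in this rendering, so this assumes the `return` is still at function level as it was before the change. If `root_with_msg` uses `changed` to update the page state, the admin UI would show a state the plugin never reached, so set the dict only in the `else:` branch, e.g. `changed = {obj.name: 'enabled'}`, and pass an empty value otherwise. A smaller style point: the new handlers use `except AdminError as e` while the context lines just above keep `except AdminError, e`; one spelling per function reads better.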
diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index 0dd78cc..fec3a48 100644
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -9,6 +9,7 @@ from ipsilon.info.common import InfoProviderBase
from ipsilon.info.common import InfoProviderInstaller
from ipsilon.util.plugin import PluginObject
from ipsilon.util.policy import Policy
+from ipsilon.admin.common import AdminError
from string import Template
import cherrypy
import time
@@ -80,6 +81,27 @@ class InfoProvider(InfoProviderBase):
return reply
+ """
+ The SSSD plugin can only be properly enabled and disabled as root
+ so it isn't something that can be done in the UI. Use the hacky
+ location to determine where in the stack we are to know how the
+ call came in, either via initialization or the admin UI.
+ """
+
+ def enable(self):
+ location = self.call_location()
+ if 'ipsilon/admin/common.py' in location:
+ raise AdminError('sssd plugin cannot be enabled from the UI')
+ else:
+ super(InfoProvider, self).enable()
+
+ def disable(self):
+ location = self.call_location()
+ if 'ipsilon/admin/common.py' in location:
+ raise AdminError('sssd plugin cannot be disabled from the UI')
+ else:
+ super(InfoProvider, self).disable()
+
CONF_TEMPLATE = """
LoadModule lookup_identity_module modules/mod_lookup_identity.so
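Review bot: The guard in `enable()` and `disable()` identifies the admin UI by testing `'ipsilon/admin/common.py' in location`, so a privilege boundary depends on the source file layout. `call_location()` is not visible in this hunk, but if it returns stack file paths, then renaming or relocating the admin module, or a different path separator, would let the call through without any error. The same would be true of any other web-reachable handler that calls the plugin's `enable()`. As the commit message already suggests, an explicit signal is more robust, for example a class attribute on the plugin such as `ui_toggle_allowed = False` (name is only a suggestion) that `AdminPlugins.enable`/`disable` check before calling into the plugin. Separately, the triple-quoted block above `enable()` sits between methods, so it is a discarded string expression rather than a docstring; make it a `#` comment or move it into the two methods.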