author | Rob Crittenden <rcritten@redhat.com> | 2015-04-22 15:38:55 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2015-04-22 15:38:55 -0400 |
commit | f6d2225ec4325275f1eeb0b8089f1d598a7e7fc4 (patch) | |
tree | 435a4afb2b666b6231c126b28fb129ef9406fe3c | |
parent | bf5398120e33ff3e88d7b3794c9437e7e75ee369 (diff) | |
Don't allow the SSSD info plugin to enabled/disabled in UIno_sssd_ui
This is due to the fact that it requires root to modify the
SSSD configuration, modify the Apache configuration and
restart those services.
This uses the call location (from the stack) to determine the
source of the caller. We want to let enable() happen when the
Ipsilon service starts but not when it is accessed via the
admin UI. Ideally this would be passed in via a flag but since
there is only one use-case right now I went with the hackish
method.
https://fedorahosted.org/ipsilon/ticket/111
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-rw-r--r-- | ipsilon/admin/common.py | 28 | ||||
-rw-r--r-- | ipsilon/info/infosssd.py | 22 |
2 files changed, 42 insertions, 8 deletions
diff --git a/ipsilon/admin/common.py b/ipsilon/admin/common.py
index 7484806..2364df7 100644
--- a/ipsilon/admin/common.py
+++ b/ipsilon/admin/common.py
@@ -273,30 +273,42 @@ class AdminPlugins(AdminPage):
 @admin_protect
 def enable(self, plugin):
 msg = None
+ status = ADMIN_STATUS_OK
 try:
 obj = self._get_plugin_obj(plugin)
 except AdminError, e:
 return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 if not obj.is_enabled:
- obj.enable()
- obj.save_enabled_state()
- msg = "Plugin %s enabled" % obj.name
- return self.root_with_msg(msg, ADMIN_STATUS_OK,
+ try:
+ obj.enable()
+ obj.save_enabled_state()
+ except AdminError as e:
+ msg = str(e)
+ status = ADMIN_STATUS_WARN
+ else:
+ msg = "Plugin %s enabled" % obj.name
+ return self.root_with_msg(msg, status,
 changed={obj.name: 'enabled'})
 enable.public_function = True
 @admin_protect
 def disable(self, plugin):
 msg = None
+ status = ADMIN_STATUS_OK
 try:
 obj = self._get_plugin_obj(plugin)
 except AdminError, e:
 return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 if obj.is_enabled:
- obj.disable()
- obj.save_enabled_state()
- msg = "Plugin %s disabled" % obj.name
- return self.root_with_msg(msg, ADMIN_STATUS_OK,
+ try:
+ obj.disable()
+ obj.save_enabled_state()
+ except AdminError as e:
+ msg = str(e)
+ status = ADMIN_STATUS_WARN
+ else:
+ msg = "Plugin %s disabled" % obj.name
+ return self.root_with_msg(msg, status,
 changed={obj.name: 'disabled'})
 disable.public_function = True
diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index 0dd78cc..fec3a48 100644
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -9,6 +9,7 @@ from ipsilon.info.common import InfoProviderBase
 from ipsilon.info.common import InfoProviderInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
+from ipsilon.admin.common import AdminError
 from string import Template
 import cherrypy
 import time
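Review bot: On the refusal path in `enable()` (and identically in `disable()` further down this hunk) the final `return self.root_with_msg(msg, status, changed={obj.name: 'enabled'})` still reports the plugin as changed, so a request that was rejected with ADMIN_STATUS_WARN is presented to the page as a state change. Indentation is lost in this view, so the exact nesting is inferred, but on the visible lines the `changed=` argument is unconditional. Report the change only on success, for example `changed = {obj.name: 'enabled'} if status == ADMIN_STATUS_OK else {}` followed by `changed=changed`; whether root_with_msg accepts an empty mapping is not visible here and should be checked. Separately, if `obj.enable()` succeeds and `obj.save_enabled_state()` then raises AdminError, the in-memory and saved states diverge while the user sees only a warning.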
@@ -80,6 +81,27 @@ class InfoProvider(InfoProviderBase):
 return reply
+ """
+ The SSSD plugin can only be properly enabled and disabled as root
+ so it isn't something that can be done in the UI. Use the hacky
+ location to determine where in the stack we are to know how the
+ call came in, either via initialization or the admin UI.
+ """
+
+ def enable(self):
+ location = self.call_location()
+ if 'ipsilon/admin/common.py' in location:
+ raise AdminError('sssd plugin cannot be enabled from the UI')
+ else:
+ super(InfoProvider, self).enable()
+
+ def disable(self):
+ location = self.call_location()
+ if 'ipsilon/admin/common.py' in location:
+ raise AdminError('sssd plugin cannot be disabled from the UI')
+ else:
+ super(InfoProvider, self).disable()
+
 CONF_TEMPLATE = """
 LoadModule lookup_identity_module modules/mod_lookup_identity.so |
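Review bot: The guard in the new `enable()` and `disable()` fails open: it refuses only when the substring `'ipsilon/admin/common.py'` appears in `self.call_location()`, and every other caller falls through to `super(InfoProvider, self)`. A privilege boundary that depends on a source file path breaks silently if the admin handler is moved or renamed, if the path is reported in another form, or if a second entry point is added. `call_location()` is not defined in this hunk, so what it returns is assumed here. At minimum, record the constraint where the check lives with a comment such as `# NOTE: fail-open; only callers in ipsilon/admin/common.py are refused, so any new admin entry point must be added here`, and add a test that pins both paths. The explanatory triple-quoted block sits between methods as a bare string expression rather than a docstring, so it would read better as `#` comments directly above `enable()`.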