author | Petr Viktorin <pviktori@redhat.com> | 2014-04-29 21:46:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-26 12:14:55 +0200 |
commit | 193ced0bd7a9a26e7b25f08b023ee21302acaac7 (patch) | |
tree | 994ad23b37d49ab451f65c52a54e71901cc3aedc /ipaserver/install/plugins/update_anonymous_aci.py | |
parent | 63becae88c6c270b98f0432dc474b661b82f3119 (diff) | |
Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipaserver/install/plugins/update_anonymous_aci.py')
-rw-r--r-- | ipaserver/install/plugins/update_anonymous_aci.py | 96 |
1 files changed, 0 insertions, 96 deletions
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b24577..000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-# Rob Crittenden <rcritten@redhat.com>
-#
-# Copyright (C) 2013 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-class update_anonymous_aci(PostUpdate):
-    """
-    Update the Anonymous ACI to ensure that all secrets are protected.
-    """
-    order = FIRST
-
-    def execute(self, **options):
-        aciname = u'Enable Anonymous access'
-        aciprefix = u'none'
-        ldap = self.obj.backend
-        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
-        filter = None
-
-        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
-        acistrs = entry_attrs.get('aci', [])
-        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
-        try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
-        except errors.NotFound:
-            root_logger.error('Anonymous ACI not found, cannot update it')
-            return False, False, []
-
-        attrs = rawaci.target['targetattr']['expression']
-        rawfilter = rawaci.target.get('targetfilter', None)
-        if rawfilter is not None:
-            filter = rawfilter['expression']
-
-        update_attrs = deepcopy(attrs)
-
-        needed_attrs = []
-        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
-            if attr not in attrs:
-                needed_attrs.append(attr)
-
-        update_attrs.extend(needed_attrs)
-        if (len(attrs) == len(update_attrs) and
-            filter == targetfilter):
-            root_logger.debug("Anonymous ACI already update-to-date")
-            return (False, False, [])
-
-        for tmpaci in acistrs:
-            candidate = ACI(tmpaci)
-            if rawaci.isequal(candidate):
-                acistrs.remove(tmpaci)
-                break
-
-        if len(attrs) != len(update_attrs):
-            root_logger.debug("New Anonymous ACI attributes needed: %s",
-                needed_attrs)
-
-        rawaci.target['targetattr']['expression'] = update_attrs
-
-        if filter != targetfilter:
-            root_logger.debug("New Anonymous ACI targetfilter needed.")
-
-            rawaci.set_target_filter(targetfilter)
-
-        acistrs.append(unicode(rawaci))
-        entry_attrs['aci'] = acistrs
-
-        try:
-            ldap.update_entry(entry_attrs)
-        except Exception, e:
-            root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
-        return (False, False, [])
-
-api.register(update_anonymous_aci) |