From 193ced0bd7a9a26e7b25f08b023ee21302acaac7 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: Remove the global anonymous read ACI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Also remove - the deny ACIs that implemented exceptions to it: - no anonymous access to roles - no anonymous access to member information - no anonymous access to hbac - no anonymous access to sudo (2×) - its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek
---
 ipaserver/install/plugins/update_anonymous_aci.py | 96 ----------------------
 1 file changed, 96 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py
(limited to 'ipaserver/install/plugins/update_anonymous_aci.py')
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b24577..000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-# Rob Crittenden
-#
-# Copyright (C) 2013 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see .
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
- """
- Update the Anonymous ACI to ensure that all secrets are protected.
- """
- order = FIRST
-
- def execute(self, **options):
- aciname = u'Enable Anonymous access'
- aciprefix = u'none'
- ldap = self.obj.backend
- targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
- filter = None
-
- entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
- acistrs = entry_attrs.get('aci', [])
- acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
- try:
- rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
- except errors.NotFound:
- root_logger.error('Anonymous ACI not found, cannot update it')
- return False, False, []
-
- attrs = rawaci.target['targetattr']['expression']
- rawfilter = rawaci.target.get('targetfilter', None)
- if rawfilter is not None:
- filter = rawfilter['expression']
-
- update_attrs = deepcopy(attrs)
-
- needed_attrs = []
- for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
- if attr not in attrs:
- needed_attrs.append(attr)
-
- update_attrs.extend(needed_attrs)
- if (len(attrs) == len(update_attrs) and
- filter == targetfilter):
- root_logger.debug("Anonymous ACI already update-to-date")
- return (False, False, [])
-
- for tmpaci in acistrs:
- candidate = ACI(tmpaci)
- if rawaci.isequal(candidate):
- acistrs.remove(tmpaci)
- break
-
- if len(attrs) != len(update_attrs):
- root_logger.debug("New Anonymous ACI attributes needed: %s",
- needed_attrs)
-
- rawaci.target['targetattr']['expression'] = update_attrs
-
- if filter != targetfilter:
- root_logger.debug("New Anonymous ACI targetfilter needed.")
-
- rawaci.set_target_filter(targetfilter)
-
- acistrs.append(unicode(rawaci))
- entry_attrs['aci'] = acistrs
-
- try:
- ldap.update_entry(entry_attrs)
- except Exception, e:
- root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
- return (False, False, [])
-
-api.register(update_anonymous_aci)
-- cgit