author | Martin Babinsky <mbabinsk@redhat.com> | 2016-06-23 18:54:49 +0200 |
committer | Martin Basti <mbasti@redhat.com> | 2016-07-01 09:37:25 +0200 |
commit | c2af032c0333f7e210c54369159d1d9f5e3fec74 (patch) | |
tree | 5aae121cbe6be08755e8b4c6484a316b99eb997e /ipaserver/plugins/baseuser.py | |
parent | 974eb7b5efd20ad2195b0ad578637ab31f4c1df4 (diff) | |
Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins/baseuser.py')
-rw-r--r-- | ipaserver/plugins/baseuser.py | 57 |
1 files changed, 16 insertions, 41 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 9c4af66f9..cbb04aaad 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -23,13 +23,16 @@ import six
 from ipalib import api, errors
 from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes
+from ipalib.parameters import Principal
 from ipalib.plugable import Registry
 from .baseldap import (
 DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
 LDAPRetrieve, LDAPAddMember, LDAPRemoveMember)
-from .service import validate_certificate
+from ipaserver.plugins.service import (
+ validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
 from ipalib import _
+from ipapython import kerberos
 from ipapython.ipautil import ipa_generate_password
 from ipapython.ipavalidate import Email
 from ipalib.util import (
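Review bot: The new `+from ipaserver.plugins.service import (` line switches to an absolute module path while the line it replaces and the neighbouring `from .baseldap import (` use explicit relative imports; one style within the import block reads better, e.g. `from .service import (` carrying the same three names. `Principal` is likewise pulled from `ipalib.parameters` while the other parameter classes on the previous line come from `ipalib`; if `ipalib` re-exports it, it could join that line, otherwise a short comment saying why the submodule import is needed would help the next reader.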
@@ -93,45 +96,14 @@ def convert_nsaccountlock(entry_attrs):
 nsaccountlock = Bool('temp')
 entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0])
-def split_principal(principal):
- """
- Split the principal into its components and do some basic validation.
-
- Automatically append our realm if it wasn't provided.
- """
- realm = None
- parts = principal.split('@')
- user = parts[0].lower()
- if len(parts) > 2:
- raise errors.MalformedUserPrincipal(principal=principal)
-
- if len(parts) == 2:
- realm = parts[1].upper()
- # At some point we'll support multiple realms
- if realm != api.env.realm:
- raise errors.RealmMismatch()
- else:
- realm = api.env.realm
-
- return (user, realm)
-def validate_principal(ugettext, principal):
- """
- All the real work is done in split_principal.
- """
- (user, realm) = split_principal(principal)
- return None
-
-def normalize_principal(principal):
- """
- Ensure that the name in the principal is lower-case. The realm is
- upper-case by convention but it isn't required.
-
- The principal is validated at this point.
- """
- (user, realm) = split_principal(principal)
- return unicode('%s@%s' % (user, realm))
+def normalize_user_principal(value):
+ principal = kerberos.Principal(normalize_principal(value))
+ lowercase_components = ((principal.username.lower(),) +
+ principal.components[1:])
+ return unicode(
+ kerberos.Principal(lowercase_components, realm=principal.realm))
 def fix_addressbook_permission_bindrule(name, template, is_new,
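Review bot: `normalize_user_principal` replaces three documented helpers but carries no docstring of its own; a one-liner stating the contract the code shows would keep the file's documentation level, e.g. `"""Return *value* as a normalized principal string with its first (user name) component lower-cased and the realm preserved."""`. The removed `split_principal` lower-cased everything before the `@` (`parts[0].lower()`), whereas the new code lower-cases only `principal.username` and keeps `principal.components[1:]` as given, so a principal with more than one component may normalize differently than before — worth confirming against the commit message's claim that previous behaviour is kept, or noting as intended in that docstring. The removed code also raised `errors.MalformedUserPrincipal` on malformed input, while the new function relies on whatever `normalize_principal` and `kerberos.Principal` raise, so callers that catch that exception type should be checked. `unicode(...)` remains Python 2 only even though the module imports `six`; `six.text_type(...)` would be the portable spelling.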
@@ -239,13 +211,16 @@ class baseuser(LDAPObject):
 cli_name='shell',
 label=_('Login shell'),
 ),
- Str('krbprincipalname?', validate_principal,
+ Principal(
+ 'krbprincipalname?',
+ validate_realm,
 cli_name='principal',
 label=_('Kerberos principal'),
- default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
+ default_from=lambda uid: kerberos.Principal.from_text(
+ uid.lower(), realm=api.env.realm),
 autofill=True,
 flags=['no_update'],
- normalizer=lambda value: normalize_principal(value),
+ normalizer=normalize_user_principal,
 ),
 DateTime('krbprincipalexpiration?',
 cli_name='principal_expiration',
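Review bot: `default_from` now returns a `kerberos.Principal` object while `normalizer=normalize_user_principal` returns `unicode`, so two different types can reach the same `krbprincipalname` parameter depending on whether the value was supplied or autofilled; if `Principal` converts both uniformly that is fine, but it is not visible from this hunk and deserves a one-line comment on the `default_from` line, e.g. `# Principal param converts this object to text like a supplied value`. The `uid.lower()` in the default also repeats the lower-casing the normalizer performs, which is harmless if normalizers run on autofilled values but suggests one of the two is redundant. The enclosing `baseuser` class continues outside the hunk.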