diff options
author | Jan Cholasta <jcholast@redhat.com> | 2016-04-28 10:30:05 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2016-06-03 09:00:34 +0200 |
commit | 6e44557b601f769d23ee74555a72e8b5cc62c0c9 (patch) | |
tree | eedd3e054b0709341b9f58c190ea54f999f7d13a /ipaserver/plugins/sudocmd.py | |
parent | ec841e5d7ab29d08de294b3fa863a631cd50e30a (diff) | |
download | freeipa-6e44557b601f769d23ee74555a72e8b5cc62c0c9.tar.gz freeipa-6e44557b601f769d23ee74555a72e8b5cc62c0c9.tar.xz freeipa-6e44557b601f769d23ee74555a72e8b5cc62c0c9.zip |
ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaserver/plugins/sudocmd.py')
-rw-r--r-- | ipaserver/plugins/sudocmd.py | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/ipaserver/plugins/sudocmd.py b/ipaserver/plugins/sudocmd.py new file mode 100644 index 000000000..e3ae33a84 --- /dev/null +++ b/ipaserver/plugins/sudocmd.py @@ -0,0 +1,203 @@ +# Authors: +# Jr Aquino <jr.aquino@citrixonline.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +from ipalib import api, errors +from ipalib import Str +from ipalib.plugable import Registry +from .baseldap import ( + LDAPObject, + LDAPCreate, + LDAPDelete, + LDAPUpdate, + LDAPSearch, + LDAPRetrieve) +from ipalib import _, ngettext +from ipapython.dn import DN + +__doc__ = _(""" +Sudo Commands + +Commands used as building blocks for sudo + +EXAMPLES: + + Create a new command + ipa sudocmd-add --desc='For reading log files' /usr/bin/less + + Remove a command + ipa sudocmd-del /usr/bin/less + +""") + +register = Registry() + +topic = 'sudo' + +@register() +class sudocmd(LDAPObject): + """ + Sudo Command object. + """ + container_dn = api.env.container_sudocmd + object_name = _('sudo command') + object_name_plural = _('sudo commands') + object_class = ['ipaobject', 'ipasudocmd'] + permission_filter_objectclasses = ['ipasudocmd'] + # object_class_config = 'ipahostobjectclasses' + search_attributes = [ + 'sudocmd', 'description', + ] + default_attributes = [ + 'sudocmd', 'description', 'memberof', + ] + attribute_members = { + 'memberof': ['sudocmdgroup'], + } + uuid_attribute = 'ipauniqueid' + rdn_attribute = 'ipauniqueid' + managed_permissions = { + 'System: Read Sudo Commands': { + 'replaces_global_anonymous_aci': True, + 'ipapermbindruletype': 'all', + 'ipapermright': {'read', 'search', 'compare'}, + 'ipapermdefaultattr': { + 'description', 'ipauniqueid', 'memberof', 'objectclass', + 'sudocmd', + }, + }, + 'System: Add Sudo Command': { + 'ipapermright': {'add'}, + 'replaces': [ + '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Add Sudo command";allow (add) groupdn = "ldap:///cn=Add Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Sudo Administrator'}, + }, + 'System: Delete Sudo Command': { + 'ipapermright': {'delete'}, + 'replaces': [ + '(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + '(targetfilter = "(objectclass=ipasudocmd)")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Delete Sudo command";allow (delete) groupdn = "ldap:///cn=Delete Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Sudo Administrator'}, + }, + 'System: Modify Sudo Command': { + 'ipapermright': {'write'}, + 'ipapermdefaultattr': {'description'}, + 'replaces': [ + '(targetattr = "description")(target = "ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + '(targetfilter = "(objectclass=ipasudocmd)")(targetattr = "description")(target = "ldap:///cn=sudocmds,cn=sudo,$SUFFIX")(version 3.0;acl "permission:Modify Sudo command";allow (write) groupdn = "ldap:///cn=Modify Sudo command,cn=permissions,cn=pbac,$SUFFIX";)', + ], + 'default_privileges': {'Sudo Administrator'}, + }, + } + + label = _('Sudo Commands') + label_singular = _('Sudo Command') + + takes_params = ( + Str('sudocmd', + cli_name='command', + label=_('Sudo Command'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('A description of this command'), + ), + ) + + def get_dn(self, *keys, **options): + if keys[-1].endswith('.'): + keys[-1] = keys[-1][:-1] + dn = super(sudocmd, self).get_dn(*keys, **options) + try: + self.backend.get_entry(dn, ['']) + except errors.NotFound: + try: + entry_attrs = self.backend.find_entry_by_attr( + 'sudocmd', keys[-1], self.object_class, [''], + DN(self.container_dn, api.env.basedn)) + dn = entry_attrs.dn + except errors.NotFound: + pass + return dn + + +@register() +class sudocmd_add(LDAPCreate): + __doc__ = _('Create new Sudo Command.') + + msg_summary = _('Added Sudo Command "%(value)s"') + + +@register() +class sudocmd_del(LDAPDelete): + __doc__ = _('Delete Sudo Command.') + + msg_summary = _('Deleted Sudo Command "%(value)s"') + + def pre_callback(self, ldap, dn, *keys, **options): + filters = [ + ldap.make_filter_from_attr(attr, dn) + for attr in ('memberallowcmd', 'memberdenycmd')] + filter = ldap.combine_filters(filters, ldap.MATCH_ANY) + filter = ldap.combine_filters( + (filter, ldap.make_filter_from_attr('objectClass', 'ipasudorule')), + ldap.MATCH_ALL) + dependent_sudorules = [] + try: + entries, truncated = ldap.find_entries( + filter, ['cn'], + base_dn=DN(api.env.container_sudorule, api.env.basedn)) + except errors.NotFound: + pass + else: + for entry_attrs in entries: + [cn] = entry_attrs['cn'] + dependent_sudorules.append(cn) + + if dependent_sudorules: + raise errors.DependentEntry( + key=keys[0], label='sudorule', + dependent=', '.join(dependent_sudorules)) + return dn + + +@register() +class sudocmd_mod(LDAPUpdate): + __doc__ = _('Modify Sudo Command.') + + msg_summary = _('Modified Sudo Command "%(value)s"') + + +@register() +class sudocmd_find(LDAPSearch): + __doc__ = _('Search for Sudo Commands.') + + msg_summary = ngettext( + '%(count)d Sudo Command matched', '%(count)d Sudo Commands matched', 0 + ) + + +@register() +class sudocmd_show(LDAPRetrieve): + __doc__ = _('Display Sudo Command.') + |