5 files changed, 426 insertions, 0 deletions
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
new file mode 100644
index 000000000..a96d0be5c
--- /dev/null
+++ b/ipaserver/install/plugins/Makefile.am
@@ -0,0 +1,16 @@
+NULL =
+
+appdir = $(pythondir)/ipaserver/install
+app_PYTHON = 			\
+	__init__.py		\
+	baseupdate.py		\
+	rename_managed.py	\
+	updateclient.py		\
+	$(NULL)
+
+EXTRA_DIST =			\
+	$(NULL)
+
+MAINTAINERCLEANFILES =		\
+	*~			\
+	Makefile.in
diff --git a/ipaserver/install/plugins/__init__.py b/ipaserver/install/plugins/__init__.py
new file mode 100644
index 000000000..49bef4df8
--- /dev/null
+++ b/ipaserver/install/plugins/__init__.py
@@ -0,0 +1,28 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Provide a separate api for updates.
+"""
+PRE_UPDATE = 1
+POST_UPDATE = 2
+
+FIRST = 1
+MIDDLE = 2
+LAST = 4
diff --git a/ipaserver/install/plugins/baseupdate.py b/ipaserver/install/plugins/baseupdate.py
new file mode 100644
index 000000000..227dc917a
--- /dev/null
+++ b/ipaserver/install/plugins/baseupdate.py
@@ -0,0 +1,68 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipalib import api
+from ipalib import errors
+from ipalib import Updater, Object
+from ipaserver.install import service
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, MIDDLE
+
+class DSRestart(service.Service):
+    """
+    Restart the 389-ds service.
+    """
+    def __init__(self):
+        """
+        This class is present to provide ldapupdate the means to
+        restart 389-ds.
+        """
+        service.Service.__init__(self, "dirsrv")
+
+    def create_instance(self):
+        self.step("stopping directory server", self.stop)
+        self.step("starting directory server", self.start)
+        self.start_creation("Restarting Directory server to apply updates")
+
+class update(Object):
+    """
+    Generic object used to register all updates into a single namespace.
+    """
+    backend_name = 'ldap2'
+
+api.register(update)
+
+class PreUpdate(Updater):
+    """
+    Base class for updates that run prior to file processing.
+    """
+    updatetype = PRE_UPDATE
+    order = MIDDLE
+
+    def __init__(self):
+        super(PreUpdate, self).__init__()
+
+class PostUpdate(Updater):
+    """
+    Base class for updates that run after file processing.
+    """
+    updatetype = POST_UPDATE
+    order = MIDDLE
+
+    def __init__(self):
+        super(PostUpdate, self).__init__()
diff --git a/ipaserver/install/plugins/rename_managed.py b/ipaserver/install/plugins/rename_managed.py
new file mode 100644
index 000000000..a9eed0be3
--- /dev/null
+++ b/ipaserver/install/plugins/rename_managed.py
@@ -0,0 +1,132 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins import PRE_UPDATE, POST_UPDATE, FIRST, LAST
+from ipaserver.install.plugins.baseupdate import PreUpdate, PostUpdate
+from ipalib.frontend import Updater
+from ipaserver.install.plugins import baseupdate
+from ipalib import api, errors
+from ipapython import ipautil
+import ldap as _ldap
+
+def entry_to_update(entry):
+    """
+    Convert an entry into a name/value pair list that looks like an update.
+
+    An entry is a dict.
+
+    An update is a list of name/value pairs.
+    """
+    update = []
+    for attr in entry.keys():
+        if isinstance(entry[attr], list):
+            for i in xrange(len(entry[attr])):
+                update.append('%s:%s' % (str(attr), str(entry[attr][i])))
+        else:
+            update.append('%s:%s' % (str(attr), str(entry[attr])))
+
+    return update
+
+def generate_update(ldap, deletes=False):
+    """
+    We need to separate the deletes that need to happen from the
+    new entries that need to be added.
+    """
+    suffix = ipautil.realm_to_suffix(api.env.realm)
+    searchfilter = '(objectclass=*)'
+    definitions_managed_entries = []
+    old_template_container = 'cn=etc,%s' % suffix
+    old_definition_container = 'cn=managed entries,cn=plugins,cn=config'
+    new = 'cn=Managed Entries,cn=etc,%s' % suffix
+    sub = ['cn=Definitions,', 'cn=Templates,']
+    new_managed_entries = []
+    old_templates = []
+    template = None
+    restart = False
+
+    # If the old entries don't exist the server has already been updated.
+    try:
+        (definitions_managed_entries, truncated) = ldap.find_entries(
+            searchfilter, ['*'], old_definition_container, _ldap.SCOPE_ONELEVEL, normalize=False
+        )
+    except errors.NotFound, e:
+        return (False, new_managed_entries)
+
+    for entry in definitions_managed_entries:
+        new_definition = {}
+        definition_managed_entry_updates = {}
+        if deletes:
+            old_definition = {'dn': str(entry[0]), 'deleteentry': ['dn: %s' % str(entry[0])]}
+            old_template = str(entry[1]['managedtemplate'][0])
+            definition_managed_entry_updates[old_definition['dn']] = old_definition
+            old_templates.append(old_template)
+        else:
+            entry[1]['managedtemplate'] = str(entry[1]['managedtemplate'][0].replace(old_template_container, sub[1] + new))
+            new_definition['dn'] = str(entry[0].replace(old_definition_container, sub[0] + new))
+            new_definition['default'] = entry_to_update(entry[1])
+            definition_managed_entry_updates[new_definition['dn']] = new_definition
+            new_managed_entries.append(definition_managed_entry_updates)
+    for old_template in old_templates: # Only happens when deletes is True
+        try:
+            (dn, template) = ldap.get_entry(old_template, ['*'], normalize=False)
+            dn = str(dn)
+            new_template = {}
+            template_managed_entry_updates = {}
+            old_template = {'dn': dn, 'deleteentry': ['dn: %s' % dn]}
+            new_template['dn'] = str(dn.replace(old_template_container, sub[1] + new))
+            new_template['default'] = entry_to_update(template)
+            template_managed_entry_updates[new_template['dn']] = new_template
+            template_managed_entry_updates[old_template['dn']] = old_template
+            new_managed_entries.append(template_managed_entry_updates)
+        except errors.NotFound, e:
+            pass
+
+    if len(new_managed_entries) > 0:
+        restart = True
+        new_managed_entries.sort(reverse=True)
+
+    return (restart, new_managed_entries)
+
+class update_managed_post_first(PreUpdate):
+    """
+    Update managed entries
+    """
+    order=FIRST
+
+    def execute(self, **options):
+        # Never need to restart with the pre-update changes
+        (ignore, new_managed_entries) = generate_update(self.obj.backend, False)
+
+        return (False, True, new_managed_entries)
+
+api.register(update_managed_post_first)
+
+class update_managed_post(PostUpdate):
+    """
+    Update managed entries
+    """
+    order=LAST
+
+    def execute(self, **options):
+        (restart, new_managed_entries) = generate_update(self.obj.backend, True)
+
+        return (restart, True, new_managed_entries)
+
+api.register(update_managed_post)
diff --git a/ipaserver/install/plugins/updateclient.py b/ipaserver/install/plugins/updateclient.py
new file mode 100644
index 000000000..8f463fa69
--- /dev/null
+++ b/ipaserver/install/plugins/updateclient.py
@@ -0,0 +1,182 @@
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from ipaserver.install import installutils
+from ipaserver.install.plugins import FIRST, MIDDLE, LAST
+from ipaserver.install.plugins import POST_UPDATE
+from ipaserver.install.plugins.baseupdate import DSRestart
+from ipaserver.install.ldapupdate import LDAPUpdate
+from ipalib import api
+from ipalib import backend
+import ldap as _ldap
+
+class updateclient(backend.Executioner):
+    """
+    Backend used for applying LDAP updates via plugins
+
+    An update plugin can be executed before the file-based plugins or
+    afterward. Each plugin returns three values:
+
+    1. restart: dirsrv needs to be restarted BEFORE this update is
+                 applied.
+    2. apply_now: when True the update is applied when the plugin
+                  returns. Otherwise the update is cached until all
+                  plugins of that update type are complete, then they
+                  are applied together.
+    3. updates: A dictionary of updates to be applied.
+
+    updates is a dictionary keyed on dn. The value of an update is a
+    dictionary with the following possible values:
+      - dn: str, duplicate of the key
+      - updates: list of updates against the dn
+      - default: list of the default entry to be added if it doesn't
+                 exist
+      - deleteentry: list of dn's to be deleted (typically single dn)
+
+    For example, this update file:
+
+      dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+      replace:krbPwdLockoutDuration:10::600
+      replace: krbPwdMaxFailure:3::6
+
+    Generates this update dictionary:
+
+    dict('cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com':
+      dict(
+        'dn': 'cn=global_policy,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com',
+        'updates': ['replace:krbPwdLockoutDuration:10::600',
+                    'replace:krbPwdMaxFailure:3::6']
+      )
+    )
+
+    Here is another example showing how a default entry is configured:
+
+      dn: cn=Managed Entries,cn=etc,$SUFFIX
+      default: objectClass: nsContainer
+      default: objectClass: top
+      default: cn: Managed Entries
+
+    This generates:
+
+    dict('cn=Managed Entries,cn=etc,dc=example,dc=com',
+      dict(
+        'dn': 'cn=Managed Entries,cn=etc,dc=example,dc=com',
+        'default': ['objectClass:nsContainer',
+                    'objectClass:top',
+                    'cn:Managed Entries'
+                   ]
+       )
+    )
+
+    Note that the variable substitution in both examples has been completed.
+
+    A PRE_UPDATE plugin is executed before file-based updates.
+
+    A POST_UPDATE plugin is executed after file-based updates.
+
+    Plugins are executed automatically when ipa-ldap-updater is run
+    in upgrade mode (--upgrade). They are not executed normally otherwise.
+    To execute plugins as well use the --plugins flag.
+
+    Either may make changes directly in LDAP or can return updates in
+    update format.
+    """
+    def create_context(self, dm_password):
+        if dm_password:
+            autobind = False
+        else:
+            autobind = True
+        self.Backend.ldap2.connect(bind_dn='cn=Directory Manager', bind_pw=dm_password, autobind=autobind)
+
+    def order(self, updatetype):
+        """
+        Calculate rough order of plugins.
+        """
+        order = []
+        for plugin in api.Updater(): #pylint: disable=E1101
+            if plugin.updatetype != updatetype:
+                continue
+            if plugin.order == FIRST:
+                order.insert(0, plugin)
+            elif plugin.order == MIDDLE:
+                order.insert(len(order)/2, plugin)
+            else:
+                order.append(plugin)
+
+        for o in order:
+            yield o
+
+    def update(self, updatetype, dm_password, ldapi, live_run):
+        """
+        Execute all update plugins of type updatetype.
+        """
+        self.create_context(dm_password)
+        kw = dict(live_run=live_run)
+        result = []
+        ld = LDAPUpdate(dm_password=dm_password, sub_dict={}, live_run=live_run, ldapi=ldapi)
+        for update in self.order(updatetype):
+            (restart, apply_now, res) = self.run(update.name, **kw)
+            if restart:
+                self.restart(dm_password, live_run)
+            dn_list = {}
+            for upd in res:
+                for dn in upd:
+                    dn_explode = _ldap.explode_dn(dn.lower())
+                    l = len(dn_explode)
+                    if dn_list.get(l):
+                        if dn not in dn_list[l]:
+                            dn_list[l].append(dn)
+                    else:
+                        dn_list[l] = [dn]
+            updates = {}
+            for entry in res:
+                updates.update(entry)
+
+            if apply_now:
+                ld.update_from_dict(dn_list, updates)
+            elif res:
+                result.extend(res)
+
+        self.destroy_context()
+
+        return result
+
+    def run(self, method, **kw):
+        """
+        Execute the update plugin.
+        """
+        return self.Updater[method](**kw) #pylint: disable=E1101
+
+    def restart(self, dm_password, live_run):
+        if os.getegid() != 0:
+            self.log.warn("Not root, skipping restart")
+            return
+        dsrestart = DSRestart()
+        socket_name = '/var/run/slapd-%s.socket' % \
+            api.env.realm.replace('.','-')
+        if live_run:
+            self.destroy_context()
+            dsrestart.create_instance()
+            installutils.wait_for_open_socket(socket_name)
+            self.create_context(dm_password)
+        else:
+            self.log.warn("Test mode, skipping restart")
+
+api.register(updateclient)