Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

# Authors: 

#   Rob Crittenden <rcritten@redhat.com> 

# 

# Copyright (C) 2013  Red Hat 

# see file 'COPYING' for use and warranty information 

# 

# This program is free software; you can redistribute it and/or modify 

# it under the terms of the GNU General Public License as published by 

# the Free Software Foundation, either version 3 of the License, or 

# (at your option) any later version. 

# 

# This program is distributed in the hope that it will be useful, 

# but WITHOUT ANY WARRANTY; without even the implied warranty of 

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 

# GNU General Public License for more details. 

# 

# You should have received a copy of the GNU General Public License 

# along with this program.  If not, see <http://www.gnu.org/licenses/>. 

 

from copy import deepcopy 

from ipaserver.install.plugins import FIRST, LAST 

from ipaserver.install.plugins.baseupdate import PostUpdate 

from ipalib import api 

from ipalib.aci import ACI 

from ipalib.plugins import aci 

from ipapython.ipa_log_manager import * 

 

class update_anonymous_aci(PostUpdate): 

    """ 

    Update the Anonymous ACI to ensure that all secrets are protected. 

    """ 

    order = FIRST 

 

    def execute(self, **options): 

        aciname = u'Enable Anonymous access' 

        aciprefix = u'none' 

        ldap = self.obj.backend 

        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenRadiusProxyUser))(!(objectClass=ipatokenRadiusConfiguration)))' 

        filter = None 

 

        (dn, entry_attrs) = ldap.get_entry(api.env.basedn, ['aci']) 

 

        acistrs = entry_attrs.get('aci', []) 

        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', [])) 

        rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname) 

 

        attrs = rawaci.target['targetattr']['expression'] 

        rawfilter = rawaci.target.get('targetfilter', None) 

        if rawfilter is not None: 

            filter = rawfilter['expression'] 

 

        update_attrs = deepcopy(attrs) 

 

        needed_attrs = [] 

        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'): 

            if attr not in attrs: 

                needed_attrs.append(attr) 

 

        update_attrs.extend(needed_attrs) 

        if (len(attrs) == len(update_attrs) and 

            filter == targetfilter): 

            root_logger.debug("Anonymous ACI already update-to-date") 

            return (False, False, []) 

 

        for tmpaci in acistrs: 

            candidate = ACI(tmpaci) 

            if rawaci.isequal(candidate): 

                acistrs.remove(tmpaci) 

                break 

 

        if len(attrs) != len(update_attrs): 

            root_logger.debug("New Anonymous ACI attributes needed: %s", 

                needed_attrs) 

 

            rawaci.target['targetattr']['expression'] = update_attrs 

 

        if filter != targetfilter: 

            root_logger.debug("New Anonymous ACI targetfilter needed.") 

 

            rawaci.set_target_filter(targetfilter) 

 

        acistrs.append(unicode(rawaci)) 

        entry_attrs['aci'] = acistrs 

 

        try: 

            ldap.update_entry(dn, entry_attrs) 

        except Exception, e: 

            root_logger.error("Failed to update Anonymous ACI: %s" % e) 

 

        return (False, False, []) 

 

api.register(update_anonymous_aci)