/freeipa-3.0.0.pre1/ipalib/aci.py
Python | 332 lines | 284 code | 11 blank | 37 comment | 9 complexity | bdba47f848eae93e713638e8e533063b MD5 | raw file
Possible License(s): GPL-3.0
- # Authors:
- # Rob Crittenden <rcritten@redhat.com>
- #
- # Copyright (C) 2008 Red Hat
- # see file 'COPYING' for use and warranty information
- #
- # This program is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation, either version 3 of the License, or
- # (at your option) any later version.
- #
- # This program is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
- import shlex
- import re
- import ldap
- # The Python re module doesn't do nested parenthesis
- # Break the ACI into 3 pieces: target, name, permissions/bind_rules
- ACIPat = re.compile(r'\(version\s+3.0\s*;\s*acl\s+\"([^\"]*)\"\s*;\s*([^;]*);\s*\)', re.UNICODE)
- # Break the permissions/bind_rules out
- PermPat = re.compile(r'(\w+)\s*\((.*)\)\s+(.*)', re.UNICODE)
- # Break the bind rule out
- BindPat = re.compile(r'([a-zA-Z0-9;\.]+)\s*(\!?=)\s*(.*)', re.UNICODE)
- ACTIONS = ["allow", "deny"]
- PERMISSIONS = ["read", "write", "add", "delete", "search", "compare",
- "selfwrite", "proxy", "all"]
- class ACI:
- """
- Holds the basic data for an ACI entry, as stored in the cn=accounts
- entry in LDAP. Has methods to parse an ACI string and export to an
- ACI String.
- """
- def __init__(self,acistr=None):
- self.name = None
- self.source_group = None
- self.dest_group = None
- self.orig_acistr = acistr
- self.target = {}
- self.action = "allow"
- self.permissions = ["write"]
- self.bindrule = {}
- if acistr is not None:
- self._parse_acistr(acistr)
- def __getitem__(self,key):
- """Fake getting attributes by key for sorting"""
- if key == 0:
- return self.name
- if key == 1:
- return self.source_group
- if key == 2:
- return self.dest_group
- raise TypeError("Unknown key value %s" % key)
- def __repr__(self):
- """An alias for export_to_string()"""
- return self.export_to_string()
- def export_to_string(self):
- """Output a Directory Server-compatible ACI string"""
- self.validate()
- aci = ""
- for t in self.target:
- op = self.target[t]['operator']
- if type(self.target[t]['expression']) in (tuple, list):
- target = ""
- for l in self.target[t]['expression']:
- target = target + l + " || "
- target = target[:-4]
- aci = aci + "(%s %s \"%s\")" % (t, op, target)
- else:
- aci = aci + "(%s %s \"%s\")" % (t, op, self.target[t]['expression'])
- aci = aci + "(version 3.0;acl \"%s\";%s (%s) %s %s \"%s\"" % (self.name, self.action, ",".join(self.permissions), self.bindrule['keyword'], self.bindrule['operator'], self.bindrule['expression']) + ";)"
- return aci
- def _remove_quotes(self, s):
- # Remove leading and trailing quotes
- if s.startswith('"'):
- s = s[1:]
- if s.endswith('"'):
- s = s[:-1]
- return s
- def _parse_target(self, aci):
- lexer = shlex.shlex(aci.encode('utf-8'))
- lexer.wordchars = lexer.wordchars + "."
- l = []
- var = False
- op = "="
- for token in lexer:
- # We should have the form (a = b)(a = b)...
- if token == "(":
- var = lexer.next().strip()
- operator = lexer.next()
- if operator != "=" and operator != "!=":
- # Peek at the next char before giving up
- operator = operator + lexer.next()
- if operator != "=" and operator != "!=":
- raise SyntaxError("No operator in target, got '%s'" % operator)
- op = operator
- val = lexer.next().strip()
- val = self._remove_quotes(val)
- end = lexer.next()
- if end != ")":
- raise SyntaxError('No end parenthesis in target, got %s' % end)
- if var == 'targetattr':
- # Make a string of the form attr || attr || ... into a list
- t = re.split('[^a-zA-Z0-9;\*]+', val)
- self.target[var] = {}
- self.target[var]['operator'] = op
- self.target[var]['expression'] = t
- else:
- self.target[var] = {}
- self.target[var]['operator'] = op
- self.target[var]['expression'] = val
- def _parse_acistr(self, acistr):
- vstart = acistr.find('version 3.0')
- if vstart < 0:
- raise SyntaxError, "malformed ACI, unable to find version %s" % acistr
- acimatch = ACIPat.match(acistr[vstart-1:])
- if not acimatch or len(acimatch.groups()) < 2:
- raise SyntaxError, "malformed ACI, match for version and bind rule failed %s" % acistr
- self._parse_target(acistr[:vstart-1])
- self.name = acimatch.group(1)
- bindperms = PermPat.match(acimatch.group(2))
- if not bindperms or len(bindperms.groups()) < 3:
- raise SyntaxError, "malformed ACI, permissions match failed %s" % acistr
- self.action = bindperms.group(1)
- self.permissions = bindperms.group(2).replace(' ','').split(',')
- self.set_bindrule(bindperms.group(3))
- def validate(self):
- """Do some basic verification that this will produce a
- valid LDAP ACI.
- returns True if valid
- """
- if not type(self.permissions) in (tuple, list):
- raise SyntaxError, "permissions must be a list"
- for p in self.permissions:
- if not p.lower() in PERMISSIONS:
- raise SyntaxError, "invalid permission: '%s'" % p
- if not self.name:
- raise SyntaxError, "name must be set"
- if not isinstance(self.name, basestring):
- raise SyntaxError, "name must be a string"
- if not isinstance(self.target, dict) or len(self.target) == 0:
- raise SyntaxError, "target must be a non-empty dictionary"
- if not isinstance(self.bindrule, dict):
- raise SyntaxError, "bindrule must be a dictionary"
- if not self.bindrule.get('operator') or not self.bindrule.get('keyword') or not self.bindrule.get('expression'):
- raise SyntaxError, "bindrule is missing a component"
- return True
- def set_target_filter(self, filter, operator="="):
- self.target['targetfilter'] = {}
- if not filter.startswith("("):
- filter = "(" + filter + ")"
- self.target['targetfilter']['expression'] = filter
- self.target['targetfilter']['operator'] = operator
- def set_target_attr(self, attr, operator="="):
- if not attr:
- if 'targetattr' in self.target:
- del self.target['targetattr']
- return
- if not type(attr) in (tuple, list):
- attr = [attr]
- self.target['targetattr'] = {}
- self.target['targetattr']['expression'] = attr
- self.target['targetattr']['operator'] = operator
- def set_target(self, target, operator="="):
- assert target.startswith("ldap:///")
- self.target['target'] = {}
- self.target['target']['expression'] = target
- self.target['target']['operator'] = operator
- def set_bindrule(self, bindrule):
- match = BindPat.match(bindrule)
- if not match or len(match.groups()) < 3:
- raise SyntaxError, "malformed bind rule"
- self.set_bindrule_keyword(match.group(1))
- self.set_bindrule_operator(match.group(2))
- self.set_bindrule_expression(match.group(3).replace('"',''))
- def set_bindrule_keyword(self, keyword):
- self.bindrule['keyword'] = keyword
- def set_bindrule_operator(self, operator):
- self.bindrule['operator'] = operator
- def set_bindrule_expression(self, expression):
- self.bindrule['expression'] = expression
- def isequal(self, b):
- """
- Compare the current ACI to another one to see if they are
- the same.
- returns True if equal, False if not.
- """
- assert isinstance(b, ACI)
- try:
- if self.name.lower() != b.name.lower():
- return False
- if set(self.permissions) != set(b.permissions):
- return False
- if self.bindrule.get('keyword') != b.bindrule.get('keyword'):
- return False
- if self.bindrule.get('operator') != b.bindrule.get('operator'):
- return False
- if self.bindrule.get('expression') != b.bindrule.get('expression'):
- return False
- if self.target.get('targetfilter',{}).get('expression') != b.target.get('targetfilter',{}).get('expression'):
- return False
- if self.target.get('targetfilter',{}).get('operator') != b.target.get('targetfilter',{}).get('operator'):
- return False
- if set(self.target.get('targetattr', {}).get('expression', ())) != set(b.target.get('targetattr',{}).get('expression', ())):
- return False
- if self.target.get('targetattr',{}).get('operator') != b.target.get('targetattr',{}).get('operator'):
- return False
- if self.target.get('target',{}).get('expression') != b.target.get('target',{}).get('expression'):
- return False
- if self.target.get('target',{}).get('operator') != b.target.get('target',{}).get('operator'):
- return False
- except Exception:
- # If anything throws up then they are not equal
- return False
- # We got this far so lets declare them the same
- return True
- def extract_group_cns(aci_list, client):
- """
- Extracts all the cn's from a list of aci's and returns them as a hash
- from group_dn to group_cn.
- It first tries to cheat by looking at the first rdn for the
- group dn. If that's not cn for some reason, it looks up the group.
- """
- group_dn_to_cn = {}
- for aci in aci_list:
- for dn in (aci.source_group, aci.dest_group):
- if not group_dn_to_cn.has_key(dn):
- rdn_list = ldap.explode_dn(dn, 0)
- first_rdn = rdn_list[0]
- (type,value) = first_rdn.split('=')
- if type == "cn":
- group_dn_to_cn[dn] = value
- else:
- try:
- group = client.get_entry_by_dn(dn, ['cn'])
- group_dn_to_cn[dn] = group.getValue('cn')
- except Exception:
- group_dn_to_cn[dn] = 'unknown'
- return group_dn_to_cn
- if __name__ == '__main__':
- # a = ACI('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)')
- # print a
- # a = ACI('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)')
- # print a
- # a = ACI(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)')
- # print a
- a = ACI('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)')
- print a
- print "---"
- a = ACI('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)')
- print a
- print "---"
- a = ACI('(targetattr!=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)')
- print a
- print "---"
- a = ACI('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)')
- print a
- print "---"
- a = ACI()
- a.name ="foo"
- a.set_target_attr(['title','givenname'], "!=")
- # a.set_bindrule("groupdn = \"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
- a.set_bindrule_keyword("groupdn")
- a.set_bindrule_operator("=")
- a.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
- a.permissions = ['read','write','add']
- print a
- b = ACI()
- b.name ="foo"
- b.set_target_attr(['givenname','title'], "!=")
- b.set_bindrule_keyword("groupdn")
- b.set_bindrule_operator("=")
- b.set_bindrule_expression ("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
- b.permissions = ['add','read','write']
- print b
- print a.isequal(b)
- a = ACI('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)')
- print a
- a = ACI('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
- print a