Source code for ipaserver.plugins.privilege

# Authors:
#   Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2010  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from .baseldap import (
    LDAPObject,
    LDAPCreate,
    LDAPDelete,
    LDAPUpdate,
    LDAPSearch,
    LDAPRetrieve,
    LDAPAddMember,
    LDAPRemoveMember,
    LDAPAddReverseMember,
    LDAPRemoveReverseMember)
from ipalib import api, _, ngettext, errors
from ipalib.plugable import Registry
from ipalib import Str
from ipalib import output
from ipapython.dn import DN

__doc__ = _("""
Privileges

A privilege combines permissions into a logical task. A permission provides
the rights to do a single task. There are some IPA operations that require
multiple permissions to succeed. A privilege is where permissions are
combined in order to perform a specific task.

For example, adding a user requires the following permissions:
 * Creating a new user entry
 * Resetting a user password
 * Adding the new user to the default IPA users group

Combining these three low-level tasks into a higher level task in the
form of a privilege named "Add User" makes it easier to manage Roles.

A privilege may not contain other privileges.

See role and permission for additional information.
""")

register = Registry()


[docs]def validate_permission_to_privilege(api, permission): ldap = api.Backend.ldap2 ldapfilter = ldap.combine_filters(rules='&', filters=[ '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))', ldap.make_filter_from_attr('cn', permission, rules='|')]) try: entries, _truncated = ldap.find_entries( filter=ldapfilter, attrs_list=['cn', 'ipapermbindruletype'], base_dn=DN(api.env.container_permission, api.env.basedn), size_limit=1) except errors.NotFound: pass else: entry = entries[0] message = _('cannot add permission "%(perm)s" with bindtype ' '"%(bindtype)s" to a privilege') raise errors.ValidationError( name='permission', error=message % { 'perm': entry.single_value['cn'], 'bindtype': entry.single_value.get( 'ipapermbindruletype', 'permission')})
[docs]def principal_has_privilege(api, principal, privilege): privilege_dn = api.Object.privilege.get_dn(privilege) ldap = api.Backend.ldap2 filter = ldap.make_filter({ 'krbprincipalname': principal, 'memberof': privilege_dn}, rules=ldap.MATCH_ALL) try: ldap.find_entries(base_dn=api.env.basedn, filter=filter) except errors.NotFound: return False return True
[docs]@register() class privilege(LDAPObject): """ Privilege object. """ container_dn = api.env.container_privilege object_name = _('privilege') object_name_plural = _('privileges') object_class = ['nestedgroup', 'groupofnames'] permission_filter_objectclasses = ['groupofnames'] default_attributes = ['cn', 'description', 'member', 'memberof'] attribute_members = { 'member': ['role'], 'memberof': ['permission'], } reverse_members = { 'member': ['permission'], } allow_rename = True managed_permissions = { 'System: Read Privileges': { 'replaces_global_anonymous_aci': True, 'ipapermright': {'read', 'search', 'compare'}, 'ipapermdefaultattr': { 'businesscategory', 'cn', 'description', 'member', 'memberof', 'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser', 'memberhost', }, 'default_privileges': {'RBAC Readers'}, }, 'System: Add Privileges': { 'ipapermright': {'add'}, 'default_privileges': {'Delegation Administrator'}, }, 'System: Modify Privileges': { 'ipapermright': {'write'}, 'ipapermdefaultattr': { 'businesscategory', 'cn', 'description', 'o', 'ou', 'owner', 'seealso', }, 'default_privileges': {'Delegation Administrator'}, }, 'System: Remove Privileges': { 'ipapermright': {'delete'}, 'default_privileges': {'Delegation Administrator'}, }, } label = _('Privileges') label_singular = _('Privilege') takes_params = ( Str('cn', cli_name='name', label=_('Privilege name'), primary_key=True, ), Str('description?', cli_name='desc', label=_('Description'), doc=_('Privilege description'), ), )
[docs]@register() class privilege_add(LDAPCreate): __doc__ = _('Add a new privilege.') msg_summary = _('Added privilege "%(value)s"')
[docs]@register() class privilege_del(LDAPDelete): __doc__ = _('Delete a privilege.') msg_summary = _('Deleted privilege "%(value)s"')
[docs]@register() class privilege_mod(LDAPUpdate): __doc__ = _('Modify a privilege.') msg_summary = _('Modified privilege "%(value)s"')
[docs]@register() class privilege_find(LDAPSearch): __doc__ = _('Search for privileges.') msg_summary = ngettext( '%(count)d privilege matched', '%(count)d privileges matched', 0 )
[docs]@register() class privilege_show(LDAPRetrieve): __doc__ = _('Display information about a privilege.')
[docs]@register() class privilege_add_member(LDAPAddMember): __doc__ = _('Add members to a privilege.') NO_CLI=True
[docs]@register() class privilege_remove_member(LDAPRemoveMember): __doc__ = _('Remove members from a privilege') NO_CLI=True
[docs]@register() class privilege_add_permission(LDAPAddReverseMember): __doc__ = _('Add permissions to a privilege.') show_command = 'privilege_show' member_command = 'permission_add_member' reverse_attr = 'permission' member_attr = 'privilege' has_output = ( output.Entry('result'), output.Output('failed', type=dict, doc=_('Members that could not be added'), ), output.Output('completed', type=int, doc=_('Number of permissions added'), ), ) def pre_callback(self, ldap, dn, *keys, **options): if options.get('permission'): # We can only add permissions with bind rule type set to # "permission" (or old-style permissions) validate_permission_to_privilege(self.api, options['permission']) return dn
[docs]@register() class privilege_remove_permission(LDAPRemoveReverseMember): __doc__ = _('Remove permissions from a privilege.') show_command = 'privilege_show' member_command = 'permission_remove_member' reverse_attr = 'permission' member_attr = 'privilege' permission_count_out = ('%i permission removed.', '%i permissions removed.') has_output = ( output.Entry('result'), output.Output('failed', type=dict, doc=_('Members that could not be added'), ), output.Output( 'completed', type=int, doc=_('Number of permissions removed'), ), )