I didn't test this as much as I'd like to, but it might come in handy when testing my earlier patches.

The ACI is removed in the managed permissions plugin because I want to make sure it's done after all the managed permission updates, which query it.

--
Petr³
From 5d1bdbf5b84cb4dc286b72274edfc03d9158dc20 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif                     |  1 -
 install/updates/60-trusts.update                   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 ----------------------
 .../install/plugins/update_managed_permissions.py  | 19 +++++
 4 files changed, 19 insertions(+), 98 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..78a1b1f40cdff3e216bdb3d6b3d22e22d49e29aa 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,6 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
 aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
 aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104ffa62462634438f7b729cdfd71cd27eb3..371bf656fcdea6b7ec54aeb42c5afd25ef1b90f9 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -34,7 +34,6 @@ dn: cn=trusts,$SUFFIX
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b2457774c964fa66d97496bb66ef1f4e80f1c..0000000000000000000000000000000000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-#   Rob Crittenden <rcrit...@redhat.com>
-#
-# Copyright (C) 2013  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
-    """
-    Update the Anonymous ACI to ensure that all secrets are protected.
-    """
-    order = FIRST
-
-    def execute(self, **options):
-        aciname = u'Enable Anonymous access'
-        aciprefix = u'none'
-        ldap = self.obj.backend
-        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
-        filter = None
-
-        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
-        acistrs = entry_attrs.get('aci', [])
-        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
-        try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
-        except errors.NotFound:
-            root_logger.error('Anonymous ACI not found, cannot update it')
-            return False, False, []
-
-        attrs = rawaci.target['targetattr']['expression']
-        rawfilter = rawaci.target.get('targetfilter', None)
-        if rawfilter is not None:
-            filter = rawfilter['expression']
-
-        update_attrs = deepcopy(attrs)
-
-        needed_attrs = []
-        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
-            if attr not in attrs:
-                needed_attrs.append(attr)
-
-        update_attrs.extend(needed_attrs)
-        if (len(attrs) == len(update_attrs) and
-            filter == targetfilter):
-            root_logger.debug("Anonymous ACI already update-to-date")
-            return (False, False, [])
-
-        for tmpaci in acistrs:
-            candidate = ACI(tmpaci)
-            if rawaci.isequal(candidate):
-                acistrs.remove(tmpaci)
-                break
-
-        if len(attrs) != len(update_attrs):
-            root_logger.debug("New Anonymous ACI attributes needed: %s",
-                needed_attrs)
-
-            rawaci.target['targetattr']['expression'] = update_attrs
-
-        if filter != targetfilter:
-            root_logger.debug("New Anonymous ACI targetfilter needed.")
-
-            rawaci.set_target_filter(targetfilter)
-
-        acistrs.append(unicode(rawaci))
-        entry_attrs['aci'] = acistrs
-
-        try:
-            ldap.update_entry(entry_attrs)
-        except Exception, e:
-            root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
-        return (False, False, [])
-
-api.register(update_anonymous_aci)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 91686e1108303d19358886934c98926a8d57ed5c..1d48f866cdab9c50e304a474da50e4a3c5d9af41 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -81,6 +81,7 @@
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
 from ipalib.plugins.permission import permission
+from ipalib.aci import ACI
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -189,6 +190,21 @@ def get_anonymous_read_aci(self, ldap):
         except errors.NotFound:
             return None
 
+    def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
+        base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+
+        acistrs = base_entry.get('aci', [])
+
+        for acistr in acistrs:
+            if ACI(acistr).isequal(anonymous_read_aci):
+                self.log.info('Removing anonymous ACI: %s', acistr)
+                acistrs.remove(acistr)
+                break
+        else:
+            return
+
+        ldap.update_entry(base_entry)
+
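Review bot: `remove_anonymous_read_aci` has no docstring, and its one non-obvious contract — that it must run only after every `update_permission` call, because those still consult the anonymous ACI — lives only in the cover letter; suggest `"""Drop the global anonymous read ACI from the base entry. Must run after all managed permissions are updated, as they are built from this ACI."""`. The loop on L168–L172 calls `acistrs.remove()` on the list it is iterating; the immediate `break` keeps it safe, but `for/else` plus in-loop mutation is easy to misread, so a comment such as `# break right after remove(): the list is being iterated` would help. `ACI(acistr)` is applied to every raw value without the tolerance the `aci` plugin helpers show elsewhere for unparsable strings, so one malformed ACI in the base entry would presumably abort the plugin here — worth confirming against `ipalib.aci`. Note also that, unlike the removed `update_anonymous_aci` plugin, a failure in `ldap.update_entry` now propagates rather than being logged; that is arguably correct (leaving the broad anonymous ACI in place silently is the worse failure), but the behaviour change deserves a sentence in the commit message.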
     def execute(self, **options):
         ldap = self.api.Backend[ldap2]
 
@@ -215,6 +231,9 @@ def execute(self, **options):
             self.update_permission(ldap, None, unicode(name), template,
                                    anonymous_read_aci)
 
+        if anonymous_read_aci:
+            self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
+
         return False, False, ()
 
     def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
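Review bot: The guard on L185 relies on the truthiness of an `ACI` object, while `get_anonymous_read_aci` (L160–L161) signals absence with `None`; `if anonymous_read_aci is not None:` states the intent and does not depend on whether `ACI` defines `__len__` or `__nonzero__`. A short comment above the call would also capture the ordering constraint the cover letter describes: `# Removed last: update_permission() above still derives the managed permissions from this ACI.` The enclosing `execute` starts before the hunk.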
-- 
1.9.0
