9:55 p.m.
This is an automated email from the git hooks/post-receive script.
firstyear pushed a change to branch master
in repository lib389.
from 2a50b9d Ticket 88 - python install and remove for tests
new 1f1d32d Issue 93 - Fix test cases in ctl_dbtasks_test.py
new d304445 Issue 92 - display_attr() should return str not bytes in py3
new 3ad1f7f Issue 74 - Advice users to set referint-update-delay to 0
new 3a8bfe8 Issue 46 - dsconf support for dynamic schema reload
new 709d572 Issue 45 - Add support for Rootdn Access Control plugin
The 5 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "adds" were already present in the repository and have only
been added to this reference.
Summary of changes:
cli/dsconf | 2 +
lib389/__init__.py | 2 +-
lib389/_mapped_object.py | 8 +-
lib389/cli_conf/health.py | 2 +
lib389/cli_conf/plugins/rootdn_ac.py | 229 +++++++++++++++++++
lib389/cli_conf/schema.py | 17 +-
lib389/lint.py | 20 ++
lib389/plugins.py | 179 +++++++++++++++
lib389/schema.py | 24 +-
lib389/tasks.py | 7 +
lib389/tests/cli/conf_plugins/rootdn_ac_test.py | 281 ++++++++++++++++++++++++
lib389/tests/cli/ctl_dbtasks_test.py | 4 +-
lib389/tests/healthcheck_test.py | 19 ++
lib389/tests/schema_test.py | 13 +-
14 files changed, 795 insertions(+), 12 deletions(-)
create mode 100644 lib389/cli_conf/plugins/rootdn_ac.py
mode change 100644 => 100755 lib389/schema.py
create mode 100644 lib389/tests/cli/conf_plugins/rootdn_ac_test.py
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
9:55 p.m.
New subject: [lib389] 01/05: Issue 93 - Fix test cases in ctl_dbtasks_test.py
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 1f1d32d54c8d90397fe9899b11e1702a49c63a83
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Mon Aug 14 19:35:33 2017 +0300
Issue 93 - Fix test cases in ctl_dbtasks_test.py
Description: There's a typo in ctl_dbtasks_test.py making 2 test cases
to fail.
https://pagure.io/lib389/issue/93
Author: Ilias95
Review by: spichugi, wibrown (Thanks!)
---
lib389/tests/cli/ctl_dbtasks_test.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib389/tests/cli/ctl_dbtasks_test.py b/lib389/tests/cli/ctl_dbtasks_test.py
index f8abb53..f2c31e5 100644
--- a/lib389/tests/cli/ctl_dbtasks_test.py
+++ b/lib389/tests/cli/ctl_dbtasks_test.py
@@ -39,7 +39,7 @@ def test_ldif2db_db2ldif_no_repl(topology_be_latest):
args = FakeArgs()
args.backend = 'userRoot'
args.ldif = os.path.join(standalone.get_ldif_dir(), "test.ldif")
- args.encrypt = False
+ args.encrypted = False
args.replication = False
# Stop the instance
dbtasks_db2ldif(standalone, topology_be_latest.logcap.log, args)
@@ -57,7 +57,7 @@ def test_ldif2db_db2ldif_repl(topology_be_latest):
args = FakeArgs()
args.backend = 'userRoot'
args.ldif = os.path.join(standalone.get_ldif_dir(), "test.ldif")
- args.encrypt = False
+ args.encrypted = False
args.replication = False
args.archive = os.path.join(standalone.get_ldif_dir(), "test.ldif")
# Stop the instance
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
9:55 p.m.
New subject: [lib389] 02/05: Issue 92 - display_attr() should return str not bytes in py3
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit d304445ad9007dc892a4d6dcbed1b1cfece2a24c
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Sun Aug 13 22:13:29 2017 +0300
Issue 92 - display_attr() should return str not bytes in py3
Bug Description: display_attr method of mapped object returns
bytes in python3. Since we use this function to display display
data to the end user we don't want this.
There is also a bug in get_attr_vals_type() methods. These
methods call a non-existing function due to a typo.
Fix Description: Call get_attr_valus_utf8 instead of get_attr_vals
from within display_attr method. Also fix the bug with the
get_attr_vals_type by correcting the method's name.
https://pagure.io/lib389/issue/92
Author: Ilias95
Review by: wibrown (Thanks!)
---
lib389/_mapped_object.py | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib389/_mapped_object.py b/lib389/_mapped_object.py
index d4bfd0a..6b50f83 100644
--- a/lib389/_mapped_object.py
+++ b/lib389/_mapped_object.py
@@ -127,7 +127,7 @@ class DSLdapObject(DSLogging):
def display_attr(self, attr):
out = ""
- for v in self.get_attr_vals(attr):
+ for v in self.get_attr_vals_utf8(attr):
out += "%s: %s\n" % (attr, v)
return out
@@ -349,19 +349,19 @@ class DSLdapObject(DSLogging):
return ensure_bytes(self.get_attr_val(key))
def get_attr_vals_bytes(self, key):
- return ensure_list_bytes(self.get_attrs_val(key))
+ return ensure_list_bytes(self.get_attr_vals(key))
def get_attr_val_utf8(self, key):
return ensure_str(self.get_attr_val(key))
def get_attr_vals_utf8(self, key):
- return ensure_list_str(self.get_attrs_val(key))
+ return ensure_list_str(self.get_attr_vals(key))
def get_attr_val_int(self, key):
return ensure_int(self.get_attr_val(key))
def get_attr_vals_int(self, key):
- return ensure_list_int(self.get_attrs_val(key))
+ return ensure_list_int(self.get_attr_vals(key))
# Duplicate, but with many values. IE a dict api.
# This
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
9:55 p.m.
New subject: [lib389] 03/05: Issue 74 - Advice users to set referint-update-delay to 0
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 3ad1f7f8f760314c1f14e6dedb59b34d253c68ac
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Fri Jul 7 03:37:16 2017 +0300
Issue 74 - Advice users to set referint-update-delay to 0
Bug Description: Support for asynchronous referential integrity updates
might be dropped in the future and the referint-update-delay attribute
might become deprecated. We need to warn the users.
Fix Description: Display a warning when the healthcheck command is
issued and advise the user to set this attribute to 0.
https://pagure.io/lib389/issue/74
Author: Ilias95
Review by: wibrown (Thanks!)
---
lib389/cli_conf/health.py | 2 ++
lib389/lint.py | 20 ++++++++++++++++++++
lib389/plugins.py | 8 ++++++++
lib389/tests/healthcheck_test.py | 19 +++++++++++++++++++
4 files changed, 49 insertions(+)
diff --git a/lib389/cli_conf/health.py b/lib389/cli_conf/health.py
index 02aef14..21c41bc 100644
--- a/lib389/cli_conf/health.py
+++ b/lib389/cli_conf/health.py
@@ -10,6 +10,7 @@ import argparse
from lib389.backend import Backend, Backends
from lib389.config import Encryption, Config
+from lib389 import plugins
# These get all instances, then check them all.
CHECK_MANY_OBJECTS = [
@@ -20,6 +21,7 @@ CHECK_MANY_OBJECTS = [
CHECK_OBJECTS = [
Config,
Encryption,
+ plugins.ReferentialIntegrityPlugin
]
def _format_check_output(log, result):
diff --git a/lib389/lint.py b/lib389/lint.py
index 404cff8..8c4b4de 100644
--- a/lib389/lint.py
+++ b/lib389/lint.py
@@ -108,4 +108,24 @@ set cn=encryption,cn=config sslVersionMin to a version greater than
TLS1.0
"""
}
+DSRILE0001 = {
+ 'dsle': 'DSRLE0001',
+ 'severity': 'LOW',
+ 'items' : ['cn=referential integrity
postoperation,cn=plugins,cn=config', ],
+ 'detail': """
+The referential integrity plugin has an asynchronous processing mode. This is controlled
by the update-delay flag.
+
+When this value is 0, referential integrity plugin processes these changes inside of the
operation that modified the entry - ie these are synchronous.
+
+However, when this is > 0, these are performed asynchronously.
+
+This leads to only having refint enabled on one master in MMR to prevent replication
conflicts and loops.
+Additionally, because these are performed in the background these updates may cause
spurious update
+delays to your server by batching changes rather than smaller updates during sync
processing.
+We advise that you set this value to 0, and enable refint on all masters as it provides a
more predictable behaviour.
+ """,
+ 'fix' : """
+Set referint-update-delay to 0.
+ """
+}
diff --git a/lib389/plugins.py b/lib389/plugins.py
index 6bbf164..944d130 100644
--- a/lib389/plugins.py
+++ b/lib389/plugins.py
@@ -12,6 +12,7 @@ import copy
from lib389 import tasks
from lib389._mapped_object import DSLdapObjects, DSLdapObject
from lib389.exceptions import Error
+from lib389.lint import DSRILE0001
from lib389._constants import DN_PLUGIN
from lib389.properties import (
PLUGINS_OBJECTCLASS_VALUE, PLUGIN_PROPNAME_TO_ATTRNAME,
@@ -119,6 +120,13 @@ class ManagedEntriesPlugin(Plugin):
class ReferentialIntegrityPlugin(Plugin):
def __init__(self, instance, dn="cn=referential integrity
postoperation,cn=plugins,cn=config", batch=False):
super(ReferentialIntegrityPlugin, self).__init__(instance, dn, batch)
+ self._lint_functions = [self._lint_update_delay]
+
+ def _lint_update_delay(self):
+ if self.status():
+ delay = self.get_attr_val_int("referint-update-delay")
+ if delay is not None and delay != 0:
+ return DSRILE0001
# referint-update-delay: 0
# referint-logfile: /opt/dirsrv/var/log/dirsrv/slapd-standalone_2/referint
diff --git a/lib389/tests/healthcheck_test.py b/lib389/tests/healthcheck_test.py
index 94711eb..a36e6fb 100644
--- a/lib389/tests/healthcheck_test.py
+++ b/lib389/tests/healthcheck_test.py
@@ -11,6 +11,7 @@ import pytest
import ldap
from lib389.topologies import topology_st
+from lib389.plugins import ReferentialIntegrityPlugin
from lib389.lint import *
@@ -40,3 +41,21 @@ def test_hc_config(topology_st):
result = topology_st.standalone.config._lint_passwordscheme()
assert result == DSCLE0002
+def test_hc_referint(topology_st):
+ plugin = ReferentialIntegrityPlugin(topology_st.standalone)
+ plugin.enable()
+
+ # Assert we don't get an error when delay is 0.
+ plugin.set('referint-update-delay', '0')
+ result = plugin._lint_update_delay()
+ assert result is None
+
+ # Assert we get an error when delay is not 0.
+ plugin.set('referint-update-delay', '10')
+ result = plugin._lint_update_delay()
+ assert result == DSRILE0001
+
+ # Assert we don't get an error when plugin is disabled.
+ plugin.disable()
+ result = plugin._lint_update_delay()
+ assert result is None
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
9:55 p.m.
New subject: [lib389] 04/05: Issue 46 - dsconf support for dynamic schema reload
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 3a8bfe88405590a4f51da1edb1a241904a131ab1
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Thu Aug 10 14:04:10 2017 +0300
Issue 46 - dsconf support for dynamic schema reload
Description: Add dsconf support for dynamically reloading schema.
Notes: Renamed old-style Schema class to SchemaLegacy.
https://pagure.io/lib389/issue/46
Author: Ilias95
Review by: wibrown (thanks!)
---
lib389/__init__.py | 2 +-
lib389/cli_conf/schema.py | 17 ++++++++++++++---
lib389/schema.py | 24 +++++++++++++++++++++++-
lib389/tasks.py | 7 +++++++
lib389/tests/schema_test.py | 13 ++++++++++++-
5 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/lib389/__init__.py b/lib389/__init__.py
index 6a96089..0b0a1fa 100644
--- a/lib389/__init__.py
+++ b/lib389/__init__.py
@@ -305,7 +305,7 @@ class DirSrv(SimpleLDAPObject, object):
from lib389.replica import Replicas
from lib389.changelog import Changelog
from lib389.agreement import Agreement
- from lib389.schema import Schema
+ from lib389.schema import SchemaLegacy as Schema
from lib389.plugins import Plugins
from lib389.tasks import Tasks
from lib389.index import IndexLegacy as Index
diff --git a/lib389/cli_conf/schema.py b/lib389/cli_conf/schema.py
index 0e1f2a4..49596b5 100644
--- a/lib389/cli_conf/schema.py
+++ b/lib389/cli_conf/schema.py
@@ -6,9 +6,9 @@
# See LICENSE for details.
# --- END COPYRIGHT BLOCK ---
-import argparse
-
from lib389.cli_base import _get_arg
+from lib389.schema import Schema
+
def list_attributetype(inst, basedn, log, args):
for attributetype in inst.schema.get_attributetypes():
@@ -16,7 +16,7 @@ def list_attributetype(inst, basedn, log, args):
def query_attributetype(inst, basedn, log, args):
# Need the query type
- attr = _get_arg( args.attr , msg="Enter attribute to query" )
+ attr = _get_arg(args.attr, msg="Enter attribute to query")
attributetype, must, may = inst.schema.query_attributetype(attr)
print(attributetype)
print("")
@@ -28,6 +28,14 @@ def query_attributetype(inst, basedn, log, args):
for oc in may:
print(oc)
+def reload_schema(inst, basedn, log, args):
+ schema = Schema(inst)
+ log.info('Attempting to add task entry... This will fail if Schema Reload plug-in
is not enabled.')
+ task = schema.reload(args.schemadir)
+ log.info('Successfully added task entry ' + task.dn)
+ log.info("To verify that the schema reload operation was successful, please
check the error logs.")
+
+
def create_parser(subparsers):
schema_parser = subparsers.add_parser('schema', help='Query and
manipulate schema')
@@ -40,3 +48,6 @@ def create_parser(subparsers):
query_attributetype_parser.set_defaults(func=query_attributetype)
query_attributetype_parser.add_argument('attr', nargs='?',
help='Attribute type to query')
+ reload_parser = subcommands.add_parser('reload', help='Dynamically reload
schema while server is running')
+ reload_parser.set_defaults(func=reload_schema)
+ reload_parser.add_argument('-d', '--schemadir', help="directory
where schema files are located")
diff --git a/lib389/schema.py b/lib389/schema.py
old mode 100644
new mode 100755
index 6e7f65c..6003093
--- a/lib389/schema.py
+++ b/lib389/schema.py
@@ -13,11 +13,33 @@
import glob
import ldap
from ldap.schema.models import AttributeType, ObjectClass, MatchingRule
+
from lib389._constants import *
+from lib389._constants import DN_SCHEMA
from lib389.utils import ds_is_newer
+from lib389._mapped_object import DSLdapObject
+from lib389.tasks import SchemaReloadTask
+
+
+class Schema(DSLdapObject):
+ def __init__(self, instance, batch=False):
+ super(Schema, self).__init__(instance=instance, batch=batch)
+ self._dn = DN_SCHEMA
+ self._rdn_attribute = 'cn'
+
+ def reload(self, schema_dir=None):
+ task = SchemaReloadTask(self._instance)
+
+ task_properties = {}
+ if schema_dir is not None:
+ task_properties['schemadir'] = schema_dir
+
+ task.create(properties=task_properties)
+
+ return task
-class Schema(object):
+class SchemaLegacy(object):
def __init__(self, conn):
"""@param conn - a DirSrv instance"""
diff --git a/lib389/tasks.py b/lib389/tasks.py
index 7deb87b..44b191f 100644
--- a/lib389/tasks.py
+++ b/lib389/tasks.py
@@ -90,6 +90,13 @@ class USNTombstoneCleanupTask(Task):
return super(USNTombstoneCleanupTask, self)._validate(rdn, properties, basedn)
+class SchemaReloadTask(Task):
+ def __init__(self, instance, dn=None, batch=False):
+ self.cn = 'schema_reload_' + Task._get_task_date()
+ dn = "cn=" + self.cn + ",cn=schema reload task," + DN_TASKS
+
+ super(SchemaReloadTask, self).__init__(instance, dn, batch)
+
class Tasks(object):
proxied_methods = 'search_s getEntry'.split()
diff --git a/lib389/tests/schema_test.py b/lib389/tests/schema_test.py
index 20c5a13..28daefe 100644
--- a/lib389/tests/schema_test.py
+++ b/lib389/tests/schema_test.py
@@ -7,8 +7,10 @@
# --- END COPYRIGHT BLOCK ---
#
import pytest
-from lib389._constants import *
+
from lib389 import DirSrv
+from lib389._constants import SER_HOST, SER_PORT, SER_SERVERID_PROP, LOCALHOST
+from lib389.schema import Schema
INSTANCE_PORT = 54321
INSTANCE_SERVERID = 'standalone'
@@ -53,9 +55,18 @@ def test_schema(topology):
assert topology.instance.schema.query_objectclass('account').names == \
('account', )
+def test_schema_reload(topology):
+ """Test that the appropriate task entry is created when reloading
schema."""
+ schema = Schema(topology.instance)
+ task = schema.reload()
+ assert task.exists()
+ task.wait()
+ assert task.get_exit_code() == 0
+
if __name__ == '__main__':
# Run isolated
# -s for DEBUG mode
+ import os
CURRENT_FILE = os.path.realpath(__file__)
pytest.main("-s %s" % CURRENT_FILE)
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
9:55 p.m.
New subject: [lib389] 05/05: Issue 45 - Add support for Rootdn Access Control plugin
This is an automated email from the git hooks/post-receive script.
firstyear pushed a commit to branch master
in repository lib389.
commit 709d57247eef82d92d6e05d661ff6f575a25a6cd
Author: Ilias Stamatis <stamatis.iliass(a)gmail.com>
Date: Sun Aug 13 23:00:31 2017 +0300
Issue 45 - Add support for Rootdn Access Control plugin
Description: Add dsconf support for configuring the Rootdn Access
Control plugin from the command line.
https://pagure.io/lib389/issue/45
Author: Ilias95
Review by: wibrown (Thanks!)
---
cli/dsconf | 2 +
lib389/cli_conf/plugins/rootdn_ac.py | 229 +++++++++++++++++++
lib389/plugins.py | 171 ++++++++++++++
lib389/tests/cli/conf_plugins/rootdn_ac_test.py | 281 ++++++++++++++++++++++++
4 files changed, 683 insertions(+)
diff --git a/cli/dsconf b/cli/dsconf
index 765b4e5..73d12a2 100755
--- a/cli/dsconf
+++ b/cli/dsconf
@@ -24,6 +24,7 @@ from lib389.cli_conf import schema as cli_schema
from lib389.cli_conf import health as cli_health
from lib389.cli_conf.plugins import memberof as cli_memberof
from lib389.cli_conf.plugins import usn as cli_usn
+from lib389.cli_conf.plugins import rootdn_ac as cli_rootdn_ac
from lib389.cli_conf.plugins import whoami as cli_whoami
from lib389.cli_base import disconnect_instance, connect_instance
@@ -68,6 +69,7 @@ if __name__ == '__main__':
cli_plugin.create_parser(subparsers)
cli_memberof.create_parser(subparsers)
cli_usn.create_parser(subparsers)
+ cli_rootdn_ac.create_parser(subparsers)
cli_whoami.create_parser(subparsers)
args = parser.parse_args()
diff --git a/lib389/cli_conf/plugins/rootdn_ac.py b/lib389/cli_conf/plugins/rootdn_ac.py
new file mode 100644
index 0000000..1e11504
--- /dev/null
+++ b/lib389/cli_conf/plugins/rootdn_ac.py
@@ -0,0 +1,229 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+import ldap
+
+from lib389.plugins import RootDNAccessControlPlugin
+from lib389.cli_conf.plugin import add_generic_plugin_parsers
+
+
+def display_time(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ val = plugin.get_open_time_formatted()
+ if not val:
+ log.info("rootdn-open-time is not set")
+ else:
+ log.info(val)
+ val = plugin.get_close_time_formatted()
+ if not val:
+ log.info("rootdn-close-time is not set")
+ else:
+ log.info(val)
+
+def set_open_time(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.set_open_time(args.value)
+ log.info('rootdn-open-time set to "{}"'.format(args.value))
+
+def set_close_time(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.set_close_time(args.value)
+ log.info('rootdn-close-time set to "{}"'.format(args.value))
+
+def clear_time(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.remove_open_time()
+ plugin.remove_close_time()
+ log.info('time-based policy was cleared')
+
+def display_ips(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ allowed_ips = plugin.get_allow_ip_formatted()
+ denied_ips = plugin.get_deny_ip_formatted()
+ if not allowed_ips and not denied_ips:
+ log.info("No ip-based access control policy has been configured")
+ else:
+ log.info(allowed_ips)
+ log.info(denied_ips)
+
+def allow_ip(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+
+ # remove ip from denied ips
+ try:
+ plugin.remove_deny_ip(args.value)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ pass
+
+ try:
+ plugin.add_allow_ip(args.value)
+ except ldap.TYPE_OR_VALUE_EXISTS:
+ pass
+ log.info('{} added to rootdn-allow-ip'.format(args.value))
+
+def deny_ip(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+
+ # remove ip from allowed ips
+ try:
+ plugin.remove_allow_ip(args.value)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ pass
+
+ try:
+ plugin.add_deny_ip(args.value)
+ except ldap.TYPE_OR_VALUE_EXISTS:
+ pass
+ log.info('{} added to rootdn-deny-ip'.format(args.value))
+
+def clear_all_ips(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.remove_all_allow_ip()
+ plugin.remove_all_deny_ip()
+ log.info('ip-based policy was cleared')
+
+def display_hosts(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ allowed_hosts = plugin.get_allow_host_formatted()
+ denied_hosts = plugin.get_deny_host_formatted()
+ if not allowed_hosts and not denied_hosts:
+ log.info("No host-based access control policy has been configured")
+ else:
+ log.info(allowed_hosts)
+ log.info(denied_hosts)
+
+def allow_host(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+
+ # remove host from denied hosts
+ try:
+ plugin.remove_deny_host(args.value)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ pass
+
+ try:
+ plugin.add_allow_host(args.value)
+ except ldap.TYPE_OR_VALUE_EXISTS:
+ pass
+ log.info('{} added to rootdn-allow-host'.format(args.value))
+
+def deny_host(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+
+ # remove host from allowed hosts
+ try:
+ plugin.remove_allow_host(args.value)
+ except ldap.NO_SUCH_ATTRIBUTE:
+ pass
+
+ try:
+ plugin.add_deny_host(args.value)
+ except ldap.TYPE_OR_VALUE_EXISTS:
+ pass
+ log.info('{} added to rootdn-deny-host'.format(args.value))
+
+def clear_all_hosts(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.remove_all_allow_host()
+ plugin.remove_all_deny_host()
+ log.info('host-based policy was cleared')
+
+def display_days(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ days = plugin.get_days_allowed_formatted()
+ if not days:
+ log.info("No day-based access control policy has been configured")
+ else:
+ log.info(days)
+
+def allow_day(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ args.value = args.value[0:3]
+ plugin.add_allow_day(args.value)
+ log.info('{} added to rootdn-days-allowed'.format(args.value))
+
+def deny_day(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ args.value = args.value[0:3]
+ plugin.remove_allow_day(args.value)
+ log.info('{} removed from rootdn-days-allowed'.format(args.value))
+
+def clear_all_days(inst, basedn, log, args):
+ plugin = RootDNAccessControlPlugin(inst)
+ plugin.remove_days_allowed()
+ log.info('day-based policy was cleared')
+
+
+def create_parser(subparsers):
+ rootdnac_parser = subparsers.add_parser('rootdn', help='Manage and
configure RootDN Access Control plugin')
+ subcommands = rootdnac_parser.add_subparsers(help='action')
+ add_generic_plugin_parsers(subcommands, RootDNAccessControlPlugin)
+
+ time_parser = subcommands.add_parser('time', help='get or set rootdn open
and close times')
+ time_parser.set_defaults(func=display_time)
+
+ time_subcommands = time_parser.add_subparsers(help='action')
+
+ open_time_parser = time_subcommands.add_parser('open', help='set open
time value')
+ open_time_parser.set_defaults(func=set_open_time)
+ open_time_parser.add_argument('value', help='Value to set as open
time')
+
+ close_time_parser = time_subcommands.add_parser('close', help='set close
time value')
+ close_time_parser.set_defaults(func=set_close_time)
+ close_time_parser.add_argument('value', help='Value to set as close
time')
+
+ time_clear_parser = time_subcommands.add_parser('clear', help='reset
time-based access policy')
+ time_clear_parser.set_defaults(func=clear_time)
+
+ ip_parser = subcommands.add_parser('ip', help='get or set ip access
policy')
+ ip_parser.set_defaults(func=display_ips)
+
+ ip_subcommands = ip_parser.add_subparsers(help='action')
+
+ ip_allow_parser = ip_subcommands.add_parser('allow', help='allow IP addr
or IP addr range')
+ ip_allow_parser.set_defaults(func=allow_ip)
+ ip_allow_parser.add_argument('value', help='IP addr or IP addr
range')
+
+ ip_deny_parser = ip_subcommands.add_parser('deny', help='deny IP addr or
IP addr range')
+ ip_deny_parser.set_defaults(func=deny_ip)
+ ip_deny_parser.add_argument('value', help='IP addr or IP addr
range')
+
+ ip_clear_parser = ip_subcommands.add_parser('clear', help='reset IP-based
access policy')
+ ip_clear_parser.set_defaults(func=clear_all_ips)
+
+ host_parser = subcommands.add_parser('host', help='get or set host access
policy')
+ host_parser.set_defaults(func=display_hosts)
+
+ host_subcommands = host_parser.add_subparsers(help='action')
+
+ host_allow_parser = host_subcommands.add_parser('allow', help='allow host
address')
+ host_allow_parser.set_defaults(func=allow_host)
+ host_allow_parser.add_argument('value', help='host address')
+
+ host_deny_parser = host_subcommands.add_parser('deny', help='deny host
address')
+ host_deny_parser.set_defaults(func=deny_host)
+ host_deny_parser.add_argument('value', help='host address')
+
+ host_clear_parser = host_subcommands.add_parser('clear', help='reset
host-based access policy')
+ host_clear_parser.set_defaults(func=clear_all_hosts)
+
+ day_parser = subcommands.add_parser('day', help='get or set days access
policy')
+ day_parser.set_defaults(func=display_days)
+
+ day_subcommands = day_parser.add_subparsers(help='action')
+
+ day_allow_parser = day_subcommands.add_parser('allow', help='allow day of
the week')
+ day_allow_parser.set_defaults(func=allow_day)
+ day_allow_parser.add_argument('value', type=str.capitalize, help='day of
the week')
+
+ day_deny_parser = day_subcommands.add_parser('deny', help='deny day of
the week')
+ day_deny_parser.set_defaults(func=deny_day)
+ day_deny_parser.add_argument('value', type=str.capitalize, help='day of
the week')
+
+ day_clear_parser = day_subcommands.add_parser('clear', help='reset
day-based access policy')
+ day_clear_parser.set_defaults(func=clear_all_days)
diff --git a/lib389/plugins.py b/lib389/plugins.py
index 944d130..61567fe 100644
--- a/lib389/plugins.py
+++ b/lib389/plugins.py
@@ -383,8 +383,179 @@ class WhoamiPlugin(Plugin):
super(WhoamiPlugin, self).__init__(instance, dn, batch)
class RootDNAccessControlPlugin(Plugin):
+ _plugin_properties = {
+ 'cn' : 'RootDN Access Control',
+ 'nsslapd-pluginEnabled' : 'off',
+ 'nsslapd-pluginPath' : 'librootdn-access-plugin',
+ 'nsslapd-pluginInitfunc' : 'rootdn_init',
+ 'nsslapd-pluginType' : 'internalpreoperation',
+ 'nsslapd-plugin-depends-on-type' : 'database',
+ 'nsslapd-pluginId' : 'RootDN Access Control',
+ 'nsslapd-pluginVendor' : '389 Project',
+ 'nsslapd-pluginVersion' : '1.3.6',
+ 'nsslapd-pluginDescription' : 'RootDN Access Control plugin',
+ }
+
def __init__(self, instance, dn="cn=RootDN Access
Control,cn=plugins,cn=config", batch=False):
super(RootDNAccessControlPlugin, self).__init__(instance, dn, batch)
+ self._create_objectclasses.extend(['rootDNPluginConfig'])
+
+ def get_open_time(self):
+ return self.get_attr_val_utf8('rootdn-open-time')
+
+ def get_open_time_formatted(self):
+ return self.display_attr('rootdn-open-time')
+
+ def set_open_time(self, attr):
+ self.set('rootdn-open-time', attr)
+
+ def remove_open_time(self):
+ self.remove_all('rootdn-open-time')
+
+ def get_close_time(self):
+ return self.get_attr_val_utf8('rootdn-close-time')
+
+ def get_close_time_formatted(self):
+ return self.display_attr('rootdn-close-time')
+
+ def set_close_time(self, attr):
+ self.set('rootdn-close-time', attr)
+
+ def remove_close_time(self):
+ self.remove_all('rootdn-close-time')
+
+ def get_days_allowed(self):
+ return self.get_attr_val_utf8('rootdn-days-allowed')
+
+ def get_days_allowed_formatted(self):
+ return self.display_attr('rootdn-days-allowed')
+
+ def set_days_allowed(self, attr):
+ self.set('rootdn-days-allowed', attr)
+
+ def remove_days_allowed(self):
+ self.remove_all('rootdn-days-allowed')
+
+ def add_allow_day(self, day):
+ days = self.get_days_allowed()
+ if days is None:
+ days = ""
+ days = self.add_day_to_days(days, day)
+ if days:
+ self.set_days_allowed(days)
+ else:
+ self.remove_days_allowed()
+
+ def remove_allow_day(self, day):
+ days = self.get_days_allowed()
+ if days is None:
+ days = ""
+ days = self.remove_day_from_days(days, day)
+ if days:
+ self.set_days_allowed(days)
+ else:
+ self.remove_days_allowed()
+
+ def get_allow_host(self):
+ return self.get_attr_val_utf8('rootdn-allow-host')
+
+ def get_allow_host_formatted(self):
+ return self.display_attr('rootdn-allow-host')
+
+ def add_allow_host(self, attr):
+ self.add('rootdn-allow-host', attr)
+
+ def remove_allow_host(self, attr):
+ self.remove('rootdn-allow-host', attr)
+
+ def remove_all_allow_host(self):
+ self.remove_all('rootdn-allow-host')
+
+ def get_deny_host(self):
+ return self.get_attr_val_utf8('rootdn-deny-host')
+
+ def get_deny_host_formatted(self):
+ return self.display_attr('rootdn-deny-host')
+
+ def add_deny_host(self, attr):
+ self.add('rootdn-deny-host', attr)
+
+ def remove_deny_host(self, attr):
+ self.remove('rootdn-deny-host', attr)
+
+ def remove_all_deny_host(self):
+ self.remove_all('rootdn-deny-host')
+
+ def get_allow_ip(self):
+ return self.get_attr_val_utf8('rootdn-allow-ip')
+
+ def get_allow_ip_formatted(self):
+ return self.display_attr('rootdn-allow-ip')
+
+ def add_allow_ip(self, attr):
+ self.add('rootdn-allow-ip', attr)
+
+ def remove_allow_ip(self, attr):
+ self.remove('rootdn-allow-ip', attr)
+
+ def remove_all_allow_ip(self):
+ self.remove_all('rootdn-allow-ip')
+
+ def get_deny_ip(self):
+ return self.get_attr_val_utf8('rootdn-deny-ip')
+
+ def get_deny_ip_formatted(self):
+ return self.display_attr('rootdn-deny-ip')
+
+ def add_deny_ip(self, attr):
+ self.add('rootdn-deny-ip', attr)
+
+ def remove_deny_ip(self, attr):
+ self.remove('rootdn-deny-ip', attr)
+
+ def remove_all_deny_ip(self):
+ self.remove_all('rootdn-deny-ip')
+
+ @staticmethod
+ def add_day_to_days(string_of_days, day):
+ """
+ Append a day in a string of comma seperated days and return the string.
+ If day already exists in the string, return processed string.
+
+ Keyword arguments:
+ string_of_days -- a string of comma seperated days
+ examples:
+ Mon
+ Tue, Wed, Thu
+ day -- a day, e.g. Mon, Tue, etc.
+ """
+ days = [i.strip() for i in string_of_days.split(',') if i]
+
+ if not day in days:
+ days.append(day)
+
+ return ", ".join(days)
+
+ @staticmethod
+ def remove_day_from_days(string_of_days, day):
+ """
+ Remove a day from a string of comma seperated days and return the string.
+ If day does not exists in the string, return processed string.
+
+ Keyword arguments:
+ string_of_days -- a string of comma seperated days
+ examples:
+ Mon
+ Tue, Wed, Thu
+ day -- a day, e.g. Mon, Tue, etc.
+ """
+ days = [i.strip() for i in string_of_days.split(',') if i]
+
+ if day in days:
+ days.remove(day)
+
+ return ", ".join(days)
+
class LDBMBackendPlugin(Plugin):
def __init__(self, instance, dn="cn=ldbm database,cn=plugins,cn=config",
batch=False):
diff --git a/lib389/tests/cli/conf_plugins/rootdn_ac_test.py
b/lib389/tests/cli/conf_plugins/rootdn_ac_test.py
new file mode 100644
index 0000000..76650b2
--- /dev/null
+++ b/lib389/tests/cli/conf_plugins/rootdn_ac_test.py
@@ -0,0 +1,281 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016-2017 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+
+import pytest
+
+from lib389.tests.cli import topology as default_topology
+from lib389.cli_base import LogCapture, FakeArgs
+from lib389.plugins import RootDNAccessControlPlugin
+from lib389.cli_conf.plugins import rootdn_ac as rootdn_cli
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ topology = default_topology(request)
+
+ plugin = RootDNAccessControlPlugin(topology.standalone)
+ if not plugin.exists():
+ plugin.create()
+
+ # we need to restart the server after enabling the plugin
+ plugin.enable()
+ topology.standalone.restart()
+ topology.logcap.flush()
+
+ return topology
+
+def test_set_open_time(topology):
+ args = FakeArgs()
+
+ args.value = "1030"
+ rootdn_cli.set_open_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-open-time set to")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-open-time: 1030")
+ topology.logcap.flush()
+
+def test_set_close_time(topology):
+ args = FakeArgs()
+
+ args.value = "1545"
+ rootdn_cli.set_close_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-close-time set to")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-close-time: 1545")
+ topology.logcap.flush()
+
+def test_clear_time(topology):
+ args = FakeArgs()
+
+ rootdn_cli.clear_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("time-based policy was cleared")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_time(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-open-time is not set")
+ assert topology.logcap.contains("rootdn-close-time is not set")
+ topology.logcap.flush()
+
+def test_allow_ip(topology):
+ args = FakeArgs()
+
+ args.value = "127.0.0.1"
+ rootdn_cli.allow_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-ip: 127.0.0.1")
+ topology.logcap.flush()
+
+def test_deny_ip(topology):
+ args = FakeArgs()
+
+ args.value = "127.0.0.2"
+ rootdn_cli.deny_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-ip: 127.0.0.2")
+ topology.logcap.flush()
+
+def test_when_ip_is_allowed_its_not_denied(topology):
+ args = FakeArgs()
+
+ args.value = "127.0.0.3"
+ rootdn_cli.deny_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-ip: 127.0.0.3")
+ topology.logcap.flush()
+
+ args.value = "127.0.0.3"
+ rootdn_cli.allow_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-ip: 127.0.0.3")
+ assert not topology.logcap.contains("rootdn-deny-ip: 127.0.0.3")
+ topology.logcap.flush()
+
+def test_when_ip_is_denied_its_not_allowed(topology):
+ args = FakeArgs()
+
+ args.value = "127.0.0.4"
+ rootdn_cli.allow_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-ip: 127.0.0.4")
+ topology.logcap.flush()
+
+ args.value = "127.0.0.4"
+ rootdn_cli.deny_ip(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-ip".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-ip: 127.0.0.4")
+ assert not topology.logcap.contains("rootdn-allow-ip: 127.0.0.4")
+ topology.logcap.flush()
+
+def test_clear_ips(topology):
+ args = FakeArgs()
+
+ rootdn_cli.clear_all_ips(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("ip-based policy was cleared")
+ topology.logcap.flush()
+
+def test_allow_host(topology):
+ args = FakeArgs()
+
+ args.value = "example1.com"
+ rootdn_cli.allow_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-host: example1.com")
+ topology.logcap.flush()
+
+def test_deny_host(topology):
+ args = FakeArgs()
+
+ args.value = "example2.com"
+ rootdn_cli.deny_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-host: example2.com")
+ topology.logcap.flush()
+
+def test_when_host_is_allowed_its_not_denied(topology):
+ args = FakeArgs()
+
+ args.value = "example3.com"
+ rootdn_cli.deny_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-host: example3.com")
+ topology.logcap.flush()
+
+ args.value = "example3.com"
+ rootdn_cli.allow_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-host: example3.com")
+ assert not topology.logcap.contains("rootdn-deny-host: example3.com")
+ topology.logcap.flush()
+
+def test_when_host_is_denied_its_not_allowed(topology):
+ args = FakeArgs()
+
+ args.value = "example4.com"
+ rootdn_cli.allow_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-allow-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-allow-host: example4.com")
+ topology.logcap.flush()
+
+ args.value = "example4.com"
+ rootdn_cli.deny_host(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-deny-host".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-deny-host: example4.com")
+ assert not topology.logcap.contains("rootdn-allow-host: example4.com")
+ topology.logcap.flush()
+
+def test_clear_hosts(topology):
+ args = FakeArgs()
+
+ rootdn_cli.clear_all_hosts(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("host-based policy was cleared")
+ topology.logcap.flush()
+
+def test_allow_and_deny_days(topology):
+ args = FakeArgs()
+
+ args.value = "Mon".capitalize()
+ rootdn_cli.allow_day(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("{} added to
rootdn-days-allowed".format(args.value))
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_days(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-days-allowed: Mon")
+ topology.logcap.flush()
+
+ args.value = "friday".capitalize()
+ rootdn_cli.allow_day(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("Fri added to rootdn-days-allowed")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_days(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-days-allowed: Mon, Fri")
+ topology.logcap.flush()
+
+ args.value = "MONDAY".capitalize()
+ rootdn_cli.deny_day(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("Mon removed from rootdn-days-allowed")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_days(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("rootdn-days-allowed: Fri")
+ topology.logcap.flush()
+
+ args.value = "fri".capitalize()
+ rootdn_cli.deny_day(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("Fri removed from rootdn-days-allowed")
+ topology.logcap.flush()
+
+ args.value = None
+ rootdn_cli.display_days(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("No day-based access control policy has been
configured")
+ topology.logcap.flush()
+
+def test_clear_days(topology):
+ args = FakeArgs()
+
+ rootdn_cli.clear_all_days(topology.standalone, None, topology.logcap.log, args)
+ assert topology.logcap.contains("day-based policy was cleared")
+ topology.logcap.flush()
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
2438
days inactive
2438
days old
389-commits@lists.fedoraproject.org
5 comments
1 participants
participants (1)
-
git repository hosting