diff options
Diffstat (limited to 'Pivot.py')
| -rw-r--r-- | Pivot.py | 341 |
1 files changed, 281 insertions, 60 deletions
@@ -1,17 +1,20 @@ #!/usr/bin/env python -import ldap, ldap.dn, ldap.filter -import Backend, sets +import sys, os, sets +import ldap, ldap.dn, ldap.filter, ldif +import Backend HOST = "ldap://localhost:3890" -BINDDN = "cn=root,dc=fam" +ROOTDN = "cn=root,dc=fam" PASSWORD = "barn" BASE = "dc=fam" REF_ATTRIBUTE = "member" KEY_ATTRIBUTE = "uid" TAG_ATTRIBUTE = "memberOf" +ACCESS_ATTRIBUTE = "access" +FILENAME = "/tmp/pivot.ldif" -OBJECT_CLASS = "groupOfNames" +OBJECT_CLASS = "group" DN_ATTRIBUTE = "cn" # hasSubordinates: TRUE @@ -20,7 +23,7 @@ SCOPE_BASE = "0" SCOPE_ONE = "1" SCOPE_SUB = "2" -class Storage: +class Lookups: def __init__(self, url): self.url = url self.ldap = None @@ -32,7 +35,7 @@ class Storage: self.ldap.unbind() self.ldap = ldap.initialize(self.url) try: - self.ldap.simple_bind_s(BINDDN, PASSWORD) + self.ldap.simple_bind_s(ROOTDN, PASSWORD) except ldap.LDAPError, ex: raise Backend.Error(Backend.OPERATIONS_ERROR, "Couldn't do internal authenticate: %s" % ex.args[0]["desc"]) @@ -75,6 +78,88 @@ class Storage: self.__connect(True) self.modify(dn, mods, retries - 1) +class Storage: + + def __init__(self, filename): + self.filename = filename + self.entries = { } + self.load() + + def load(self): + if not os.path.exists(self.filename): + return + input = open(self.filename, 'r') + reader = ldif.LDIFRecordList(input) + reader.parse() + input.close() + self.entries = { } + for (dn, entry) in reader.all_records: + self.entries[dn] = entry + + def save(self): + output = open(self.filename, 'w') + print >> output, "# Overwritten automatically, do not edit\n" + + writer = ldif.LDIFWriter(output) + for (dn, entry) in self.entries.items(): + if (entry): + print + print dn + print repr(entry) + print + writer.unparse(dn, entry) + output.close() + + def __entry_for_dn(self, dn): + if not self.entries.has_key(dn): + self.entries[dn] = { } + return self.entries[dn] + + def store(self, dn, attribute, value): + if value is None: + return + entry = self.__entry_for_dn(dn) + if not entry.has_key(attribute): + entry[attribute] = [ ] + if value not in entry[attribute]: + entry[attribute].append(value) + + def remove(self, dn, attribute, value = None): + entry = self.__entry_for_dn(dn) + if entry.has_key(attribute): + if value is None: + del entry[attribute] + elif value in entry[attribute]: + entry[attribute] = [val for val in entry[attribute] if val != value] + + def has(self, dn, attribute, value = None): + entry = self.__entry_for_dn(dn) + if not entry.has_key(attribute): + return False + if value is None: + return True + return value in entry[attribute] + + def retrieve(self, dn, attribute): + entry = self.__entry_for_dn(dn) + if not entry.has_key(attribute): + return [ ] + return entry[attribute][:] # copy + + def list_attributes(self, dn): + entry = self.__entry_for_dn(dn) + return entry.keys()[:] # copy + + def list_dns(self): + return self.entries.keys()[:] # copy + + def exists(self, dn): + return dn in self.entries.keys() + + def delete(self, dn): + if self.entries.has_key(dn): + del self.entries[dn] + class Static: def __init__(self, func): @@ -89,7 +174,7 @@ class Tags: if not force and self.tags is not None: return try: - results = self.database.storage.search(BASE, "(%s=*)" % TAG_ATTRIBUTE, [TAG_ATTRIBUTE]) + results = self.database.lookups.search(BASE, "(%s=*)" % TAG_ATTRIBUTE, [TAG_ATTRIBUTE]) tags = { } for (dn, entry) in results: @@ -143,8 +228,16 @@ class Tags: from_database = Static(from_database) -def is_parsed_dn_parent (dn, parent): - if len(dn) <= len(parent): +def parse_dn(dn): + try: + return ldap.dn.str2dn(dn) + except: + raise Backend.Error(Backend.PROTOCOL_ERROR, "Invalid dn: %s" % dn) + +def is_parsed_dn_parent(dn, parent): + print dn + print parent + if len(dn) != len(parent) + 1: return False # Go backwards and validate each parent for i in range(-1, -1 - len(parent)): @@ -156,11 +249,9 @@ def is_parsed_dn_parent (dn, parent): class Database(Backend.Database): def __init__(self, suffix): Backend.Database.__init__(self, suffix) - self.storage = Storage(HOST) - try: - self.suffix_dn = ldap.dn.str2dn(self.suffix) - except ValueError: - raise Backend.Error(Backend.Error.PROTOCOL_ERROR, "invalid suffix dn") + self.lookups = Lookups(HOST) + self.suffix_dn = parse_dn(self.suffix) + self.storage = Storage(FILENAME) def __search_tag_keys(self, tags): @@ -176,7 +267,7 @@ class Database(Backend.Database): try: # Search for all those guys - results = self.storage.search(BASE, filter, [ KEY_ATTRIBUTE ]) + results = self.lookups.search(BASE, filter, [ KEY_ATTRIBUTE ]) except ldap.LDAPError, ex: raise Backend.Error(Backend.OPERATIONS_ERROR, @@ -192,7 +283,7 @@ class Database(Backend.Database): try: # Do the actual search - results = self.storage.search(BASE, filter) + results = self.lookups.search(BASE, filter) except ldap.LDAPError, ex: raise Backend.Error(Backend.OPERATIONS_ERROR, @@ -201,7 +292,7 @@ class Database(Backend.Database): return [dn for (dn, entry) in results if dn] - def __build_root_entry(self, tags, any_attrs = True): + def __build_root_entry(self, tags, with_attrs = True): attrs = { "objectClass" : [ "top" ], "hasSubordinates" : [ ] @@ -213,13 +304,13 @@ class Database(Backend.Database): attrs[typ].append(val) # Note that we don't access 'tags' unless attributes requested - if any_attrs: + if with_attrs: attrs["hasSubordinates"].append(tags and "TRUE" or "FALSE") return (self.suffix, attrs) - def __build_pivot_entry(self, tags, any_attrs = True): + def __build_pivot_entry(self, tags, with_attrs = True): attrs = { REF_ATTRIBUTE : [ ], "objectClass" : [ OBJECT_CLASS ], @@ -238,68 +329,118 @@ class Database(Backend.Database): dn = ldap.dn.dn2str(dn) # Get out all the attributes - if any_attrs: + if with_attrs: for key in self.__search_tag_keys(tags): attrs[REF_ATTRIBUTE].append(key) return (dn, attrs) + def __build_storage_entry(self, parsed_dn, with_attrs = True): + attrs = { } + + # Build up DN relevant attrs + for (typ, val, num) in parsed_dn[0]: + if not attrs.has_key(typ): + attrs[typ] = [ ] + attrs[typ].append(val) + + # All other storage attributes retrieved later if necessary + return (ldap.dn.dn2str(parsed_dn), attrs) + - def __limit_results(self, args, results): + def __complete_results(self, args, entries): # TODO: Support sizelimit # TODO: Support a filter # Only return the attribute names? - if args["attrsonly"] == "1": - for (dn, attrs) in results: - for attr in attrs: - attrs[attr] = [ "" ] + only_names = (args["attrsonly"] == "1") + which_attrs = args["attrs"] + all_attrs = (which_attrs == "all" or + which_attrs == "*" or + which_attrs == "+") + which_attrs = which_attrs.split(" ") - # Only return these attributes? - which = args["attrs"] - if which != "all" and which != "*" and which != "+": - which = which.split(" ") - for (dn, attrs) in results: - for attr in attrs.keys(): - if attr not in which: - del attrs[attr] + # Convert results from our map to a list with (dn, entry) tuples + results = [ ] + for (dn, entry) in entries.items(): - def search(self, dn, args): - results = [] + # Retrieve extra value names + extra = self.storage.list_attributes(dn) - try: - parsed = ldap.dn.str2dn(dn) - except: - raise Backend.Error(Backend.PROTOCOL_ERROR, "Invalid dn in search: %s" % dn) + # Only return attribute names + if only_names: + for attr in extra: + entry[attr] = [ "" ] + for attr in entry: + entry[attr] = [ "" ] + + # Return extra attribute names and values + else: + for attr in extra: + values = self.storage.retrieve(dn, attr) + if entry.has_key(attr): + entry[attr].extend(values) + else: + entry[attr] = values + # Remove all duplicates + entry[attr] = list(set(entry[attr])) + + # Limit to the attributes requested + if not all_attrs: + for attr in entry.keys(): + if attr not in which_attrs: + del entry[attr] + + results.append((dn, entry)) + + return results + + + def search(self, dn, args): + results = { } + parsed = parse_dn(dn) # Arguments sent scope = args["scope"] or SCOPE_BASE - any_attrs = len(args["attrs"].strip()) > 0 + with_attrs = len(args["attrs"].strip()) > 0 # Start at the root if parsed == self.suffix_dn: tags = Tags.from_database(self) if scope == SCOPE_BASE or scope == SCOPE_SUB: - results.append(self.__build_root_entry(tags, any_attrs)) + (dn, entry) = self.__build_root_entry(tags, with_attrs) + results[dn] = entry if scope == SCOPE_ONE or scope == SCOPE_SUB: # Process each tag individually, by default for (tag, typ) in tags.items(): - results.append(self.__build_pivot_entry({ tag : typ }, any_attrs)) + (child, entry) = self.__build_pivot_entry({ tag : typ }, with_attrs) + results[child] = entry + # Process all extra storage items + for child in self.storage.list_dns(): + if child not in results: + (child, entry) = self.__build_storage_entry(parse_dn(child)) + results[child] = entry # Start at a tag - elif is_parsed_dn_parent (parsed, self.suffix_dn): + elif is_parsed_dn_parent(parsed, self.suffix_dn): tags = Tags.from_parsed_dn(parsed) if scope == SCOPE_BASE or scope == SCOPE_SUB: - results.append(self.__build_pivot_entry(tags, any_attrs)) + (dn, entry) = self.__build_pivot_entry(tags, with_attrs) + results[dn] = entry + + # Something in the database + elif self.storage.exists(dn): + if scope == SCOPE_BASE or scope == SCOPE_SUB: + (dn, entry) = self.__build_storage_entry(parsed, with_attrs) + results[dn] = entry # We don't have that base else: raise Backend.Error(Backend.NO_SUCH_OBJECT, "DN '%s' does not exist" % dn) - self.__limit_results(args, results) - return results + return self.__complete_results(args, results) def __build_key_mods(self, key, tags, op, mods): @@ -313,23 +454,90 @@ class Database(Backend.Database): for tag in tags: mods[dn][1].append((op, TAG_ATTRIBUTE, tag)) - def modify(self, dn, mods): - try: - parsed = ldap.dn.str2dn(dn) - except: - raise Backend.Error(Backend.PROTOCOL_ERROR, "Invalid dn in modify: %s" % dn) + def __check_write_access(self, dn): + if self.binddn == ROOTDN: + return True + return self.storage.has(dn, ACCESS_ATTRIBUTE, self.binddn) - if dn == self.suffix: - raise Backend.Error(Backend.INSUFFICIENT_ACCESS, - "Cannot modify root dn of pivot area: %s" % dn) - if not is_parsed_dn_parent (parsed, self.suffix_dn): - raise Backend.Error(Backend.NO_SUCH_OBJECT, - "DN '%s' does not exist" % dn) + def add(self, dn, entry): + + parsed = parse_dn(dn) + tags = Tags.from_parsed_dn(parsed) + + if parsed == self.suffix_dn: + raise Backend.Error(Backend.ALREADY_EXISTS, "This entry already exists: %s" % dn) + if not is_parsed_dn_parent(parsed, self.suffix_dn): + raise Backend.Error(Backend.NO_SUCH_OBJECT, "Parent of '%s' does not exist or is not valid" % dn) + if self.storage.exists(dn): + raise Backend.Error(Backend.ALREADY_EXISTS, "This entry already exists: %s" % dn) + if len(self.__search_tag_keys(tags)): + raise Backend.Error(Backend.ALREADY_EXISTS, "This entry already exists: %s" % dn) + + # Everyone has implicit access to create a new group + + # Convert into a modify change set + mods = [] + for (attr, values) in entry.items(): + for value in values: + mods.append((ldap.MOD_ADD, attr, value)) + + # Add an access attribute for the creator + if self.binddn and not ACCESS_ATTRIBUTE in entry : + mods.append((ldap.MOD_ADD, ACCESS_ATTRIBUTE, self.binddn)) + + # Make the actual changes + self.__change(parsed, mods, tags) + + # Save extra attributes to storage + self.storage.save() + + + def delete(self, dn, args): + parsed = parse_dn(dn) + tags = Tags.from_parsed_dn(parsed) + + if parsed == self.suffix_dn: + raise Backend.Error(Backend.NOT_ALLOWED_ON_NONLEAF, "Cannot delete the root entry: %s" % dn) + if not is_parsed_dn_parent(parsed, self.suffix_dn): + raise Backend.Error(Backend.NO_SUCH_OBJECT, "Entry does not exist: %s" % dn) + + if not self.__check_write_access(dn): + raise Backend.Error(Backend.INSUFFICIENT_ACCESS, "Access denied to delete entry: %s" % dn) + + mods = [] + mods.append((ldap.MOD_DELETE, REF_ATTRIBUTE, None)) + + # Make the actual changes + self.__change(parsed, mods, tags) + # Delete extra attributes from storage + self.storage.delete(dn) + self.storage.save() + + + def modify(self, dn, mods): + parsed = parse_dn(dn) tags = Tags.from_parsed_dn(parsed) + if dn == self.suffix: + raise Backend.Error(Backend.INSUFFICIENT_ACCESS, "Cannot modify root dn of pivot area: %s" % dn) + if not is_parsed_dn_parent (parsed, self.suffix_dn): + raise Backend.Error(Backend.NO_SUCH_OBJECT, "DN '%s' does not exist" % dn) + + if not self.__check_write_access(dn): + raise Backend.Error(Backend.INSUFFICIENT_ACCESS, "Access denied to modify entry: %s" % dn) + + # Make the actual changes + self.__change(parsed, mods, tags) + + # Save extra attributes to storage + self.storage.save() + + + def __change(self, parsed, mods, tags): + add_keys = sets.Set() remove_keys = sets.Set() remove_all = False @@ -337,9 +545,9 @@ class Database(Backend.Database): # Parse out all the adds and removes for (op, attr, value) in mods: + # Process access attributes later if attr != REF_ATTRIBUTE: - raise Backend.Error(Backend.CONSTRAINT_VIOLATION, - "Cannot modify '%s' attribute" % attr) + continue if op == ldap.MOD_ADD: if value: @@ -380,7 +588,7 @@ class Database(Backend.Database): for (dn, (key, mod)) in keys_and_mods_by_dn.items(): try: print dn, mod - self.storage.modify(dn, mod) + self.lookups.modify(dn, mod) except (ldap.TYPE_OR_VALUE_EXISTS, ldap.NO_SUCH_ATTRIBUTE): continue except ldap.NO_SUCH_OBJECT: @@ -394,4 +602,17 @@ class Database(Backend.Database): raise Backend.Error(Backend.CONSTRAINT_VIOLATION, "Couldn't change %s for %s" % (KEY_ATTRIBUTE, ", ".join(errors))) + # Process other attributes now + dn = ldap.dn.dn2str(parsed) + for (op, attr, value) in mods: + if attr == REF_ATTRIBUTE: + continue + if op == ldap.MOD_ADD: + self.storage.store(dn, attr, value) + elif op == ldap.MOD_REPLACE: + self.storage.remove(dn, attr) + self.storage.add(dn, attr, value) + elif op == ldap.MOD_DELETE: + self.storage.remove(dn, attr, value) + |