On 10.10.2014 16:38, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 15:36, Alexander Bokovoy wrote:
On Fri, 10 Oct 2014, Petr Vobornik wrote:
On 10.10.2014 10:39, Alexander Bokovoy wrote:
Hi!

I'm resending patches 0159 and 0160, and adding two more:

0161 -- support user SSH public keys in ID view user overrides
0162 -- support gidNumber in ID view user override

SSH public keys to work require support from SSSD and that one is
currently missing. At least, one can add/remove the keys to/from the
override objects.

Compat tree does not support exporting SSH keys. When accessing the tree
anonymously, the entry will be filtered out by ACIs but for authenticated
users we need to explicitly ignore ipaSshPubKey attribute in the override,
so I'm resending updated slapi-nis patch that only adds one more attribute
to filter out.


I'm going to prepare Web UI for 160, 161, 162.

Q: ipaUserOverride object class contains also 'gecos' attribute. Will
it be handled by CLI and Web UI as well?
I'll add another patch for that.


Comments for these 3 patches:

1. VERSION was not bumped

Patch 160:
Apart from #1, is OK (not sure if #1 is needed for ACK)
I wonder if I should bump it in a separate patch that would be the last
one in the series, to avoid proliferation of API version numbers? :)

IMHO it should be sufficient. Same outcome as if the patches were
squashed.
Yep.

One more update for patch 0161, Petr noticed we need to call super
post_callback() too.


idoverrideuser_find callback causes internal error. I've attached new version of the patch which fixes it. Basically it's this change:

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 25b9bcf..bfa8675 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -831,11 +831,12 @@ class idoverrideuser_find(baseidoverride_find):
     msg_summary = ngettext('%(count)d User ID override matched',
                            '%(count)d User ID overrides matched', 0)

-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        dn = super(idoverrideuser_find, self).post_callback(ldap, dn,
-                 entry_attrs, *keys, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
-        return dn
+    def post_callback(self, ldap, entries, truncated, *args, **options):
+        truncated = super(idoverrideuser_find, self).post_callback(
+            ldap, entries, truncated, *args, **options)
+        for entry in entries:
+            convert_sshpubkey_post(ldap, entry.dn, entry)
+        return truncated
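
Review bot: nothing in this change exercises idoverrideuser_find, so the single-entry signature (ldap, dn, entry_attrs) that the removed lines used in a find command could come back unnoticed. A test that runs idoverrideuser_find against a view holding an override with ipasshpubkey set would cover the new loop over entries.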

If you are OK with it, then ACK for patches 160, 161-3, 162-1, 164 and 165.

Patch 159 should be reviewed by somebody more versed in Compat tree. Btw. 10-schema_compat.update contains whitespace warning (git am) - additional blank line at the end of file.
--
Petr Vobornik
From fb1a6a6481d853d3e374ece5dc8cf013fef44863 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Fri, 10 Oct 2014 09:26:13 +0300
Subject: [PATCH] Allow user overrides to specify SSH public keys

Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.

SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454

Resolves https://fedorahosted.org/freeipa/ticket/4509
---
 API.txt                   |  6 ++++--
 ipalib/plugins/idviews.py | 44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/API.txt b/API.txt
index 226809e9e22c7e8ab851727b12bf0b93b4e5dcce..60fa32123d5e69c0cb63ed087f30fd9e03c7fa3e 100644
--- a/API.txt
+++ b/API.txt
@@ -2130,7 +2130,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: idoverrideuser_add
-args: 2,11,3
+args: 2,12,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2138,6 +2138,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False)
 option: Str('homedirectory', attribute=True, cli_name='homedir', multivalue=False, required=False)
 option: Str('ipaoriginaluid', attribute=True, cli_name='ipaoriginaluid', multivalue=False, required=False)
+option: Str('ipasshpubkey', attribute=True, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('loginshell', attribute=True, cli_name='shell', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('setattr*', cli_name='setattr', exclude='webui')
@@ -2178,7 +2179,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('truncated', <type 'bool'>, None)
 command: idoverrideuser_mod
-args: 2,14,3
+args: 2,15,3
 arg: Str('idviewcn', cli_name='idview', multivalue=False, primary_key=True, query=True, required=True)
 arg: Str('ipaanchoruuid', attribute=True, cli_name='anchor', multivalue=False, primary_key=True, query=True, required=True)
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -2187,6 +2188,7 @@ option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, required=False)
 option: Str('homedirectory', attribute=True, autofill=False, cli_name='homedir', multivalue=False, required=False)
 option: Str('ipaoriginaluid', attribute=True, autofill=False, cli_name='ipaoriginaluid', multivalue=False, required=False)
+option: Str('ipasshpubkey', attribute=True, autofill=False, cli_name='sshpubkey', csv=True, multivalue=True, required=False)
 option: Str('loginshell', attribute=True, autofill=False, cli_name='shell', multivalue=False, required=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('rename', cli_name='rename', multivalue=False, primary_key=True, required=False)
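Review bot: the API.txt hunks change the argument counts of idoverrideuser_add and idoverrideuser_mod (2,11,3 to 2,12,3 and 2,14,3 to 2,15,3), but the diffstat lists only API.txt and ipalib/plugins/idviews.py, so VERSION is not bumped with them. If the bump is deferred to the last patch of the series, as discussed in the thread, note that in the commit message so the dependency is visible.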
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index dbbf082d03bfdf195f09eaf0c39aa8866fdcfefa..3ec6a15cc9a37af8b5b9c6ae0774ad5451bc185d 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -25,6 +25,8 @@ from ipalib.plugins.hostgroup import get_complete_hostgroup_member_list
 from ipalib import api, Str, Int, Flag, _, ngettext, errors, output
 from ipalib.constants import IPA_ANCHOR_PREFIX, SID_ANCHOR_PREFIX
 from ipalib.plugable import Registry
+from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
+    convert_sshpubkey_post)
 
 from ipapython.dn import DN
 
@@ -664,6 +666,7 @@ class idoverrideuser(baseidoverride):
     object_class = baseidoverride.object_class + ['ipaUserOverride']
     default_attributes = baseidoverride.default_attributes + [
        'homeDirectory', 'uidNumber', 'uid', 'ipaOriginalUid', 'loginShell',
+       'ipaSshPubkey',
     ]
 
     takes_params = baseidoverride.takes_params + (
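Review bot: the attribute is spelled 'ipaSshPubkey' in default_attributes, while the thread uses ipaSshPubKey and the parameter is the lowercase ipasshpubkey. LDAP attribute names compare case-insensitively, so this works, but one spelling throughout makes the attribute easier to grep for.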
@@ -692,6 +695,13 @@ class idoverrideuser(baseidoverride):
         Str('ipaoriginaluid?',
             flags=['no_option', 'no_output']
             ),
+        Str('ipasshpubkey*', validate_sshpubkey,
+            cli_name='sshpubkey',
+            label=_('SSH public key'),
+            normalizer=normalize_sshpubkey,
+            csv=True,
+            flags=['no_search'],
+        ),
     )
 
     override_object = 'user'
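Review bot: csv=True on the ipasshpubkey parameter means a value is split on commas, and the comment field of an SSH public key can itself contain a comma. Worth confirming that such a key survives idoverrideuser_add and idoverrideuser_mod intact once validate_sshpubkey and normalize_sshpubkey have run, or documenting how it has to be quoted on the command line.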
@@ -764,6 +774,13 @@ class idoverrideuser_add(baseidoverride_add):
         self.obj.update_original_uid_reference(entry_attrs)
         return dn
 
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        dn = super(idoverrideuser_add, self).post_callback(ldap, dn,
+                 entry_attrs, *keys, **options)
+        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        return dn
+
+
 
 @register()
 class idoverrideuser_del(baseidoverride_del):
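Review bot: idoverrideuser_mod's pre_callback appends the ipasshuser object class when ipasshpubkey is set, but this hunk only gives idoverrideuser_add a post_callback. Is the object class added somewhere else when an override is created with --sshpubkey? If not, the add path needs the same handling. Minor: the two added blank lines leave three blank lines before @register().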
@@ -783,6 +800,20 @@ class idoverrideuser_mod(baseidoverride_mod):
         # Update the ipaOriginalUid
         self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
         self.obj.update_original_uid_reference(entry_attrs)
+        if 'objectclass' in entry_attrs:
+            obj_classes = entry_attrs['objectclass']
+        else:
+            _entry_attrs = ldap.get_entry(dn, ['objectclass'])
+            obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
+
+        if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
+            obj_classes.append('ipasshuser')
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        dn = super(idoverrideuser_mod, self).post_callback(ldap, dn,
+                 entry_attrs, *keys, **options)
+        convert_sshpubkey_post(ldap, dn, entry_attrs)
         return dn
 
 
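Review bot: the objectclass lookup in pre_callback runs on every idoverrideuser_mod call, including ones that do not touch ipasshpubkey, which costs an extra ldap.get_entry() and puts objectclass into entry_attrs for the update. Moving the lookup under the 'ipasshpubkey' in entry_attrs check avoids both. The 'ipasshuser' not in obj_classes test is also case-sensitive, so a value stored as ipaSshUser would not match and a second copy would be appended.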
@@ -792,11 +823,24 @@ class idoverrideuser_find(baseidoverride_find):
     msg_summary = ngettext('%(count)d User ID override matched',
                            '%(count)d User ID overrides matched', 0)
 
+    def post_callback(self, ldap, entries, truncated, *args, **options):
+        truncated = super(idoverrideuser_find, self).post_callback(
+            ldap, entries, truncated, *args, **options)
+        for entry in entries:
+            convert_sshpubkey_post(ldap, entry.dn, entry)
+        return truncated
+
 
 @register()
 class idoverrideuser_show(baseidoverride_show):
     __doc__ = _('Display information about an User ID override.')
 
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        dn = super(idoverrideuser_show, self).post_callback(ldap, dn,
+                 entry_attrs, *keys, **options)
+        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        return dn
+
 
 @register()
 class idoverridegroup_add(baseidoverride_add):
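Review bot: the post_callback bodies added to idoverrideuser_add, idoverrideuser_mod and idoverrideuser_show are identical apart from the class name passed to super(), and idoverrideuser_find repeats the same conversion in a loop. A small helper on idoverrideuser that wraps convert_sshpubkey_post would keep the four commands in step if the conversion changes.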
-- 
1.9.3
