Source code for noggin.security.ipa_admin

from functools import wraps

from flask import current_app, session

from .ipa import Client, choose_server


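class IPAAdmin:
    """Flask extension exposing an allow-list of FreeIPA calls run as the admin user.

    Attribute access for an allow-listed name returns a wrapper that opens a
    new admin session, invokes the same-named ``Client`` method, and logs the
    session out again. Any other name raises ``AttributeError``, so callers
    cannot reach arbitrary ``Client`` methods with admin privileges.
    """

    # Methods callable with admin credentials in every configuration.
    __WRAPPED_METHODS = (
        "user_show",
        "user_mod",
        "stageuser_add",
        "stageuser_show",
        "stageuser_activate",
        "stageuser_mod",
        "ping",
    )
    # Additional methods exposed only when the app config has TESTING set.
    # The list includes destructive operations (user_del, group_del, ...), so
    # TESTING must stay off in any deployment that talks to a real directory.
    # NOTE(review): "stageuser_mod" also appears in __WRAPPED_METHODS above;
    # the duplicate is harmless but redundant.
    __WRAPPED_METHODS_TESTING = (
        "user_add",
        "user_del",
        "group_add",
        "group_del",
        "group_find",
        "group_add_member",
        "group_add_member_manager",
        "group_remove_member",
        "pwpolicy_add",
        "pwpolicy_mod",
        "pwpolicy_show",
        "otptoken_add",
        "otptoken_del",
        "otptoken_find",
        "stageuser_del",
        "stageuser_mod",
        "batch",
        "fasagreement_add",
        "fasagreement_add_group",
        "fasagreement_del",
        "fasagreement_remove_group",
        "fasagreement_remove_user",
        "fasagreement_disable",
        "role_add",
        "role_del",
        "role_add_privilege",
        "role_add_member",
    )

    def __init__(self, app=None):
        """Create the extension, binding it to ``app`` immediately when given."""
        if app is not None:
            self.init_app(app)

    def init_app(self, app):
        """Take over the FreeIPA admin credentials from ``app.config``.

        The username and password are copied into
        ``app.extensions["ipa-admin"]`` and the two config entries are then
        overwritten with ``'***'``, so anything that prints or serialises
        ``app.config`` afterwards does not expose the real values.

        Raises:
            KeyError: if ``FREEIPA_ADMIN_USER`` or ``FREEIPA_ADMIN_PASSWORD``
                is missing from ``app.config``.
        """
        # Move FreeIPA admin user and password values from the main
        # configuration into the one for the `ipa-admin` extension.
        app.extensions["ipa-admin"] = {
            "username": app.config['FREEIPA_ADMIN_USER'],
            "password": app.config['FREEIPA_ADMIN_PASSWORD'],
        }
        # Overwrite the values in the main configuration.
        app.config['FREEIPA_ADMIN_USER'] = '***'
        app.config['FREEIPA_ADMIN_PASSWORD'] = '***'  # nosec

    # Attempt to obtain an administrative IPA session
    def __maybe_ipa_admin_session(self):
        """Log in as the configured admin and return the connected client.

        ``ping()`` is issued right after ``login()``; either call raising
        propagates to the caller.
        """
        credentials = current_app.extensions["ipa-admin"]
        client = Client(
            choose_server(current_app, session),
            # NOTE(review): presumably a CA bundle path used to verify the
            # server certificate; confirm the deployed value never disables
            # verification.
            verify_ssl=current_app.config['FREEIPA_CACERT'],
        )
        client.login(credentials["username"], credentials["password"])
        client.ping()
        return client

    def __wrap_method(self, method_name):
        """Return a callable that runs ``Client.<method_name>`` as admin.

        Every call of the returned wrapper opens its own admin session and
        closes it afterwards; no session is shared between calls.
        """

        @wraps(getattr(Client, method_name))
        def wrapper(*args, **kwargs):
            ipa = self.__maybe_ipa_admin_session()
            try:
                return getattr(ipa, method_name)(*args, **kwargs)
            finally:
                # Log out even when the call raises, so a failed request does
                # not leave an authenticated admin session open on the server.
                ipa.logout()

        return wrapper

    def __getattr__(self, name):
        """Resolve allow-listed method names to admin wrappers.

        Raises:
            AttributeError: for any name outside the active allow-list.
        """
        allowed = self.__WRAPPED_METHODS
        if current_app.config.get('TESTING', False):  # pragma: no cover
            allowed = allowed + self.__WRAPPED_METHODS_TESTING
        if name in allowed:
            return self.__wrap_method(name)
        raise AttributeError(name)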