From e6a3656ab71faea8669af50ceeaf4d9a91fe0142 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Wed, 6 May 2015 11:47:46 -0400
Subject: [PATCH] SSSD info plugin is immutable if not preconfigured
The SSSD info plugin configures SSSD and modules in Apache as root during installation. This cannot be done in the UI so we must not allow users to modify the state if it was not "preconfigured" during install. If it has been configured then users are allowed to enable/disable the plugin. This is controlled by a value stored in the info_config table, preconfigured. The plugin configuration is hidden from the UI by overridding the get_config_object() method.
https://fedorahosted.org/ipsilon/ticket/111
Signed-off-by: Simo Sorce
Reviewed-by: Rob Crittenden
---
 ipsilon/admin/common.py | 10 ++++++++--
 ipsilon/info/common.py | 8 +++++++-
 ipsilon/info/infosssd.py | 23 ++++++++++++++++++++++-
 3 files changed, 37 insertions(+), 4 deletions(-)
diff --git a/ipsilon/admin/common.py b/ipsilon/admin/common.py
index 743c71c..a85a15d 100644
--- a/ipsilon/admin/common.py
+++ b/ipsilon/admin/common.py
@@ -282,7 +282,10 @@ class AdminPlugins(AdminPage):
 except AdminError, e:
 return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 if not obj.is_enabled:
- obj.enable()
+ try:
+ obj.enable()
+ except Exception as e: # pylint: disable=broad-except
+ return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 obj.save_enabled_state()
 msg = "Plugin %s enabled" % obj.name
 return self.root_with_msg(msg, ADMIN_STATUS_OK,
@@ -297,7 +300,10 @@ class AdminPlugins(AdminPage):
 except AdminError, e:
 return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 if obj.is_enabled:
- obj.disable()
+ try:
+ obj.disable()
+ except Exception as e: # pylint: disable=broad-except
+ return self.root_with_msg(str(e), ADMIN_STATUS_WARN)
 obj.save_enabled_state()
 msg = "Plugin %s disabled" % obj.name
 return self.root_with_msg(msg, ADMIN_STATUS_OK,
diff --git a/ipsilon/info/common.py b/ipsilon/info/common.py
index a97d648..6907c72 100644
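Review bot: The new `except Exception` around `obj.enable()` passes `str(e)` of whatever was raised straight to the admin page and records nothing server-side, so an unexpected failure (a database or I/O error, for instance) would show its internal text in the UI while leaving no trace in the log. The same pattern is repeated around `obj.disable()` in the second hunk of this file. Consider logging the exception before returning, and showing a fixed message for anything other than the expected precondition failure, e.g. `return self.root_with_msg("Plugin %s could not be enabled" % obj.name, ADMIN_STATUS_WARN)`. Both handlers sit inside methods that start and end outside the hunks, so which logging helper this class offers cannot be seen here.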
--- a/ipsilon/info/common.py
+++ b/ipsilon/info/common.py
@@ -65,7 +65,13 @@ class Info(Log):
 if item not in plugins.available:
 self.debug('Info Plugin %s not found' % item)
 continue
- plugins.available[item].enable()
+ try:
+ plugins.available[item].enable()
+ except Exception as e: # pylint: disable=broad-except
+ while item in plugins.enabled:
+ plugins.enabled.remove(item)
+ self.debug("Info Plugin %s couldn't be enabled: %s" % (
+ item, str(e)))
 def get_user_attrs(self, user, requested=None):
 plugins = self._site[FACILITY].available
diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index 0dd78cc..559469a 100644
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -9,6 +9,7 @@ from ipsilon.info.common import InfoProviderBase
 from ipsilon.info.common import InfoProviderInstaller
 from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
+from ipsilon.util import config as pconfig
 from string import Template
 import cherrypy
 import time
@@ -46,7 +47,13 @@ class InfoProvider(InfoProviderBase):
 super(InfoProvider, self).__init__(*pargs)
 self.mapper = Policy(sssd_mapping)
 self.name = 'sssd'
- self.new_config(self.name)
+ self.new_config(
+ self.name,
+ pconfig.Condition(
+ 'preconfigured',
+ 'SSSD can only be used when pre-configured',
+ False),
+ )
 def _get_user_data(self, user):
 reply = dict()
@@ -80,6 +87,18 @@ class InfoProvider(InfoProviderBase):
 return reply
+ def save_plugin_config(self, *args, **kwargs):
+ raise ValueError('Configuration cannot be modified live for SSSD')
+
+ def get_config_obj(self):
+ return None
+
+ def enable(self):
+ self.refresh_plugin_config()
+ if not self.get_config_value('preconfigured'):
+ raise Exception("SSSD Can be enabled only if pre-configured")
+ super(InfoProvider, self).enable()
+
 CONF_TEMPLATE = """
 LoadModule lookup_identity_module modules/mod_lookup_identity.so
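Review bot: A plugin that is listed as enabled but fails to start is dropped from `plugins.enabled` with only a `self.debug(...)` message, so at normal log levels the operator gets no indication that the identity provider is running without that attribute source. If the `Log` base class offers a higher-severity method, use it here, for example `self.error("Info Plugin %s couldn't be enabled: %s" % (item, e))` (method name to be confirmed against `Log`, which is not visible in this patch). The `str(e)` call is redundant under `%s` in any case. The enclosing method begins outside the hunk.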
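Review bot: In the `@@ -80,6 +87,18 @@` hunk, `enable()` signals the missing precondition with a bare `Exception`, which is what obliges both callers in this patch to catch `Exception` wholesale; raising a small dedicated type, e.g. `class SSSDNotPreconfigured(Exception): pass` (the name is only a suggestion), would let them catch just this case. The three overrides also carry no docstring saying that they exist to keep the web UI from changing state that was set up as root at install time; a one-line docstring on each, such as `"""Refuse live changes: SSSD and Apache are configured as root by the installer."""` on `save_plugin_config`, would record that intent. The guard relies on the truthiness of `get_config_value('preconfigured')`; if the stored value can come back as a string rather than a boolean it needs an explicit comparison, which cannot be confirmed from the hunk.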
@@ -192,6 +211,8 @@ class Installer(InfoProviderInstaller):
 po.name = 'sssd'
 po.wipe_data()
 po.wipe_config_values()
+ config = {'preconfigured': True}
+ po.save_plugin_config(config)
 # Update global config to add info plugin
 po.is_enabled = True
--
2.20.1
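Review bot: The `preconfigured` value written here is the only thing that later allows the plugin to be enabled from the admin UI, and nothing at this spot says so. A comment above `config = {'preconfigured': True}` such as `# Marks that SSSD and the Apache modules were set up as root; InfoProvider.enable() refuses to run without it` would make that dependency visible to the next maintainer. Whether the root-level configuration has already completed successfully by this point lies outside the hunk; if it can still fail afterwards, the marker should be saved only once it has succeeded.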