Add hbactest command. https://fedorahosted.org/freeipa/ticket/386

HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.

1 files changed, 15 insertions, 0 deletions

diff --git a/API.txt b/API.txt
index 42a212b1e..5c4a7fe93 100644
--- a/API.txt
+++ b/API.txt
@@ -1321,6 +1321,21 @@ option: Str('version?', exclude='webui', flags=['no_option', 'no_output'])
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
+command: hbactest
+args: 0,8,5
+option: Str('user', cli_name='user', label=Gettext('User name', domain='ipa', localedir=None), primary_key=True)
+option: Str('sourcehost', cli_name='srchost', label=Gettext('Source host', domain='ipa', localedir=None))
+option: Str('targethost', cli_name='host', label=Gettext('Target host', domain='ipa', localedir=None))
+option: Str('service', cli_name='service', label=Gettext('Service', domain='ipa', localedir=None))
+option: List('rules?', cli_name='rules', label=Gettext('Rules to test. If not specified, --enabled is assumed', domain='ipa', localedir=None), multivalue=True)
+option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False, label=Gettext('Hide details which rules are matched, not matched, or invalid', domain='ipa', localedir=None))
+option: Flag('enabled?', autofill=True, cli_name='enabled', default=False, label=Gettext('Include all enabled IPA rules into test [default]', domain='ipa', localedir=None))
+option: Flag('disabled?', autofill=True, cli_name='disabled', default=False, label=Gettext('Include all disabled IPA rules into test', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed')
+output: Output('matched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), Gettext('Matched rules', domain='ipa', localedir=None))
+output: Output('notmatched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), Gettext('Not matched rules', domain='ipa', localedir=None))
+output: Output('error', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), Gettext('Non-existent or invalid rules', domain='ipa', localedir=None))
+output: Output('value', <type 'bool'>, Gettext('Result of simulation', domain='ipa', localedir=None))
 command: host_add
 args: 1,14,3
 arg: Str('fqdn', validate_host, attribute=True, cli_name='hostname', label=Gettext('Host name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, required=True)