authorAdam Young <ayoung@redhat.com>2011-07-05 17:59:05 -0400
committerEndi S. Dewata <edewata@redhat.com>2011-07-06 21:52:00 +0000
commite4a444ba8159f890daa124d1c546b977a91b9f32 (patch)
tree3a8110eaff3d2d695c4a0592f0f920b361a6a4c3 /install/ui
parentaca908e1e4d08d52a95edca2013c510abe2d1788 (diff)
HBAC deny warning
Shows a dialog if there are any HBAC deny rules. The dialog provides an option to navigate to the HBAC page. Deny rules have their rule type value shown in red. Only shows up for administrators, not for self-service users. https://fedorahosted.org/freeipa/ticket/1421
Diffstat (limited to 'install/ui')
-rw-r--r--install/ui/hbac.js53
-rw-r--r--install/ui/ipa.css5
-rw-r--r--install/ui/ipa.js9
-rwxr-xr-xinstall/ui/test/bin/update_ipa_init.sh2
-rw-r--r--install/ui/test/data/hbacrule_find.json58
-rw-r--r--install/ui/test/data/ipa_init.json64
-rw-r--r--install/ui/webui.js6
-rw-r--r--install/ui/widget.js5
8 files changed, 171 insertions, 31 deletions
diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index c082056bb..dc85d572b 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -26,7 +26,21 @@ IPA.entity_factories.hbacrule = function () {
return IPA.entity_builder().
entity('hbacrule').
search_facet({
- columns:['cn','usercategory','hostcategory','ipaenabledflag',
+ columns:['cn',
+ {
+ factory: IPA.column,
+ name:'accessruletype',
+ setup : function(container,record){
+ container.empty();
+ var value = record[this.name];
+ value = value ? value.toString() : '';
+ if (value === 'deny'){
+ container.addClass('hbac-deny-rule');
+ }
+ container.append(value);
+ }
+ },
+ 'usercategory','hostcategory','ipaenabledflag',
'servicecategory','sourcehostcategory']
}).
details_facet({
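Review bot: In the new `accessruletype` column's `setup`, `container.append(value)` hands the record value to jQuery as markup, so a value containing HTML would be parsed rather than displayed; `container.text(value);` renders it as plain text. Whether the server restricts this attribute to `allow`/`deny` is not visible here, so treating it as text is the safer default. The `hbac-deny-rule` class is also only ever added: the `container.empty()` call suggests cells may be reused, in which case a cell that once showed a deny rule would stay red, and `container.toggleClass('hbac-deny-rule', value === 'deny');` keeps the class in step with the value. The enclosing `IPA.entity_factories.hbacrule` function starts and ends outside this hunk.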
@@ -996,3 +1010,40 @@ IPA.hbacrule_accesstime_widget = function (spec) {
return that;
};
+
+IPA.hbac_deny_warning_dialog = function (container) {
+ var dialog = IPA.dialog({
+ 'title': 'HBAC Deny Rules found'
+ });
+
+ var link_path = "config";
+ if (IPA.use_static_files){
+ link_path = "html";
+ }
+
+ dialog.create = function() {
+ dialog.container.append(
+ "HBAC rules with type deny have been found."+
+ " These rules have been deprecated." +
+ " Please remove them, and restructure the HBAC rules." );
+ $('<p/>').append($('<a/>',{
+ text: 'Click here for more information',
+ href: '../' +link_path +'/hbac-deny-remove.html',
+ target: "_blank",
+ style: 'target: tab; color: blue; '
+ })).appendTo(dialog.container);
+ };
+
+ dialog.add_button('Edit HBAC Rules', function() {
+ dialog.close();
+ IPA.nav.show_page('hbacrule', 'search');
+ });
+
+ dialog.add_button('Ignore for now', function() {
+ dialog.close();
+ });
+
+ dialog.init();
+
+ dialog.open();
+};
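Review bot: `IPA.hbac_deny_warning_dialog` declares a `container` parameter that it never reads, and the call added in webui.js passes no argument, so the parameter can be dropped: `IPA.hbac_deny_warning_dialog = function () {`. The title, body text and button labels are hard-coded English, while webui.js takes its text from `IPA.messages`, so this warning will not be translated. In the link attributes, `target: tab` inside `style` is not a CSS property and can be removed; alongside `target: "_blank"`, adding `rel: 'noopener noreferrer'` is cheap hardening even though the href is a relative path.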
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 38b5a9118..c3215ef35 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -645,6 +645,11 @@ div.tabs {
padding-left: 0.5em;
}
+.hbac-deny-rule {
+ color: red;
+}
+
+
.search-table tfoot td {
padding: 0.5em 0 0 1em;
border-top: 1px solid #dfdfdf;
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 4f194739b..4b505235b 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -123,6 +123,15 @@ var IPA = ( function () {
}
}));
+ batch.add_command(IPA.command({
+ entity: 'hbacrule',
+ method: 'find',
+ options:{"accessruletype":"deny"},
+ on_success: function(data, text_status, xhr) {
+ that.hbac_deny_rules = data;
+ }
+ }));
+
batch.execute();
};
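Review bot: The new `hbacrule` `find` command sets only `on_success`, so if the lookup fails `that.hbac_deny_rules` stays undefined and the check in webui.js silently skips the warning, which means a security advisory fails open. If `IPA.command` does not already report errors by default (not visible in this hunk), add an `on_error` handler that at least logs the failure. A short comment such as `// look for deprecated HBAC deny rules so the admin UI can warn about them` would explain why an entity query sits in the init batch. The enclosing function starts outside the hunk.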
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 5cdeacaa4..23852a269 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -17,4 +17,4 @@ fi
-curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"i18n_messages","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, {"method":"env","params":[[],{}]}, {"method":"dns_is_enabled","params":[[],{}]} ],{}],"id":1}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
+curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
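Review bot: The rewritten `curl` line still sends `Accept:applicaton/json` (misspelled), so the request does not actually ask for JSON; it should read `-H "Accept:application/json"`. `$INIT_FILE` and the backtick `hostname` substitution are unquoted, so a path or host name with unusual characters would break the redirect or the URL; `"https://$(hostname)/ipa/json"` and `> "$INIT_FILE"` avoid that. The rest of the script is outside this hunk.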
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index fd95d9f57..3801a7d44 100644
--- a/install/ui/test/data/hbacrule_find.json
+++ b/install/ui/test/data/hbacrule_find.json
@@ -1,54 +1,74 @@
{
- "error": null,
- "id": 0,
+ "error": null,
+ "id": null,
"result": {
- "count": 2,
+ "count": 4,
"result": [
{
"accessruletype": [
"allow"
- ],
+ ],
"cn": [
"allow_all"
- ],
+ ],
"description": [
"Allow all users to access any host from any host"
- ],
- "dn": "ipauniqueid=b7567b5a-e39311df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com",
+ ],
+ "dn": "ipauniqueid=ca842a42-a445-11e0-87ff-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"hostcategory": [
"all"
- ],
+ ],
"ipaenabledflag": [
"TRUE"
- ],
+ ],
"servicecategory": [
"all"
- ],
+ ],
"sourcehostcategory": [
"all"
- ],
+ ],
"usercategory": [
"all"
]
},
{
"accessruletype": [
- "allow"
+ "deny"
+ ],
+ "cn": [
+ "deny1"
],
- "accesstime": [
- "periodic daily 0800-1400",
- "absolute 201012161032 ~ 201012161033"
+ "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny2"
+ ],
+ "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
],
"cn": [
- "test"
+ "deny3"
],
- "dn": "ipauniqueid=3b6d2a82-e3b511df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com",
+ "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"ipaenabledflag": [
"TRUE"
]
}
- ],
- "summary": null,
+ ],
+ "summary": "4 HBAC rules matched",
"truncated": false
}
}
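Review bot: The regenerated fixture replaces the placeholder suffix `dc=dev,dc=example,dc=com` with DNs captured from a live development server (`dc=server15,dc=ayoung,...`), which puts internal host naming into the repository. The same applies to the `container_dn` values and the new HBAC entries in ipa_init.json. Rewriting the captured output back to an example.com suffix before committing keeps the test data free of environment details.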
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 5b4dadfca..a67002105 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -1,8 +1,8 @@
{
"error": null,
- "id": 1,
+ "id": null,
"result": {
- "count": 5,
+ "count": 6,
"results": [
{
"error": null,
@@ -8266,7 +8266,8 @@
"ipausersearchfields",
"ipagroupsearchfields",
"ipamigrationenabled",
- "ipacertificatesubjectbase"
+ "ipacertificatesubjectbase",
+ "ipapwdexpadvnotify"
],
"hidden_attributes": [
"objectclass",
@@ -12117,7 +12118,7 @@
"aciattrs": [],
"attribute_members": {},
"bindable": false,
- "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos",
+ "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos",
"default_attributes": [
"krbmaxticketlife",
"krbmaxrenewableage"
@@ -12962,7 +12963,7 @@
],
"attribute_members": {},
"bindable": false,
- "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos",
+ "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos",
"default_attributes": [
"cn",
"cospriority",
@@ -15887,17 +15888,17 @@
],
"krbextradata": [
{
- "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A"
+ "__base64__": "AAgBAA=="
},
{
- "__base64__": "AAgBAA=="
+ "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A"
}
],
"krblastpwdchange": [
"20110702005726Z"
],
"krblastsuccessfulauth": [
- "20110705172822Z"
+ "20110705180548Z"
],
"krbpasswordexpiration": [
"20110930005726Z"
@@ -16017,6 +16018,53 @@
"result": true,
"summary": null,
"value": ""
+ },
+ {
+ "count": 3,
+ "error": null,
+ "result": [
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny1"
+ ],
+ "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ],
+ "memberuser_user": [
+ "abrown"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny2"
+ ],
+ "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny3"
+ ],
+ "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ }
+ ],
+ "summary": "3 HBAC rules matched",
+ "truncated": false
}
]
}
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 2c4451489..01d060fcf 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -158,6 +158,12 @@ $(function() {
IPA.nav.update();
$('#login_header').html(IPA.messages.login.header);
+
+ if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){
+ if (IPA.nav.name === 'admin'){
+ IPA.hbac_deny_warning_dialog();
+ }
+ }
}
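Review bot: The `IPA.nav.name === 'admin'` test only decides whether the dialog is shown; the deny-rule lookup added to the init batch in ipa.js still runs for every user, so what a self-service user receives depends entirely on the server's permissions for `hbacrule_find`, which this diff does not show. A comment stating that would help: `// UI hint only: the server decides who may read HBAC rules`. The two nested `if`s can be one condition, `if (IPA.nav.name === 'admin' && IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0) {`. The enclosing callback starts outside the hunk.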
diff --git a/install/ui/widget.js b/install/ui/widget.js
index cd3a5c60e..9142a26a9 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1156,7 +1156,7 @@ IPA.column = function (spec) {
}
};
- that.setup = function(container, record) {
+ function setup(container, record) {
container.empty();
var value = record[that.name];
@@ -1177,8 +1177,9 @@ IPA.column = function (spec) {
} else {
container.append(value);
}
+ }
- };
+ that.setup = spec.setup || setup;
that.link_handler = function(value) {
return false;
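Review bot: `that.setup = spec.setup || setup;` accepts any truthy `spec.setup` and lets it replace the default renderer completely, so each override has to clear the container and decide for itself how the value is inserted. The contract is undocumented; a comment above the assignment such as `// spec.setup(container, record) replaces the default renderer; it is called as a method of the column and must treat record values as untrusted text` would make it explicit. A `typeof spec.setup === 'function'` check would reject a mis-typed spec early. The default `setup` body lies between this hunk and the previous one and is not fully visible.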