author | Adam Young <ayoung@redhat.com> | 2011-07-05 17:59:05 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2011-07-06 21:52:00 +0000 |
commit | e4a444ba8159f890daa124d1c546b977a91b9f32 (patch) | |
tree | 3a8110eaff3d2d695c4a0592f0f920b361a6a4c3 /install/ui | |
parent | aca908e1e4d08d52a95edca2013c510abe2d1788 (diff) | |
HBAC deny warning
shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red.
Only shows up for administrators, not for self-service users.
https://fedorahosted.org/freeipa/ticket/1421
Diffstat (limited to 'install/ui')
-rw-r--r-- | install/ui/hbac.js | 53 | ||||
-rw-r--r-- | install/ui/ipa.css | 5 | ||||
-rw-r--r-- | install/ui/ipa.js | 9 | ||||
-rwxr-xr-x | install/ui/test/bin/update_ipa_init.sh | 2 | ||||
-rw-r--r-- | install/ui/test/data/hbacrule_find.json | 58 | ||||
-rw-r--r-- | install/ui/test/data/ipa_init.json | 64 | ||||
-rw-r--r-- | install/ui/webui.js | 6 | ||||
-rw-r--r-- | install/ui/widget.js | 5 |
8 files changed, 171 insertions, 31 deletions
diff --git a/install/ui/hbac.js b/install/ui/hbac.js index c082056bb..dc85d572b 100644 --- a/install/ui/hbac.js +++ b/install/ui/hbac.js @@ -26,7 +26,21 @@ IPA.entity_factories.hbacrule = function () { return IPA.entity_builder(). entity('hbacrule'). search_facet({ - columns:['cn','usercategory','hostcategory','ipaenabledflag', + columns:['cn', + { + factory: IPA.column, + name:'accessruletype', + setup : function(container,record){ + container.empty(); + var value = record[this.name]; + value = value ? value.toString() : ''; + if (value === 'deny'){ + container.addClass('hbac-deny-rule'); + } + container.append(value); + } + }, + 'usercategory','hostcategory','ipaenabledflag', 'servicecategory','sourcehostcategory'] }). details_facet({ @@ -996,3 +1010,40 @@ IPA.hbacrule_accesstime_widget = function (spec) { return that; }; + +IPA.hbac_deny_warning_dialog = function (container) { + var dialog = IPA.dialog({ + 'title': 'HBAC Deny Rules found' + }); + + var link_path = "config"; + if (IPA.use_static_files){ + link_path = "html"; + } + + dialog.create = function() { + dialog.container.append( + "HBAC rules with type deny have been found."+ + " These rules have been deprecated." + + " Please remove them, and restructure the HBAC rules." ); + $('<p/>').append($('<a/>',{ + text: 'Click here for more information', + href: '../' +link_path +'/hbac-deny-remove.html', + target: "_blank", + style: 'target: tab; color: blue; ' + })).appendTo(dialog.container); + }; + + dialog.add_button('Edit HBAC Rules', function() { + dialog.close(); + IPA.nav.show_page('hbacrule', 'search'); + }); + + dialog.add_button('Ignore for now', function() { + dialog.close(); + }); + + dialog.init(); + + dialog.open(); +}; diff --git a/install/ui/ipa.css b/install/ui/ipa.css index 38b5a9118..c3215ef35 100644 --- a/install/ui/ipa.css +++ b/install/ui/ipa.css 
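Review bot: In the new `accessruletype` column, `container.append(value)` passes a server-supplied string to jQuery's `append`, which parses string arguments as HTML. The value is presumably limited to `allow`/`deny` by the server schema, but that constraint is not visible here, and this override is likely to be copied for other columns. Inserting it as text removes the dependency: `container.text(value);`. The override also reads `this.name` where the default renderer in widget.js reads `that.name`, so it works only if the caller invokes `setup` as a method of the column; that call site is outside this diff.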
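Review bot: `IPA.hbac_deny_warning_dialog` declares a `container` parameter that the body never reads, and the caller added in webui.js passes no argument, so the signature could simply be `IPA.hbac_deny_warning_dialog = function () {`. The title, body text, link text and both button labels are hard-coded English literals, while the surrounding UI reads its strings from `IPA.messages` (for example `IPA.messages.login.header` in webui.js), so this dialog will not be translated. In the link's inline style, `target: tab;` does not appear to be a property browsers honour; `style: 'color: blue;'` with the existing `target: "_blank"` attribute gives the same result.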
@@ -645,6 +645,11 @@ div.tabs { padding-left: 0.5em; } +.hbac-deny-rule { + color: red; +} + + .search-table tfoot td { padding: 0.5em 0 0 1em; border-top: 1px solid #dfdfdf; diff --git a/install/ui/ipa.js b/install/ui/ipa.js index 4f194739b..4b505235b 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -123,6 +123,15 @@ var IPA = ( function () { } })); + batch.add_command(IPA.command({ + entity: 'hbacrule', + method: 'find', + options:{"accessruletype":"deny"}, + on_success: function(data, text_status, xhr) { + that.hbac_deny_rules = data; + } + })); + batch.execute(); }; diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh index 5cdeacaa4..23852a269 100755 --- a/install/ui/test/bin/update_ipa_init.sh +++ b/install/ui/test/bin/update_ipa_init.sh @@ -17,4 +17,4 @@ fi -curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"i18n_messages","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, {"method":"env","params":[[],{}]}, {"method":"dns_is_enabled","params":[[],{}]} ],{}],"id":1}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE +curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json index fd95d9f57..3801a7d44 100644 --- a/install/ui/test/data/hbacrule_find.json 
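Review bot: The `hbacrule` `find` command is added to the init batch for every session, but the administrator check happens only later in webui.js, when deciding whether to open the dialog. A self-service user therefore still sends the query and has the response stored on `that.hbac_deny_rules`; what that response contains depends entirely on server-side access control, which should be confirmed rather than relying on the UI check. The added command has no error callback, so a denied or failed sub-request leaves `hbac_deny_rules` undefined and the warning is skipped silently. A comment such as `// consumed in webui.js to warn admins about deprecated deny rules; the server ACIs decide what non-admins get back` would record the intent. The enclosing init function starts and ends outside this hunk.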
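Review bot: The rewritten curl line in update_ipa_init.sh still sends the misspelled header `Accept:applicaton/json`, so the request does not actually advertise the intended media type; it should read `-H "Accept:application/json"`. The new payload also drops the `"id":1` member that the old one carried, which matches the `"id": null` now seen in the regenerated fixtures; if that is intentional, a one-line comment would say so. `$INIT_FILE` and the backticked `hostname` are unquoted, so `> "$INIT_FILE"` and `"https://$(hostname)/ipa/json"` would be safer.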
+++ b/install/ui/test/data/hbacrule_find.json @@ -1,54 +1,74 @@ { - "error": null, - "id": 0, + "error": null, + "id": null, "result": { - "count": 2, + "count": 4, "result": [ { "accessruletype": [ "allow" - ], + ], "cn": [ "allow_all" - ], + ], "description": [ "Allow all users to access any host from any host" - ], - "dn": "ipauniqueid=b7567b5a-e39311df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com", + ], + "dn": "ipauniqueid=ca842a42-a445-11e0-87ff-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "hostcategory": [ "all" - ], + ], "ipaenabledflag": [ "TRUE" - ], + ], "servicecategory": [ "all" - ], + ], "sourcehostcategory": [ "all" - ], + ], "usercategory": [ "all" ] }, { "accessruletype": [ - "allow" + "deny" + ], + "cn": [ + "deny1" ], - "accesstime": [ - "periodic daily 0800-1400", - "absolute 201012161032 ~ 201012161033" + "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + }, + { + "accessruletype": [ + "deny" + ], + "cn": [ + "deny2" + ], + "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + }, + { + "accessruletype": [ + "deny" ], "cn": [ - "test" + "deny3" ], - "dn": "ipauniqueid=3b6d2a82-e3b511df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com", + "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "ipaenabledflag": [ "TRUE" ] } - ], - "summary": null, + ], + "summary": "4 HBAC rules matched", "truncated": false } } diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 5b4dadfca..a67002105 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json 
@@ -1,8 +1,8 @@ { "error": null, - "id": 1, + "id": null, "result": { - "count": 5, + "count": 6, "results": [ { "error": null, @@ -8266,7 +8266,8 @@ "ipausersearchfields", "ipagroupsearchfields", "ipamigrationenabled", - "ipacertificatesubjectbase" + "ipacertificatesubjectbase", + "ipapwdexpadvnotify" ], "hidden_attributes": [ "objectclass", @@ -12117,7 +12118,7 @@ "aciattrs": [], "attribute_members": {}, "bindable": false, - "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos", + "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos", "default_attributes": [ "krbmaxticketlife", "krbmaxrenewableage" @@ -12962,7 +12963,7 @@ ], "attribute_members": {}, "bindable": false, - "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos", + "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos", "default_attributes": [ "cn", "cospriority", @@ -15887,17 +15888,17 @@ ], "krbextradata": [ { - "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A" + "__base64__": "AAgBAA==" }, { - "__base64__": "AAgBAA==" + "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A" } ], "krblastpwdchange": [ "20110702005726Z" ], "krblastsuccessfulauth": [ - "20110705172822Z" + "20110705180548Z" ], "krbpasswordexpiration": [ "20110930005726Z" 
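Review bot: The regenerated ipa_init.json fixture carries values captured from a developer's live server rather than neutral sample data. The two `container_dn` hunks on this line now read `cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos`, and this last hunk only reorders the `krbextradata` blobs and bumps `krblastsuccessfulauth`. hbacrule_find.json in the same commit likewise replaces the `dc=dev,dc=example,dc=com` suffix with the developer host's suffix. Because update_ipa_init.sh writes the curl output straight to the file, each regeneration commits environment identifiers and Kerberos operational attributes of the calling account and produces noisy diffs like this one. A sanitising step after the capture, which rewrites the realm and suffix to example values and strips the `krb*` operational attributes, would keep that metadata out of the repository and make the fixtures stable.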
@@ -16017,6 +16018,53 @@ "result": true, "summary": null, "value": "" + }, + { + "count": 3, + "error": null, + "result": [ + { + "accessruletype": [ + "deny" + ], + "cn": [ + "deny1" + ], + "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ], + "memberuser_user": [ + "abrown" + ] + }, + { + "accessruletype": [ + "deny" + ], + "cn": [ + "deny2" + ], + "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + }, + { + "accessruletype": [ + "deny" + ], + "cn": [ + "deny3" + ], + "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + } + ], + "summary": "3 HBAC rules matched", + "truncated": false } ] } diff --git a/install/ui/webui.js b/install/ui/webui.js index 2c4451489..01d060fcf 100644 --- a/install/ui/webui.js +++ b/install/ui/webui.js @@ -158,6 +158,12 @@ $(function() { IPA.nav.update(); $('#login_header').html(IPA.messages.login.header); + + if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){ + if (IPA.nav.name === 'admin'){ + IPA.hbac_deny_warning_dialog(); + } + } } diff --git a/install/ui/widget.js b/install/ui/widget.js index cd3a5c60e..9142a26a9 100644 --- a/install/ui/widget.js +++ b/install/ui/widget.js @@ -1156,7 +1156,7 @@ IPA.column = function (spec) { } }; - that.setup = function(container, record) { + function setup(container, record) { container.empty(); var value = record[that.name]; @@ -1177,8 +1177,9 @@ IPA.column = function (spec) { } else { container.append(value); } + } - }; + that.setup = spec.setup || setup; that.link_handler = function(value) { return false; |
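Review bot: `that.setup = spec.setup || setup;` in widget.js lets any entity spec replace the cell renderer wholesale, and nothing documents what a replacement must do. The default `setup` closes over `that`, whereas an override has to find the column some other way, and the default's final branch still inserts the record value with `container.append(value)`, which jQuery treats as HTML. A comment above the assignment would help, for example `// spec.setup(container, record): optional replacement renderer; it must empty the cell and insert the value as text, not markup`. IPA.column begins and ends outside these hunks, so how `setup` is invoked cannot be confirmed from here.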