summaryrefslogtreecommitdiffstats
path: root/install
diff options
context:
space:
mode:
authorEndi S. Dewata <edewata@redhat.com>2011-10-24 18:18:10 -0500
committerEndi S. Dewata <edewata@redhat.com>2011-10-26 12:53:28 +0000
commitf168afbeb6e88e6ba66d7472529c35ed78dc6bc0 (patch)
treeebadbb98c5c688c9c7bb00f81598868fb7678057 /install
parent0450934e366c37d01fe84a2c23ed196bf8dd6f89 (diff)
downloadfreeipa-f168afbeb6e88e6ba66d7472529c35ed78dc6bc0.tar.gz
freeipa-f168afbeb6e88e6ba66d7472529c35ed78dc6bc0.tar.xz
freeipa-f168afbeb6e88e6ba66d7472529c35ed78dc6bc0.zip
Removed HBAC deny rule warning.
The HBAC deny rule is no longer supported so it's no longer necessary to show the warning. Ticket #1444
Diffstat (limited to 'install')
-rw-r--r--install/html/Makefile.am1
-rw-r--r--install/html/hbac-deny-remove.html83
-rw-r--r--install/ui/hbac.js44
-rw-r--r--install/ui/ipa.css5
-rw-r--r--install/ui/ipa.js9
-rwxr-xr-xinstall/ui/test/bin/update_ipa_init.sh27
-rw-r--r--install/ui/test/data/hbacrule_find.json40
-rw-r--r--install/ui/test/data/hbacrule_show.json2
-rw-r--r--install/ui/test/data/ipa_init.json11
-rw-r--r--install/ui/webui.js6
10 files changed, 29 insertions, 199 deletions
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index c310be6d2..46e8683c8 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,7 +5,6 @@ app_DATA = \
ssbrowser.html \
browserconfig.html \
unauthorized.html \
- hbac-deny-remove.html \
ipa_error.css \
$(NULL)
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
deleted file mode 100644
index 7debfea76..000000000
--- a/install/html/hbac-deny-remove.html
+++ /dev/null
@@ -1,83 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
- <title>IPA: Identity Policy Audit</title>
-
- <script type="text/javascript" src="../ui/jquery.js"></script>
-
- <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
- <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
- <link rel="stylesheet" type="text/css" href="ipa_error.css" />
-
-
-</head>
-
-<body class="info-page">
-
- <div class="container_1">
- <div class="header-logo">
- <img src="../ui/ipalogo.png" /><img src="../ui/ipabanner.png" />
- </div>
- <div class="textblockkrb">
- <h1>Removal of HBAC Deny Rules.</h1>
- <p>FreeIPA has dropped support for DENY rules from the HBAC
- specification. </p>
- <p>The former design of HBAC specifies that<p>
- <ol>
- <li> If no ALLOW rules match, access is denied</li>
- <li> If one or more ALLOW rules match and no DENY rules match,
- access is allowed</li>
- <li>If one or more DENY rules match, access is denied</li>
- </ol>
- <p>Thus, DENY rules exist only to provide exceptions from the ALLOW
- rules. There exists no ALLOW+DENY combination that cannot be
- constructed from ALLOW rules only.[1]</P>
-
- <p>DENY rules introduce a lot of edge-cases for evaluation. The most
- important of which is the availability of the group membership for
- the user logging in. Depending on the mechanism used to log in (for
- example, GSSAPI over SSH or cross-realm Kerberos trust where the
- user is provided by the PAC), SSSD's cache may not have a complete
- list of groups for this user. If the login is occurring during
- offline mode (where SSSD cannot contact the LDAP server to refresh
- the user's groups), SSSD cannot determine whether DENY rules would
- match for the user. This therefore translates into a potential
- security issue.</p>
-
- <p>We implemented a workaround in the SSSD evaluator to resolve this by
- guaranteeing that we do a full lookup of all groups referenced by
- rules while we are retrieving the rules from FreeIPA. However, this
- requires at least one additional lookup against the LDAP server
- (possibly many if there is need to resolve nestings). This results
- in a significantly slower login while online.</p>
-
- <p>We also have issues related to source host evaluation. Some
- applications will provide an IP address instead of a hostname in the
- pam_rhost attribute. Our only recourse here is to perform a
- reverse-DNS lookup to try and identify the real hostname(s) of the
- server. However, in many real-world environments, reverse DNS is
- unavailable or misconfigured. In the case of ALLOW rules, this would
- lead to a match failure and an implicit denial. However, a failure
- to properly match a DENY rule can result in unexpected access being
- granted. This is a potentially serious security issue.</p>
-
- <p>Given these edge cases (and performance issues of the noted
- workaround), The FreeIPA team decided to drop DENY rules from the
- HBAC specification and limit HBAC only to ALLOW rules (which are
- much safer). Beyond the obvious advantages for our implementation,
- this should make it less complex for users to write their rules.</p>
-
- <p>[1] Some rules are complex to simulate, such as "Allow access from
- all PAM services EXCEPT telnet". But a safer and clearer
- implementation approach does all access via whitelist. If a FreeIPA
- implementation is using an exception rule, the administrators
- should re-evaluate the justification.
- </p>
- </div>
-
- </div>
-
-</body>
-
-</html>
diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index fb57dd158..e05e43f6b 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -554,47 +554,3 @@ IPA.hbacrule_details_facet = function(spec) {
return that;
};
-
-
-IPA.hbac_deny_warning_dialog = function(container) {
- var dialog = IPA.dialog({
- 'title': 'HBAC Deny Rules found'
- });
-
- var link_path = "config";
- if (IPA.use_static_files){
- link_path = "html";
- }
-
- dialog.create = function() {
- dialog.container.append(
- "HBAC rules with type deny have been found."+
- " These rules have been deprecated." +
- " Please remove them, and restructure the HBAC rules." );
- $('<p/>').append($('<a/>',{
- text: 'Click here for more information',
- href: '../' +link_path +'/hbac-deny-remove.html',
- target: "_blank",
- style: 'target: tab; color: blue; '
- })).appendTo(dialog.container);
- };
-
- dialog.create_button({
- name: 'edit',
- label: 'Edit HBAC Rules',
- click: function() {
- dialog.close();
- IPA.nav.show_page('hbacrule', 'search');
- }
- });
-
- dialog.create_button({
- name: 'ignore',
- label: 'Ignore for now',
- click: function() {
- dialog.close();
- }
- });
-
- dialog.open();
-};
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 0652b375a..86d3b9db5 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -696,11 +696,6 @@ span.main-nav-off > a:visited {
padding-left: 0.5em;
}
-.hbac-deny-rule {
- color: red;
-}
-
-
.search-table tfoot td {
padding: 0.5em 0 0 1em;
border-top: 1px solid #dfdfdf;
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 381f128c2..15088f61a 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -169,15 +169,6 @@ var IPA = ( function () {
}
}));
- batch.add_command(IPA.command({
- entity: 'hbacrule',
- method: 'find',
- options:{"accessruletype":"deny"},
- on_success: function(data, text_status, xhr) {
- that.hbac_deny_rules = data;
- }
- }));
-
batch.execute();
};
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 2fc9c2170..26cbc9679 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -15,7 +15,30 @@ then
exit 1
fi
-
+json="{
+ \"method\": \"batch\",
+ \"params\": [
+ [
+ {
+ \"method\": \"i18n_messages\",
+ \"params\": [[], {}]
+ },
+ {
+ \"method\": \"user_find\",
+ \"params\":[[], { \"whoami\": true, \"all\": true }]
+ },
+ {
+ \"method\": \"env\",
+ \"params\": [[], {}]
+ },
+ {
+ \"method\": \"dns_is_enabled\",
+ \"params\": [[], {}]
+ }
+ ],
+ {}
+ ]
+}"
curl -v\
-H "Content-Type: application/json"\
@@ -24,6 +47,6 @@ curl -v\
--delegation always\
-u :\
--cacert /etc/ipa/ca.crt\
- -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'\
+ -d "$json"\
-X POST\
https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index 3801a7d44..1775119c8 100644
--- a/install/ui/test/data/hbacrule_find.json
+++ b/install/ui/test/data/hbacrule_find.json
@@ -2,7 +2,7 @@
"error": null,
"id": null,
"result": {
- "count": 4,
+ "count": 1,
"result": [
{
"accessruletype": [
@@ -30,45 +30,9 @@
"usercategory": [
"all"
]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny1"
- ],
- "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny2"
- ],
- "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
- },
- {
- "accessruletype": [
- "deny"
- ],
- "cn": [
- "deny3"
- ],
- "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
- "ipaenabledflag": [
- "TRUE"
- ]
}
],
- "summary": "4 HBAC rules matched",
+ "summary": "1 HBAC rule matched",
"truncated": false
}
}
diff --git a/install/ui/test/data/hbacrule_show.json b/install/ui/test/data/hbacrule_show.json
index 2c0b64b39..293ed0031 100644
--- a/install/ui/test/data/hbacrule_show.json
+++ b/install/ui/test/data/hbacrule_show.json
@@ -4,7 +4,7 @@
"result": {
"result": {
"accessruletype": [
- "deny"
+ "allow"
],
"accesstime": [
"periodic daily 0800-1400",
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 78b18ee11..dfd1fa68a 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -2,7 +2,7 @@
"error": null,
"id": null,
"result": {
- "count": 5,
+ "count": 4,
"results": [
{
"error": null,
@@ -204,11 +204,9 @@
},
"hbacrule": {
"active": "Active",
- "allow": "Allow",
"any_host": "Any Host",
"any_service": "Any Service",
"anyone": "Anyone",
- "deny": "Deny",
"host": "Accessing",
"inactive": "Inactive",
"ipaenabledflag": "Rule status",
@@ -533,13 +531,6 @@
"result": true,
"summary": null,
"value": ""
- },
- {
- "count": 0,
- "error": null,
- "result": [],
- "summary": "0 HBAC rules matched",
- "truncated": false
}
]
}
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 189cddda1..daa22b22a 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -167,12 +167,6 @@ $(function() {
IPA.nav.update();
$('#login_header').html(IPA.messages.login.header);
-
- if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){
- if (IPA.nav.name === 'admin'){
- IPA.hbac_deny_warning_dialog();
- }
- }
}