authorJr Aquino <jr.aquino@citrixonline.com>2010-09-27 13:51:28 -0700
committerRob Crittenden <rcritten@redhat.com>2010-09-27 22:38:06 -0400
commitaf48654cbcd6c0bdb3c5c6f5b35a4e69fbde77b5 (patch)
tree27f82d74a23346d38017c0de773220778aede8b2 /ipalib/plugins
parentc187702bfe2c2dbc9614175db5cfa060936159bf (diff)
Add plugins for Sudo Commands, Command Groups and Rules
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/sudocmd.py137
-rw-r--r--ipalib/plugins/sudocmdgroup.py157
-rw-r--r--ipalib/plugins/sudorule.py199
3 files changed, 493 insertions, 0 deletions
diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
new file mode 100644
index 000000000..a7ccd325d
--- /dev/null
+++ b/ipalib/plugins/sudocmd.py
@@ -0,0 +1,137 @@
+# Authors:
+# Jr Aquino <jr.aquino@citrixonline.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new commnad
+ ipa sudocmd-add --description='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+
+"""
+
+import platform
+import os
+import sys
+
+from ipalib import api, errors, util
+from ipalib import Str
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+
+
+class sudocmd(LDAPObject):
+ """
+ Sudo Command object.
+ """
+ container_dn = api.env.container_sudocmd
+ object_name = 'sudocmd'
+ object_name_plural = 'sudocmds'
+ object_class = ['ipaobject', 'ipasudocmd']
+ # object_class_config = 'ipahostobjectclasses'
+ search_attributes = [
+ 'cn', 'description',
+ ]
+ default_attributes = [
+ 'cn', 'description',
+ ]
+ uuid_attribute = 'ipauniqueid'
+ label = _('SudoCmds')
+
+ takes_params = (
+ Str('cn',
+ cli_name='command',
+ label=_('Sudo Command'),
+ primary_key=True,
+ #normalizer=lambda value: value.lower(),
+ ),
+ Str('description?',
+ cli_name='desc',
+ label=_('Description'),
+ doc=_('A description of this command'),
+ ),
+ )
+
+ def get_dn(self, *keys, **options):
+ if keys[-1].endswith('.'):
+ keys[-1] = keys[-1][:-1]
+ dn = super(sudocmd, self).get_dn(*keys, **options)
+ try:
+ self.backend.get_entry(dn, [''])
+ except errors.NotFound:
+ try:
+ (dn, entry_attrs) = self.backend.find_entry_by_attr(
+ 'cn', keys[-1], self.object_class, [''],
+ self.container_dn
+ )
+ except errors.NotFound:
+ pass
+ return dn
+
+api.register(sudocmd)
+
+class sudocmd_add(LDAPCreate):
+ """
+ Create new sudo command.
+ """
+
+ msg_summary = _('Added sudo command "%(value)s"')
+
+api.register(sudocmd_add)
+
+class sudocmd_del(LDAPDelete):
+ """
+ Delete sudo command.
+ """
+
+ msg_summary = _('Deleted sudo command "%(value)s"')
+
+api.register(sudocmd_del)
+
+class sudocmd_mod(LDAPUpdate):
+ """
+ Modify command.
+ """
+
+ msg_summary = _('Modified sudo command "%(value)s"')
+
+api.register(sudocmd_mod)
+
+class sudocmd_find(LDAPSearch):
+ """
+ Search for commands.
+ """
+
+ msg_summary = ngettext(
+ '%(count)d sudo command matched', '%(count)d sudo command matched'
+ )
+
+api.register(sudocmd_find)
+
+class sudocmd_show(LDAPRetrieve):
+ """
+ Display sudo command.
+ """
+
+api.register(sudocmd_show)
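Review bot: In `sudocmd.get_dn`, `keys` is the tuple collected by `*keys`, so `keys[-1] = keys[-1][:-1]` raises TypeError for any command name that ends in '.' instead of resolving it. Trailing-dot stripping also looks carried over from a hostname-keyed plugin and has no obvious meaning for a command path, so I would drop those two lines; if it is wanted, rebuild the tuple with `keys = keys[:-1] + (keys[-1][:-1],)`. Separately, `sudocmd_find.msg_summary` passes the same string for singular and plural and omits the count argument that `sudocmdgroup_find` supplies; `'%(count)d sudo commands matched', 0` would match that file. The imports `platform`, `os`, `sys` and `util` are unused in the visible code.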
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
new file mode 100644
index 000000000..75b3efbdb
--- /dev/null
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -0,0 +1,157 @@
+# Authors:
+# Jr Aquino <jr.aquino@citrixonline.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Groups of sudo commands
+
+Manage groups of sudo commands.
+Every group must have a description.
+
+EXAMPLES:
+
+ Add a new sudo command group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a sudo command group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage sudo command group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds
+
+ Manage sudo command group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a sudo command group:
+ ipa group-show localadmins
+"""
+
+from ipalib import api
+from ipalib import Str
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+
+
+class sudocmdgroup(LDAPObject):
+ """
+ Sudo Group object.
+ """
+ container_dn = api.env.container_sudocmdgroup
+ object_name = 'sudocmdgroup'
+ object_name_plural = 'sudocmdgroups'
+ object_class = ['ipaobject', 'ipasudocmdgrp']
+ default_attributes = [
+ 'cn', 'description', 'member', 'memberof'
+ ]
+ uuid_attribute = 'ipauniqueid'
+ attribute_members = {
+ 'member': ['sudocmd', 'sudocmdgroup'],
+ 'memberof': ['sudocmdgroup'],
+ }
+
+ label = _('Sudo Command Groups')
+
+ takes_params = (
+ Str('cn',
+ cli_name='name',
+ label=_('Sudo Command Group name'),
+ primary_key=True,
+ normalizer=lambda value: value.lower(),
+ ),
+ Str('description',
+ cli_name='desc',
+ label=_('Description'),
+ doc=_('Group description'),
+ ),
+ Str('membercmd_sudocmd?',
+ label=_('Commands'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('membercmd_sudocmdgroup?',
+ label=_('Sudo Command Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ )
+
+api.register(sudocmdgroup)
+
+
+class sudocmdgroup_add(LDAPCreate):
+ """
+ Create new sudo command group.
+ """
+
+ msg_summary = _('Added sudo command group "%(value)s"')
+
+api.register(sudocmdgroup_add)
+
+
+class sudocmdgroup_del(LDAPDelete):
+ """
+ Delete sudo command group.
+ """
+
+ msg_summary = _('Deleted sudo command group "%(value)s"')
+
+api.register(sudocmdgroup_del)
+
+
+class sudocmdgroup_mod(LDAPUpdate):
+ """
+ Modify group.
+ """
+
+ msg_summary = _('Modified sudo command group "%(value)s"')
+
+api.register(sudocmdgroup_mod)
+
+
+class sudocmdgroup_find(LDAPSearch):
+ """
+ Search for sudo command groups.
+ """
+
+ msg_summary = ngettext(
+ '%(count)d sudo command group matched',
+ '%(count)d sudo command groups matched', 0
+ )
+
+api.register(sudocmdgroup_find)
+
+
+class sudocmdgroup_show(LDAPRetrieve):
+ """
+ Display sudo command group.
+ """
+
+api.register(sudocmdgroup_show)
+
+
+class sudocmdgroup_add_member(LDAPAddMember):
+ """
+ Add members to sudo command group.
+ """
+
+api.register(sudocmdgroup_add_member)
+
+
+class sudocmdgroup_remove_member(LDAPRemoveMember):
+ """
+ Remove members from sudo command group.
+ """
+
+api.register(sudocmdgroup_remove_member)
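Review bot: The display parameters `membercmd_sudocmd?` and `membercmd_sudocmdgroup?` in `takes_params` do not correspond to any key in `attribute_members`, which declares `member` and `memberof`. If the base classes name converted members `<attribute>_<object>` (not visible in this hunk, so confirm against baseldap), these labels never attach to the output; the names would need to be `member_sudocmd?` and `member_sudocmdgroup?`, with a `memberof_sudocmdgroup?` entry for the reverse link. The module docstring also shows `ipa group-remove-member` and `ipa group-show localadmins` for the last two examples; an administrator copying them would act on user groups rather than sudo command groups, so they should read `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`.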
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
new file mode 100644
index 000000000..3e7038605
--- /dev/null
+++ b/ipalib/plugins/sudorule.py
@@ -0,0 +1,199 @@
+# Authors:
+# Jr Aquino <jr.aquino@citrixonline.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+Sudo Rule
+"""
+
+from ipalib import api, errors
+from ipalib import Str, StrEnum
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+
+class sudorule(LDAPObject):
+ """
+ Sudo Rule.
+ """
+ container_dn = api.env.container_sudorule
+ object_name = 'Sudo Rule'
+ object_name_plural = 'Sudo Rules'
+ object_class = ['ipaassociation', 'ipasudorule']
+ default_attributes = [
+ 'cn', 'accessruletype', 'description',
+
+ ]
+ uuid_attribute = 'ipauniqueid'
+ attribute_members = {
+ 'memberuser': ['user', 'group'],
+ 'memberhost': ['host', 'hostgroup'],
+ 'membercmd': ['sudocmd', 'sudocmdgroup'],
+ }
+
+ label = _('SudoRule')
+
+ takes_params = (
+ Str('cn',
+ cli_name='name',
+ label=_('Rule name'),
+ primary_key=True,
+ ),
+ Str('description?',
+ cli_name='desc',
+ label=_('Description'),
+ ),
+ StrEnum('accessruletype',
+ cli_name='type',
+ doc=_('Rule type (allow or deny)'),
+ label=_('Rule type'),
+ values=(u'allow', u'deny'),
+ ),
+ Str('memberuser_user?',
+ label=_('Users'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_host?',
+ label=_('Hosts'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_hostgroup?',
+ label=_('Host Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('membercmd_sudocmd?',
+ label=_('Sudo Commands'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('membercmd_sudocmdgroup?',
+ label=_('Sudo Command Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ )
+
+ def get_dn(self, *keys, **kwargs):
+ try:
+ (dn, entry_attrs) = self.backend.find_entry_by_attr(
+ self.primary_key.name, keys[-1], self.object_class, [''],
+ self.container_dn
+ )
+ except errors.NotFound:
+ dn = super(sudorule, self).get_dn(*keys, **kwargs)
+ return dn
+
+api.register(sudorule)
+
+
+class sudorule_add(LDAPCreate):
+ """
+ Create new Sudo Rule.
+ """
+
+ msg_summary = _('Added sudo rule "%(value)s"')
+
+api.register(sudorule_add)
+
+
+class sudorule_del(LDAPDelete):
+ """
+ Delete Sudo Rule.
+ """
+
+api.register(sudorule_del)
+
+
+class sudorule_mod(LDAPUpdate):
+ """
+ Modify Sudo Rule.
+ """
+
+api.register(sudorule_mod)
+
+
+class sudorule_find(LDAPSearch):
+ """
+ Search for Sudo Rule.
+ """
+
+api.register(sudorule_find)
+
+
+class sudorule_show(LDAPRetrieve):
+ """
+ Dispaly Sudo Rule.
+ """
+
+api.register(sudorule_show)
+
+
+class sudorule_add_command(LDAPAddMember):
+ """
+ Add commands and sudo command groups affected by Sudo Rule.
+ """
+ member_attributes = ['membercmd']
+ member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(sudorule_add_command)
+
+
+class sudorule_remove_command(LDAPRemoveMember):
+ """
+ Remove commands and sudo command groups affected by Sudo Rule.
+ """
+ member_attributes = ['membercmd']
+ member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(sudorule_remove_command)
+
+
+class sudorule_add_user(LDAPAddMember):
+ """
+ Add users and groups affected by Sudo Rule.
+ """
+ member_attributes = ['memberuser']
+ member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(sudorule_add_user)
+
+
+class sudorule_remove_user(LDAPRemoveMember):
+ """
+ Remove users and groups affected by Sudo Rule.
+ """
+ member_attributes = ['memberuser']
+ member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(sudorule_remove_user)
+
+
+class sudorule_add_host(LDAPAddMember):
+ """
+ Add hosts and hostgroups affected by Sudo Rule.
+ """
+ member_attributes = ['memberhost']
+ member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(sudorule_add_host)
+
+
+class sudorule_remove_host(LDAPRemoveMember):
+ """
+ Remove hosts and hostgroups affected by Sudo Rule.
+ """
+ member_attributes = ['memberhost']
+ member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(sudorule_remove_host)
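Review bot: `default_attributes` on `sudorule` lists only `cn`, `accessruletype` and `description`, while `sudocmdgroup` in the same commit includes its membership attributes; if default output is driven by this list, `sudorule-show` will print a rule without the users, hosts and commands it grants or denies, which is what someone auditing sudo policy needs to see. I would add them: `default_attributes = ['cn', 'accessruletype', 'description', 'memberuser', 'memberhost', 'membercmd']`. `attribute_members` also maps `memberuser` to `group`, but `takes_params` has no `Str('memberuser_group?', ...)` entry alongside `memberuser_user?`, so group members have no label. `sudorule_del`, `sudorule_mod` and `sudorule_find` define no `msg_summary`, unlike their counterparts in the other two files.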