diff options
author | Endi S. Dewata <edewata@redhat.com> | 2014-10-17 12:05:34 -0400 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-07-08 06:30:23 +0000 |
commit | bf6df3df9b388753a52a0040d9c15b1eabce41ca (patch) | |
tree | 9fa7083c38dc5b0a80ffda26cbb36c7463a18163 /ipalib | |
parent | 5017726ebaf6eea3dedb1325efe00c0d6c4b6187 (diff) | |
download | freeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.tar.gz freeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.tar.xz freeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.zip |
Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/vault.py | 118 |
1 files changed, 112 insertions, 6 deletions
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 9fcd619d1..37a32282e 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -42,7 +42,8 @@ from ipalib import output from ipalib.crud import PKQuery, Retrieve, Update from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\ + pkey_to_value from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext @@ -195,6 +196,18 @@ EXAMPLES: """) + _(""" Retrieve data from asymmetric vault: ipa vault-retrieve <name> --out data.bin --private-key-file private.pem +""") + _(""" + Add a vault owner: + ipa vault-add-owner <name> --users <usernames> +""") + _(""" + Delete a vault owner: + ipa vault-remove-owner <name> --users <usernames> +""") + _(""" + Add a vault member: + ipa vault-add-member <name> --users <usernames> +""") + _(""" + Delete a vault member: + ipa vault-remove-member <name> --users <usernames> """) register = Registry() @@ -210,7 +223,8 @@ vault_options = ( doc=_('Shared vault'), ), Str( - 'user?', + 'username?', + cli_name='user', doc=_('Username of the user vault'), ), ) @@ -234,12 +248,18 @@ class vault(LDAPObject): 'ipavaulttype', 'ipavaultsalt', 'ipavaultpublickey', + 'owner', + 'member', ] search_display_attributes = [ 'cn', 'description', 'ipavaulttype', ] + attribute_members = { + 'owner': ['user', 'group'], + 'member': ['user', 'group'], + } label = _('Vaults') label_singular = _('Vault') @@ -282,6 +302,16 @@ class vault(LDAPObject): doc=_('Vault public key'), flags=['no_search'], ), + Str( + 'owner_user?', + label=_('Owner users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str( + 'owner_group?', + label=_('Owner groups'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -291,7 +321,7 @@ class vault(LDAPObject): service = options.get('service') shared = options.get('shared') - user = options.get('user') + user = options.get('username') count = 0 if service: @@ -337,7 +367,7 @@ class vault(LDAPObject): return DN(rdns, parent_dn) - def create_container(self, dn): + def create_container(self, dn, owner_dn): """ Creates vault container and its parents. """ @@ -354,8 +384,9 @@ class vault(LDAPObject): entry = self.backend.make_entry( dn, { - 'objectclass': ['nsContainer'], + 'objectclass': ['ipaVaultContainer'], 'cn': rdn['cn'], + 'owner': [owner_dn], }) # if entry can be added, return @@ -631,12 +662,21 @@ class vault_add_internal(LDAPCreate): raise errors.InvocationError( format=_('KRA service is not enabled')) + principal = getattr(context, 'principal') + (name, realm) = split_principal(principal) + if '/' in name: + owner_dn = self.api.Object.service.get_dn(name) + else: + owner_dn = self.api.Object.user.get_dn(name) + try: parent_dn = DN(*dn[1:]) - self.obj.create_container(parent_dn) + self.obj.create_container(parent_dn, owner_dn) except errors.DuplicateEntry, e: pass + entry_attrs['owner'] = owner_dn + return dn @@ -687,6 +727,8 @@ class vault_find(LDAPSearch): takes_options = LDAPSearch.takes_options + vault_options + has_output_params = LDAPSearch.has_output_params + msg_summary = ngettext( '%(count)d vault matched', '%(count)d vaults matched', @@ -742,6 +784,8 @@ class vault_show(LDAPRetrieve): takes_options = LDAPRetrieve.takes_options + vault_options + has_output_params = LDAPRetrieve.has_output_params + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): assert isinstance(dn, DN) @@ -1329,6 +1373,68 @@ class vault_retrieve_internal(PKQuery): @register() +class vault_add_owner(LDAPAddMember): + __doc__ = _('Add owners to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner added.', '%i owners added.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be added'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners added'), + ), + ) + + +@register() +class vault_remove_owner(LDAPRemoveMember): + __doc__ = _('Remove owners from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner removed.', '%i owners removed.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be removed'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners removed'), + ), + ) + + +@register() +class vault_add_member(LDAPAddMember): + __doc__ = _('Add members to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + +@register() +class vault_remove_member(LDAPRemoveMember): + __doc__ = _('Remove members from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + +@register() class kra_is_enabled(Command): NO_CLI = True |