authorEndi S. Dewata <edewata@redhat.com>2014-10-17 12:05:34 -0400
committerJan Cholasta <jcholast@redhat.com>2015-07-08 06:30:23 +0000
commitbf6df3df9b388753a52a0040d9c15b1eabce41ca (patch)
tree9fa7083c38dc5b0a80ffda26cbb36c7463a18163 /ipalib
parent5017726ebaf6eea3dedb1325efe00c0d6c4b6187 (diff)
downloadfreeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.tar.gz
freeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.tar.xz
freeipa-bf6df3df9b388753a52a0040d9c15b1eabce41ca.zip
Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the vaults and to allow members to access the vaults. New CLIs have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/vault.py118
1 files changed, 112 insertions, 6 deletions
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 9fcd619d1..37a32282e 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -42,7 +42,8 @@ from ipalib import output
from ipalib.crud import PKQuery, Retrieve, Update
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
- LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
+ LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
+ pkey_to_value
from ipalib.request import context
from ipalib.plugins.user import split_principal
from ipalib import _, ngettext
@@ -195,6 +196,18 @@ EXAMPLES:
""") + _("""
Retrieve data from asymmetric vault:
ipa vault-retrieve <name> --out data.bin --private-key-file private.pem
+""") + _("""
+ Add a vault owner:
+ ipa vault-add-owner <name> --users <usernames>
+""") + _("""
+ Delete a vault owner:
+ ipa vault-remove-owner <name> --users <usernames>
+""") + _("""
+ Add a vault member:
+ ipa vault-add-member <name> --users <usernames>
+""") + _("""
+ Delete a vault member:
+ ipa vault-remove-member <name> --users <usernames>
""")
register = Registry()
@@ -210,7 +223,8 @@ vault_options = (
doc=_('Shared vault'),
),
Str(
- 'user?',
+ 'username?',
+ cli_name='user',
doc=_('Username of the user vault'),
),
)
@@ -234,12 +248,18 @@ class vault(LDAPObject):
'ipavaulttype',
'ipavaultsalt',
'ipavaultpublickey',
+ 'owner',
+ 'member',
]
search_display_attributes = [
'cn',
'description',
'ipavaulttype',
]
+ attribute_members = {
+ 'owner': ['user', 'group'],
+ 'member': ['user', 'group'],
+ }
label = _('Vaults')
label_singular = _('Vault')
@@ -282,6 +302,16 @@ class vault(LDAPObject):
doc=_('Vault public key'),
flags=['no_search'],
),
+ Str(
+ 'owner_user?',
+ label=_('Owner users'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str(
+ 'owner_group?',
+ label=_('Owner groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
)
def get_dn(self, *keys, **options):
@@ -291,7 +321,7 @@ class vault(LDAPObject):
service = options.get('service')
shared = options.get('shared')
- user = options.get('user')
+ user = options.get('username')
count = 0
if service:
@@ -337,7 +367,7 @@ class vault(LDAPObject):
return DN(rdns, parent_dn)
- def create_container(self, dn):
+ def create_container(self, dn, owner_dn):
"""
Creates vault container and its parents.
"""
@@ -354,8 +384,9 @@ class vault(LDAPObject):
entry = self.backend.make_entry(
dn,
{
- 'objectclass': ['nsContainer'],
+ 'objectclass': ['ipaVaultContainer'],
'cn': rdn['cn'],
+ 'owner': [owner_dn],
})
# if entry can be added, return
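Review bot: The container entry now carries a single `owner` fixed at creation time, and since create_container also creates missing parents (per its docstring in the previous hunk), the caller's DN would become the owner of every ancestor container created on this path if the recursive call — outside this hunk — passes owner_dn through unchanged; for shared parent containers that could hand the first caller ownership of containers it should not control, so this is worth confirming against the new ACIs. The switch from `nsContainer` to `ipaVaultContainer` is otherwise fine. I would record the intent in the docstring: `Creates vault container and its parents; owner_dn becomes the owner of each container created here.` create_container starts in the previous hunk and its body continues past this one.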
@@ -631,12 +662,21 @@ class vault_add_internal(LDAPCreate):
raise errors.InvocationError(
format=_('KRA service is not enabled'))
+ principal = getattr(context, 'principal')
+ (name, realm) = split_principal(principal)
+ if '/' in name:
+ owner_dn = self.api.Object.service.get_dn(name)
+ else:
+ owner_dn = self.api.Object.user.get_dn(name)
+
try:
parent_dn = DN(*dn[1:])
- self.obj.create_container(parent_dn)
+ self.obj.create_container(parent_dn, owner_dn)
except errors.DuplicateEntry, e:
pass
+ entry_attrs['owner'] = owner_dn
+
return dn
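Review bot: The owner DN is chosen by whether the principal name contains `/`, which maps every non-user principal — including host principals of the form `host/<fqdn>` — to a service DN via `self.api.Object.service.get_dn(name)`; if host principals can reach this command, the stored `owner` would point at an entry that may not exist, so either reject them or branch on the `host/` prefix explicitly. Separately, the `DuplicateEntry` pass that follows means an existing container keeps its earlier owner and only the vault entry itself gets the caller as owner; a comment such as `# container owner is set only on first creation; an existing container keeps its owner` would make that visible. The enclosing pre_callback starts outside the hunk.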
@@ -687,6 +727,8 @@ class vault_find(LDAPSearch):
takes_options = LDAPSearch.takes_options + vault_options
+ has_output_params = LDAPSearch.has_output_params
+
msg_summary = ngettext(
'%(count)d vault matched',
'%(count)d vaults matched',
@@ -742,6 +784,8 @@ class vault_show(LDAPRetrieve):
takes_options = LDAPRetrieve.takes_options + vault_options
+ has_output_params = LDAPRetrieve.has_output_params
+
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
assert isinstance(dn, DN)
@@ -1329,6 +1373,68 @@ class vault_retrieve_internal(PKQuery):
@register()
+class vault_add_owner(LDAPAddMember):
+ __doc__ = _('Add owners to a vault.')
+
+ takes_options = LDAPAddMember.takes_options + vault_options
+
+ member_attributes = ['owner']
+ member_count_out = ('%i owner added.', '%i owners added.')
+
+ has_output = (
+ output.Entry('result'),
+ output.Output(
+ 'failed',
+ type=dict,
+ doc=_('Owners that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ type=int,
+ doc=_('Number of owners added'),
+ ),
+ )
+
+
+@register()
+class vault_remove_owner(LDAPRemoveMember):
+ __doc__ = _('Remove owners from a vault.')
+
+ takes_options = LDAPRemoveMember.takes_options + vault_options
+
+ member_attributes = ['owner']
+ member_count_out = ('%i owner removed.', '%i owners removed.')
+
+ has_output = (
+ output.Entry('result'),
+ output.Output(
+ 'failed',
+ type=dict,
+ doc=_('Owners that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ type=int,
+ doc=_('Number of owners removed'),
+ ),
+ )
+
+
+@register()
+class vault_add_member(LDAPAddMember):
+ __doc__ = _('Add members to a vault.')
+
+ takes_options = LDAPAddMember.takes_options + vault_options
+
+
+@register()
+class vault_remove_member(LDAPRemoveMember):
+ __doc__ = _('Remove members from a vault.')
+
+ takes_options = LDAPRemoveMember.takes_options + vault_options
+
+
+@register()
class kra_is_enabled(Command):
NO_CLI = True
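Review bot: The four new commands accept `vault_options`, so a caller can name another user's, a service's or the shared vault as the target, and nothing in these classes checks that the caller owns it; per the commit description that authorization lives in the LDAP ACIs outside this diff, which is the right place, but the plugin should say so. A one-line comment on `vault_add_owner`, e.g. `# Authorization is enforced by the LDAP ACIs on the vault entry (owners manage owner/member); the plugin performs no check of its own.`, would stop a later maintainer from assuming the check is missing or adding a redundant one. `vault_add_member` and `vault_remove_member` inherit the default `member_count_out` and `has_output` from the base classes while the owner variants override both; that asymmetry looks intentional, but a short comment noting it would help.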