author | Jr Aquino <jr.aquino@citrixonline.com> | 2010-09-27 13:51:28 -0700 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2010-09-27 22:38:06 -0400 |
commit | af48654cbcd6c0bdb3c5c6f5b35a4e69fbde77b5 (patch) | |
tree | 27f82d74a23346d38017c0de773220778aede8b2 /ipalib | |
parent | c187702bfe2c2dbc9614175db5cfa060936159bf (diff) | |
Add plugins for Sudo Commands, Command Groups and Rules
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/constants.py | 3 | ||||
-rw-r--r-- | ipalib/plugins/sudocmd.py | 137 | ||||
-rw-r--r-- | ipalib/plugins/sudocmdgroup.py | 157 | ||||
-rw-r--r-- | ipalib/plugins/sudorule.py | 199 |
4 files changed, 496 insertions, 0 deletions
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 26ff6236c..77a30aa57 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,6 +99,9 @@ DEFAULT_CONFIG = (
 ('container_hbacservicegroup', 'cn=hbacservicegroups,cn=accounts'),
 ('container_dns', 'cn=dns'),
 ('container_virtual', 'cn=virtual operations'),
+ ('container_sudorule', 'cn=sudorules'),
+ ('container_sudocmd', 'cn=sudocmds,cn=accounts'),
+ ('container_sudocmdgroup', 'cn=sudocmdgroups,cn=accounts'),
 
 # Ports, hosts, and URIs:
 # FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
new file mode 100644
index 000000000..a7ccd325d
--- /dev/null
+++ b/ipalib/plugins/sudocmd.py
@@ -0,0 +1,137 @@ +# Authors: +# Jr Aquino <jr.aquino@citrixonline.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Sudo Commands + +Commands used as building blocks for sudo + +EXAMPLES: + + Create a new commnad + ipa sudocmd-add --description='For reading log files' /usr/bin/less + + Remove a command + ipa sudocmd-del /usr/bin/less + +""" + +import platform +import os +import sys + +from ipalib import api, errors, util +from ipalib import Str +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + + +class sudocmd(LDAPObject): + """ + Sudo Command object. 
+ """ + container_dn = api.env.container_sudocmd + object_name = 'sudocmd' + object_name_plural = 'sudocmds' + object_class = ['ipaobject', 'ipasudocmd'] + # object_class_config = 'ipahostobjectclasses' + search_attributes = [ + 'cn', 'description', + ] + default_attributes = [ + 'cn', 'description', + ] + uuid_attribute = 'ipauniqueid' + label = _('SudoCmds') + + takes_params = ( + Str('cn', + cli_name='command', + label=_('Sudo Command'), + primary_key=True, + #normalizer=lambda value: value.lower(), + ), + Str('description?', + cli_name='desc', + label=_('Description'), + doc=_('A description of this command'), + ), + ) + + def get_dn(self, *keys, **options): + if keys[-1].endswith('.'): + keys[-1] = keys[-1][:-1] + dn = super(sudocmd, self).get_dn(*keys, **options) + try: + self.backend.get_entry(dn, ['']) + except errors.NotFound: + try: + (dn, entry_attrs) = self.backend.find_entry_by_attr( + 'cn', keys[-1], self.object_class, [''], + self.container_dn + ) + except errors.NotFound: + pass + return dn + +api.register(sudocmd) + +class sudocmd_add(LDAPCreate): + """ + Create new sudo command. + """ + + msg_summary = _('Added sudo command "%(value)s"') + +api.register(sudocmd_add) + +class sudocmd_del(LDAPDelete): + """ + Delete sudo command. + """ + + msg_summary = _('Deleted sudo command "%(value)s"') + +api.register(sudocmd_del) + +class sudocmd_mod(LDAPUpdate): + """ + Modify command. + """ + + msg_summary = _('Modified sudo command "%(value)s"') + +api.register(sudocmd_mod) + +class sudocmd_find(LDAPSearch): + """ + Search for commands. + """ + + msg_summary = ngettext( + '%(count)d sudo command matched', '%(count)d sudo command matched' + ) + +api.register(sudocmd_find) + +class sudocmd_show(LDAPRetrieve): + """ + Display sudo command. + """ + +api.register(sudocmd_show) diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py new file mode 100644 index 000000000..75b3efbdb --- /dev/null +++ b/ipalib/plugins/sudocmdgroup.py 
@@ -0,0 +1,157 @@ +# Authors: +# Jr Aquino <jr.aquino@citrixonline.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Groups of sudo commands + +Manage groups of sudo commands. +Every group must have a description. + +EXAMPLES: + + Add a new sudo command group: + ipa sudocmdgroup-add --desc='administrators commands' admincmds + + Remove a sudo command group: + ipa sudocmdgroup-del admincmds + + Manage sudo command group membership, commands: + ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds + + Manage sudo command group membership, commands: + ipa group-remove-member --sudocmds=/usr/bin/less admincmds + + Show a sudo command group: + ipa group-show localadmins +""" + +from ipalib import api +from ipalib import Str +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + + +class sudocmdgroup(LDAPObject): + """ + Sudo Group object. 
+ """ + container_dn = api.env.container_sudocmdgroup + object_name = 'sudocmdgroup' + object_name_plural = 'sudocmdgroups' + object_class = ['ipaobject', 'ipasudocmdgrp'] + default_attributes = [ + 'cn', 'description', 'member', 'memberof' + ] + uuid_attribute = 'ipauniqueid' + attribute_members = { + 'member': ['sudocmd', 'sudocmdgroup'], + 'memberof': ['sudocmdgroup'], + } + + label = _('Sudo Command Groups') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Sudo Command Group name'), + primary_key=True, + normalizer=lambda value: value.lower(), + ), + Str('description', + cli_name='desc', + label=_('Description'), + doc=_('Group description'), + ), + Str('membercmd_sudocmd?', + label=_('Commands'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('membercmd_sudocmdgroup?', + label=_('Sudo Command Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + +api.register(sudocmdgroup) + + +class sudocmdgroup_add(LDAPCreate): + """ + Create new sudo command group. + """ + + msg_summary = _('Added sudo command group "%(value)s"') + +api.register(sudocmdgroup_add) + + +class sudocmdgroup_del(LDAPDelete): + """ + Delete sudo command group. + """ + + msg_summary = _('Deleted sudo command group "%(value)s"') + +api.register(sudocmdgroup_del) + + +class sudocmdgroup_mod(LDAPUpdate): + """ + Modify group. + """ + + msg_summary = _('Modified sudo command group "%(value)s"') + +api.register(sudocmdgroup_mod) + + +class sudocmdgroup_find(LDAPSearch): + """ + Search for sudo command groups. + """ + + msg_summary = ngettext( + '%(count)d sudo command group matched', + '%(count)d sudo command groups matched', 0 + ) + +api.register(sudocmdgroup_find) + + +class sudocmdgroup_show(LDAPRetrieve): + """ + Display sudo command group. + """ + +api.register(sudocmdgroup_show) + + +class sudocmdgroup_add_member(LDAPAddMember): + """ + Add members to sudo command group. 
+ """ + +api.register(sudocmdgroup_add_member) + + +class sudocmdgroup_remove_member(LDAPRemoveMember): + """ + Remove members from sudo command group. + """ + +api.register(sudocmdgroup_remove_member) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py new file mode 100644 index 000000000..3e7038605 --- /dev/null +++ b/ipalib/plugins/sudorule.py 
@@ -0,0 +1,199 @@ +# Authors: +# Jr Aquino <jr.aquino@citrixonline.com> +# +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +""" +Sudo Rule +""" + +from ipalib import api, errors +from ipalib import Str, StrEnum +from ipalib.plugins.baseldap import * +from ipalib import _, ngettext + +class sudorule(LDAPObject): + """ + Sudo Rule. 
+ """ + container_dn = api.env.container_sudorule + object_name = 'Sudo Rule' + object_name_plural = 'Sudo Rules' + object_class = ['ipaassociation', 'ipasudorule'] + default_attributes = [ + 'cn', 'accessruletype', 'description', + + ] + uuid_attribute = 'ipauniqueid' + attribute_members = { + 'memberuser': ['user', 'group'], + 'memberhost': ['host', 'hostgroup'], + 'membercmd': ['sudocmd', 'sudocmdgroup'], + } + + label = _('SudoRule') + + takes_params = ( + Str('cn', + cli_name='name', + label=_('Rule name'), + primary_key=True, + ), + Str('description?', + cli_name='desc', + label=_('Description'), + ), + StrEnum('accessruletype', + cli_name='type', + doc=_('Rule type (allow or deny)'), + label=_('Rule type'), + values=(u'allow', u'deny'), + ), + Str('memberuser_user?', + label=_('Users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_host?', + label=_('Hosts'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberhost_hostgroup?', + label=_('Host Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('membercmd_sudocmd?', + label=_('Sudo Commands'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('membercmd_sudocmdgroup?', + label=_('Sudo Command Groups'), + flags=['no_create', 'no_update', 'no_search'], + ), + ) + + def get_dn(self, *keys, **kwargs): + try: + (dn, entry_attrs) = self.backend.find_entry_by_attr( + self.primary_key.name, keys[-1], self.object_class, [''], + self.container_dn + ) + except errors.NotFound: + dn = super(sudorule, self).get_dn(*keys, **kwargs) + return dn + +api.register(sudorule) + + +class sudorule_add(LDAPCreate): + """ + Create new Sudo Rule. + """ + + msg_summary = _('Added sudo rule "%(value)s"') + +api.register(sudorule_add) + + +class sudorule_del(LDAPDelete): + """ + Delete Sudo Rule. + """ + +api.register(sudorule_del) + + +class sudorule_mod(LDAPUpdate): + """ + Modify Sudo Rule. 
+ """ + +api.register(sudorule_mod) + + +class sudorule_find(LDAPSearch): + """ + Search for Sudo Rule. + """ + +api.register(sudorule_find) + + +class sudorule_show(LDAPRetrieve): + """ + Dispaly Sudo Rule. + """ + +api.register(sudorule_show) + + +class sudorule_add_command(LDAPAddMember): + """ + Add commands and sudo command groups affected by Sudo Rule. + """ + member_attributes = ['membercmd'] + member_count_out = ('%i object added.', '%i objects added.') + +api.register(sudorule_add_command) + + +class sudorule_remove_command(LDAPRemoveMember): + """ + Remove commands and sudo command groups affected by Sudo Rule. + """ + member_attributes = ['membercmd'] + member_count_out = ('%i object removed.', '%i objects removed.') + +api.register(sudorule_remove_command) + + +class sudorule_add_user(LDAPAddMember): + """ + Add users and groups affected by Sudo Rule. + """ + member_attributes = ['memberuser'] + member_count_out = ('%i object added.', '%i objects added.') + +api.register(sudorule_add_user) + + +class sudorule_remove_user(LDAPRemoveMember): + """ + Remove users and groups affected by Sudo Rule. + """ + member_attributes = ['memberuser'] + member_count_out = ('%i object removed.', '%i objects removed.') + +api.register(sudorule_remove_user) + + +class sudorule_add_host(LDAPAddMember): + """ + Add hosts and hostgroups affected by Sudo Rule. + """ + member_attributes = ['memberhost'] + member_count_out = ('%i object added.', '%i objects added.') + +api.register(sudorule_add_host) + + +class sudorule_remove_host(LDAPRemoveMember): + """ + Remove hosts and hostgroups affected by Sudo Rule. + """ + member_attributes = ['memberhost'] + member_count_out = ('%i object removed.', '%i objects removed.') + +api.register(sudorule_remove_host) |