From 58fed697684931e66ed054d0d5899301fd47b04d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 14 May 2010 09:37:54 -0400
Subject: Add groups of services to HBAC
Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule.
588574
---
 ipalib/plugins/hbac.py | 65 ++++++++++++++++---
 ipalib/plugins/hbacsvc.py | 103 +++++++++++++++++++++++++++++
 ipalib/plugins/hbacsvcgroup.py | 144 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 303 insertions(+), 9 deletions(-)
 create mode 100644 ipalib/plugins/hbacsvc.py
 create mode 100644 ipalib/plugins/hbacsvcgroup.py
(limited to 'ipalib/plugins')
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 7a76f72cc..1438ea955 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -34,16 +34,18 @@ class hbac(LDAPObject):
 object_name_plural = 'HBAC rules'
 object_class = ['ipaassociation', 'ipahbacrule']
 default_attributes = [
- 'cn', 'accessruletype', 'ipaenabledflag', 'servicename',
+ 'cn', 'accessruletype', 'ipaenabledflag',
 'accesstime', 'description', 'usercategory', 'hostcategory',
- 'sourcehostcategory', 'ipaenabledflag',
-
+ 'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
+ 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
+ 'memberhostgroup',
 ]
 uuid_attribute = 'ipauniqueid'
 attribute_members = {
 'memberuser': ['user', 'group'],
 'memberhost': ['host', 'hostgroup'],
 'sourcehost': ['host', 'hostgroup'],
+ 'memberservice': ['hbacsvc', 'hbacsvcgroup'],
 }
 
 label = _('HBAC')
@@ -60,12 +62,7 @@ class hbac(LDAPObject):
 label=_('Rule type'),
 values=(u'allow', u'deny'),
 ),
- Str('servicename?',
- cli_name='service',
- label=_('Service name'),
- doc=_('Name of service the rule applies to (e.g. ssh)'),
- ),
- # FIXME: {user,host,sourcehost}categories should expand in the future
+ # FIXME: {user,host,sourcehost,service}categories should expand in the future
 StrEnum('usercategory?',
 cli_name='usercat',
 label=_('User category'),
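Review bot: `'ipaenabledflag'` is listed twice in the new `default_attributes` — on the rewritten `'cn', 'accessruletype', 'ipaenabledflag',` line and again on `'sourcehostcategory', 'servicecategory', 'ipaenabledflag',`; the duplicate predates this change, but the hunk rewrites both lines, so dropping the second occurrence here costs nothing. The added `'memberhostgroup'` has no counterpart in `attribute_members`, where host groups are already carried by `memberhost`; if it is not an attribute of the rule's object class it is a harmless but misleading entry and should be removed or explained with a comment. The `hbac` class continues past the hunk.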
@@ -84,6 +81,12 @@ class hbac(LDAPObject):
 doc=_('Source host category the rule applies to'),
 values=(u'all', ),
 ),
+ StrEnum('servicecategory?',
+ cli_name='servicecat',
+ label=_('Service category'),
+ doc=_('Service category the rule applies to'),
+ values=(u'all', ),
+ ),
 AccessTime('accesstime?',
 cli_name='time',
 label=_('Access time'),
@@ -96,6 +99,30 @@ class hbac(LDAPObject):
 label=_('Enabled'),
 flags=['no_create', 'no_update', 'no_search'],
 ),
+ Str('memberuser_user?',
+ label=_('Users'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_host?',
+ label=_('Hosts'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberhost_hostgroup?',
+ label=_('Host Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('sourcehost_host?',
+ label=_('Source hosts'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberservice_service?',
+ label=_('Services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberservice_servicegroup?',
+ label=_('Service Groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
 )
 
 def get_dn(self, *keys, **kwargs):
@@ -351,3 +378,23 @@ class hbac_remove_sourcehost(LDAPRemoveMember):
 member_count_out = ('%i object removed.', '%i objects removed.')
 
 api.register(hbac_remove_sourcehost)
+
+
+class hbac_add_service(LDAPAddMember):
+ """
+ Add services affected by HBAC rule.
+ """
+ member_attributes = ['memberservice']
+ member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(hbac_add_service)
+
+
+class hbac_remove_service(LDAPRemoveMember):
+ """
+ Remove source hosts and hostgroups affected by HBAC rule.
+ """
+ member_attributes = ['memberservice']
+ member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(hbac_remove_service)
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
new file mode 100644
index 000000000..a85d94019
--- /dev/null
+++ b/ipalib/plugins/hbacsvc.py
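Review bot: The new display parameters in the `@@ -96,6 +99,30 @@` hunk cover `memberuser_user` and `sourcehost_host` but not `memberuser_group` or `sourcehost_hostgroup`, although `attribute_members` maps `memberuser` to `['user', 'group']` and `sourcehost` to `['host', 'hostgroup']`, so groups and host groups assigned to a rule would have no labelled output column. The two service parameters are named `memberservice_service` and `memberservice_servicegroup`, while the object keys registered for `memberservice` are `hbacsvc` and `hbacsvcgroup`; if the framework derives the output key as `<attribute>_<object key>` (as `memberhost_hostgroup` suggests), these two would never be populated — worth confirming against baseldap. The enclosing `takes_params` tuple starts outside the hunk.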
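Review bot: The docstring of `hbac_remove_service` in the `@@ -351,3 +378,23 @@` hunk reads `Remove source hosts and hostgroups affected by HBAC rule.`, copied from `hbac_remove_sourcehost`, while the class operates on `memberservice`; it should read `Remove services affected by HBAC rule.` to mirror `hbac_add_service`. The docstring is what the CLI shows as command help, so the mismatch is user-visible to anyone editing an access rule.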
@@ -0,0 +1,103 @@
+# Authors:
+# Rob Crittenden
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+HBAC Services
+"""
+import base64
+
+from ipalib import api, errors
+from ipalib import Str, Flag, Bytes
+from ipalib.plugins.baseldap import *
+from ipalib import x509
+from pyasn1.error import PyAsn1Error
+from ipalib import _, ngettext
+
+
+class hbacsvc(LDAPObject):
+ """
+ HBAC Service object.
+ """
+ container_dn = api.env.container_hbacservice
+ object_name = 'service'
+ object_name_plural = 'services'
+ object_class = [
+ 'ipahbacservice',
+ ]
+ default_attributes = ['cn', 'description']
+
+ label = _('Services')
+
+ takes_params = (
+ Str('cn',
+ cli_name='service',
+ label=_('Service name'),
+ doc=_('HBAC Service'),
+ primary_key=True,
+ normalizer=lambda value: value.lower(),
+ ),
+ Str('description?',
+ cli_name='desc',
+ label=_('Description'),
+ doc=_('Description of service'),
+ ),
+ )
+
+api.register(hbacsvc)
+
+
+class hbacsvc_add(LDAPCreate):
+ """
+ Add new HBAC service.
+ """
+ msg_summary = _('Added service "%(value)s"')
+
+api.register(hbacsvc_add)
+
+
+class hbacsvc_del(LDAPDelete):
+ """
+ Delete an existing HBAC service.
+ """
+ msg_summary = _('Deleted service "%(value)s"')
+
+api.register(hbacsvc_del)
+
+
+class hbacsvc_mod(LDAPUpdate):
+ """
+ Modify HBAC service.
+ """
+
+api.register(hbacsvc_mod)
+
+
+class hbacsvc_find(LDAPSearch):
+ """
+ Search for HBAC services.
+ """
+
+api.register(hbacsvc_find)
+
+
+class hbacsvc_show(LDAPRetrieve):
+ """
+ Display HBAC service.
+ """
+
+api.register(hbacsvc_show)
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
new file mode 100644
index 000000000..6e36f3a87
--- /dev/null
+++ b/ipalib/plugins/hbacsvcgroup.py
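Review bot: `base64`, `Flag`, `Bytes`, `x509`, `PyAsn1Error`, `errors` and `ngettext` are imported but never used anywhere in the new file; the `pyasn1` line in particular makes the plugin depend on an external package for nothing and looks carried over from another plugin. The import block can be reduced to `from ipalib import api`, `from ipalib import Str`, `from ipalib.plugins.baseldap import *` and `from ipalib import _`. A service is now referenced by DN from HBAC rules (`memberservice`) and from service groups (`member`), and the file does not show whether `LDAPDelete` clears those references when `hbacsvc_del` runs; if it does not, a rule keeps a dangling member entry that is hard to audit, so this is worth confirming or documenting on `hbacsvc_del`.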
@@ -0,0 +1,144 @@
+# Authors:
+# Rob Crittenden
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+HBAC Service Groups
+"""
+
+from ipalib import api, errors
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+
+
+class hbacsvcgroup(LDAPObject):
+ """
+ HBAC service group object.
+ """
+ container_dn = api.env.container_hbacservicegroup
+ object_name = 'servicegroup'
+ object_name_plural = 'servicegroups'
+ object_class = ['ipahbacservicegroup']
+ default_attributes = [ 'cn', 'description', 'member', 'memberof', ]
+ attribute_members = {
+ 'member': ['hbacsvc', 'hbacsvcgroup'],
+ 'memberof': ['hbacsvcgroup'],
+ }
+
+ label = _('HBAC Service Groups')
+
+ takes_params = (
+ Str('cn',
+ cli_name='name',
+ label=_('Service group name'),
+ primary_key=True,
+ normalizer=lambda value: value.lower(),
+ ),
+ Str('description',
+ cli_name='desc',
+ label=_('Description'),
+ doc=_('HBAC service group description'),
+ ),
+ Str('member_service?',
+ label=_('Member services'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('member_servicegroup?',
+ label=_('Member service groups'),
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ Str('memberof_servicegroup?',
+ label='Member of service groups',
+ flags=['no_create', 'no_update', 'no_search'],
+ ),
+ )
+
+ def get_dn(self, *keys, **kwargs):
+ try:
+ (dn, entry_attrs) = self.backend.find_entry_by_attr(
+ self.primary_key.name, keys[-1], self.object_class, [''],
+ self.container_dn
+ )
+ except errors.NotFound:
+ dn = super(hbacsvcgroup, self).get_dn(*keys, **kwargs)
+ return dn
+
+ def get_primary_key_from_dn(self, dn):
+ pkey = self.primary_key.name
+ (dn, entry_attrs) = self.backend.get_entry(dn, [pkey])
+ try:
+ return entry_attrs[pkey][0]
+ except (KeyError, IndexError):
+ return ''
+
+api.register(hbacsvcgroup)
+
+
+class hbacsvcgroup_add(LDAPCreate):
+ """
+ Create new hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_add)
+
+
+class hbacsvcgroup_del(LDAPDelete):
+ """
+ Delete hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_del)
+
+
+class hbacsvcgroup_mod(LDAPUpdate):
+ """
+ Modify hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_mod)
+
+
+class hbacsvcgroup_find(LDAPSearch):
+ """
+ Search the groups.
+ """
+
+api.register(hbacsvcgroup_find)
+
+
+class hbacsvcgroup_show(LDAPRetrieve):
+ """
+ Display hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_show)
+
+
+class hbacsvcgroup_add_member(LDAPAddMember):
+ """
+ Add members to hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_add_member)
+
+
+class hbacsvcgroup_remove_member(LDAPRemoveMember):
+ """
+ Remove members from hbacsvcgroup.
+ """
+
+api.register(hbacsvcgroup_remove_member)
-- cgit
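Review bot: `label='Member of service groups'` on the `memberof_servicegroup?` parameter is the only label in the file not wrapped in `_()`, so it will never be translated; it should be `label=_('Member of service groups'),` like its neighbours. `Str('description',` makes the description mandatory for a service group while `hbacsvc` declares `description?` as optional; unless a required description is intended, `Str('description?',` keeps the two new plugins consistent. The display parameters `member_service`, `member_servicegroup` and `memberof_servicegroup` use `service`/`servicegroup` rather than the object keys `hbacsvc`/`hbacsvcgroup` registered in `attribute_members`; if the framework fills output keys as `<attribute>_<object key>`, these would stay empty, so this is worth confirming together with the same naming in hbac.py. `ngettext` is imported but unused.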