From 7786ff694b098f44574f92b3bbf89db48438a20f Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 14:19:44 +0100
Subject: Add managed read permissions to Sudo objects

Part of the work for: https://fedorahosted.org/freeipa/ticket/1313
and: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek
---
 ipalib/plugins/sudocmd.py | 13 +++++++++++++
 ipalib/plugins/sudocmdgroup.py | 12 ++++++++++++
 ipalib/plugins/sudorule.py | 31 +++++++++++++++++++++++++++++++
 3 files changed, 56 insertions(+)
(limited to 'ipalib/plugins')
diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index 35c01aa85..4c7ea7f88 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -51,6 +51,7 @@ class sudocmd(LDAPObject):
 object_name = _('sudo command')
 object_name_plural = _('sudo commands')
 object_class = ['ipaobject', 'ipasudocmd']
+ permission_filter_objectclasses = ['ipasudocmd']
 # object_class_config = 'ipahostobjectclasses'
 search_attributes = [
 'sudocmd', 'description',
@@ -63,6 +64,18 @@ class sudocmd(LDAPObject):
 }
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
+ managed_permissions = {
+ 'System: Read Sudo Commands': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'description', 'ipauniqueid', 'memberof', 'objectclass',
+ 'sudocmd',
+ },
+ },
+ }
+
 label = _('Sudo Commands')
 label_singular = _('Sudo Command')
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index 0afa45819..471c8b858 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -55,6 +55,7 @@ class sudocmdgroup(LDAPObject):
 object_name = _('sudo command group')
 object_name_plural = _('sudo command groups')
 object_class = ['ipaobject', 'ipasudocmdgrp']
+ permission_filter_objectclasses = ['ipasudocmdgrp']
 default_attributes = [
 'cn', 'description', 'member',
 ]
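Review bot: The 'System: Read Sudo Commands' entry in the second sudocmd hunk combines `'replaces_global_anonymous_aci': True` with `'ipapermbindruletype': 'all'`, which reads as "anonymous binds lose read access to ipasudocmd entries and every authenticated bind gains it", yet nothing in the hunk records that intent for whoever next edits the attribute set. A short comment above `managed_permissions`, such as `# Replaces the global anonymous read ACI: sudo command data is readable by authenticated binds only`, would make the access change reviewable from the plugin itself; the same applies to the sudocmdgroup and sudorule entries in the later hunks. The attribute set also exposes `memberof`, so any principal matched by the 'all' bind rule can enumerate which command groups a command belongs to — presumably intended, since sudo clients need it, but worth stating in that comment. The enclosing class bodies continue outside the hunks.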
@@ -62,6 +63,17 @@ class sudocmdgroup(LDAPObject):
 attribute_members = {
 'member': ['sudocmd'],
 }
+ managed_permissions = {
+ 'System: Read Sudo Command Groups': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'businesscategory', 'cn', 'description', 'ipauniqueid',
+ 'member', 'o', 'objectclass', 'ou', 'owner', 'seealso',
+ },
+ },
+ }
 label = _('Sudo Command Groups')
 label_singular = _('Sudo Command Group')
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 246332502..16611aede 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -96,6 +96,7 @@ class sudorule(LDAPObject):
 object_name = _('sudo rule')
 object_name_plural = _('sudo rules')
 object_class = ['ipaassociation', 'ipasudorule']
+ permission_filter_objectclasses = ['ipasudorule']
 default_attributes = [
 'cn', 'ipaenabledflag', 'externaluser', 'description', 'usercategory', 'hostcategory',
@@ -115,6 +116,36 @@ class sudorule(LDAPObject):
 'ipasudorunas': ['user', 'group'],
 'ipasudorunasgroup': ['group'],
 }
+ managed_permissions = {
+ 'System: Read Sudo Rules': {
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'cmdcategory', 'cn', 'description', 'externalhost',
+ 'externaluser', 'hostcategory', 'hostmask', 'ipaenabledflag',
+ 'ipasudoopt', 'ipasudorunas', 'ipasudorunasextgroup',
+ 'ipasudorunasextuser', 'ipasudorunasgroup',
+ 'ipasudorunasgroupcategory', 'ipasudorunasusercategory',
+ 'ipauniqueid', 'memberallowcmd', 'memberdenycmd',
+ 'memberhost', 'memberuser', 'sudonotafter', 'sudonotbefore',
+ 'sudoorder', 'usercategory', 'objectclass',
+ },
+ },
+ 'System: Read Sudoers compat tree': {
+ 'non_object': True,
+ 'ipapermlocation': api.env.basedn,
+ 'ipapermtarget': DN('ou=sudoers', api.env.basedn),
+ 'ipapermbindruletype': 'all',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'cn', 'ou',
+ 'sudouser', 'sudohost', 'sudocommand', 'sudorunas',
+ 'sudorunasuser', 'sudorunasgroup', 'sudooption',
+ 'sudonotbefore', 'sudonotafter', 'sudoorder', 'description',
+ },
+ }
+ }
 label = _('Sudo Rules')
 label_singular = _('Sudo Rule')
-- 
cgit
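Review bot: The 'System: Read Sudoers compat tree' entry is the only permission in this commit without `'replaces_global_anonymous_aci': True`, so whether ou=sudoers is meant to remain readable by anonymous binds once the object permissions replace the global ACI cannot be told from the hunk; since this subtree is what LDAP-based sudo clients query, the intended bind requirement deserves a comment on the entry, e.g. `# Compat tree for sudoers LDAP clients: readable by any authenticated bind`. The entry also evaluates `api.env.basedn` and `DN('ou=sudoers', api.env.basedn)` in the class body, i.e. at import time, which presumably works because the plugin's container DNs are resolved the same way — confirm against how other plugins declare non_object permissions. The closing `}` of that entry lacks the trailing comma the other entries carry; `},` keeps the literal consistent and makes the next addition a one-line diff. The sudorule class body continues outside the hunk.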