authorPetr Viktorin <pviktori@redhat.com>2014-06-09 19:12:46 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-11 13:21:29 +0200
commit6acaf73b0c6f7301d5a5d4292a4f9926cc370867 (patch)
tree0d4eced7f3b83eac3bb464efc3b846543bbd4a1d
parent13bcd03fcfd0cb830f57df905d8c934867c18b6c (diff)
Add ACI.txt
The ACI.txt file is a list of all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ACI.txt114
-rw-r--r--Makefile1
-rwxr-xr-xmakeaci119
3 files changed, 234 insertions, 0 deletions
diff --git a/ACI.txt b/ACI.txt
new file mode 100644
index 000000000..011b0aeae
--- /dev/null
+++ b/ACI.txt
@@ -0,0 +1,114 @@
+dn: cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "automemberdefaultgroup || automemberdisabled || automemberfilter || automembergroupingattr || automemberscope || cn || objectclass")(targetfilter = "(objectclass=automemberdefinition)")(version 3.0;acl "permission:System: Read Automember Definitions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Definitions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "automemberexclusiveregex || automemberinclusiveregex || automembertargetgroup || cn || description || objectclass")(targetfilter = "(objectclass=automemberregexrule)")(version 3.0;acl "permission:System: Read Automember Rules";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Rules,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///cn=*,cn=automember rebuild membership,cn=tasks,cn=config")(version 3.0;acl "permission:System: Read Automember Tasks";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Automember Tasks,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Automount Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "automountinformation || automountkey || automountmapname || cn || description || objectclass")(version 3.0;acl "permission:System: Read Automount Configuration";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=System: Read Global Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || ipacertificatesubjectbase || ipaconfigstring || ipacustomfields || ipadefaultemaildomain || ipadefaultloginshell || ipadefaultprimarygroup || ipagroupobjectclasses || ipagroupsearchfields || ipahomesrootdir || ipakrbauthzdata || ipamaxusernamelength || ipamigrationenabled || ipapwdexpadvnotify || ipasearchrecordslimit || ipasearchtimelimit || ipaselinuxusermapdefault || ipaselinuxusermaporder || ipauserauthtype || ipauserobjectclasses || ipausersearchfields || objectclass")(targetfilter = "(objectclass=ipaguiconfig)")(version 3.0;acl "permission:System: Read Global Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || cospriority || krbpwdpolicyreference || objectclass")(targetfilter = "(objectclass=costemplate)")(version 3.0;acl "permission:System: Read Group Password Policy costemplate";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy costemplate,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "member || memberof || memberuid")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || ipauniqueid || memberof || objectclass")(targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Read HBAC Services";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read HBAC Service Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahbacservicegroup)")(version 3.0;acl "permission:System: Read HBAC Service Groups";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Host Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "memberof")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Host Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Hosts,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || enrolledby || fqdn || ipaclientversion || ipakrbauthzdata || ipasshpubkey || ipauniqueid || krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || l || macaddress || managedby || nshardwareplatform || nshostlocation || nsosversion || objectclass || serverhostname || usercertificate || userclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Read Hosts";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Hostgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "member || memberof")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Hostgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipahostgroup)")(version 3.0;acl "permission:System: Read Hostgroups";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read ID Ranges,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbmaxrenewableage || krbmaxticketlife")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read User Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Netgroup Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "externalhost || member || memberof || memberuser")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroup Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || hostcategory || ipaenabledflag || ipauniqueid || nisdomainname || usercategory")(targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Read Netgroups";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "aci")(version 3.0;acl "permission:System: Read ACIs";allow (compare,read,search) groupdn = "ldap:///cn=System: Read ACIs,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || ipapermbindruletype || ipapermdefaultattr || ipapermexcludedattr || ipapermincludedattr || ipapermissiontype || ipapermlocation || ipapermright || ipapermtarget || ipapermtargetfilter || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Read Permissions";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Privileges";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Privileges,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || member || memberof || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=groupofnames)")(version 3.0;acl "permission:System: Read Roles";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Roles,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read SELinux User Maps,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "accesstime || cn || description || hostcategory || ipaenabledflag || ipaselinuxuser || ipauniqueid || memberhost || memberuser || objectclass || seealso || usercategory")(targetfilter = "(objectclass=ipaselinuxusermap)")(version 3.0;acl "permission:System: Read SELinux User Maps";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Services,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "ipakrbauthzdata || ipakrbprincipalalias || ipauniqueid || krbcanonicalname || krblastpwdchange || krbobjectreferences || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || managedby || memberof || objectclass || usercertificate")(targetfilter = "(objectclass=ipaservice)")(version 3.0;acl "permission:System: Read Services";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Sudo Commands,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "description || ipauniqueid || memberof || objectclass || sudocmd")(targetfilter = "(objectclass=ipasudocmd)")(version 3.0;acl "permission:System: Read Sudo Commands";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Sudo Command Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || cn || description || ipauniqueid || member || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipasudocmdgrp)")(version 3.0;acl "permission:System: Read Sudo Command Groups";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Add Sudo rule";allow (add) groupdn = "ldap:///cn=System: Add Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Delete Sudo rule";allow (delete) groupdn = "ldap:///cn=System: Delete Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cmdcategory || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || memberallowcmd || memberdenycmd || memberhost || memberuser || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Modify Sudo rule";allow (write) groupdn = "ldap:///cn=System: Modify Sudo rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Sudo Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cmdcategory || cn || description || externalhost || externaluser || hostcategory || hostmask || ipaenabledflag || ipasudoopt || ipasudorunas || ipasudorunasextgroup || ipasudorunasextuser || ipasudorunasgroup || ipasudorunasgroupcategory || ipasudorunasusercategory || ipauniqueid || memberallowcmd || memberdenycmd || memberhost || memberuser || objectclass || sudonotafter || sudonotbefore || sudoorder || usercategory")(targetfilter = "(objectclass=ipasudorule)")(version 3.0;acl "permission:System: Read Sudo Rules";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Sudoers compat tree,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read Trust Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || ipantflatname || ipantsecurityidentifier || ipanttrusteddomainsid || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example")(version 3.0;acl "permission:System: Add User to default group";allow (write) groupdn = "ldap:///cn=System: Add User to default group,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Add Users";allow (add) groupdn = "ldap:///cn=System: Add Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbprincipalkey || passwordhistory || sambalmpassword || sambantpassword || userpassword")(targetfilter = "(&(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipa,dc=example))(objectclass=posixaccount))")(version 3.0;acl "permission:System: Change User password";allow (write) groupdn = "ldap:///cn=System: Change User password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "ipasshpubkey")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Manage User SSH Public Keys";allow (write) groupdn = "ldap:///cn=System: Manage User SSH Public Keys,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "businesscategory || carlicense || cn || description || displayname || employeetype || facsimiletelephonenumber || gecos || givenname || homephone || inetuserhttpurl || initials || l || labeleduri || loginshell || manager || mepmanagedentry || mobile || objectclass || ou || pager || postalcode || preferredlanguage || roomnumber || secretary || seealso || sn || st || street || telephonenumber || title || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Modify Users";allow (write) groupdn = "ldap:///cn=System: Modify Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "*")(target = "ldap:///cn=UPG Definition,cn=Definitions,cn=Managed Entries,cn=etc,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read UPG Definition";allow (compare,read,search) groupdn = "ldap:///cn=System: Read UPG Definition,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read User Addressbook Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "audio || businesscategory || carlicense || departmentnumber || destinationindicator || employeenumber || employeetype || fax || homephone || homepostaladdress || inetuserhttpurl || inetuserstatus || internationalisdnnumber || jpegphoto || l || labeleduri || mail || mobile || o || ou || pager || photo || physicaldeliveryofficename || postaladdress || postalcode || postofficebox || preferreddeliverymethod || preferredlanguage || registeredaddress || roomnumber || secretary || seealso || st || street || telephonenumber || teletexterminalidentifier || telexnumber || usercertificate || usersmimecertificate || x121address || x500uniqueidentifier")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Addressbook Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read User IPA Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "ipasshpubkey || ipauniqueid || ipauserauthtype || userclass")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User IPA Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read User Kerberos Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krbcanonicalname || krblastpwdchange || krbpasswordexpiration || krbprincipalaliases || krbprincipalexpiration || krbprincipalname || krbprincipaltype || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Attributes";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krblastadminunlock || krblastfailedauth || krblastpwdchange || krblastsuccessfulauth || krbloginfailedcount || krbpwdpolicyreference || krbticketpolicyreference || krbupenabled")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Kerberos Login Attributes";allow (compare,read,search) groupdn = "ldap:///cn=System: Read User Kerberos Login Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read User Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "memberof")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Membership";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read User Standard Attributes,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || displayname || gecos || gidnumber || givenname || homedirectory || initials || loginshell || manager || objectclass || sn || title || uid || uidnumber")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Read User Standard Attributes";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Remove Users";allow (delete) groupdn = "ldap:///cn=System: Remove Users,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "krblastadminunlock || krbloginfailedcount || nsaccountlock")(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:System: Unlock User";allow (write) groupdn = "ldap:///cn=System: Unlock User,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read AD Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || ipantdomainguid || ipantfallbackprimarygroup || ipantflatname || ipantsecurityidentifier || objectclass")(target = "ldap:///cn=ad,cn=etc,dc=ipa,dc=example")(targetfilter = "(objectclass=ipantdomainattrs)")(version 3.0;acl "permission:System: Read AD Domains";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read CA Certificate,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "authorityrevocationlist || cacertificate || certificaterevocationlist || cn || crosscertificatepair || objectclass")(targetfilter = "(objectclass=pkica)")(version 3.0;acl "permission:System: Read CA Certificate";allow (compare,read,search) userdn = "ldap:///anyone";)
+dn: cn=System: Read CA Renewal Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || objectclass || usercertificate")(targetfilter = "(objectclass=pkiuser)")(version 3.0;acl "permission:System: Read CA Renewal Information";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read DNA Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || dnahostname || dnaportnum || dnaremainingvalues || dnaremotebindmethod || dnaremoteconnprotocol || dnasecureportnum || objectclass")(targetfilter = "(objectclass=dnasharedconfig)")(version 3.0;acl "permission:System: Read DNA Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || ipaconfigstring || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || description || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Read Replication Information,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "cn || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
diff --git a/Makefile b/Makefile
index 918c8e7f3..b8315fe0e 100644
--- a/Makefile
+++ b/Makefile
@@ -156,6 +156,7 @@ version-update: release-update
if [ "$(SKIP_API_VERSION_CHECK)" != "yes" ]; then \
./makeapi --validate; \
+ ./makeaci --validate; \
fi
server: version-update
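Review bot: The new `./makeaci --validate;` line sits inside the `SKIP_API_VERSION_CHECK` guard, so setting that variable to `yes` now silently skips the managed-permission ACI check as well, which the variable's name does not suggest. A comment above the `if`, e.g. `# SKIP_API_VERSION_CHECK=yes skips both the API.txt and the ACI.txt validation`, would make that visible to whoever sets it in a build. A separate variable would be the alternative if the two checks are meant to be skippable independently.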
diff --git a/makeaci b/makeaci
new file mode 100755
index 000000000..ab823558d
--- /dev/null
+++ b/makeaci
@@ -0,0 +1,119 @@
+#!/usr/bin/python2
+# Authors:
+# Petr Viktorin <pviktori@redhat.com>
+# John Dennis <jdennis@redhat.com>
+# Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Test the managed permission ACIs against a known-good ACI list
+# to ensure that changes aren't made lightly.
+# Can either regenerate ACI.txt, or validate against it.
+
+import sys
+import difflib
+from argparse import ArgumentParser
+
+from ipalib import api
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient
+
+
+class FakeLDAPClient(LDAPClient):
+ """A LDAP client that can't do any LDAP operations
+
+ Used to create and manipulate entries without an LDAP connection.
+ """
+ def _init_connection(self):
+ self.conn = IPASimpleLDAPObject('', False, no_schema=True)
+
+
+def parse_options():
+ parser = ArgumentParser()
+ parser.add_argument('--validate', dest='validate', action='store_true',
+ default=False, help='Validate the API vs the stored API')
+ parser.add_argument('filename', nargs='?', default='ACI.txt',
+ help='File to create or validate, default: ACI.txt')
+
+ options = parser.parse_args()
+ return options
+
+
+def generate_aci_lines(api):
+ """Yields ACI lines as they appear in ACI.txt, with trailing newline"""
+ update_plugin = api.Updater['update_managed_permissions']
+ perm_plugin = api.Object['permission']
+ fake_ldap = FakeLDAPClient('')
+ for name, template, obj in update_plugin.get_templates():
+ dn = perm_plugin.get_dn(name)
+ entry = fake_ldap.make_entry(dn)
+ update_plugin.update_entry(
+ obj=obj,
+ entry=entry,
+ template=template,
+ anonymous_read_aci=None,
+ is_new=True,
+ )
+ aci = perm_plugin.make_aci(entry)
+ yield 'dn: %s\n' % dn
+ yield 'aci: %s\n' % aci
+
+
+def main(options):
+ api.bootstrap(
+ context='cli',
+ in_server=False,
+ debug=False,
+ verbose=0,
+ validate_api=True,
+ enable_ra=True,
+ mode='developer',
+ plugins_on_demand=False,
+ basedn=DN('dc=ipa,dc=example'),
+ realm='IPA.EXAMPLE',
+ )
+ from ipaserver.install.plugins.update_managed_permissions import (
+ update_managed_permissions)
+ from ipalib.plugins.permission import permission
+ api.finalize()
+
+ output_lines = list(generate_aci_lines(api))
+
+ if options.validate:
+ with open(options.filename) as file:
+ file_lines = file.readlines()
+ if file_lines != output_lines:
+ diff = list(difflib.unified_diff(
+ file_lines,
+ output_lines,
+ fromfile='existing %s' % options.filename,
+ tofile='new result',
+ ))
+ for line in diff:
+ print line,
+ print>>sys.stderr
+ print>>sys.stderr, 'Managed permission ACI validation failed.'
+ print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
+ exit('%s validation failed' % options.filename)
+ else:
+ with open(options.filename, 'w') as file:
+ file.writelines(output_lines)
+
+
+if __name__ == '__main__':
+ options = parse_options()
+ main(options)
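Review bot: The `--validate` help string in parse_options() still describes makeapi ('Validate the API vs the stored API') although this script compares generated ACIs against ACI.txt; `help='Validate the generated managed-permission ACIs vs the stored ACI.txt'` would match what main() actually does. The two imports inside main() (`update_managed_permissions`, `permission`) are never referenced afterwards, so they read as dead code; if they are there to register the plugins with `api` before `api.finalize()` runs, a comment such as `# imported for side effect only: registers the plugins so api.finalize() picks them up` would keep a later cleanup from deleting them. `LDAPEntry` from ipapython.ipaldap is likewise imported at the top of the file but never used.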