authorAdam Young <ayoung@redhat.com>2010-10-25 19:55:57 -0400
committerAdam Young <ayoung@redhat.com>2010-12-20 23:32:06 -0500
commit07ace112afeaadade0ca372fe23a9432c2c9780f (patch)
tree6442a26960fd1d07087a90f28292f419cc3dbd71
parentfc4ce7dc8c2102561396e4987ff6357bb79bf524 (diff)
aci ui
Implements the role, privilege, permission, delegation and selfservice entities ui. Targetgroup has been added to the object types. The group lists need to be filtered. The filter is currently hidden, with a hyperlink that reads 'filter' to unhide it. Each keystroke in this filter performs an AJAX request to the server. There are bugs on the server side that block some of the functionality from completing. Creating a Permission requires one of 4 target types. The add dialog in this version assumes the user will want to create a filter type. They can change this on the edit page. Most search results come back with the values as arrays, but ACIs seem not to. Search and details both required special code to handle non-arrays. The unit tests now make use of the 'module' aspect of QUnit. This means that future unit tests will also need to specify the module. The advantage is that multiple tests can share a common setup and teardown. Bugs that need to be fixed before this works 100% are https://fedorahosted.org/freeipa/ticket/634 https://fedorahosted.org/freeipa/ticket/633
-rw-r--r--install/static/Makefile.am1
-rw-r--r--install/static/aci.js868
-rw-r--r--install/static/add.js34
-rw-r--r--install/static/details.js22
-rwxr-xr-xinstall/static/hbac.js9
-rwxr-xr-xinstall/static/hbacsvc.js30
-rwxr-xr-xinstall/static/hbacsvcgroup.js29
-rw-r--r--install/static/index.html1
-rw-r--r--install/static/search.js5
-rw-r--r--install/static/serverconfig.js24
-rwxr-xr-xinstall/static/sudocmd.js32
-rwxr-xr-xinstall/static/sudocmdgroup.js33
-rwxr-xr-xinstall/static/sudorule.js13
-rwxr-xr-xinstall/static/test/aci_tests.html33
-rw-r--r--install/static/test/aci_tests.js81
-rw-r--r--install/static/test/all_tests.html2
-rwxr-xr-xinstall/static/test/certificate_tests.html2
-rwxr-xr-xinstall/static/test/certificate_tests.js2
-rw-r--r--install/static/test/data/aci_find.json115
-rw-r--r--install/static/test/data/delegation_find.json35
-rw-r--r--install/static/test/data/delegation_list.json35
-rw-r--r--install/static/test/data/delegation_mod.json21
-rw-r--r--install/static/test/data/delegation_show.json20
-rw-r--r--install/static/test/data/ipa_init.json740
-rw-r--r--install/static/test/data/permission_add.json26
-rw-r--r--install/static/test/data/permission_del9
-rw-r--r--install/static/test/data/permission_find.json887
-rw-r--r--install/static/test/data/permission_show.json41
-rw-r--r--install/static/test/data/privilege_find.json215
-rw-r--r--install/static/test/data/privilege_show.json39
-rw-r--r--install/static/test/data/role_find.json20
-rw-r--r--install/static/test/data/role_show.json36
-rw-r--r--install/static/test/data/selfservice_find.json24
-rw-r--r--install/static/test/data/selfservice_show.json21
-rw-r--r--install/static/test/details_tests.js2
-rw-r--r--install/static/test/entity_tests.js2
-rw-r--r--install/static/test/index.html1
-rw-r--r--install/static/test/ipa_tests.js2
-rw-r--r--install/static/test/navigation_tests.js2
-rw-r--r--install/static/webui.js6
-rwxr-xr-xinstall/static/widget.js6
-rw-r--r--ipalib/plugins/delegation.py2
-rw-r--r--ipalib/plugins/selfservice.py3
43 files changed, 3160 insertions, 371 deletions
diff --git a/install/static/Makefile.am b/install/static/Makefile.am
index 8e498198..40d3b521 100644
--- a/install/static/Makefile.am
+++ b/install/static/Makefile.am
@@ -8,6 +8,7 @@ SUBDIRS = \
appdir = $(IPA_DATA_DIR)/static
app_DATA = \
+ aci.js \
add.js \
associate.js \
ipa_logo_180x50.png \
diff --git a/install/static/aci.js b/install/static/aci.js
new file mode 100644
index 00000000..d536e34f
--- /dev/null
+++ b/install/static/aci.js
@@ -0,0 +1,868 @@
+/* Authors:
+ * Adam Young <ayoung@redhat.com>
+ *
+ * Copyright (C) 2010 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; version 2 only
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/* REQUIRES: ipa.js, details.js, search.js, add.js, entity.js */
+
+
+/*TODO Merge this code into the attribtue table widget */
+IPA.populate_attribute_table = function (table, entity){
+ var attr_per_col = 400;
+ var aciattrs = IPA.metadata[entity].aciattrs;
+ var col_span = aciattrs.length / attr_per_col + 1;
+
+ $('tbody tr', table).remove();
+
+ var tbody = $('tbody',table);
+ var td;
+ for (var a = 0; a < aciattrs.length ; a += 1){
+ var aci_tr = $('<tr/>').appendTo(tbody);
+
+ td = $('<td/>').appendTo(aci_tr);
+ td.append($('<input/>',{
+ type:"checkbox",
+ id:'aciattr-'+aciattrs[a].toLowerCase(),
+ "class":'aci-attribute'
+ }));
+ td.append($('<label/>',{
+ text:aciattrs[a].toLowerCase()}));
+ }
+}
+
+
+IPA.attribute_table_widget= function (spec){
+ var id = spec.name;
+ var that = ipa_widget(spec);
+ var object_type = spec.objecttype || 'user';
+ var table;
+
+ that.create = function(container){
+
+ var dd = $('<dd/>').appendTo(container);
+ table = $('<table/>',{
+ id:id,
+ 'class':'search-table'}).
+ append('<thead/>').
+ append($('<tbody/>',{
+ style:"height:30em; overflow:auto;"
+ })).
+ appendTo(dd);
+
+ $('<tr></tr>').
+ append($('<th/>',{
+ style:"height:2em; vertical-align:bottom;",
+ html:$('<input/>',{
+ type: "checkbox",
+ click: function(){
+ $('.aci-attribute').
+ attr('checked', $(this).attr('checked'));
+ }}).
+ after('<label>Attribute</lable>')
+ })).
+ appendTo($('thead', table));
+ IPA.populate_attribute_table(table, object_type);
+ };
+
+ that.save = function(){
+ var attrs_boxes = $('table#'+id+" td :checked");
+ if (!attrs_boxes.length){
+ return [];
+ }
+ var retval = "";
+ for (var i = 0; i < attrs_boxes.length; i += 1){
+ if (i > 0){
+ retval += ',';
+ }
+ retval += attrs_boxes[i].id.substring("aciattr-".length);
+ }
+
+ return [retval];
+ }
+
+ var attrs = [];
+ that.reset =function(){
+ $('input[type=checkbox]', table).attr('checked','');
+ for (var i = 0; i < attrs.length; i+=1){
+ $(attrs[i], table).attr('checked','checked');
+ }
+ }
+
+ that.load = function(record){
+ if (!record.attrs) return;
+ attrs = [];
+ for (var i = 0; i < record.attrs.length; i+=1){
+ attrs.push('#aciattr-' +record.attrs[i]);
+ }
+ that.reset();
+ }
+
+ return that;
+}
+
+
+
+IPA.entity_select_widget = function(spec){
+
+ var that = ipa_widget(spec);
+ var entity = spec.entity || 'group';
+
+ function populate_select(value){
+ var selected = value;
+ function find_success(result){
+ $('option', that.entity_select).remove();
+ var entities = result.result.result;
+ for (var i =0; i < result.result.count; i +=1){
+ var option =
+ that.entity_select.append($('<option/>',{
+ text:entities[i].cn[0],
+ value:entities[i].cn[0]
+ }));
+ if (selected === entities[i].cn[0]){
+ option.attr('selected','selected');
+ }
+ }
+ }
+ function find_error(err){
+ }
+ ipa_command({
+ method: entity+'_find',
+ args:[that.entity_filter.val()],
+ options:{},
+ on_success:find_success,
+ on_error:find_error,
+ }).execute();
+ }
+
+ that.create = function(container){
+ var dd = $('<dd/>').appendTo(container);
+
+ that.entity_select = $('<select/>', {
+ id: that.name + '-entity-select',
+ change: function(){
+
+ }
+ }).appendTo(dd);
+
+
+ that.entity_filter = $('<input/>',{
+ size:10,
+ type: 'text',
+ id: 'entity_filter',
+ style: 'display: none;',
+ keypress: function(){
+ populate_select();
+ }
+ }).appendTo(dd);
+
+ $('<a />',{
+ href:"",
+ text: 'filter: ',
+ click:function(){
+ that.entity_filter.css('display','inline');
+ $(this).css('display','none');
+ return false;
+ }
+ }).appendTo(dd);
+
+ }
+ var value = '';
+ that.reset = function(){
+ that.entity_filter.val(value );
+ populate_select(value);
+
+ }
+ that.load = function(record){
+ value = record[that.name];
+ that.reset();
+ }
+
+ that.save = function(){
+ return [$('option:selected', that.entity_select).val()];
+ }
+
+ return that;
+}
+
+IPA.rights_widget = function(spec){
+ var rights = ['write','add','delete'];
+
+ var that = ipa_widget({name:'permissions',label:'Permissions'});
+ that.id = spec.id;
+
+ that.create = function(container){
+ for (var i =0; i < rights.length; i += 1){
+ $("<dd/>").
+ append($('<input/>',{
+ type:'checkbox',
+ 'class':that.entity_name +"_"+ that.name,
+ 'id':rights[i],
+ value:rights[i]
+ })).
+ append($('<label/>',{
+ text:rights[i]
+ })).
+ appendTo(container);
+ }
+
+ }
+ var values = [];
+
+ that.reset = function(){
+ var selector = '.'+ that.entity_name +"_"+ that.name;
+
+ var checkboxes = $(selector);
+
+ for (var i = 0; i < checkboxes.length; i +=1){
+ checkboxes.attr('checked','');
+ }
+
+ for (var i = 0; i < values.length; i +=1){
+ var value = values[i];
+ var cb = $('#'+value+ selector);
+ cb.attr('checked', 'checked');
+ }
+
+ }
+
+ that.load = function(record) {
+ values = record[that.name] || [];
+ that.reset();
+ }
+
+ that.save = function(){
+ var rights_input = $('.'+ that.entity_name +"_"+ that.name);
+ var retval = "";
+ for (var i =0; i < rights_input.length; i+=1){
+ if (i > 0) {
+ retval += ',';
+ }
+ retval += rights_input[i].value;
+ }
+ return [retval];
+ }
+
+ return that;
+}
+
+
+
+
+function ipa_rights_section() {
+ var spec = {'name':'rights',
+ 'label': 'Rights'}
+ var that = ipa_details_section(spec);
+ that.add_field(IPA.rights_widget({name:'permissions'}));
+
+ return that;
+}
+
+function ipa_target_section() {
+ var spec = {'name':'target',
+ 'label': 'Target'}
+
+ var that = ipa_details_section(spec);
+ var groupings = ['aci_by_type', 'aci_by_query', 'aci_by_group',
+ 'aci_by_filter' ];
+ var inputs = ['input', 'select', 'textarea'];
+
+ function disable_inputs(){
+ for (var g = 0; g < groupings.length; g += 1 ){
+ for (var t = 0 ; t < inputs.length; t += 1){
+ $('.' + groupings[g] + ' '+ inputs[t]).
+ attr('disabled', 'disabled');
+ }
+ }
+ }
+ function enable_by(grouping){
+ for (var t = 0 ; t < inputs.length; t += 1){
+ $('.' + grouping + ' '+ inputs[t]).
+ attr('disabled', '');
+ }
+ }
+
+ function display_filter_target(dl){
+ $("<dt/>").
+ append($("<label/>",{
+ text: "Filter",
+ })).
+ append($('<input/>',{
+ type:"radio",
+ name:"type",
+ checked:"true",
+ id:"aci_by_filter"
+ })).appendTo(dl);
+
+ $('<dd/>',{
+ 'class': 'aci_by_filter first'}).
+ append($('<input />',{
+
+ disabled:'true',
+ type:'text',
+ id:'aci_filter'
+ })).
+ appendTo(dl);
+ }
+
+
+ function display_type_target(dl){
+ $("<dt/>").
+ append($("<label/>",{
+ text: "Object By Type ",
+ })).
+ append($('<input/>',{
+ type:"radio",
+ name:"type",
+ checked:"true",
+ id:"aci_by_type"
+ })).appendTo(dl);
+
+ var dd = $('<dd/>',{
+ "class":"aci_by_type first",
+ }).appendTo(dl);
+
+ var type_select = $('<select/>', {
+ id: 'object_type_select',
+ change: function(){
+ var attribute_table = $('#aci_attributes_table');
+ IPA.populate_attribute_table(
+ attribute_table, this.options[this.selectedIndex].value);
+ }
+ }).appendTo(dd);
+ var type_params=ipa_get_param_info("permission","type");
+ for (var pc =0; pc < type_params.values.length; pc += 1){
+ type_select.append($('<option/>',{
+ value: type_params.values[pc],
+ text: type_params.values[pc]
+ }));
+ }
+ dd = $('<dd />',{
+ "class":"aci_by_type other"}).appendTo(dl);
+
+ var attribute_table = IPA.attribute_table_widget(
+ {name:'aci_attributes_table',object_type:'user'});
+
+ attribute_table.create(dl);
+
+
+ }
+
+ function display_query_target(dl){
+ $('<dt/>').
+ append($('<label />',{ html: 'By Subtree'} )).
+ append($('<input />',{
+ type:"radio",
+ name:"type",
+ id:"aci_by_query" })).
+ appendTo(dl);
+
+ $("<dd/>",{
+ "class":'aci_by_query first'}).append($('<textarea />',{
+ id: 'aci_query_text',
+ cols:'30',
+ rows:'1'})) .appendTo(dl);
+ }
+
+ function populate_target_group_select(){
+ function find_success(result){
+ var groups = result.result.result;
+ for (var i =0; i < result.result.count; i +=1){
+ var option = groups[i].cn[0];
+ that.group_select.append($('<option/>',{
+ text:groups[i].cn[0],
+ value:groups[i].cn[0]
+ }));
+ }
+ }
+ function find_error(err){
+ }
+
+ $('option', that.group_select).remove();
+ ipa_command({
+ method:'group_find',
+ args:[that.group_filter.val()],
+ options:{},
+ on_success:find_success,
+ on_error:find_error}).execute();
+ }
+
+ function display_group_target(dl){
+ $('<dt/>' ).
+ append($('<label />',{
+ html: 'Target Group'} )).
+ append($('<input />',{
+ type:"radio",
+ name:"type",
+ id:"aci_by_group" })).
+ appendTo(dl);
+
+ that.group_filter = $('<input/>',{
+ type: 'text',
+ id: 'group_filter',
+ });
+ that.group_select = $('<select/>', {
+ id: 'aci_target_group_select',
+ change: function(){
+ }
+ });
+
+ $("<dd/>",{
+ 'class':'aci_by_group first'
+ }).
+ append(that.group_filter).
+ append($('<label>Group Filter</label>')).
+ appendTo(dl);
+
+ $("<dd/>",{
+ 'class':'aci_by_group other'
+ }).
+ append(that.group_select).
+ appendTo(dl);
+ }
+
+
+
+
+ that.create = function(container) {
+ dl = $('<dl class="entryattrs"/>').appendTo(container);
+
+ display_filter_target(dl);
+ display_query_target(dl);
+ display_group_target(dl);
+ display_type_target(dl);
+
+ $('#aci_by_filter', dl).click(function (){
+ disable_inputs();
+ enable_by(groupings[3]);
+ });
+
+ $('#aci_by_type', dl).click(function (){
+ disable_inputs();
+ enable_by(groupings[0]);
+ });
+
+ $('#aci_by_query', dl).click(function (){
+ disable_inputs();
+ enable_by(groupings[1]);
+ });
+
+ $('#aci_by_group', dl).click(function (){
+ disable_inputs();
+ enable_by(groupings[2]);
+ populate_target_group_select();
+ });
+
+ $('#aci_by_query', dl).click();
+
+
+ };
+
+ that.setup = function(container) {
+
+ }
+
+ that.load = function(result) {
+ if(result.subtree){
+ $('#aci_query_text').val(result.subtree);
+ $('#aci_by_query').click();
+ }else if(result.type){
+ $('#aci_by_type').click();
+ $('#object_type_select').val(result.type);
+ IPA.populate_attribute_table($('#aci_attributes_table'),
+ result.type);
+ if (result.attrs){
+ for (var a = 0; a < result.attrs.length; a += 1){
+ var cb = $('#aciattr-'+result.attrs[a]);
+ if (!cb.length){
+ alert('unmatched:'+result.attrs[a]);
+ }
+ cb.attr('checked',true);
+ }
+ }
+ }else if (result.targetgroup){
+ var segments = result.targetgroup.split(/,/);
+ var targetgroup=segments[0].split(/=/)[1];
+ that.group_filter.val( targetgroup);
+ $('#aci_by_group').click();
+ }else if (result.filter){
+ $('#aci_by_filter').click();
+ $('#aci_filter').val(result.filter);
+ }else{
+ alert('permission with invalid target specification');
+ }
+
+ }
+
+ that.reset = function() {
+ };
+
+ that.save = function (record){
+
+ var record_type = $("input[name='type']:checked").attr('id');
+
+ if (record_type === 'aci_by_group'){
+ record.targetgroup =
+ $('#aci_target_group_select option:selected').val();
+ }else if (record_type === 'aci_by_type'){
+ record.type = $('#object_type_select option:selected').val();
+ }else if (record_type === 'aci_by_query'){
+ record.subtree = $('#aci_query_text').val();
+ }else if (record_type === 'aci_by_filter'){
+ var filter = $('#aci_filter').val();
+ record.filter = filter;
+ }
+
+ var attrs = $('.aci-attribute:checked').each(function(){
+ var id = this.id.split('-')[1];
+
+ if (!record.attributes){
+ record.attributes = "";
+ }else{
+ record.attributes += ",";
+ }
+ record.attributes += id;
+ });
+ }
+
+
+ return that;
+}
+
+
+
+
+function ipa_permission() {
+
+ var that = ipa_entity({
+ 'name': 'permission'
+ });
+
+ that.init = function() {
+
+ var dialog = ipa_permission_add_dialog({
+ name: 'add',
+ title: 'Add New Permission',
+ entity_name: 'permission'
+ });
+ that.add_dialog(dialog);
+ dialog.init();
+
+ var facet = ipa_permission_search_facet({
+ name: 'search',
+ label: 'Search'
+ });
+ that.add_facet(facet);
+
+ facet = ipa_permission_details_facet();
+ that.add_facet(facet);
+
+ that.entity_init();
+ };
+
+ return that;
+}
+
+IPA.add_entity(ipa_permission());
+
+
+
+function ipa_permission_add_dialog(spec) {
+
+ spec = spec || {};
+
+ var that = ipa_add_dialog(spec);
+
+ that.init = function() {
+
+ that.add_field(ipa_text_widget({
+ name: 'cn',
+ undo: false
+ }));
+
+ that.add_field(ipa_text_widget({
+ name: 'description',
+ undo: false
+ }));
+
+ that.add_field(IPA.rights_widget({name:'permissions'}));
+ that.add_field(ipa_text_widget({name:'filter'}));
+ that.add_dialog_init();
+
+ };
+
+
+ return that;
+}
+
+
+function ipa_permission_search_facet(spec) {
+
+ spec = spec || {};
+ var that = ipa_search_facet(spec);
+ that.init = function() {
+ that.create_column({name:'cn'});
+ that.create_column({name:'description'});
+ that.search_facet_init();
+ }
+
+ return that;
+}
+
+
+function ipa_permission_details_facet() {
+
+ var spec = {
+ name: 'details',
+ label: 'Details'
+ };
+ var that = ipa_details_facet(spec);
+
+ that.init = function() {
+
+ var section = that.add_section(ipa_details_list_section({
+ name:'identity',label:'Identity' }));
+ section.create_field({ name: 'cn', 'read_only': true });
+ section.create_field({ name: 'description'});
+
+ that.rights_section = ipa_rights_section();
+ that.add_section(that.rights_section);
+
+ that.target_section = ipa_target_section();
+
+ that.add_section(that.target_section);
+ that.details_facet_init();
+ };
+
+ that.superior_load = that.load;
+
+ that.load = function(result) {
+ that.superior_load(result);
+ }
+
+ that.superior_update = that.update;
+ that.update = function(on_win, on_fail){
+ that.superior_update(on_win, on_fail);
+ }
+
+ return that;
+}
+
+IPA.add_entity( function() {
+ var that = ipa_entity({
+ 'name': 'privilege'
+ });
+ that.init = function() {
+
+ var search_facet = ipa_search_facet({
+ name: 'search',
+ label: 'Search',
+ entity_name: that.name
+ });
+ search_facet.create_column({name:'cn'});
+ search_facet.create_column({name:'description'});
+ that.add_facet(search_facet);
+
+ that.add_facet(function() {
+ var that = ipa_details_facet({name:'details',label:'Details'});
+ that.add_section(
+ ipa_stanza({name:'identity', label:'Privilege Details'}).
+ input({name:'cn'}).
+ input({name: 'description'}));
+ return that;
+ }());
+
+
+ var dialog = ipa_add_dialog({
+ name: 'add',
+ title: 'Add Privilege',
+ entity_name: that.entity
+ });
+ that.add_dialog(dialog);
+
+ dialog.add_field(ipa_text_widget({ name: 'cn', undo: false}));
+ dialog.add_field(ipa_text_widget({ name: 'description', undo: false}));
+ dialog.init();
+
+ that.create_association_facets();
+ that.entity_init();
+ };
+ return that;
+}());
+
+
+IPA.add_entity( function() {
+ var that = ipa_entity({
+ 'name': 'role'
+ });
+ that.init = function() {
+ var search_facet = ipa_search_facet({
+ name: 'search',
+ label: 'Search',
+ entity_name: that.name
+ });
+ search_facet.create_column({name:'cn'});
+ search_facet.create_column({name:'description'});
+ that.add_facet(search_facet);
+
+ that.add_facet(function() {
+ var that = ipa_details_facet({name:'details',label:'Details'});
+ that.add_section(
+ ipa_stanza({name:'identity', label:'Role Details'}).
+ input({name:'cn'}).
+ input({name: 'description'}));
+ return that;
+ }());
+
+ var dialog = ipa_add_dialog({
+ name: 'add',
+ title: 'Add Role'
+ });
+ that.add_dialog(dialog);
+
+ dialog.add_field(ipa_text_widget({ name: 'cn', undo: false}));
+ dialog.add_field(ipa_text_widget({ name: 'description', undo: false}));
+ dialog.init();
+
+ that.create_association_facets();
+
+ that.entity_init();
+ };
+ return that;
+}());
+
+
+IPA.add_entity( function() {
+ var that = ipa_entity({
+ 'name': 'selfservice'
+ });
+
+ that.add_facet(function () {
+ var spec = {
+ name: 'search',
+ label: 'Search'
+ };
+ var that = ipa_search_facet(spec);
+ that.init = function() {
+ that.create_column({name:'aciname'});
+ that.search_facet_init();
+ }
+ return that;
+ }());
+
+
+ that.add_facet(function(){
+ var that = ipa_details_facet({'name':'details',label:'Details'});
+
+ that.init = function() {
+ that.add_section(
+ ipa_stanza({name:'general', label:'General'}).
+ input({name:'aciname'}).
+ custom_input(IPA.rights_widget({name:'permissions'})).
+ custom_input(IPA.attribute_table_widget({
+ object_type:'user',
+ name:'attrs'
+ }))
+ );
+
+ }
+
+
+
+ return that;
+ }());
+
+
+ that.parent_init = that.init;
+ that.init = function(){
+ that.parent_init();
+ var dialog = ipa_add_dialog({
+ name: 'add',
+ title: 'Add Self Service Definition'
+ });
+ that.add_dialog(dialog);
+ dialog.add_field(ipa_text_widget({ name: 'aciname', undo: false}));
+ dialog.add_field(IPA.rights_widget({name:'permissions'}));
+ dialog.add_field(IPA.attribute_table_widget({
+ object_type:'user',
+ name:'attrs'
+ }));
+ dialog.init();
+ }
+
+ return that;
+}());
+
+
+IPA.add_entity( function() {
+ var that = ipa_entity({
+ 'name': 'delegation'
+ });
+
+ that.add_facet(function () {
+ var spec = {
+ name: 'search',
+ label: 'Search'
+ };
+ var that = ipa_search_facet(spec);
+ that.init = function() {
+ that.create_column({name:'aciname'});
+ that.search_facet_init();
+ }
+ return that;
+ }());
+ that.add_facet(function(){
+ var that = ipa_details_facet({'name':'details',label:'Details'});
+ var section =
+ ipa_stanza({name:'general', label:'General'}).
+ input({name:'aciname'}).
+ custom_input(IPA.entity_select_widget(
+ {name:'group', entity:'group'})).
+ custom_input(IPA.entity_select_widget(
+ {name:'memberof', entity:'group'})).
+ custom_input(
+ IPA.rights_widget({
+ id:'delegation_rights'})).
+ custom_input(
+ IPA.attribute_table_widget({
+ name:'attrs'}));
+ that.add_section(section);
+ return that;
+ }());
+
+ that.super_init = that.init;
+ that.init = function(){
+ that.super_init();
+ var dialog = ipa_add_dialog({
+ name: 'add',
+ title: 'Add Delegation',
+ entity_name: that.entity
+ });
+ that.add_dialog(dialog);
+ dialog.add_field(ipa_text_widget({ name: 'aciname', undo: false}));
+ dialog.add_field(IPA.entity_select_widget({name:'group',
+ entity:'group'}));
+ dialog.add_field(IPA.entity_select_widget({name:'memberof',
+ entity:'group'}));
+ dialog.add_field(IPA.attribute_table_widget({ name: 'attrs'}));
+
+ dialog.init();
+ that.create_association_facets();
+ }
+
+ return that;
+}());
\ No newline at end of file
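Review bot: `save` in `IPA.rights_widget` selects every checkbox carrying the widget's class, not only the ticked ones, so it always returns `write,add,delete` whatever the user chose; in an access-control editor that means the request would carry more rights than were selected. Restrict the query to checked boxes, `var rights_input = $('.'+ that.entity_name +"_"+ that.name + ':checked');`, and return `[]` when none are ticked, as `save` in `IPA.attribute_table_widget` already does. The same widget gives its inputs the fixed ids `write`, `add` and `delete`, which collide if more than one rights widget is in the document at once (for example a details facet plus an add dialog). The empty `find_error` callbacks in `populate_select` and `populate_target_group_select` also hide a failed `*_find` call from the user.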
diff --git a/install/static/add.js b/install/static/add.js
index ef08ba32..782bb185 100644
--- a/install/static/add.js
+++ b/install/static/add.js
@@ -88,24 +88,34 @@ function ipa_add_dialog(spec) {
that.dialog_init();
};
- that.add = function(record, on_success, on_error) {
-
+ /* Fields that are not displayed directly, but that are managed by
+ another mechanism, such as the ACI permissions*/
+ that.additional_fields = [];
+ that.additional_field = function(field) {
+ that.additional_fields.push(field);
+ }
+
+ function save_field(field, record, args, options){
var pkey_name = IPA.metadata[that.entity_name].primary_key;
+ var value = record[field.name];
+ if (!value) return;
+ if (field.name == pkey_name) {
+ args.push(value);
+ } else {
+ options[field.name] = value;
+ }
+ }
+
+ that.add = function(record, on_success, on_error) {
var args = [];
var options = {};
for (var i=0; i<that.fields.length; i++) {
- var field = that.fields[i];
-
- var value = record[field.name];
- if (!value) continue;
-
- if (field.name == pkey_name) {
- args.push(value);
- } else {
- options[field.name] = value;
- }
+ save_field(that.fields[i], record, args, options);
+ }
+ for (var i=0; i<that.additional_fields.length; i++) {
+ save_field(that.additional_fields[i], record, args, options);
}
ipa_cmd('add', args, options, on_success, on_error, that.entity_name);
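Review bot: `save_field` looks up `IPA.metadata[that.entity_name].primary_key` again for every field and writes into the caller's `args` and `options`, and neither is stated anywhere. Reading `pkey_name` once in `that.add` and passing it in would keep the lookup out of the loop, and a comment such as `/* Appends the primary key to args; every other non-empty value goes into options. */` above `save_field` would document the mutation. A field registered through both `add_field` and `additional_field` would push the primary key into `args` twice, so the `additional_fields` comment should say the two lists must not overlap. `that.add` continues past the end of the hunk.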
diff --git a/install/static/details.js b/install/static/details.js
index 28de8975..1aeffb1d 100644
--- a/install/static/details.js
+++ b/install/static/details.js
@@ -79,6 +79,15 @@ function ipa_details_field(spec) {
}
if (that.values) {
+ /*
+ Too much logic currently assumes an array.
+ This is true everywhere but ACIs. */
+
+ if (!(that.values instanceof Array)){
+ that.values = [that.values];
+ }
+
+
dd = ipa_create_first_dd(that.name);
dd.append(ipa_details_field_create_input.call(that, that.values[0], hint_span, rights, 0));
dd.appendTo(that.container);
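Review bot: The `instanceof Array` test added here is repeated in the `get_primary_key` hunk below, and neither place says what shape the server is expected to return. `instanceof` is false for an array created in another frame, so `$.isArray(that.values)` is the safer check, and a small shared helper would keep the two sites in step. In `get_primary_key` the non-array branch returns `that.record[pkey_name]` as is, so a record without the key now yields `undefined` instead of throwing; if that is intended, a one-line comment there should say so. Both enclosing functions start and end outside their hunks.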
@@ -165,6 +174,7 @@ function ipa_details_section(spec){
field.entity_name = that.entity_name;
that.fields.push(field);
that.fields_by_name[field.name] = field;
+ return field;
};
that.create_field = function(spec) {
@@ -396,6 +406,7 @@ function ipa_details_facet(spec) {
section.entity_name = that.entity_name;
that.sections.push(section);
that.sections_by_name[section.name] = section;
+ return section;
};
that.create_section = function(spec) {
@@ -413,7 +424,11 @@ function ipa_details_facet(spec) {
that.get_primary_key = function() {
var pkey_name = IPA.metadata[that.entity_name].primary_key;
- return that.record[pkey_name][0];
+ if (that.record[pkey_name] instanceof Array){
+ return that.record[pkey_name][0];
+ }else{
+ return that.record[pkey_name];
+ }
};
that.get_section_header_prefix = function(visible) {
@@ -631,6 +646,11 @@ function ipa_details_update(on_win, on_fail)
for (var i=0; i<that.sections.length; i++) {
var section = that.sections[i];
+ if (section.save){
+ section.save(modlist);
+ continue;
+ }
+
var div = $('#'+that.entity_name+'-'+that.name+'-'+section.name, that.container);
for (var j=0; j<section.fields.length; j++) {
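Review bot: Any section that defines `save` now bypasses the per-field loop below completely, and that contract is not written down. `section.save(modlist)` is handed the object being built for the update and, going by `ipa_target_section` in aci.js, is expected to add its own keys to it; a comment above the `if`, for example `/* Sections with a custom save() write their values into modlist themselves; their fields are not processed here. */`, would make that explicit. Testing `typeof section.save === 'function'` rather than truthiness avoids calling a non-function property. The loop body continues outside the hunk.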
diff --git a/install/static/hbac.js b/install/static/hbac.js
index 29db3aa8..264b7c5a 100755
--- a/install/static/hbac.js
+++ b/install/static/hbac.js
@@ -121,15 +121,6 @@ function ipa_hbac_search_facet(spec) {
that.search_facet_create(container);
-
- container.children().last().prepend(
- $('<h2/>', { 'html': IPA.metadata.hbac.label }));
- container.children().last().prepend('<br/><br/>');
-
- };
-
- that.setup = function(container) {
- that.search_facet_setup(container);
};
return that;
diff --git a/install/static/hbacsvc.js b/install/static/hbacsvc.js
index 7f5793e2..dd2efee8 100755
--- a/install/static/hbacsvc.js
+++ b/install/static/hbacsvc.js
@@ -86,36 +86,6 @@ function ipa_hbacsvc_search_facet(spec) {
that.search_facet_init();
};
- that.create = function(container) {
- that.search_facet_create(container);
- container.children().last().prepend(
- $('<h2/>', { 'html': IPA.metadata.hbacsvc.label }));
- container.children().last().prepend('<br/><br/>');
- };
-
- that.setup = function(container) {
-
- that.search_facet_setup(container);
-
- var action_panel = that.get_action_panel();
-
- var li = $('li[title=hbac]', action_panel);
- li.click(function() {
- var state = {};
- state['hbac-entity'] = 'hbac';
- nav_push_state(state);
- return false;
- });
-
- li = $('li[title=hbacsvcgroup]', action_panel);
- li.click(function() {
- var state = {};
- state['hbac-entity'] = 'hbacsvcgroup';
- nav_push_state(state);
- return false;
- });
- };
-
return that;
}
diff --git a/install/static/hbacsvcgroup.js b/install/static/hbacsvcgroup.js
index 7db55713..e4b1eeac 100755
--- a/install/static/hbacsvcgroup.js
+++ b/install/static/hbacsvcgroup.js
@@ -92,35 +92,6 @@ function ipa_hbacsvcgroup_search_facet(spec) {
that.search_facet_init();
};
- that.create = function(container) {
- that.search_facet_create(container);
- container.children().last().prepend(
- $('<h2/>', { 'html':IPA.metadata.hbacsvcgroup.label }));
- container.children().last().prepend('<br/><br/>');
- };
-
- that.setup = function(container) {
-
- that.search_facet_setup(container);
-
- var action_panel = that.get_action_panel();
-
- var li = $('li[title=hbac]', action_panel);
- li.click(function() {
- var state = {};
- state['hbac-entity'] = 'hbac';
- nav_push_state(state);
- return false;
- });
-
- li = $('li[title=hbacsvc]', action_panel);
- li.click(function() {
- var state = {};
- state['hbac-entity'] = 'hbacsvc';
- nav_push_state(state);
- return false;
- });
- };
return that;
}
diff --git a/install/static/index.html b/install/static/index.html
index a2720103..1142000f 100644
--- a/install/static/index.html
+++ b/install/static/index.html
@@ -35,6 +35,7 @@
<script type="text/javascript" src="sudocmd.js"></script>
<script type="text/javascript" src="sudocmdgroup.js"></script>
<script type="text/javascript" src="policy.js"></script>
+ <script type="text/javascript" src="aci.js"></script>
<script type="text/javascript" src="develop.js"></script>
diff --git a/install/static/search.js b/install/static/search.js
index d5638697..061824cc 100644
--- a/install/static/search.js
+++ b/install/static/search.js
@@ -352,6 +352,11 @@ function ipa_search_facet(spec) {
var span = $('<span/>', { 'name': 'search' }).appendTo(container);
that.table.create(span);
+
+ container.children().last().prepend(
+ $('<h2/>', { 'html': IPA.metadata[that.entity_name].label }));
+ container.children().last().prepend('<br/>');
+
}
function setup(container) {
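Review bot: The heading is built with `'html': IPA.metadata[that.entity_name].label`, so the label from the server metadata is parsed as markup; now that this runs for every search facet, `'text'` is the safer property: `$('<h2/>', { 'text': IPA.metadata[that.entity_name].label })`. The lookup also throws when `IPA.metadata` has no entry for `that.entity_name`, which is worth guarding since this commit registers new entities. The enclosing function starts outside the hunk.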
diff --git a/install/static/serverconfig.js b/install/static/serverconfig.js
index e83274a8..bf5b5c81 100644
--- a/install/static/serverconfig.js
+++ b/install/static/serverconfig.js
@@ -23,30 +23,6 @@
-/* ACI */
-ipa_entity_set_search_definition('aci', [
- ['cn', 'ACI name', null]
-]);
-
-ipa_entity_set_add_definition('aci', [
- 'dialog-add-aci', 'Add New Aci', [
- ['cn', 'Name', null],
- ['description', 'Description', null],
- ]
-]);
-
-ipa_entity_set_details_definition('aci', [
- ipa_stanza({name:'ipaserver', label:'Aci Details'}).
- input({name:'cn', label:'Name'}).
- input({name:'description', label:'Description'})
-]);
-
-
-
-
-
-
-
/* Configuration */
ipa_entity_set_details_definition('config',[
diff --git a/install/static/sudocmd.js b/install/static/sudocmd.js
index edfc27d0..864063f6 100755
--- a/install/static/sudocmd.js
+++ b/install/static/sudocmd.js
@@ -86,38 +86,6 @@ function ipa_sudocmd_search_facet(spec) {
that.search_facet_init();
};
- that.create = function(container) {
-
- that.search_facet_create(container);
-
- container.children().last().prepend(
- $('<h2/>', { 'html': IPA.metadata.sudocmd.label }));
- container.children().last().prepend('<br/><br/>');
- };
-
- that.setup = function(container) {
-
- that.search_facet_setup(container);
-
- var action_panel = that.get_action_panel();
-
- var li = $('li[title=sudorule]', action_panel);
- li.click(function() {
- var state = {};
- state['sudorule-entity'] = 'sudorule';
- nav_push_state(state);
- return false;
- });
-
- li = $('li[title=sudocmdgroup]', action_panel);
- li.click(function() {
- var state = {};
- state['sudorule-entity'] = 'sudocmdgroup';
- nav_push_state(state);
- return false;
- });
- };
-
return that;
}
diff --git a/install/static/sudocmdgroup.js b/install/static/sudocmdgroup.js
index 6ebe8b1c..1fb5e189 100755
--- a/install/static/sudocmdgroup.js
+++ b/install/static/sudocmdgroup.js
@@ -92,39 +92,6 @@ function ipa_sudocmdgroup_search_facet(spec) {
that.search_facet_init();
};
- that.create = function(container) {
-
- that.search_facet_create(container);
-
- container.children().last().prepend(
- $('<h2/>', { 'html': IPA.metadata.sudocmdgroup.label }));
- container.children().last().prepend('<br/><br/>');
-
- };
-
- that.setup = function(container) {
-
- that.search_facet_setup(container);
-
- var action_panel = that.get_action_panel();
-
- var li = $('li[title=sudorule]', action_panel);
- li.click(function() {
- var state = {};
- state['sudorule-entity'] = 'sudorule';
- nav_push_state(state);
- return false;
- });
-
- li = $('li[title=sudocmd]', action_panel);
- li.click(function() {
- var state = {};
- state['sudorule-entity'] = 'sudocmd';
- nav_push_state(state);
- return false;
- });
- };
-
return that;
}
diff --git a/install/static/sudorule.js b/install/static/sudorule.js
index 66c010ed..c314ccd0 100755
--- a/install/static/sudorule.js
+++ b/install/static/sudorule.js
@@ -86,19 +86,6 @@ function ipa_sudorule_search_facet(spec) {
that.search_facet_init();
};
- that.create = function(container) {
- that.search_facet_create(container);
-
- container.children().last().prepend(
- $('<h2/>', { 'html': IPA.metadata.sudorule.label }));
- container.children().last().prepend('<br/><br/>');
-
- };
-
- that.setup = function(container) {
- that.search_facet_setup(container);
- };
-
return that;
}
diff --git a/install/static/test/aci_tests.html b/install/static/test/aci_tests.html
new file mode 100755
index 00000000..7cdbeffa
--- /dev/null
+++ b/install/static/test/aci_tests.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>Access Control Interface Test Suite</title>
+ <link rel="stylesheet" href="qunit.css" type="text/css" media="screen">
+ <script type="text/javascript" src="qunit.js"></script>
+
+
+
+ <script type="text/javascript" src="../jquery.js"></script>
+ <script type="text/javascript" src="../jquery.ba-bbq.js"></script>
+ <script type="text/javascript" src="../jquery-ui.js"></script>
+ <script type="text/javascript" src="../ipa.js"></script>
+ <script type="text/javascript" src="../widget.js"></script>
+ <script type="text/javascript" src="../details.js"></script>
+ <script type="text/javascript" src="../search.js"></script>
+ <script type="text/javascript" src="../add.js"></script>
+ <script type="text/javascript" src="../entity.js"></script>
+ <script type="text/javascript" src="../associate.js"></script>
+ <script type="text/javascript" src="../navigation.js"></script>
+ <script type="text/javascript" src="../aci.js"></script>
+
+ <script type="text/javascript" src="aci_tests.js"></script>
+</head>
+<body>
+ <h1 id="qunit-header">Certificate Test Suite</h1>
+ <h2 id="qunit-banner"></h2>
+ <div id="qunit-testrunner-toolbar"></div>
+ <h2 id="qunit-userAgent"></h2>
+ <ol id="qunit-tests"></ol>
+ <div id="qunit-fixture"></div>
+</body>
+</html>
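Review bot: The `<h1 id="qunit-header">` in the body still reads "Certificate Test Suite" while the `<title>` says "Access Control Interface Test Suite". It looks like a leftover from the page this file was copied from, and the QUnit header is what someone running the page actually sees. I would change it to `<h1 id="qunit-header">Access Control Interface Test Suite</h1>`. The run of empty lines after the `qunit.js` script tag can also be dropped.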
diff --git a/install/static/test/aci_tests.js b/install/static/test/aci_tests.js
new file mode 100644
index 00000000..76bff355
--- /dev/null
+++ b/install/static/test/aci_tests.js
@@ -0,0 +1,81 @@
+/* Authors:
+ * Endi Sukma Dewata <edewata@redhat.com>
+ *
+ * Copyright (C) 2010 Red Hat
+ * see file 'COPYING' for use and warranty information
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; version 2 only
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+
+var target_section;
+var aci_container;
+
+module('aci',{
+ setup: function() {
+ IPA.ajax_options.async = false;
+ IPA.init(
+ "data",
+ true,
+ function(data, text_status, xhr) {
+ ok(true, "ipa_init() succeeded.");
+ },
+ function(xhr, text_status, error_thrown) {
+ ok(false, "ipa_init() failed: "+error_thrown);
+ }
+ );
+ aci_container = $('<div id="aci"/>').appendTo(document.body);
+ target_section = ipa_target_section();
+ target_section.create(aci_container);
+ },
+ teardown: function() {
+ aci_container.remove();
+ }}
+);
+
+
+test("Testing aci grouptarget.", function() {
+ var sample_data_filter_only = {"targetgroup":"ipausers"};
+ target_section.load(sample_data_filter_only);
+ ok($('#aci_by_group')[0].checked, 'aci_by_group control selected');
+ ok ($('#aci_target_group_select option').length > 2,'group select populated');
+
+});
+
+
+
+test("Testing aci object type.", function() {
+ var sample_data_filter_only = {"type":"hostgroup"};
+ target_section.load(sample_data_filter_only);
+ ok($('.aci-attribute', aci_container).length > 4);
+ ok($('#aci_by_type')[0].checked, 'aci_by_type control selected');
+
+});
+
+
+test("Testing aci filter only.", function() {
+
+ var sample_data_filter_only = {"filter":"somevalue"};
+
+ target_section.load(sample_data_filter_only);
+
+ var filter_radio = $('#aci_by_filter');
+
+ ok(filter_radio.length,'find "filter_only_radio" control');
+ ok(filter_radio[0].checked,'filter_only_radio control is checked');
+
+});
+
+
+
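Review bot: The "grouptarget" and "object type" tests read `$('#aci_by_group')[0].checked` and `$('#aci_by_type')[0].checked` without first asserting that the selector matched anything. If a radio is not rendered, the test aborts with a TypeError instead of reporting which control is missing. The "filter only" test already guards this with `ok(filter_radio.length, ...)`; the other two should do the same, e.g. `ok($('#aci_by_group').length, 'find aci_by_group control');` before the `checked` assertion. The bare `ok($('.aci-attribute', aci_container).length > 4);` would also benefit from a message such as `'attribute checkboxes populated'`. Separately, `setup` sets `IPA.ajax_options.async = false` and `teardown` only removes the container; saving the previous value in `setup` and restoring it in `teardown` would keep this module from changing AJAX behaviour for any other test code on the same page.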
diff --git a/install/static/test/all_tests.html b/install/static/test/all_tests.html
index 64412b01..6a29daff 100644
--- a/install/static/test/all_tests.html
+++ b/install/static/test/all_tests.html
@@ -16,12 +16,14 @@
<script type="text/javascript" src="../associate.js"></script>
<script type="text/javascript" src="../navigation.js"></script>
<script type="text/javascript" src="../certificate.js"></script>
+ <script type="text/javascript" src="../aci.js"></script>
<script type="text/javascript" src="ipa_tests.js"></script>
<script type="text/javascript" src="details_tests.js"></script>
<script type="text/javascript" src="entity_tests.js"></script>
<script type="text/javascript" src="association_tests.js"></script>
<script type="text/javascript" src="navigation_tests.js"></script>
<script type="text/javascript" src="certificate_tests.js"></script>
+ <script type="text/javascript" src="aci_tests.js"></script>
</head>
<body>
<h1 id="qunit-header">Complete Test Suite</h1>
diff --git a/install/static/test/certificate_tests.html b/install/static/test/certificate_tests.html
index 90f09b21..5b411ff1 100755
--- a/install/static/test/certificate_tests.html
+++ b/install/static/test/certificate_tests.html
@@ -5,6 +5,8 @@
<link rel="stylesheet" href="qunit.css" type="text/css" media="screen">
<script type="text/javascript" src="qunit.js"></script>
<script type="text/javascript" src="../jquery.js"></script>
+ <script type="text/javascript" src="../jquery.ba-bbq.js"></script>
+ <script type="text/javascript" src="../jquery-ui.js"></script>
<script type="text/javascript" src="../ipa.js"></script>
<script type="text/javascript" src="../details.js"></script>
<script type="text/javascript" src="../search.js"></script>
diff --git a/install/static/test/certificate_tests.js b/install/static/test/certificate_tests.js
index cfa96b2b..c50ec186 100755
--- a/install/static/test/certificate_tests.js
+++ b/install/static/test/certificate_tests.js
@@ -18,6 +18,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+module('certificate');
+
test("Testing certificate_parse_dn().", function() {
same(
diff --git a/install/static/test/data/aci_find.json b/install/static/test/data/aci_find.json
index 3f0018c8..23077876 100644
--- a/install/static/test/data/aci_find.json
+++ b/install/static/test/data/aci_find.json
@@ -1,64 +1,63 @@
{
- "error": null,
- "id": 0,
+ "error": null,
+ "id": 6,
"result": {
- "count": 54,
+ "count": 53,
"result": [
- "(targetattr != \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey\")(version 3.0;acl \"Enable Anonymous access\";allow (read,search,compare) userdn = \"ldap:///anyone\";)",
- "(targetattr != \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId\")(version 3.0;acl \"Admin can manage any entry\";allow (all) groupdn = \"ldap:///cn=admins,cn=groupss,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword\")(version 3.0;acl \"Self can write own password\";allow (write) userdn = \"ldap:///self\";)",
- "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Admins can write passwords\";allow (add,delete,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Password change service can read/write passwords\";allow (read,write) userdn = \"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"KDC System Account can access passwords\";allow (all) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"KDC System Account can update some fields\";allow (write) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"Only the KDC System Account has access to kerberos material\";allow (read,search,compare) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr != \"aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || ipaUniqueId\")(targetfilter = \"(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))\")(version 3.0;acl \"Account Admins can manage Users and Groups\";allow (add,delete,read,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength\")(targetfilter = \"(objectClass=krbPwdPolicy)\")(version 3.0;acl \"Admins can write password policies\";allow (read,search,compare,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou\")(version 3.0;acl \"Self service\";allow (write) userdn = \"ldap:///self\";)",
- "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate status,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Get Certificates status from the CA\";allow (write) groupdn = \"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Hosts\";allow (add) groupdn = \"ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Users\";allow (delete) groupdn = \"ldap:///cn=removeusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify group membership\";allow (write) groupdn = \"ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Services\";allow (add) groupdn = \"ldap:///cn=addservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"cn || description\")(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Hosts\";allow (write) groupdn = \"ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Hosts\";allow (add) groupdn = \"ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Groups\";allow (add) groupdn = \"ldap:///cn=addgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"cn || description\")(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Roles\";allow (write) groupdn = \"ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"memberhost || externalhost || memberuser || member\")(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify netgroup membership\";allow (write) groupdn = \"ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userCertificate\")(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Services\";allow (write) groupdn = \"ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove automount maps\";allow (delete) groupdn = \"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove automount keys\";allow (delete) groupdn = \"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Services\";allow (delete) groupdn = \"ldap:///cn=removeservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Users\";allow (add) groupdn = \"ldap:///cn=addusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass\")(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Users\";allow (write) groupdn = \"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"member\")(target = \"ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add user to default group\";allow (write) groupdn = \"ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add automount keys\";allow (add) groupdn = \"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Remove entitlement entries\";allow (delete) groupdn = \"ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
- "(targetattr = \"krbPrincipalName || enrolledBy || objectClass\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Enroll a host\";allow (write) groupdn = \"ldap:///cn=enroll_host,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"change_password\";allow (write) groupdn = \"ldap:///cn=change_password,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove netgroups\";allow (delete) groupdn = \"ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"description\")(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify netgroups\";allow (write) groupdn = \"ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify role group membership\";allow (write) groupdn = \"ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"objectClass\")(target = \"ldap:///cn=request certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Request Certificates from the CA\";allow (write) groupdn = \"ldap:///cn=request_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"userCertificate\")(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Modify entitlements\";allow (write) groupdn = \"ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
- "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify task group membership\";allow (write) groupdn = \"ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Roles\";allow (add) groupdn = \"ldap:///cn=addroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate remove hold,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Certificate Remove Hold\";allow (write) groupdn = \"ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Roles\";allow (delete) groupdn = \"ldap:///cn=removeroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add automount maps\";allow (add) groupdn = \"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"cn || description || l || location || nshardwareplatform || nsosversion\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Hosts\";allow (write) groupdn = \"ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Hosts\";allow (delete) groupdn = \"ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add netgroups\";allow (add) groupdn = \"ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Hosts\";allow (delete) groupdn = \"ldap:///cn=removehosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Add entitlements\";allow (add) groupdn = \"ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
- "(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Groups\";allow (delete) groupdn = \"ldap:///cn=removegroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"objectClass\")(target = \"ldap:///cn=retrieve certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Retrieve Certificates from the CA\";allow (write) groupdn = \"ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"objectClass\")(target = \"ldap:///cn=revoke certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Revoke Certificate\";allow (write) groupdn = \"ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"krbPrincipalKey || krbLastPwdChange\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Manage host keytab\";allow (write) groupdn = \"ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"cn || description || gidnumber || objectclass || mepManagedBy\")(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Groups\";allow (write) groupdn = \"ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
- "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify host group membership\";allow (write) groupdn = \"ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr != \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey\")(version 3.0;acl \"Enable Anonymous access\";allow (read,search,compare) userdn = \"ldap:///anyone\";)",
+ "(targetattr != \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || ipaUniqueId || memberOf || serverHostName || enrolledBy\")(version 3.0;acl \"Admin can manage any entry\";allow (all) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword\")(version 3.0;acl \"Self can write own password\";allow (write) userdn = \"ldap:///self\";)",
+ "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Admins can write passwords\";allow (add,delete,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"Password change service can read/write passwords\";allow (read,write) userdn = \"ldap:///krbprincipalname=kadmin/changepw@AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"KDC System Account can access passwords\";allow (all) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"KDC System Account can update some fields\";allow (write) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"krbPrincipalName || krbCanonicalName || krbUPEnabled || krbMKey || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount\")(version 3.0;acl \"Only the KDC System Account has access to kerberos material\";allow (read,search,compare) userdn = \"ldap:///uid=kdc,cn=sysaccounts,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"krbMaxPwdLife || krbMinPwdLife || krbPwdMinDiffChars || krbPwdMinLength || krbPwdHistoryLength\")(targetfilter = \"(objectClass=krbPwdPolicy)\")(version 3.0;acl \"Admins can write password policies\";allow (read,search,compare,write) groupdn = \"ldap:///cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou\")(version 3.0;acl \"Self service\";allow (write) userdn = \"ldap:///self\";)",
+ "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate status,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Get Certificates status from the CA\";allow (write) groupdn = \"ldap:///cn=certificate_status,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Users\";allow (delete) groupdn = \"ldap:///cn=removeusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify group membership\";allow (write) groupdn = \"ldap:///cn=modifygroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Services\";allow (add) groupdn = \"ldap:///cn=addservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory\")(version 3.0;acl \"change_password\";allow (write) groupdn = \"ldap:///cn=change_password,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Groups\";allow (add) groupdn = \"ldap:///cn=addgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"cn || description\")(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Hostgroups\";allow (write) groupdn = \"ldap:///cn=modifyhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"cn || description\")(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Roles\";allow (write) groupdn = \"ldap:///cn=modifyroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"memberhost || externalhost || memberuser || member\")(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify netgroup membership\";allow (write) groupdn = \"ldap:///cn=modifynetgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userCertificate\")(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Services\";allow (write) groupdn = \"ldap:///cn=modifyservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Hostgroups\";allow (add) groupdn = \"ldap:///cn=addhostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove automount maps\";allow (delete) groupdn = \"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove automount keys\";allow (delete) groupdn = \"ldap:///cn=removeautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///krbprincipalname=*,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Services\";allow (delete) groupdn = \"ldap:///cn=removeservices,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Users\";allow (add) groupdn = \"ldap:///cn=addusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"cn || description || l || location || nshardwareplatform || nsosversion\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Hosts\";allow (write) groupdn = \"ldap:///cn=modifyhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"member\")(target = \"ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add user to default group\";allow (write) groupdn = \"ldap:///cn=add_user_to_default_group,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Hostgroups\";allow (delete) groupdn = \"ldap:///cn=removehostgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Remove entitlement entries\";allow (delete) groupdn = \"ldap:///cn=removeentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
+ "(targetattr = \"krbPrincipalName || enrolledBy || objectClass\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Enroll a host\";allow (write) groupdn = \"ldap:///cn=enroll_host,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Hosts\";allow (add) groupdn = \"ldap:///cn=addhosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove netgroups\";allow (delete) groupdn = \"ldap:///cn=removenetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"description\")(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify netgroups\";allow (write) groupdn = \"ldap:///cn=modifynetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify role group membership\";allow (write) groupdn = \"ldap:///cn=modifyrolegroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"objectClass\")(target = \"ldap:///cn=request certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Request Certificates from the CA\";allow (write) groupdn = \"ldap:///cn=request_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"userCertificate\")(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Modify entitlements\";allow (write) groupdn = \"ldap:///cn=modifyentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
+ "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify task group membership\";allow (write) groupdn = \"ldap:///cn=modifytaskgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add Roles\";allow (add) groupdn = \"ldap:///cn=addroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"objectClass\")(target = \"ldap:///cn=certificate remove hold,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Certificate Remove Hold\";allow (write) groupdn = \"ldap:///cn=certificate_remove_hold,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=rolegroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Roles\";allow (delete) groupdn = \"ldap:///cn=removeroles,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add automount maps\";allow (add) groupdn = \"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass\")(target = \"ldap:///uid=*,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Users\";allow (write) groupdn = \"ldap:///cn=modifyusers,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///ipauniqueid=*,cn=ng,cn=alt,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add netgroups\";allow (add) groupdn = \"ldap:///cn=addnetgroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Hosts\";allow (delete) groupdn = \"ldap:///cn=removehosts,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=greyoak,dc=com\")(version 3.0;acl \"Add entitlements\";allow (add) groupdn = \"ldap:///cn=addentitlements,cn=taskgroups,cn=accounts,dc=greyoak,dc=com\";)",
+ "(target = \"ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Add automount keys\";allow (add) groupdn = \"ldap:///cn=addautomount,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Remove Groups\";allow (delete) groupdn = \"ldap:///cn=removegroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"objectClass\")(target = \"ldap:///cn=retrieve certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Retrieve Certificates from the CA\";allow (write) groupdn = \"ldap:///cn=retrieve_certs,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"objectClass\")(target = \"ldap:///cn=revoke certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Revoke Certificate\";allow (write) groupdn = \"ldap:///cn=revoke_certificate,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"krbPrincipalKey || krbLastPwdChange\")(target = \"ldap:///fqdn=*,cn=computers,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Manage host keytab\";allow (write) groupdn = \"ldap:///cn=manage_host_keytab,cn=taskgroups, cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"cn || description || gidnumber || objectclass || mepManagedBy\")(target = \"ldap:///cn=*,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify Groups\";allow (write) groupdn = \"ldap:///cn=modifygroups,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
+ "(targetattr = \"member\")(target = \"ldap:///cn=*,cn=hostgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Modify host group membership\";allow (write) groupdn = \"ldap:///cn=modifyhostgroupmembership,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)",
"(targetattr = \"objectClass\")(target = \"ldap:///cn=request certificate different host,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\")(version 3.0;acl \"Request Certificates from a different host\";allow (write) groupdn = \"ldap:///cn=request_cert_different_host,cn=taskgroups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com\";)"
- ],
- "summary": "54 ACIs matched"
+ ],
+ "summary": "53 ACIs matched"
}
}
\ No newline at end of file
diff --git a/install/static/test/data/delegation_find.json b/install/static/test/data/delegation_find.json
new file mode 100644
index 00000000..82b31fc5
--- /dev/null
+++ b/install/static/test/data/delegation_find.json
@@ -0,0 +1,35 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 2,
+ "result": [
+ {
+ "aciname": "delegme",
+ "attrs": [
+ "cn"
+ ],
+ "filter": "(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "write"
+ ]
+ },
+ {
+ "aciname": "m2m",
+ "attrs": [
+ "title"
+ ],
+ "filter": "(memberOf=cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "write"
+ ]
+ }
+ ],
+ "summary": "2 delegations matched",
+ "truncated": false
+ }
+}
\ No newline at end of file
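Review bot: Each record here stores the target group under the key `membergroup`, but the delegation metadata this commit adds to ipa_init.json declares that parameter as `"name": "memberof"`, with `membergroup` only as its `cli_name`. A search or details view that looks fields up by the metadata `name` would presumably find no value for it in these records. Either the metadata and the fixtures should agree on one key, for example `"name": "membergroup",` in ipa_init.json, or the UI needs an explicit mapping that a test pins. The same key appears in delegation_list.json, delegation_mod.json and delegation_show.json.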
diff --git a/install/static/test/data/delegation_list.json b/install/static/test/data/delegation_list.json
new file mode 100644
index 00000000..d4d9fc06
--- /dev/null
+++ b/install/static/test/data/delegation_list.json
@@ -0,0 +1,35 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 2,
+ "result": [
+ {
+ "aciname": "delegme",
+ "attrs": [
+ "cn"
+ ],
+ "filter": "(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "write"
+ ]
+ },
+ {
+ "aciname": "m2m",
+ "attrs": [
+ "title"
+ ],
+ "filter": "(memberOf=cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "write"
+ ]
+ }
+ ],
+ "summary": "2 delegations matched",
+ "truncated": false
+ }
+}
\ No newline at end of file
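Review bot: The name delegation_list.json matches none of the methods the delegation entity declares in ipa_init.json (`add`, `del`, `find`, `mod`, `show`), and its visible content repeats delegation_find.json line for line. If no test requests a `delegation_list` fixture, the file should be dropped so the two copies cannot drift apart. If a test does request it, a short note in the test naming the call that loads it would explain why both files exist.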
diff --git a/install/static/test/data/delegation_mod.json b/install/static/test/data/delegation_mod.json
new file mode 100644
index 00000000..9f7da68b
--- /dev/null
+++ b/install/static/test/data/delegation_mod.json
@@ -0,0 +1,21 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "aciname": "m2m",
+ "attrs": [
+ "title"
+ ],
+ "filter": "(memberOf=cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=monsters,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "add",
+ "delete"
+ ]
+ },
+ "summary": "Modified delegation \"m2m\"",
+ "value": "m2m"
+ }
+}
\ No newline at end of file
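Review bot: The `permissions` array in this response holds `add` and `delete`, while the delegation parameter documented in ipa_init.json in this commit describes the accepted values as `(read, write)`. A fixture that models rights outside the documented set hides whether the edit form restricts the choice; if the form is meant to offer only the documented rights, the fixture should read `"permissions": ["read", "write"]`. If the server really accepts `add` and `delete` for a delegation, that is worth confirming against the plugin, because it widens what a delegation can grant.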
diff --git a/install/static/test/data/delegation_show.json b/install/static/test/data/delegation_show.json
new file mode 100644
index 00000000..9444c875
--- /dev/null
+++ b/install/static/test/data/delegation_show.json
@@ -0,0 +1,20 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "aciname": "delegme",
+ "attrs": [
+ "cn"
+ ],
+ "filter": "(memberOf=cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com)",
+ "group": "muppets",
+ "membergroup": "cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "permissions": [
+ "write"
+ ]
+ },
+ "summary": null,
+ "value": "delegme"
+ }
+}
\ No newline at end of file
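Review bot: The `filter` and `membergroup` values carry the capture host's own directory suffix, `dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com`, and aci_find.json in this commit mixes it with a second suffix, `dc=greyoak,dc=com`, so the fixtures appear to come from at least two different servers. Test data kept under install/static is better written against one neutral suffix, for example `"membergroup": "cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com"`, which keeps internal host naming out of the tree and makes the files consistent with each other. The same applies to delegation_find.json, delegation_list.json, delegation_mod.json and permission_add.json.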
diff --git a/install/static/test/data/ipa_init.json b/install/static/test/data/ipa_init.json
index 606f8482..3a5301e8 100644
--- a/install/static/test/data/ipa_init.json
+++ b/install/static/test/data/ipa_init.json
@@ -52,7 +52,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "key",
"cli_short_name": null,
"default": null,
@@ -78,7 +78,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "info",
"cli_short_name": null,
"default": null,
@@ -234,7 +234,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "map",
"cli_short_name": null,
"default": null,
@@ -295,7 +295,7 @@
"ipahomesrootdir",
"ipadefaultloginshell",
"ipadefaultprimarygroup",
- "ipadefaultdomain",
+ "ipadefaultemaildomain",
"ipasearchtimelimit",
"ipasearchrecordslimit",
"ipausersearchfields",
@@ -347,7 +347,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "homedirectory",
"cli_short_name": null,
"default": null,
@@ -497,7 +497,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "usersearch",
"cli_short_name": null,
"default": null,
@@ -523,7 +523,7 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
- "class": "Str",
+ "class": "IA5Str",
"cli_name": "groupsearch",
"cli_short_name": null,
"default": null,
@@ -586,7 +586,9 @@
"default": null,
"doc": "Base for certificate subjects (OU=Test,O=Example)",
"exclude": null,
- "flags": [],
+ "flags": [
+ "no_update"
+ ],
"hint": null,
"include": null,
"label": "Certificate Subject base",
@@ -601,6 +603,103 @@
"query": false,
"required": false,
"type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "groupobjectclasses",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Default group objectclassses (comma-separated list)",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Default group objectclasses",
+ "multivalue": true,
+ "name": "ipagroupobjectclasses",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "userobjectclasses",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Default user objectclassses (comma-separated list)",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Default user objectclasses",
+ "multivalue": true,
+ "name": "ipauserobjectclasses",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Int",
+ "cli_name": "pwdexpnotify",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Password Expiration Notification (days)",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Password Expiration Notification",
+ "maxvalue": null,
+ "minvalue": 0,
+ "multivalue": false,
+ "name": "ipapwdexpadvnotify",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "int"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "ipaconfigstring",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Extra hashes to generate in password plugin",
+ "exclude": null,
+ "flags": [
+ "no_update"
+ ],
+ "hint": null,
+ "include": null,
+ "label": "Password plugin features",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "ipaconfigstring",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode"
}
],
"uuid_attribute": ""
@@ -1614,6 +1713,151 @@
],
"uuid_attribute": ""
},
+ "delegation": {
+ "bindable": false,
+ "label": "Delegation",
+ "methods": [
+ "add",
+ "del",
+ "find",
+ "mod",
+ "show"
+ ],
+ "name": "delegation",
+ "object_name": [
+ "delegation"
+ ],
+ "object_name_plural": [
+ "delegation"
+ ],
+ "primary_key": "aciname",
+ "takes_params": [
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "name",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Delegation name",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Delegation name",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "aciname",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": true,
+ "query": false,
+ "required": true,
+ "type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "permissions",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Comma-separated list of permissions to grant (read, write). Default is write.",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Permissions",
+ "multivalue": true,
+ "name": "permissions",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "attrs",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Comma-separated list of attributes",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Attributes",
+ "multivalue": true,
+ "name": "attrs",
+ "primary_key": false,
+ "query": false,
+ "required": true,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "membergroup",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "User group to apply delegation to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Member user group",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "memberof",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": false,
+ "query": false,
+ "required": true,
+ "type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "group",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "User group ACI grants access to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "User group",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "group",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": false,
+ "query": false,
+ "required": true,
+ "type": "unicode"
+ }
+ ]
+ },
"dns": {
"default_attributes": [
"idnsname",
@@ -4887,7 +5131,7 @@
"objectclass",
"aci"
],
- "label": "Role Groups",
+ "label": "Role",
"methods": [
"add",
"add_member",
@@ -4966,6 +5210,99 @@
],
"uuid_attribute": ""
},
+ "selfservice": {
+ "bindable": false,
+ "label": "Self Service Permissions",
+ "methods": [
+ "add",
+ "del",
+ "find",
+ "mod",
+ "show"
+ ],
+ "name": "selfservice",
+ "object_name": [
+ "selfservice"
+ ],
+ "object_name_plural": [
+ "selfservice"
+ ],
+ "primary_key": "aciname",
+ "takes_params": [
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "name",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Self-Service name",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Self-Service name",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "aciname",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": true,
+ "query": false,
+ "required": true,
+ "type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "permissions",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Comma-separated list of permissions to grant (read, write). Default is write.",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Permissions",
+ "multivalue": true,
+ "name": "permissions",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "List",
+ "cli_name": "attrs",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Comma-separated list of attributes",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Attributes",
+ "multivalue": true,
+ "name": "attrs",
+ "primary_key": false,
+ "query": false,
+ "required": true,
+ "separator": ",",
+ "skipspace": true,
+ "type": "tuple"
+ }
+ ]
+ },
"service": {
"aciattrs": [
"ipaUniqueID",
@@ -5388,6 +5725,12 @@
"memberUser"
],
"attribute_members": {
+ "ipasudorunas": [
+ "user"
+ ],
+ "ipasudorunasgroup": [
+ "group"
+ ],
"memberallowcmd": [
"sudocmd",
"sudocmdgroup"
@@ -5409,7 +5752,15 @@
"container_dn": "cn=sudorules",
"default_attributes": [
"cn",
- "description"
+ "ipaenabledflag",
+ "description",
+ "usercategory",
+ "hostcategory",
+ "cmdcategory",
+ "memberuser",
+ "memberhost",
+ "memberallowcmd",
+ "memberdenycmd"
],
"hidden_attributes": [
"objectclass",
@@ -5421,13 +5772,19 @@
"add_allow_command",
"add_deny_command",
"add_host",
+ "add_runasgroup",
+ "add_runasuser",
"add_user",
"del",
+ "disable",
+ "enable",
"find",
"mod",
"remove_allow_command",
"remove_deny_command",
"remove_host",
+ "remove_runasgroup",
+ "remove_runasuser",
"remove_user",
"show"
],
@@ -5498,6 +5855,89 @@
{
"alwaysask": false,
"attribute": false,
+ "autofill": true,
+ "class": "Flag",
+ "cli_name": "ipaenabledflag",
+ "cli_short_name": null,
+ "default": false,
+ "doc": "Enabled",
+ "exclude": null,
+ "falsehoods": [
+ 0,
+ "0",
+ "false"
+ ],
+ "flags": [
+ "no_update",
+ "no_create",
+ "no_search"
+ ],
+ "hint": null,
+ "include": null,
+ "label": "Enabled",
+ "multivalue": false,
+ "name": "ipaenabledflag",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "truths": [
+ "1",
+ 1,
+ "true"
+ ],
+ "type": "bool"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "StrEnum",
+ "cli_name": "usercat",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "User category the rule applies to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "User category",
+ "multivalue": false,
+ "name": "usercategory",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode",
+ "values": [
+ "all"
+ ]
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "StrEnum",
+ "cli_name": "hostcat",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Host category the rule applies to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Host category",
+ "multivalue": false,
+ "name": "hostcategory",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode",
+ "values": [
+ "all"
+ ]
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
"autofill": false,
"class": "StrEnum",
"cli_name": "cmdcat",
@@ -5523,6 +5963,54 @@
"alwaysask": false,
"attribute": false,
"autofill": false,
+ "class": "StrEnum",
+ "cli_name": "runasusercat",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Run As User category the rule applies to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Run As User category",
+ "multivalue": false,
+ "name": "ipasudorunasusercategory",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode",
+ "values": [
+ "all"
+ ]
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "StrEnum",
+ "cli_name": "runasgroupcat",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Run As Group category the rule applies to",
+ "exclude": null,
+ "flags": [],
+ "hint": null,
+ "include": null,
+ "label": "Run As Group category",
+ "multivalue": false,
+ "name": "ipasudorunasgroupcategory",
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode",
+ "values": [
+ "all"
+ ]
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
"class": "Str",
"cli_name": "memberuser_user",
"cli_short_name": null,
@@ -5728,6 +6216,66 @@
"query": false,
"required": false,
"type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "ipasudorunas_user",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Run As User",
+ "exclude": null,
+ "flags": [
+ "no_update",
+ "no_create",
+ "no_search"
+ ],
+ "hint": null,
+ "include": null,
+ "label": "Run As User",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "ipasudorunas_user",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode"
+ },
+ {
+ "alwaysask": false,
+ "attribute": false,
+ "autofill": false,
+ "class": "Str",
+ "cli_name": "ipasudorunasgroup_group",
+ "cli_short_name": null,
+ "default": null,
+ "doc": "Run As Group",
+ "exclude": null,
+ "flags": [
+ "no_update",
+ "no_create",
+ "no_search"
+ ],
+ "hint": null,
+ "include": null,
+ "label": "Run As Group",
+ "length": null,
+ "maxlength": null,
+ "minlength": null,
+ "multivalue": false,
+ "name": "ipasudorunasgroup_group",
+ "pattern": null,
+ "pattern_errmsg": null,
+ "primary_key": false,
+ "query": false,
+ "required": false,
+ "type": "unicode"
}
],
"uuid_attribute": "ipauniqueid"
@@ -5742,139 +6290,77 @@
"gidNumber",
"uidNumber",
"homeDirectory",
- "radiusRealm",
- "radiusSimultaneousUse",
- "radiusProxyToRealm",
- "radiusReplicateToRealm",
- "radiusStripUserName",
- "dialupAccess",
- "radiusLoginTime",
- "radiusUserCategory",
- "radiusExpiration",
- "radiusCheckItem",
- "roomNumber",
- "photo",
- "mail",
- "krbLastPwdChange",
+ "manager",
+ "userCertificate",
+ "homePostalAddress",
"krbLoginFailedCount",
+ "krbLastSuccessfulAuth",
+ "title",
"userSMIMECertificate",
- "radiusNASIpAddress",
- "radiusReplyItem",
- "jpegPhoto",
- "krbPrincipalAliases",
- "telexNumber",
- "telephoneNumber",
- "facsimileTelephoneNumber",
- "teletexTerminalIdentifier",
- "internationalISDNNumber",
- "x121Address",
- "destinationIndicator",
- "registeredAddress",
- "radiusTunnelType",
- "krbPrincipalKey",
- "radiusTunnelClientEndpoint",
- "radiusVSA",
+ "krbPrincipalExpiration",
+ "roomNumber",
+ "photo",
+ "description",
"krbPrincipalName",
- "displayName",
- "preferredDeliveryMethod",
- "audio",
- "preferredLanguage",
- "krbExtraData",
- "krbCanonicalName",
- "radiusLoginIPHost",
- "krbTicketFlags",
+ "mail",
+ "employeeType",
"krbPwdHistory",
- "pager",
- "mobile",
+ "carLicense",
+ "departmentNumber",
+ "employeeNumber",
+ "inetUserHttpURL",
"memberOf",
- "krbUPEnabled",
- "krbPrincipalType",
- "krbTicketPolicyReference",
- "x500UniqueIdentifier",
- "krbMaxTicketLife",
- "givenName",
- "homePostalAddress",
- "radiusReplyMessage",
- "krbPrincipalExpiration",
- "userPKCS12",
- "radiusFramedProtocol",
- "radiusFramedRoute",
- "radiusFramedIPXNetwork",
- "radiusFramedMTU",
- "radiusFramedIPAddress",
- "radiusFramedIPNetmask",
- "radiusFramedAppleTalkZone",
- "radiusFramedCompression",
- "radiusFramedAppleTalkLink",
- "radiusFramedAppleTalkNetwork",
+ "displayName",
"st",
"street",
"l",
- "inetUserHttpURL",
- "inetUserStatus",
+ "krbMaxRenewableAge",
+ "jpegPhoto",
+ "audio",
+ "pager",
+ "secretary",
+ "preferredLanguage",
+ "krbExtraData",
+ "krbCanonicalName",
"o",
"ou",
- "title",
- "description",
+ "seeAlso",
+ "userPassword",
"businessCategory",
"postalAddress",
"postalCode",
"postOfficeBox",
"physicalDeliveryOfficeName",
+ "mobile",
"krbPwdPolicyReference",
- "secretary",
- "homePhone",
- "radiusLoginLATGroup",
- "krbLastFailedAuth",
- "radiusIdleTimeout",
- "radiusFramedRouting",
- "radiusLoginService",
- "radiusLoginLATService",
- "radiusLoginLATPort",
- "radiusLoginLATNode",
- "radiusPasswordRetry",
- "radiusLoginTCPPort",
- "radiusPortLimit",
- "manager",
- "radiusTerminationAction",
- "radiusTunnelAssignmentId",
- "radiusTunnelMediumType",
- "radiusTunnelPassword",
"labeledURI",
- "radiusPrompt",
- "radiusServiceType",
- "radiusSessionTimeout",
- "employeeType",
- "radiusTunnelPreference",
- "carLicense",
- "departmentNumber",
- "employeeNumber",
- "radiusTunnelPrivateGroupId",
- "userCertificate",
- "radiusTunnelServerEndpoint",
- "seeAlso",
- "userPassword",
- "radiusClientIPAddress",
- "radiusAuthType",
- "radiusHint",
- "radiusGroupName",
- "radiusProfileDn",
- "radiusHuntgroupName",
- "krbMaxRenewableAge",
+ "homePhone",
"krbPasswordExpiration",
- "krbLastSuccessfulAuth",
+ "inetUserStatus",
+ "krbLastPwdChange",
+ "krbMaxTicketLife",
+ "krbUPEnabled",
"loginShell",
+ "x500UniqueIdentifier",
+ "krbLastFailedAuth",
"gecos",
- "radiusCallbackId",
- "radiusCallbackNumber",
- "radiusCalledStationId",
- "radiusCallingStationId",
- "radiusArapFeatures",
- "radiusArapSecurity",
- "radiusArapZoneAccess",
+ "krbPrincipalKey",
+ "krbTicketFlags",
+ "krbPrincipalType",
+ "userPKCS12",
"initials",
- "radiusClass",
- "radiusFilterId"
+ "krbTicketPolicyReference",
+ "givenName",
+ "preferredDeliveryMethod",
+ "krbPrincipalAliases",
+ "telexNumber",
+ "telephoneNumber",
+ "facsimileTelephoneNumber",
+ "teletexTerminalIdentifier",
+ "internationalISDNNumber",
+ "x121Address",
+ "destinationIndicator",
+ "registeredAddress"
],
"attribute_members": {
"memberof": [
@@ -6683,19 +7169,19 @@
"Administrator"
],
"gidnumber": [
- "2120898932"
+ "66000000"
],
"homedirectory": [
"/home/admin"
],
"ipauniqueid": [
- "cc2d5b64-fe52-11df-a795-525400674dcd"
+ "c9e61ada-0703-11e0-addd-525400674dcd"
],
"krblastpwdchange": [
- "20101202203134Z"
+ "20101213215751Z"
],
"krbpasswordexpiration": [
- "20110302203134Z"
+ "20110313215751Z"
],
"krbprincipalname": [
"admin@AYOUNG.BOSTON.DEVEL.REDHAT.COM"
@@ -6729,7 +7215,7 @@
"admin"
],
"uidnumber": [
- "2120898932"
+ "66000000"
]
}
],
diff --git a/install/static/test/data/permission_add.json b/install/static/test/data/permission_add.json
new file mode 100644
index 00000000..2235b74c
--- /dev/null
+++ b/install/static/test/data/permission_add.json
@@ -0,0 +1,26 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "cn": [
+ "testperm"
+ ],
+ "description": [
+ "description"
+ ],
+ "dn": "cn=testperm,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "objectclass": [
+ "groupofnames",
+ "top"
+ ],
+ "permissions": [
+ "read",
+ "write"
+ ],
+ "targetgroup": "ipausers"
+ },
+ "summary": "Added permission \"testperm\"",
+ "value": "testperm"
+ }
+}
\ No newline at end of file
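Review bot: `targetgroup` is returned here as the bare group name `ipausers`, whereas permission_find.json in this commit returns the same field as a full `ldap:///cn=ipausers,cn=groups,...` URL. The commit message says ACI results need special handling, so both forms may be real server output, but nothing visible pins which one the permission details page expects. A test should cover both forms, or the fixtures should agree on one, so that the group shown after an add is the group the permission actually targets.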
diff --git a/install/static/test/data/permission_del b/install/static/test/data/permission_del
new file mode 100644
index 00000000..c1136898
--- /dev/null
+++ b/install/static/test/data/permission_del
@@ -0,0 +1,9 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": true,
+ "summary": "Deleted permission \"testperm\"",
+ "value": "testperm"
+ }
+}
\ No newline at end of file
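Review bot: This fixture is created as `permission_del` with no extension, while every other fixture in the visible part of the commit ends in `.json`. If the test harness builds fixture paths as the method name plus `.json`, which the naming of the other files suggests, a permission delete would not find this file. Renaming it to `install/static/test/data/permission_del.json` keeps it consistent; if Makefile.am lists the fixtures, the entry needs the same name.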
diff --git a/install/static/test/data/permission_find.json b/install/static/test/data/permission_find.json
new file mode 100644
index 00000000..0cd4d988
--- /dev/null
+++ b/install/static/test/data/permission_find.json
@@ -0,0 +1,887 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 47,
+ "result": [
+ {
+ "cn": [
+ "addusers"
+ ],
+ "description": [
+ "Add Users"
+ ],
+ "dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "useradmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "user"
+ },
+ {
+ "attrs": [
+ "userPassword",
+ "krbPrincipalKey",
+ "sambaLMPassword",
+ "sambaNTPassword",
+ "passwordHistory"
+ ],
+ "cn": [
+ "change_password"
+ ],
+ "description": [
+ "Change a user password"
+ ],
+ "dn": "cn=change_password,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "useradmin"
+ ],
+ "permissions": [
+ "write"
+ ]
+ },
+ {
+ "attrs": [
+ "member"
+ ],
+ "cn": [
+ "add_user_to_default_group"
+ ],
+ "description": [
+ "Add user to default group"
+ ],
+ "dn": "cn=add_user_to_default_group,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "useradmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "targetgroup": "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "removeusers"
+ ],
+ "description": [
+ "Remove Users"
+ ],
+ "dn": "cn=removeusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "useradmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "user"
+ },
+ {
+ "attrs": [
+ "givenName",
+ "sn",
+ "cn",
+ "displayName",
+ "title",
+ "initials",
+ "loginShell",
+ "gecos",
+ "homePhone",
+ "mobile",
+ "pager",
+ "facsimileTelephoneNumber",
+ "telephoneNumber",
+ "street",
+ "roomNumber",
+ "l",
+ "st",
+ "postalCode",
+ "manager",
+ "secretary",
+ "description",
+ "carLicense",
+ "labeledURI",
+ "inetUserHTTPURL",
+ "seeAlso",
+ "employeeType",
+ "businessCategory",
+ "ou",
+ "mepManagedEntry",
+ "objectclass"
+ ],
+ "cn": [
+ "modifyusers"
+ ],
+ "description": [
+ "Modify Users"
+ ],
+ "dn": "cn=modifyusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "useradmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "user"
+ },
+ {
+ "cn": [
+ "addgroups"
+ ],
+ "description": [
+ "Add Groups"
+ ],
+ "dn": "cn=addgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "groupadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "group"
+ },
+ {
+ "cn": [
+ "removegroups"
+ ],
+ "description": [
+ "Remove Groups"
+ ],
+ "dn": "cn=removegroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "groupadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "group"
+ },
+ {
+ "attrs": [
+ "cn",
+ "description",
+ "gidnumber",
+ "objectclass",
+ "mepManagedBy",
+ "ipaUniqueId"
+ ],
+ "cn": [
+ "modifygroups"
+ ],
+ "description": [
+ "Modify Groups"
+ ],
+ "dn": "cn=modifygroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "groupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "group"
+ },
+ {
+ "attrs": [
+ "member"
+ ],
+ "cn": [
+ "modifygroupmembership"
+ ],
+ "description": [
+ "Modify Group membership"
+ ],
+ "dn": "cn=modifygroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "groupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "group"
+ },
+ {
+ "cn": [
+ "addhosts"
+ ],
+ "description": [
+ "Add Hosts"
+ ],
+ "dn": "cn=addhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "host"
+ },
+ {
+ "cn": [
+ "removehosts"
+ ],
+ "description": [
+ "Remove Hosts"
+ ],
+ "dn": "cn=removehosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "host"
+ },
+ {
+ "attrs": [
+ "description",
+ "l",
+ "nshostlocation",
+ "nshardwareplatform",
+ "nsosversion"
+ ],
+ "cn": [
+ "modifyhosts"
+ ],
+ "description": [
+ "Modify Hosts"
+ ],
+ "dn": "cn=modifyhosts,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "host"
+ },
+ {
+ "cn": [
+ "addhostgroups"
+ ],
+ "description": [
+ "Add Hostgroups"
+ ],
+ "dn": "cn=addhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostgroupadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "hostgroup"
+ },
+ {
+ "cn": [
+ "removehostgroups"
+ ],
+ "description": [
+ "Remove Hostgroups"
+ ],
+ "dn": "cn=removehostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostgroupadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "hostgroup"
+ },
+ {
+ "attrs": [
+ "cn",
+ "description"
+ ],
+ "cn": [
+ "modifyhostgroups"
+ ],
+ "description": [
+ "Modify Hostgroups"
+ ],
+ "dn": "cn=modifyhostgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostgroupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "hostgroup"
+ },
+ {
+ "attrs": [
+ "member"
+ ],
+ "cn": [
+ "modifyhostgroupmembership"
+ ],
+ "description": [
+ "Modify Hostgroup membership"
+ ],
+ "dn": "cn=modifyhostgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostgroupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "hostgroup"
+ },
+ {
+ "cn": [
+ "addservices"
+ ],
+ "description": [
+ "Add Services"
+ ],
+ "dn": "cn=addservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "serviceadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "service"
+ },
+ {
+ "cn": [
+ "removeservices"
+ ],
+ "description": [
+ "Remove Services"
+ ],
+ "dn": "cn=removeservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "serviceadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "service"
+ },
+ {
+ "attrs": [
+ "userCertificate"
+ ],
+ "cn": [
+ "modifyservices"
+ ],
+ "description": [
+ "Modify Services"
+ ],
+ "dn": "cn=modifyservices,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "serviceadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "service"
+ },
+ {
+ "cn": [
+ "addroles"
+ ],
+ "description": [
+ "Add Roles"
+ ],
+ "dn": "cn=addroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "delegationadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "subtree": "ldap:///cn=*,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "removeroles"
+ ],
+ "description": [
+ "Remove Roles"
+ ],
+ "dn": "cn=removeroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "delegationadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "subtree": "ldap:///cn=*,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "cn",
+ "description"
+ ],
+ "cn": [
+ "modifyroles"
+ ],
+ "description": [
+ "Modify Roles"
+ ],
+ "dn": "cn=modifyroles,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "delegationadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=*,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "member"
+ ],
+ "cn": [
+ "modifyrolemembership"
+ ],
+ "description": [
+ "Modify Role Group membership"
+ ],
+ "dn": "cn=modifyrolemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "delegationadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=*,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "member"
+ ],
+ "cn": [
+ "modifyprivilegemembership"
+ ],
+ "description": [
+ "Modify privilege membership"
+ ],
+ "dn": "cn=modifyprivilegemembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "delegationadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=*,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "addautomountmaps"
+ ],
+ "description": [
+ "Add Automount maps"
+ ],
+ "dn": "cn=addautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "automountadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "subtree": "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "removeautomountmaps"
+ ],
+ "description": [
+ "Remove Automount maps"
+ ],
+ "dn": "cn=removeautomountmaps,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "automountadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "subtree": "ldap:///automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "addautomountkeys"
+ ],
+ "description": [
+ "Add Automount keys"
+ ],
+ "dn": "cn=addautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "automountadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "subtree": "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "removeautomountkeys"
+ ],
+ "description": [
+ "Remove Automount keys"
+ ],
+ "dn": "cn=removeautomountkeys,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "automountadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "subtree": "ldap:///automountkey=*,automountmapname=*,cn=automount,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "addnetgroups"
+ ],
+ "description": [
+ "Add netgroups"
+ ],
+ "dn": "cn=addnetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "netgroupadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "netgroup"
+ },
+ {
+ "cn": [
+ "removenetgroups"
+ ],
+ "description": [
+ "Remove netgroups"
+ ],
+ "dn": "cn=removenetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "netgroupadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "type": "netgroup"
+ },
+ {
+ "attrs": [
+ "description"
+ ],
+ "cn": [
+ "modifynetgroups"
+ ],
+ "description": [
+ "Modify netgroups"
+ ],
+ "dn": "cn=modifynetgroups,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "netgroupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "netgroup"
+ },
+ {
+ "attrs": [
+ "memberhost",
+ "externalhost",
+ "memberuser",
+ "member"
+ ],
+ "cn": [
+ "modifynetgroupmembership"
+ ],
+ "description": [
+ "Modify netgroup membership"
+ ],
+ "dn": "cn=modifynetgroupmembership,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "netgroupadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "netgroup"
+ },
+ {
+ "attrs": [
+ "krbPrincipalKey",
+ "krbLastPwdChange"
+ ],
+ "cn": [
+ "manage_host_keytab"
+ ],
+ "description": [
+ "Manage host keytab"
+ ],
+ "dn": "cn=manage_host_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostadmin",
+ "enrollhost"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "host"
+ },
+ {
+ "attrs": [
+ "krbPrincipalKey",
+ "krbLastPwdChange"
+ ],
+ "cn": [
+ "manage_service_keytab"
+ ],
+ "description": [
+ "Manage service keytab"
+ ],
+ "dn": "cn=manage_service_keytab,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "serviceadmin",
+ "admins"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "service"
+ },
+ {
+ "attrs": [
+ "enrolledBy",
+ "objectClass"
+ ],
+ "cn": [
+ "enroll_host"
+ ],
+ "description": [
+ "Enroll a host"
+ ],
+ "dn": "cn=enroll_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "hostadmin",
+ "enrollhost"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "type": "host"
+ },
+ {
+ "cn": [
+ "managereplica"
+ ],
+ "description": [
+ "Manage Replication Agreements"
+ ],
+ "dn": "cn=managereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "replicaadmin"
+ ],
+ "memberindirect": [
+ "uid=admin,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ]
+ },
+ {
+ "cn": [
+ "deletereplica"
+ ],
+ "description": [
+ "Delete Replication Agreements"
+ ],
+ "dn": "cn=deletereplica,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "replicaadmin"
+ ],
+ "memberindirect": [
+ "uid=admin,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "cn=admins,cn=groups,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ]
+ },
+ {
+ "cn": [
+ "addentitlements"
+ ],
+ "description": [
+ "Add Entitlements"
+ ],
+ "dn": "cn=addentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "entitlementadmin"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "subtree": "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "removeentitlements"
+ ],
+ "description": [
+ "Remove Entitlements"
+ ],
+ "dn": "cn=removeentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "entitlementadmin"
+ ],
+ "permissions": [
+ "delete"
+ ],
+ "subtree": "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "userCertificate"
+ ],
+ "cn": [
+ "modifyentitlements"
+ ],
+ "description": [
+ "Modify Entitlements"
+ ],
+ "dn": "cn=modifyentitlements,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "entitlementadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "retrieve_certs"
+ ],
+ "description": [
+ "Retrieve Certificates from the CA"
+ ],
+ "dn": "cn=retrieve_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=retrieve certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "request_certs"
+ ],
+ "description": [
+ "Request Certificates from the CA"
+ ],
+ "dn": "cn=request_certs,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=request certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "request_cert_different_host"
+ ],
+ "description": [
+ "Request Certificates from a different host"
+ ],
+ "dn": "cn=request_cert_different_host,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=request certificate different host,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "certificate_status"
+ ],
+ "description": [
+ "Get Certificates status from the CA"
+ ],
+ "dn": "cn=certificate_status,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=certificate status,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "revoke_certificate"
+ ],
+ "description": [
+ "Revoke Certificate"
+ ],
+ "dn": "cn=revoke_certificate,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=revoke certificate,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "attrs": [
+ "objectClass"
+ ],
+ "cn": [
+ "certificate_remove_hold"
+ ],
+ "description": [
+ "Certificate Remove Hold"
+ ],
+ "dn": "cn=certificate_remove_hold,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "certadmin"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "subtree": "ldap:///cn=certificate remove hold,cn=virtual operations,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "update_dns"
+ ],
+ "description": [
+ "DNS Servers Updates"
+ ],
+ "dn": "cn=update_dns,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member_privilege": [
+ "dnsadmin",
+ "dnsserver"
+ ],
+ "memberindirect": [
+ "krbprincipalname=dns/ipa.ayoung.boston.devel.redhat.com@ayoung.boston.devel.redhat.com,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ]
+ }
+ ],
+ "summary": "47 permissions matched",
+ "truncated": false
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/permission_show.json b/install/static/test/data/permission_show.json
new file mode 100644
index 00000000..ac12ef0e
--- /dev/null
+++ b/install/static/test/data/permission_show.json
@@ -0,0 +1,41 @@
+{
+ "error": null,
+ "id": 6,
+ "result": {
+ "result": {
+ "attributelevelrights": {
+ "aci": "rscwo",
+ "businesscategory": "rscwo",
+ "cn": "rscwo",
+ "description": "rscwo",
+ "member": "rscwo",
+ "nsaccountlock": "rscwo",
+ "o": "rscwo",
+ "objectclass": "rscwo",
+ "ou": "rscwo",
+ "owner": "rscwo",
+ "seealso": "rscwo"
+ },
+ "cn": [
+ "addusers"
+ ],
+ "description": [
+ "Add Users"
+ ],
+ "dn": "cn=addusers,cn=permissions,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "member": [
+ "cn=useradmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ],
+ "objectclass": [
+ "top",
+ "groupofnames"
+ ],
+ "permissions": [
+ "add"
+ ],
+ "type": "user"
+ },
+ "summary": null,
+ "value": "addusers"
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/privilege_find.json b/install/static/test/data/privilege_find.json
new file mode 100644
index 00000000..c48c4a0e
--- /dev/null
+++ b/install/static/test/data/privilege_find.json
@@ -0,0 +1,215 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 14,
+ "result": [
+ {
+ "cn": [
+ "useradmin"
+ ],
+ "description": [
+ "User Administrators"
+ ],
+ "dn": "cn=useradmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addusers",
+ "change_password",
+ "add_user_to_default_group",
+ "removeusers",
+ "modifyusers"
+ ]
+ },
+ {
+ "cn": [
+ "groupadmin"
+ ],
+ "description": [
+ "Group Administrators"
+ ],
+ "dn": "cn=groupadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addgroups",
+ "removegroups",
+ "modifygroups",
+ "modifygroupmembership"
+ ]
+ },
+ {
+ "cn": [
+ "hostadmin"
+ ],
+ "description": [
+ "Host Administrators"
+ ],
+ "dn": "cn=hostadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addhosts",
+ "removehosts",
+ "modifyhosts",
+ "manage_host_keytab",
+ "enroll_host"
+ ]
+ },
+ {
+ "cn": [
+ "hostgroupadmin"
+ ],
+ "description": [
+ "Host Group Administrators"
+ ],
+ "dn": "cn=hostgroupadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addhostgroups",
+ "removehostgroups",
+ "modifyhostgroups",
+ "modifyhostgroupmembership"
+ ]
+ },
+ {
+ "cn": [
+ "delegationadmin"
+ ],
+ "description": [
+ "Role administration"
+ ],
+ "dn": "cn=delegationadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addroles",
+ "removeroles",
+ "modifyroles",
+ "modifyrolemembership",
+ "modifyprivilegemembership"
+ ]
+ },
+ {
+ "cn": [
+ "serviceadmin"
+ ],
+ "description": [
+ "Service Administrators"
+ ],
+ "dn": "cn=serviceadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addservices",
+ "removeservices",
+ "modifyservices",
+ "manage_service_keytab"
+ ]
+ },
+ {
+ "cn": [
+ "automountadmin"
+ ],
+ "description": [
+ "Automount Administrators"
+ ],
+ "dn": "cn=automountadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addautomountmaps",
+ "removeautomountmaps",
+ "addautomountkeys",
+ "removeautomountkeys"
+ ]
+ },
+ {
+ "cn": [
+ "netgroupadmin"
+ ],
+ "description": [
+ "Netgroups Administrators"
+ ],
+ "dn": "cn=netgroupadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addnetgroups",
+ "removenetgroups",
+ "modifynetgroups",
+ "modifynetgroupmembership"
+ ]
+ },
+ {
+ "cn": [
+ "certadmin"
+ ],
+ "description": [
+ "Certificate Administrators"
+ ],
+ "dn": "cn=certadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "retrieve_certs",
+ "request_certs",
+ "request_cert_different_host",
+ "certificate_status",
+ "revoke_certificate",
+ "certificate_remove_hold"
+ ]
+ },
+ {
+ "cn": [
+ "replicaadmin"
+ ],
+ "description": [
+ "Replication Administrators"
+ ],
+ "dn": "cn=replicaadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberindirect": [
+ "uid=admin,cn=users,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ],
+ "memberof_permission": [
+ "managereplica",
+ "deletereplica"
+ ]
+ },
+ {
+ "cn": [
+ "enrollhost"
+ ],
+ "description": [
+ "Host Enrollment"
+ ],
+ "dn": "cn=enrollhost,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "manage_host_keytab",
+ "enroll_host"
+ ]
+ },
+ {
+ "cn": [
+ "entitlementadmin"
+ ],
+ "description": [
+ "Entitlement Administrators"
+ ],
+ "dn": "cn=entitlementadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberof_permission": [
+ "addentitlements",
+ "removeentitlements",
+ "modifyentitlements"
+ ]
+ },
+ {
+ "cn": [
+ "dnsadmin"
+ ],
+ "description": [
+ "DNS Administrators"
+ ],
+ "dn": "cn=dnsadmin,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ },
+ {
+ "cn": [
+ "dnsserver"
+ ],
+ "description": [
+ "DNS Servers"
+ ],
+ "dn": "cn=dnsserver,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberindirect": [
+ "krbprincipalname=dns/ipa.ayoung.boston.devel.redhat.com@ayoung.boston.devel.redhat.com,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ]
+ }
+ ],
+ "summary": "14 privileges matched",
+ "truncated": false
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/privilege_show.json b/install/static/test/data/privilege_show.json
new file mode 100644
index 00000000..7d9328aa
--- /dev/null
+++ b/install/static/test/data/privilege_show.json
@@ -0,0 +1,39 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "attributelevelrights": {
+ "aci": "rscwo",
+ "businesscategory": "rscwo",
+ "cn": "rscwo",
+ "description": "rscwo",
+ "member": "rscwo",
+ "memberof": "rsc",
+ "nsaccountlock": "rscwo",
+ "o": "rscwo",
+ "objectclass": "rscwo",
+ "ou": "rscwo",
+ "owner": "rscwo",
+ "seealso": "rscwo"
+ },
+ "cn": [
+ "dnsserver"
+ ],
+ "description": [
+ "DNS Servers"
+ ],
+ "dn": "cn=dnsserver,cn=privileges,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "memberindirect": [
+ "krbprincipalname=dns/ipa.ayoung.boston.devel.redhat.com@ayoung.boston.devel.redhat.com,cn=services,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ ],
+ "objectclass": [
+ "top",
+ "groupofnames",
+ "nestedgroup"
+ ]
+ },
+ "summary": null,
+ "value": "dnsserver"
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/role_find.json b/install/static/test/data/role_find.json
new file mode 100644
index 00000000..af013803
--- /dev/null
+++ b/install/static/test/data/role_find.json
@@ -0,0 +1,20 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 1,
+ "result": [
+ {
+ "cn": [
+ "helpdesk"
+ ],
+ "description": [
+ "Helpdesk"
+ ],
+ "dn": "cn=helpdesk,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"
+ }
+ ],
+ "summary": "1 role matched",
+ "truncated": false
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/role_show.json b/install/static/test/data/role_show.json
new file mode 100644
index 00000000..9ad8dd68
--- /dev/null
+++ b/install/static/test/data/role_show.json
@@ -0,0 +1,36 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "attributelevelrights": {
+ "aci": "rscwo",
+ "businesscategory": "rscwo",
+ "cn": "rscwo",
+ "description": "rscwo",
+ "member": "rscwo",
+ "memberof": "rsc",
+ "nsaccountlock": "rscwo",
+ "o": "rscwo",
+ "objectclass": "rscwo",
+ "ou": "rscwo",
+ "owner": "rscwo",
+ "seealso": "rscwo"
+ },
+ "cn": [
+ "helpdesk"
+ ],
+ "description": [
+ "Helpdesk"
+ ],
+ "dn": "cn=helpdesk,cn=roles,cn=accounts,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "objectclass": [
+ "top",
+ "groupofnames",
+ "nestedgroup"
+ ]
+ },
+ "summary": null,
+ "value": "helpdesk"
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/selfservice_find.json b/install/static/test/data/selfservice_find.json
new file mode 100644
index 00000000..91db6e40
--- /dev/null
+++ b/install/static/test/data/selfservice_find.json
@@ -0,0 +1,24 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "count": 1,
+ "result": [
+ {
+ "aciname": "Self can write own password",
+ "attrs": [
+ "userPassword",
+ "krbPrincipalKey",
+ "sambaLMPassword",
+ "sambaNTPassword"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "selfaci": true
+ }
+ ],
+ "summary": "1 selfservice matched",
+ "truncated": false
+ }
+} \ No newline at end of file
diff --git a/install/static/test/data/selfservice_show.json b/install/static/test/data/selfservice_show.json
new file mode 100644
index 00000000..358e6592
--- /dev/null
+++ b/install/static/test/data/selfservice_show.json
@@ -0,0 +1,21 @@
+{
+ "error": null,
+ "id": 0,
+ "result": {
+ "result": {
+ "aciname": "Self can write own password",
+ "attrs": [
+ "userPassword",
+ "krbPrincipalKey",
+ "sambaLMPassword",
+ "sambaNTPassword"
+ ],
+ "permissions": [
+ "write"
+ ],
+ "selfaci": true
+ },
+ "summary": null,
+ "value": "Self can write own password"
+ }
+} \ No newline at end of file
diff --git a/install/static/test/details_tests.js b/install/static/test/details_tests.js
index f0b8e15c..baed80ce 100644
--- a/install/static/test/details_tests.js
+++ b/install/static/test/details_tests.js
@@ -19,6 +19,8 @@
*/
+module('details');
+
test("Testing ipa_details_section.create().", function() {
IPA.ajax_options.async = false;
diff --git a/install/static/test/entity_tests.js b/install/static/test/entity_tests.js
index 78fb5f4b..4b60c3e9 100644
--- a/install/static/test/entity_tests.js
+++ b/install/static/test/entity_tests.js
@@ -18,6 +18,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+module('entity');
+
test('Testing ipa_entity_set_search_definition().', function() {
var uid_callback = function() {
diff --git a/install/static/test/index.html b/install/static/test/index.html
index 5467a683..78b41e9b 100644
--- a/install/static/test/index.html
+++ b/install/static/test/index.html
@@ -30,6 +30,7 @@
<li><a href="association_tests.html">Association Test Suite</a>
<li><a href="navigation_tests.html">Navigation Test Suite</a>
<li><a href="certificate_tests.html">Certificate Test Suite</a>
+ <li><a href="aci_tests.html">Access Control Interface Test Suite</a>
</ul>
</div>
diff --git a/install/static/test/ipa_tests.js b/install/static/test/ipa_tests.js
index ec95f686..23190c1f 100644
--- a/install/static/test/ipa_tests.js
+++ b/install/static/test/ipa_tests.js
@@ -18,6 +18,8 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+module('ipa');
+
test("Testing ipa_init().", function() {
expect(1);
diff --git a/install/static/test/navigation_tests.js b/install/static/test/navigation_tests.js
index f8e58026..4321939f 100644
--- a/install/static/test/navigation_tests.js
+++ b/install/static/test/navigation_tests.js
@@ -19,7 +19,7 @@
*/
-
+module('navigation');
test("Testing nav_create().", function() {
diff --git a/install/static/webui.js b/install/static/webui.js
index 47d4f3cb..de90b72f 100644
--- a/install/static/webui.js
+++ b/install/static/webui.js
@@ -47,6 +47,12 @@ var admin_tab_set = [
{name:'krbtpolicy', entity:'krbtpolicy'}
]},
{name:'ipaserver', children: [
+ {name:'role',entity:'role' ,children:[
+ {name:'privilege',entity:'privilege' },
+ {name:'permission', entity:'permission'}
+ ]},
+ {name:'selfservice' ,entity:'selfservice'},
+ {name:'delegation' ,entity:'delegation'},
{name:'config', entity:'config'}
]}
];
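Review bot: The added entries space their commas inconsistently (`entity:'role' ,children:[`, `{name:'selfservice' ,entity:'selfservice'}`), while the neighbouring line writes `{name:'config', entity:'config'}`. Normalising them to `{name:'role', entity:'role', children:[` keeps the table readable. A short comment above the block would also help, for example `// ACI management tabs; showing them here is presentation only, the server must authorize each call`. The array starts outside the hunk, so it cannot be judged from here whether other tab sets need the same entries.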
diff --git a/install/static/widget.js b/install/static/widget.js
index 322bdd1a..07973c7f 100755
--- a/install/static/widget.js
+++ b/install/static/widget.js
@@ -686,7 +686,11 @@ function ipa_table_widget(spec) {
var name = that.columns[i].name;
var values = result[name];
if (!values) continue;
- record[name] = values[index];
+ if (values instanceof Array){
+ record[name] = values[index];
+ }else{
+ record[name] = values;
+ }
}
return record;
};
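Review bot: Now that scalar values are accepted, the unchanged guard `if (!values) continue;` above the new branch silently drops legitimate falsy scalars such as `false`, `0` or `''`. An access-control flag that is false would then render as blank instead of showing its value; `if (values === undefined || values === null) continue;` keeps those. `values instanceof Array` is also false for an array created in another frame, so if jQuery is loaded on this page `$.isArray(values)` is the safer test. A scalar is copied to every `index`, which looks intended for single-record results but deserves a one-line comment. The enclosing function starts outside the hunk.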
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index f68e7799..6ed22442 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -138,6 +138,8 @@ class delegation(Object):
json_dict = dict(
(a, getattr(self, a)) for a in json_friendly_attributes
)
+ json_dict['primary_key'] = self.primary_key.name
+
json_dict['methods'] = [m for m in self.methods]
return json_dict
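Review bot: `json_dict['primary_key'] = self.primary_key.name` dereferences `self.primary_key` without a check, and the identical line is added to `selfservice` in ipalib/plugins/selfservice.py. If `primary_key` can be None (not visible from the hunk), this raises AttributeError while the metadata is being built; a guarded form is `if self.primary_key: json_dict['primary_key'] = self.primary_key.name`. Both methods now carry the same hand-copied body, so a shared helper on the base class would keep them from drifting apart. The method starts outside the hunk.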
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index bf1eccfd..9152895a 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -70,7 +70,7 @@ class selfservice(Object):
bindable = False
object_name = 'selfservice',
object_name_plural = 'selfservice',
- label = _('Permissions')
+ label = _('Self Service Permissions')
takes_params = (
Str('aciname',
@@ -101,6 +101,7 @@ class selfservice(Object):
json_dict = dict(
(a, getattr(self, a)) for a in json_friendly_attributes
)
+ json_dict['primary_key'] = self.primary_key.name
json_dict['methods'] = [m for m in self.methods]
return json_dict