author | Adam Young <ayoung@redhat.com> | 2011-07-05 17:59:05 -0400 |
---|---|---|
committer | Endi S. Dewata <edewata@redhat.com> | 2011-07-06 21:52:00 +0000 |
commit | e4a444ba8159f890daa124d1c546b977a91b9f32 (patch) | |
tree | 3a8110eaff3d2d695c4a0592f0f920b361a6a4c3 /install/ui | |
parent | aca908e1e4d08d52a95edca2013c510abe2d1788 (diff) | |
HBAC deny warning
shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red.
Only shows up for administrators, not for self service users.
https://fedorahosted.org/freeipa/ticket/1421
Diffstat (limited to 'install/ui')
-rw-r--r-- | install/ui/hbac.js | 53 | ||||
-rw-r--r-- | install/ui/ipa.css | 5 | ||||
-rw-r--r-- | install/ui/ipa.js | 9 | ||||
-rwxr-xr-x | install/ui/test/bin/update_ipa_init.sh | 2 | ||||
-rw-r--r-- | install/ui/test/data/hbacrule_find.json | 58 | ||||
-rw-r--r-- | install/ui/test/data/ipa_init.json | 64 | ||||
-rw-r--r-- | install/ui/webui.js | 6 | ||||
-rw-r--r-- | install/ui/widget.js | 5 |
8 files changed, 171 insertions, 31 deletions
diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index c082056b..dc85d572 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -26,7 +26,21 @@ IPA.entity_factories.hbacrule = function () {
 return IPA.entity_builder().
 entity('hbacrule').
 search_facet({
- columns:['cn','usercategory','hostcategory','ipaenabledflag',
+ columns:['cn',
+ {
+ factory: IPA.column,
+ name:'accessruletype',
+ setup : function(container,record){
+ container.empty();
+ var value = record[this.name];
+ value = value ? value.toString() : '';
+ if (value === 'deny'){
+ container.addClass('hbac-deny-rule');
+ }
+ container.append(value);
+ }
+ },
+ 'usercategory','hostcategory','ipaenabledflag',
 'servicecategory','sourcehostcategory']
 }).
 details_facet({
@@ -996,3 +1010,40 @@ IPA.hbacrule_accesstime_widget = function (spec) {
 return that;
 };
+
+IPA.hbac_deny_warning_dialog = function (container) {
+ var dialog = IPA.dialog({
+ 'title': 'HBAC Deny Rules found'
+ });
+
+ var link_path = "config";
+ if (IPA.use_static_files){
+ link_path = "html";
+ }
+
+ dialog.create = function() {
+ dialog.container.append(
+ "HBAC rules with type deny have been found."+
+ " These rules have been deprecated." +
+ " Please remove them, and restructure the HBAC rules." );
+ $('<p/>').append($('<a/>',{
+ text: 'Click here for more information',
+ href: '../' +link_path +'/hbac-deny-remove.html',
+ target: "_blank",
+ style: 'target: tab; color: blue; '
+ })).appendTo(dialog.container);
+ };
+
+ dialog.add_button('Edit HBAC Rules', function() {
+ dialog.close();
+ IPA.nav.show_page('hbacrule', 'search');
+ });
+
+ dialog.add_button('Ignore for now', function() {
+ dialog.close();
+ });
+
+ dialog.init();
+
+ dialog.open();
+};
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 38b5a911..c3215ef3 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
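Review bot: In the new `setup` for the `accessruletype` column, `container.append(value)` hands a server-supplied string to jQuery as markup, so any HTML in the record would be parsed rather than shown as text. The value is expected to be `allow` or `deny`, but nothing on the client enforces that; `container.text(value);` sets it as text and makes the preceding `container.empty();` unnecessary. The function also reads `this.name`, which is the column only if `setup` is invoked as a method of it (the assignment in widget.js suggests so, but the call site is not in this diff); a short comment stating that assumption would help. The surrounding `search_facet({...})` call continues outside the hunk.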
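Review bot: `IPA.hbac_deny_warning_dialog` declares a `container` parameter that the body never uses, and the only caller in this commit (webui.js) passes nothing; `IPA.hbac_deny_warning_dialog = function () {` avoids implying the dialog attaches to a caller-supplied element. In the link attributes, `style: 'target: tab; color: blue; '` contains `target: tab`, which is not a CSS property and has no effect, so it can be reduced to `'color: blue;'`. Since the link opens with `target: "_blank"`, adding `rel: 'noopener'` to the attribute map is cheap hardening even though the href is a relative path. The title, message and button labels are hard-coded English while webui.js takes its text from `IPA.messages`, and a one-line comment above the function saying it warns about deprecated deny rules and offers navigation to the HBAC search page would document it.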
@@ -645,6 +645,11 @@ div.tabs {
 padding-left: 0.5em;
 }
+.hbac-deny-rule {
+ color: red;
+}
+
+
 .search-table tfoot td {
 padding: 0.5em 0 0 1em;
 border-top: 1px solid #dfdfdf;
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 4f194739..4b505235 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -123,6 +123,15 @@ var IPA = ( function () {
 }
 }));
+ batch.add_command(IPA.command({
+ entity: 'hbacrule',
+ method: 'find',
+ options:{"accessruletype":"deny"},
+ on_success: function(data, text_status, xhr) {
+ that.hbac_deny_rules = data;
+ }
+ }));
+
 batch.execute();
 };
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 5cdeacaa..23852a26 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -17,4 +17,4 @@ fi
-curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"i18n_messages","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, {"method":"env","params":[[],{}]}, {"method":"dns_is_enabled","params":[[],{}]} ],{}],"id":1}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
+curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u : --cacert /etc/ipa/ca.crt -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}' -X POST https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index fd95d9f5..3801a7d4 100644
--- a/install/ui/test/data/hbacrule_find.json
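Review bot: The added `hbacrule` `find` is queued in the init batch for every session, before the client knows whether the user is an administrator, and the command has no `on_error` handler. The admin check in webui.js only decides whether the dialog opens, so what a self-service user gets back depends entirely on server-side access control, which this diff does not show and is worth confirming. A failed lookup leaves `that.hbac_deny_rules` undefined, which webui.js treats the same as "no deny rules", so the warning would disappear silently; an `on_error` callback that records the failure would make that visible. Only `count` is read later, so `that.hbac_deny_rules = data;` keeps the whole rule list in memory where `that.hbac_deny_rules = { count: data.count };` would do. The enclosing init function starts and ends outside the hunk.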
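Review bot: The rewritten `curl` line still sends `Accept:applicaton/json`, which is a misspelled media type; it should read `-H "Accept:application/json"`. The script writes the live response, including the `user_find` result requested with `"whoami":true,"all":true`, to `$INIT_FILE`, and the ipa_init.json fixture in this commit shows realm names, host names and Kerberos attributes from the server it was captured on; a comment such as `# output is captured from a live server: scrub realm, host and principal data before committing` would warn whoever regenerates it next. `$INIT_FILE` is unquoted in the redirect, so `> "$INIT_FILE"` is safer if the path ever contains spaces.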
+++ b/install/ui/test/data/hbacrule_find.json @@ -1,54 +1,74 @@ { - "error": null, - "id": 0, + "error": null, + "id": null, "result": { - "count": 2, + "count": 4, "result": [ { "accessruletype": [ "allow" - ], + ], "cn": [ "allow_all" - ], + ], "description": [ "Allow all users to access any host from any host" - ], - "dn": "ipauniqueid=b7567b5a-e39311df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com", + ], + "dn": "ipauniqueid=ca842a42-a445-11e0-87ff-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "hostcategory": [ "all" - ], + ], "ipaenabledflag": [ "TRUE" - ], + ], "servicecategory": [ "all" - ], + ], "sourcehostcategory": [ "all" - ], + ], "usercategory": [ "all" ] }, { "accessruletype": [ - "allow" + "deny" + ], + "cn": [ + "deny1" ], - "accesstime": [ - "periodic daily 0800-1400", - "absolute 201012161032 ~ 201012161033" + "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + }, + { + "accessruletype": [ + "deny" + ], + "cn": [ + "deny2" + ], + "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", + "ipaenabledflag": [ + "TRUE" + ] + }, + { + "accessruletype": [ + "deny" ], "cn": [ - "test" + "deny3" ], - "dn": "ipauniqueid=3b6d2a82-e3b511df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com", + "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com", "ipaenabledflag": [ "TRUE" ] } - ], - "summary": null, + ], + "summary": "4 HBAC rules matched", "truncated": false } } diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json index 5b4dadfc..a6700210 100644 --- a/install/ui/test/data/ipa_init.json +++ b/install/ui/test/data/ipa_init.json 
@@ -1,8 +1,8 @@ { "error": null, - "id": 1, + "id": null, "result": { - "count": 5, + "count": 6, "results": [ { "error": null, @@ -8266,7 +8266,8 @@ "ipausersearchfields", "ipagroupsearchfields", "ipamigrationenabled", - "ipacertificatesubjectbase" + "ipacertificatesubjectbase", + "ipapwdexpadvnotify" ], "hidden_attributes": [ "objectclass", @@ -12117,7 +12118,7 @@ "aciattrs": [], "attribute_members": {}, "bindable": false, - "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos", + "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos", "default_attributes": [ "krbmaxticketlife", "krbmaxrenewableage" @@ -12962,7 +12963,7 @@ ], "attribute_members": {}, "bindable": false, - "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos", + "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos", "default_attributes": [ "cn", "cospriority", @@ -15887,17 +15888,17 @@ ], "krbextradata": [ { - "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A" + "__base64__": "AAgBAA==" }, { - "__base64__": "AAgBAA==" + "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A" } ], "krblastpwdchange": [ "20110702005726Z" ], "krblastsuccessfulauth": [ - "20110705172822Z" + "20110705180548Z" ], "krbpasswordexpiration": [ "20110930005726Z" 
@@ -16017,6 +16018,53 @@
 "result": true,
 "summary": null,
 "value": ""
+ },
+ {
+ "count": 3,
+ "error": null,
+ "result": [
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny1"
+ ],
+ "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ],
+ "memberuser_user": [
+ "abrown"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny2"
+ ],
+ "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ },
+ {
+ "accessruletype": [
+ "deny"
+ ],
+ "cn": [
+ "deny3"
+ ],
+ "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+ "ipaenabledflag": [
+ "TRUE"
+ ]
+ }
+ ],
+ "summary": "3 HBAC rules matched",
+ "truncated": false
 }
 ]
 }
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 2c445148..01d060fc 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -158,6 +158,12 @@ $(function() {
 IPA.nav.update();
 $('#login_header').html(IPA.messages.login.header);
+
+ if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){
+ if (IPA.nav.name === 'admin'){
+ IPA.hbac_deny_warning_dialog();
+ }
+ }
 }
diff --git a/install/ui/widget.js b/install/ui/widget.js
index cd3a5c60..9142a26a 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1156,7 +1156,7 @@ IPA.column = function (spec) {
 }
 };
- that.setup = function(container, record) {
+ function setup(container, record) {
 container.empty();
 var value = record[that.name];
@@ -1177,8 +1177,9 @@ IPA.column = function (spec) {
 } else {
 container.append(value);
 }
+ }
- };
+ that.setup = spec.setup || setup;
 that.link_handler = function(value) {
 return false; |
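Review bot: The role test `IPA.nav.name === 'admin'` compares against a navigation name that is set elsewhere, so the "administrators only" behaviour rests on a string whose origin is not visible in this hunk. A comment such as `// UI hint only: access to HBAC rules is enforced by the server` would keep it from being read as an authorization check. The two nested conditions can be one, `if (IPA.nav.name === 'admin' && IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0) {`, which also skips the property lookups for non-admin sessions. The enclosing function begins and ends outside the hunk.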
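Review bot: `that.setup = spec.setup || setup;` accepts any truthy `spec.setup`, so a non-function value only fails later when a cell is rendered; `that.setup = typeof spec.setup === 'function' ? spec.setup : setup;` falls back to the default instead. An override replaces the default renderer wholesale, including whatever formatting and link handling sits in the part of `setup` between the two hunks, and it can reach the column only through `this`. A comment on the assignment stating the contract (signature `setup(container, record)`, presumably invoked on the column, responsible for emptying and filling the cell) would help. The default path still ends in `container.append(value)`, which inserts the value as markup; that line is unchanged context here, so it is noted rather than proposed for this commit. `IPA.column` starts and ends outside both hunks.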