Diffstat (limited to 'install')
-rw-r--r--install/share/60basev2.ldif2
-rw-r--r--install/share/default-aci.ldif2
-rw-r--r--install/share/delegation.ldif61
-rw-r--r--install/tools/Makefile.am1
-rw-r--r--install/tools/ipa-compliance193
-rw-r--r--install/tools/man/Makefile.am3
-rw-r--r--install/tools/man/ipa-compliance.145
7 files changed, 287 insertions, 20 deletions
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index f5f7a656..6f86f3af 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -11,8 +11,10 @@ attributeTypes: (2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text st
attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of administrator who performed manual enrollment of the host' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'fqdn' DESC 'FQDN' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
attributeTypes: (2.16.840.1.113730.3.8.3.18 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2')
+attributeTypes: (2.16.840.1.113730.3.8.3.24 NAME 'ipaEntitlementId' DESC 'Entitlement Unique identifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.12 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.14 NAME 'ipaEntitlement' DESC 'IPA Entitlement object' AUXILIARY MUST ( ipaEntitlementId ) MAY ( userPKCS12 $ userCertificate ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.15 NAME 'ipaPermission' DESC 'IPA Permission objectclass' AUXILIARY MAY ( ipaPermissionType ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
objectClasses: (2.16.840.1.113730.3.8.4.3 NAME 'nestedGroup' DESC 'Group that supports nesting' SUP groupOfNames STRUCTURAL MAY memberOf X-ORIGIN 'IPA v2' )
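Review bot: The new `ipaEntitlementId` attribute is not declared SINGLE-VALUE, although the ACIs added later in this commit (`ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX`) rely on it as the entry's RDN; if each entry is meant to carry exactly one entitlement id, add `SINGLE-VALUE` before `X-ORIGIN` so the directory enforces it rather than the client code. The `ipaEntitlement` objectclass also permits `userPKCS12`, which is a container format that normally carries key material next to the certificate, so the exclusion added in default-aci.ldif and the read ACI in delegation.ldif are load-bearing for this schema; a DESC such as `DESC 'IPA Entitlement object; userPKCS12 is access-restricted'` would make that coupling visible to the next reader.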
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index e4f76705..7c0ae8bd 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,7 +3,7 @@
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
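Review bot: Appending `userPKCS12` to the anonymous ACI closes the anonymous read path, but this ACI style is an exclusion list and the `Admin can manage any entry` ACI two lines below keeps its own exclusion list, which does not mention `userPKCS12`; members of cn=admins therefore keep read and write on the attribute, which may be intended but is worth stating in the commit. If the attribute is meant to be reachable only through the new `Read Entitlements` permission, append ` || userPKCS12` to that ACI's targetattr as well, since the two lists are maintained independently and will drift otherwise.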
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 18d045d8..a15c9ec7 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -37,6 +37,23 @@ objectClass: nestedgroup
cn: helpdesk
description: Helpdesk
+dn: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: entitlements
+description: Entitlements administrator
+
+dn: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: Entitlement Compliance
+description: Verify entitlement compliance
+member: fqdn=$FQHN,cn=computers,cn=accounts,$SUFFIX
+
############################################
# Add the default privileges
############################################
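Review bot: The `cn` of the first new role does not match its RDN: the dn is `cn=Entitlement Management,cn=roles,...` but the entry carries `cn: entitlements`, while the second role uses `cn: Entitlement Compliance` consistent with its dn; change the line to `cn: Entitlement Management` so the naming attribute value is present in the entry and both roles follow the same pattern. The `Entitlement Compliance` role also makes the server's own host entry (`fqdn=$FQHN,cn=computers,...`) a member, and via the `Read Entitlements` privilege in the next hunk and the last hunk of this file the host principal is granted read on `userpkcs12`; the ipa-compliance tool added in this commit appears to read only `userCertificate`, which the anonymous ACI already exposes, so consider whether the host needs the PKCS#12 attribute at all or whether the read ACI should target `usercertificate` instead.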
@@ -129,13 +146,23 @@ objectClass: nestedgroup
cn: Host Enrollment
description: Host Enrollment
-dn: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
-cn: entitlementadmin
-description: Entitlement Administrators
+cn: Register and Write Entitlements
+member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
+
+dn: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: Read Entitlements
+member: cn=Entitlement Management,cn=roles,cn=accounts,$SUFFIX
+member: cn=Entitlement Compliance,cn=roles,cn=accounts,$SUFFIX
+
############################################
# Default permissions.
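Review bot: Both new privilege entries lack a `description` attribute: the renamed `Register and Write Entitlements` entry drops the old `description: Entitlement Administrators` line without a replacement, and `Read Entitlements` never gets one, while the neighbouring `Host Enrollment` privilege carries `description: Host Enrollment`. Add `description: Register and Write Entitlements` and `description: Read Entitlements` so the entries are consistent with the other privileges; the three permission entries in the following hunk have the same gap.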
@@ -486,30 +513,28 @@ member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
# Entitlement management
-dn: cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
-cn: addentitlements
-description: Add Entitlements
-member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
+member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: removeentitlements
-description: Remove Entitlements
-member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
+objectClass: ipapermission
+cn: Read Entitlements
+member: cn=Read Entitlements,cn=privileges,cn=pbac,$SUFFIX
-dn: cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX
+dn: cn=Write Entitlements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
objectClass: groupofnames
-cn: modifyentitlements
-description: Modify Entitlements
-member: cn=entitlementadmin,cn=privileges,cn=pbac,$SUFFIX
+objectClass: ipapermission
+cn: Write Entitlements
+member: cn=Register and Write Entitlements,cn=privileges,cn=pbac,$SUFFIX
############################################
# Default permissions (ACIs)
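Review bot: The `Register Entitlements` permission entry loses its `cn` attribute: the old `cn: addentitlements` line is removed and nothing replaces it, while the `Read Entitlements` and `Write Entitlements` entries below each re-add a `cn:` matching their RDN; add `cn: Register Entitlements` after the `objectClass: ipapermission` line so the entry carries its naming attribute like its siblings. All three permission entries also drop their `description` lines, as the privileges in the previous hunk do.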
@@ -631,17 +656,17 @@ aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=comp
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:addentitlements";allow (add) groupdn = "ldap:///cn=addentitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Register Entitlements";allow (add) groupdn = "ldap:///cn=Register Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:modifyentitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipaentitlement=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Write Entitlements";allow (write) groupdn = "ldap:///cn=Write entitlements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
changetype: modify
add: aci
-aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "permission:removeentitlements";allow (delete) groupdn = "ldap:///cn=removeentitlements,cn=permissions,cn=pbac,$SUFFIX";)
+aci: (targetattr = "userpkcs12")(target = "ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Read Entitlements";allow (read) groupdn = "ldap:///cn=Read Entitlements,cn=permissions,cn=pbac,$SUFFIX";)
# Create virtual operations entry. This is used to control access to
# operations that don't rely on LDAP directly.
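Review bot: The target of the `Write Entitlements` ACI uses `ipaentitlement=*` where the `Register Entitlements` and `Read Entitlements` ACIs use `ipaentitlementid=*`; since the RDN attribute is ipaEntitlementId, the write ACI as written would not match any entitlement entry and the `Write Entitlements` permission would be inert (failing closed, but not doing what the privilege promises) — change the target to `ldap:///ipaentitlementid=*,cn=entitlements,cn=etc,$SUFFIX`. The same ACI names the group as `cn=Write entitlements` with a lowercase e; cn matching is case-insensitive so it resolves, but the other two ACIs spell the RDN exactly as delegation.ldif defines it, so align it. The old `removeentitlements` delete ACI is replaced by the read ACI rather than by a delete ACI, which leaves only cn=admins able to remove entitlement entries; if that is intended, note it in the commit message.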
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index 70e65ee7..055a32fc 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -17,6 +17,7 @@ sbin_SCRIPTS = \
ipa-host-net-manage \
ipa-ldap-updater \
ipa-upgradeconfig \
+ ipa-compliance \
$(NULL)
EXTRA_DIST = \
diff --git a/install/tools/ipa-compliance b/install/tools/ipa-compliance
new file mode 100644
index 00000000..8b7ad776
--- /dev/null
+++ b/install/tools/ipa-compliance
@@ -0,0 +1,193 @@
+#!/usr/bin/env python
+#
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# An LDAP client to count entitlements and log to syslog if the number is
+# exceeded.
+
+try:
+ import sys
+ import os
+ import syslog
+ import tempfile
+ import krbV
+ import base64
+ import shutil
+
+ from rhsm.certificate import EntitlementCertificate
+
+ from ipaserver.plugins.ldap2 import ldap2
+ from ipalib import api, errors, backend
+except ImportError, e:
+ # If python-rhsm isn't installed exit gracefully and quietly.
+ if e.args[0] == 'No module named rhsm.certificate':
+ sys.exit(0)
+ print >> sys.stderr, """\
+There was a problem importing one of the required Python modules. The
+error was:
+
+ %s
+""" % sys.exc_value
+ sys.exit(1)
+
+# Each IPA server comes with this many entitlements
+DEFAULT_ENTITLEMENTS = 25
+
+class client(backend.Executioner):
+ """
+ A simple-minded IPA client that can execute remote commands.
+ """
+
+ def run(self, method, **kw):
+ self.create_context()
+ result = self.execute(method, **kw)
+ return result
+
+def parse_options():
+ from optparse import OptionParser
+
+ parser = OptionParser()
+ parser.add_option("--debug", dest="debug", action="store_true",
+ default=False, help="enable debugging")
+
+ options, args = parser.parse_args()
+ return options, args
+
+def check_compliance(tmpdir, debug=False):
+ cfg = dict(
+ context='cli',
+ in_server=False,
+ debug=debug,
+ verbose=0,
+ )
+
+ api.bootstrap(**cfg)
+ api.register(client)
+ api.finalize()
+ from ipalib.plugins.service import normalize_certificate, make_pem
+
+ try:
+ # Create a new credentials cache for this tool. This executes
+ # using the systems host principal.
+ ccache_file = 'FILE:%s/ccache' % tmpdir
+ krbcontext = krbV.default_context()
+ principal = str('host/%s@%s' % (api.env.host, api.env.realm))
+ keytab = krbV.Keytab(name='/etc/krb5.keytab', context=krbcontext)
+ principal = krbV.Principal(name=principal, context=krbcontext)
+ os.environ['KRB5CCNAME'] = ccache_file
+ ccache = krbV.CCache(name=ccache_file, context=krbcontext, primary_principal=principal)
+ ccache.init(principal)
+ ccache.init_creds_keytab(keytab=keytab, principal=principal)
+ except krbV.Krb5Error, e:
+ raise StandardError('Error initializing principal %s in %s: %s' % (principal.name, '/etc/krb5.keytab', str(e)))
+
+ # entitle-sync doesn't return any information we want to see, it just
+ # needs to be done so the LDAP data is correct.
+ try:
+ result = api.Backend.client.run('entitle_sync')
+ except errors.NotRegisteredError:
+ # Even if not registered they have some default entitlements
+ pass
+
+ ldapuri = 'ldap://%s' % api.env.host
+ conn = ldap2(shared_instance=False, ldap_uri=ldapuri)
+
+ # Bind using GSSAPI
+ conn.connect(ccache=ccache_file)
+
+ hostcount = 0
+ # Get the hosts first
+ try:
+ (entries, truncated) = conn.find_entries('(krblastpwdchange=*)', ['dn'],
+ '%s,%s' % (api.env.container_host, api.env.basedn),
+ conn.SCOPE_ONELEVEL,
+ size_limit = -1)
+ except errors.NotFound:
+ # No hosts
+ pass
+
+ if not truncated:
+ hostcount = len(entries)
+ else:
+ # This will not happen unless we bump into a server-side limit.
+ msg = 'The host count result was truncated, they will be underreported'
+ syslog.syslog(syslog.LOG_ERR, msg)
+ if sys.stdin.isatty():
+ print msg
+
+ available = 0
+ try:
+ (entries, truncated) = conn.find_entries('(objectclass=ipaentitlement)',
+ ['dn', 'userCertificate'],
+ '%s,%s' % (api.env.container_entitlements, api.env.basedn),
+ conn.SCOPE_ONELEVEL,
+ size_limit = -1)
+
+ for entry in entries:
+ (dn, attrs) = entry
+ if 'usercertificate' in attrs:
+ rawcert = attrs['usercertificate'][0]
+ rawcert = normalize_certificate(rawcert)
+ cert = make_pem(base64.b64encode(rawcert))
+ cert = EntitlementCertificate(cert)
+ order = cert.getOrder()
+ available += int(order.getQuantityUsed())
+ except errors.NotFound:
+ pass
+
+ conn.disconnect()
+
+ available += DEFAULT_ENTITLEMENTS
+
+ if hostcount > available:
+ syslog.syslog(syslog.LOG_ERR, 'IPA is out of compliance: %d of %d entitlements used.' % (hostcount, available))
+ if sys.stdin.isatty():
+ print 'IPA is out of compliance: %d of %d entitlements used.' % (hostcount, available)
+ else:
+ if sys.stdin.isatty():
+ # If run from the command-line display some info
+ print 'IPA is in compliance: %d of %d entitlements used.' % (hostcount, available)
+
+def main():
+ if os.getegid() != 0:
+ sys.exit("Must be root to check compliance")
+
+ if not os.path.exists('/etc/ipa/default.conf'):
+ return 0
+
+ options, args = parse_options()
+
+ try:
+ tmpdir = tempfile.mkdtemp(prefix = "tmp-")
+ try:
+ check_compliance(tmpdir, options.debug)
+ finally:
+ shutil.rmtree(tmpdir)
+ except KeyboardInterrupt:
+ return 1
+ except (StandardError, errors.PublicError), e:
+ syslog.syslog(syslog.LOG_ERR, 'IPA compliance checking failed: %s' % str(e))
+ if sys.stdin.isatty():
+ print 'IPA compliance checking failed: %s' % str(e)
+ return 1
+
+ return 0
+
+sys.exit(main())
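Review bot: In `check_compliance`, `entries` and `truncated` are assigned only inside the first `try`, so when `find_entries` raises `errors.NotFound` (no hosts) the `pass` branch falls through to `if not truncated:` and the tool dies with `NameError` instead of reporting zero hosts; initialise them before the lookup, `entries, truncated = [], False`, and use `len(entries)` as now. In `main`, the root check is `os.getegid() != 0`, but group id 0 is not the same as running as root; `os.geteuid()` is what the "Must be root" message and the read of `/etc/krb5.keytab` actually depend on. The `result` of `entitle_sync` is assigned and never read, and the `principal.name` in the `Krb5Error` message will itself raise `AttributeError` if the error comes from the `krbV.Keytab` call, because `principal` is still a plain string at that point.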
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 58959c1b..3fac378c 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -14,7 +14,8 @@ man1_MANS = \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
ipa-nis-manage.1 \
- ipa-host-net-manage.1
+ ipa-host-net-manage.1 \
+ ipa-compliance.1
man8_MANS = \
ipactl.8 \
diff --git a/install/tools/man/ipa-compliance.1 b/install/tools/man/ipa-compliance.1
new file mode 100644
index 00000000..09ce02df
--- /dev/null
+++ b/install/tools/man/ipa-compliance.1
@@ -0,0 +1,45 @@
+.\" A man page for ipa-compliance
+.\" Copyright (C) 2010 Red Hat, Inc.
+.\"
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; version 2 only
+.\"
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+.\" General Public License for more details.
+.\"
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\"
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\"
+.TH "ipa-compliance" "1" "Dec 14 2010" "freeipa" ""
+.SH "NAME"
+ipa\-compliance \- Check entitlement compliance
+.SH "SYNOPSIS"
+ipa\-compliance [\fIOPTION\fR]
+.SH "DESCRIPTION"
+Verify that the IPA installation is in compliance with the number of client entitlements it has.
+
+Entitlements are managed using the ipa entitle command.
+
+An enrolled host is an machine that has a host keytab in the IPA system.
+
+The entitlements take the form of x509v3 certificates. The certificates are examined and the quantities summed. This is compared to the number of enrolled hosts to determine compliance.
+
+The command logs to syslog and if run from a tty will log to the terminal as well.
+
+The IPA server provides 25 entitlements of its own.
+.SH "OPTIONS"
+.TP
+\fB\-\-\-debug\fR
+Enable debugging output in the command
+.SH "EXIT STATUS"
+0 if the command was successful
+
+1 if an error occurred
+.SH "NOTES"
+Entitlements are not checked if the python\-rhsm package is not installed.