diff options
Diffstat (limited to 'ipalib/plugins/hbac.py')
| -rw-r--r-- | ipalib/plugins/hbac.py | 506 |
1 files changed, 0 insertions, 506 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py deleted file mode 100644 index 2c5d171b..00000000 --- a/ipalib/plugins/hbac.py +++ /dev/null @@ -1,506 +0,0 @@ -# Authors: -# Pavel Zuna <pzuna@redhat.com> -# -# Copyright (C) 2009 Red Hat -# see file 'COPYING' for use and warranty information -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. -""" -Host-based access control - -Control who can access what services on what hosts and from where. You -can use HBAC to control which users or groups on a source host can -access a service, or group of services, on a target host. - -You can also specify a category of users, target hosts, and source -hosts. This is currently limited to "all", but might be expanded in the -future. - -Target hosts and source hosts in HBAC rules must be hosts managed by IPA. - -The available services and groups of services are controlled by the -hbacsvc and hbacsvcgroup plug-ins respectively. - -EXAMPLES: - - Create a rule, "test1", that grants all users access to the host "server" from - anywhere: - ipa hbac-add --type=allow --usercat=all --srchostcat=all test1 - ipa hbac-add-host --hosts=server.example.com test1 - - Display the properties of a named HBAC rule: - ipa hbac-show test1 - - Create a rule for a specific service. This lets the user john access - the sshd service on any machine from any machine: - ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd - ipa hbac-add-user --users=john john_sshd - ipa hbac-add-service --hbacsvcs=sshd john_sshd - - Create a rule for a new service group. This lets the user john access - the any FTP service on any machine from any machine: - ipa hbacsvcgroup-add ftpers - ipa hbacsvc-add sftp - ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers - ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_ftp - ipa hbac-add-user --users=john john_ftp - ipa hbac-add-service --hbacsvcgroups=ftpers john_ftp - - Disable a named HBAC rule: - ipa hbac-disable test1 - - Remove a named HBAC rule: - ipa hbac-del allow_server -""" - - -# AccessTime support is being removed for now. -# -# You can also control the times that the rule is active. -# -# The access time(s) of a host are cumulative and are not guaranteed to be -# applied in the order displayed. -# -# Specify that the rule "test1" be active every day between 0800 and 1400: -# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1 -# -# Specify that the rule "test1" be active once, from 10:32 until 10:33 on -# December 16, 2010: -# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1 - - -from ipalib import api, errors -from ipalib import AccessTime, Password, Str, StrEnum -from ipalib.plugins.baseldap import * -from ipalib import _, ngettext - -def is_all(options, attribute): - """ - See if options[attribute] is lower-case 'all' in a safe way. - """ - if attribute in options and \ - options[attribute] is not None and \ - options[attribute].lower() == 'all': - return True - else: - return False - - -class hbac(LDAPObject): - """ - HBAC object. - """ - container_dn = api.env.container_hbac - object_name = 'HBAC rule' - object_name_plural = 'HBAC rules' - object_class = ['ipaassociation', 'ipahbacrule'] - default_attributes = [ - 'cn', 'accessruletype', 'ipaenabledflag', - 'description', 'usercategory', 'hostcategory', - 'sourcehostcategory', 'servicecategory', 'ipaenabledflag', - 'memberuser', 'sourcehost', 'memberhost', 'memberservice', - 'memberhostgroup', - ] - uuid_attribute = 'ipauniqueid' - rdn_attribute = 'ipauniqueid' - attribute_members = { - 'memberuser': ['user', 'group'], - 'memberhost': ['host', 'hostgroup'], - 'sourcehost': ['host', 'hostgroup'], - 'memberservice': ['hbacsvc', 'hbacsvcgroup'], - } - - label = _('HBAC') - - takes_params = ( - Str('cn', - cli_name='name', - label=_('Rule name'), - primary_key=True, - ), - StrEnum('accessruletype', - cli_name='type', - doc=_('Rule type (allow or deny)'), - label=_('Rule type'), - values=(u'allow', u'deny'), - ), - # FIXME: {user,host,sourcehost,service}categories should expand in the future - StrEnum('usercategory?', - cli_name='usercat', - label=_('User category'), - doc=_('User category the rule applies to'), - values=(u'all', ), - ), - StrEnum('hostcategory?', - cli_name='hostcat', - label=_('Host category'), - doc=_('Host category the rule applies to'), - values=(u'all', ), - ), - StrEnum('sourcehostcategory?', - cli_name='srchostcat', - label=_('Source host category'), - doc=_('Source host category the rule applies to'), - values=(u'all', ), - ), - StrEnum('servicecategory?', - cli_name='servicecat', - label=_('Service category'), - doc=_('Service category the rule applies to'), - values=(u'all', ), - ), -# AccessTime('accesstime?', -# cli_name='time', -# label=_('Access time'), -# ), - Str('description?', - cli_name='desc', - label=_('Description'), - ), - Flag('ipaenabledflag?', - label=_('Enabled'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberuser_user?', - label=_('Users'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberuser_group?', - label=_('Groups'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberhost_host?', - label=_('Hosts'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberhost_hostgroup?', - label=_('Host Groups'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('sourcehost_host?', - label=_('Source hosts'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberservice_hbacsvc?', - label=_('Services'), - flags=['no_create', 'no_update', 'no_search'], - ), - Str('memberservice_hbacsvcgroup?', - label=_('Service Groups'), - flags=['no_create', 'no_update', 'no_search'], - ), - ) - -api.register(hbac) - - -class hbac_add(LDAPCreate): - """ - Create a new HBAC rule. - """ - def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - # HBAC rules are enabled by default - entry_attrs['ipaenabledflag'] = 'TRUE' - return dn - -api.register(hbac_add) - - -class hbac_del(LDAPDelete): - """ - Delete an HBAC rule. - """ - -api.register(hbac_del) - - -class hbac_mod(LDAPUpdate): - """ - Modify an HBAC rule. - """ - - def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): - try: - (dn, entry_attrs) = ldap.get_entry(dn, attrs_list) - except errors.NotFound: - self.obj.handle_not_found(*keys) - - if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: - raise errors.MutuallyExclusiveError(reason="user category cannot be set to 'all' while there are allowed users") - if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: - raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts") - if is_all(options, 'sourcehostcategory') and 'sourcehost' in entry_attrs: - raise errors.MutuallyExclusiveError(reason="sourcehost category cannot be set to 'all' while there are allowed source hosts") - if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs: - raise errors.MutuallyExclusiveError(reason="service category cannot be set to 'all' while there are allowed services") - return dn - -api.register(hbac_mod) - - -class hbac_find(LDAPSearch): - """ - Search for HBAC rules. - """ - -api.register(hbac_find) - - -class hbac_show(LDAPRetrieve): - """ - Display the properties of an HBAC rule. - """ - -api.register(hbac_show) - - -class hbac_enable(LDAPQuery): - """ - Enable an HBAC rule. - """ - def execute(self, cn): - ldap = self.obj.backend - - dn = self.obj.get_dn(cn) - entry_attrs = {'ipaenabledflag': 'TRUE'} - - try: - ldap.update_entry(dn, entry_attrs) - except errors.EmptyModlist: - pass - except errors.NotFound: - self.obj.handle_not_found(cn) - - return dict(result=True) - - def output_for_cli(self, textui, result, cn): - textui.print_name(self.name) - textui.print_dashed('Enabled HBAC rule "%s".' % cn) - -api.register(hbac_enable) - - -class hbac_disable(LDAPQuery): - """ - Disable an HBAC rule. - """ - def execute(self, cn): - ldap = self.obj.backend - - dn = self.obj.get_dn(cn) - entry_attrs = {'ipaenabledflag': 'FALSE'} - - try: - ldap.update_entry(dn, entry_attrs) - except errors.EmptyModlist: - pass - except errors.NotFound: - self.obj.handle_not_found(cn) - - return dict(result=True) - - def output_for_cli(self, textui, result, cn): - textui.print_name(self.name) - textui.print_dashed('Disabled HBAC rule "%s".' % cn) - -api.register(hbac_disable) - - -class hbac_add_accesstime(LDAPQuery): - """ - Add an access time to an HBAC rule. - """ - - takes_options = ( - AccessTime('accesstime', - cli_name='time', - label=_('Access time'), - ), - ) - - def execute(self, cn, **options): - ldap = self.obj.backend - - dn = self.obj.get_dn(cn) - - (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime']) - entry_attrs.setdefault('accesstime', []).append( - options['accesstime'] - ) - try: - ldap.update_entry(dn, entry_attrs) - except errors.EmptyModlist: - pass - except errors.NotFound: - self.obj.handle_not_found(cn) - - return dict(result=True) - - def output_for_cli(self, textui, result, cn, **options): - textui.print_name(self.name) - textui.print_dashed( - 'Added access time "%s" to HBAC rule "%s"' % ( - options['accesstime'], cn - ) - ) - -#api.register(hbac_add_accesstime) - - -class hbac_remove_accesstime(LDAPQuery): - """ - Remove access time to HBAC rule. - """ - takes_options = ( - AccessTime('accesstime?', - cli_name='time', - label=_('Access time'), - ), - ) - - def execute(self, cn, **options): - ldap = self.obj.backend - - dn = self.obj.get_dn(cn) - - (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime']) - try: - entry_attrs.setdefault('accesstime', []).remove( - options['accesstime'] - ) - ldap.update_entry(dn, entry_attrs) - except (ValueError, errors.EmptyModlist): - pass - except errors.NotFound: - self.obj.handle_not_found(cn) - - return dict(result=True) - - def output_for_cli(self, textui, result, cn, **options): - textui.print_name(self.name) - textui.print_dashed( - 'Removed access time "%s" from HBAC rule "%s"' % ( - options['accesstime'], cn - ) - ) - -#api.register(hbac_remove_accesstime) - - -class hbac_add_user(LDAPAddMember): - """ - Add users and groups to an HBAC rule. - """ - member_attributes = ['memberuser'] - member_count_out = ('%i object added.', '%i objects added.') - - def pre_callback(self, ldap, dn, found, not_found, *keys, **options): - (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) - if 'usercategory' in entry_attrs and \ - entry_attrs['usercategory'][0].lower() == 'all': - raise errors.MutuallyExclusiveError(reason="users cannot be added when user category='all'") - return dn - -api.register(hbac_add_user) - - -class hbac_remove_user(LDAPRemoveMember): - """ - Remove users and groups from an HBAC rule. - """ - member_attributes = ['memberuser'] - member_count_out = ('%i object removed.', '%i objects removed.') - -api.register(hbac_remove_user) - - -class hbac_add_host(LDAPAddMember): - """ - Add target hosts and hostgroups to an HBAC rule - """ - member_attributes = ['memberhost'] - member_count_out = ('%i object added.', '%i objects added.') - - def pre_callback(self, ldap, dn, found, not_found, *keys, **options): - (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) - if 'hostcategory' in entry_attrs and \ - entry_attrs['hostcategory'][0].lower() == 'all': - raise errors.MutuallyExclusiveError(reason="hosts cannot be added when host category='all'") - return dn - -api.register(hbac_add_host) - - -class hbac_remove_host(LDAPRemoveMember): - """ - Remove target hosts and hostgroups from a HBAC rule. - """ - member_attributes = ['memberhost'] - member_count_out = ('%i object removed.', '%i objects removed.') - -api.register(hbac_remove_host) - - -class hbac_add_sourcehost(LDAPAddMember): - """ - Add source hosts and hostgroups from a HBAC rule. - """ - member_attributes = ['sourcehost'] - member_count_out = ('%i object added.', '%i objects added.') - - def pre_callback(self, ldap, dn, found, not_found, *keys, **options): - (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) - if 'sourcehostcategory' in entry_attrs and \ - entry_attrs['sourcehostcategory'][0].lower() == 'all': - raise errors.MutuallyExclusiveError(reason="source hosts cannot be added when sourcehost category='all'") - return dn - -api.register(hbac_add_sourcehost) - - -class hbac_remove_sourcehost(LDAPRemoveMember): - """ - Remove source hosts and hostgroups from an HBAC rule. - """ - member_attributes = ['sourcehost'] - member_count_out = ('%i object removed.', '%i objects removed.') - -api.register(hbac_remove_sourcehost) - - -class hbac_add_service(LDAPAddMember): - """ - Add services to an HBAC rule. - """ - member_attributes = ['memberservice'] - member_count_out = ('%i object added.', '%i objects added.') - - def pre_callback(self, ldap, dn, found, not_found, *keys, **options): - (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes) - if 'servicecategory' in entry_attrs and \ - entry_attrs['servicecategory'][0].lower() == 'all': - raise errors.MutuallyExclusiveError(reason="services cannot be added when service category='all'") - return dn - -api.register(hbac_add_service) - - -class hbac_remove_service(LDAPRemoveMember): - """ - Remove source hosts and hostgroups from an HBAC rule. - """ - member_attributes = ['memberservice'] - member_count_out = ('%i object removed.', '%i objects removed.') - -api.register(hbac_remove_service) |