diff options
Diffstat (limited to 'ipaclient/remote_plugins/2_156/caacl.py')
-rw-r--r-- | ipaclient/remote_plugins/2_156/caacl.py | 1155 |
1 files changed, 1155 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_156/caacl.py b/ipaclient/remote_plugins/2_156/caacl.py new file mode 100644 index 000000000..09cfc4b65 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/caacl.py @@ -0,0 +1,1155 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + +@register() +class caacl(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'ipamembercertprofile_certprofile', + required=False, + label=_(u'Profiles'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'memberservice_service', + required=False, + label=_(u'Services'), + ), + ) + + +@register() +class caacl_add(Method): + __doc__ = _("Create a new CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_profile(Method): + __doc__ = _("Add profiles to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_service(Method): + __doc__ = _("Add services to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_user(Method): + __doc__ = _("Add users and groups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_del(Method): + __doc__ = _("Delete a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class caacl_disable(Method): + __doc__ = _("Disable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_enable(Method): + __doc__ = _("Enable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_find(Method): + __doc__ = _("Search for CA ACLs.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class caacl_mod(Method): + __doc__ = _("Modify a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_profile(Method): + __doc__ = _("Remove profiles from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_service(Method): + __doc__ = _("Remove services from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_user(Method): + __doc__ = _("Remove users and groups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_show(Method): + __doc__ = _("Display the properties of a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) |