diff options
Diffstat (limited to 'ipaclient/remote_plugins/2_156/hbactest.py')
-rw-r--r-- | ipaclient/remote_plugins/2_156/hbactest.py | 284 |
1 files changed, 284 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_156/hbactest.py b/ipaclient/remote_plugins/2_156/hbactest.py new file mode 100644 index 000000000..b0c49b71b --- /dev/null +++ b/ipaclient/remote_plugins/2_156/hbactest.py @@ -0,0 +1,284 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + +EXAMPLES: + + 1. Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --enabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + + 7. Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --enabled --disabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Not matched rules: new-rule + Matched rules: allow_all + + +HBACTEST AND TRUSTED DOMAINS + +When an external trusted domain is configured in IPA, HBAC rules are also applied +on users accessing IPA resources from the trusted domain. Trusted domain users and +groups (and their SIDs) can be then assigned to external groups which can be +members of POSIX groups in IPA which can be used in HBAC rules and thus allowing +access to resources protected by the HBAC system. + +hbactest plugin is capable of testing access for both local IPA users and users +from the trusted domains, either by a fully qualified user name or by user SID. +Such user names need to have a trusted domain specified as a short name +(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test. + +Please note that hbactest executed with a trusted domain user as --user parameter +can be only run by members of "trust admins" group. + +EXAMPLES: + + 1. Test if a user from a trusted domain specified by its shortname matches any + rule: + + $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 2. Test if a user from a trusted domain specified by its domain name matches + any rule: + + $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 3. Test if a user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 4. Test if other user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login + + 5. Test if other user from a trusted domain specified by its shortname matches + any rule: + + $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + (list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) |