Diffstat (limited to 'ipaclient/remote_plugins/2_164/servicedelegation.py')
-rw-r--r-- | ipaclient/remote_plugins/2_164/servicedelegation.py | 907 |
1 files changed, 907 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_164/servicedelegation.py b/ipaclient/remote_plugins/2_164/servicedelegation.py
new file mode 100644
index 000000000..d96462d91
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/servicedelegation.py
@@ -0,0 +1,907 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Service Constrained Delegation + +Manage rules to allow constrained delegation of credentials so +that a service can impersonate a user when communicating with another +service without requiring the user to actually forward their TGT. +This makes for a much better method of delegating credentials as it +prevents exposure of the short term secret of the user. + +The naming convention is to append the word "target" or "targets" to +a matching rule name. This is not mandatory but helps conceptually +to associate rules and targets. + +A rule consists of two things: + - A list of targets the rule applies to + - A list of memberPrincipals that are allowed to delegate for + those targets + +A target consists of a list of principals that can be delegated. + +In English, a rule says that this principal can delegate as this +list of principals, as defined by these targets. 
+ +EXAMPLES: + + Add a new constrained delegation rule: + ipa servicedelegationrule-add ftp-delegation + + Add a new constrained delegation target: + ipa servicedelegationtarget-add ftp-delegation-target + + Add a principal to the rule: + ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation + + Add our target to the rule: + ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation + + Add a principal to the target: + ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target + + Display information about a named delegation rule and target: + ipa servicedelegationrule_show ftp-delegation + ipa servicedelegationtarget_show ftp-delegation-target + + Remove a constrained delegation: + ipa servicedelegationrule-del ftp-delegation-target + ipa servicedelegationtarget-del ftp-delegation + +In this example the ftp service can get a TGT for the ldap service on +the bound user's behalf. + +It is strongly discouraged to modify the delegations that ship with +IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and +ipa-ldap-delegation-targets. Incorrect changes can remove the ability +to delegate, causing the framework to stop functioning. 
+""") + +register = Registry() + + +@register() +class servicedelegationrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'ipaallowedtarget_servicedelegationtarget', + label=_(u'Allowed Target'), + ), + ) + + +@register() +class servicedelegationtarget(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + ) + + +@register() +class servicedelegationrule_add(Method): + __doc__ = _("Create a new service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationrule_add_member(Method): + __doc__ = _("Add member to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_add_target(Method): + __doc__ = _("Add target to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_del(Method): + __doc__ = _("Delete service delegation.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationrule_find(Method): + __doc__ = _("Search for service delegations rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum 
number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationrule_remove_member(Method): + __doc__ = _("Remove member from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_remove_target(Method): + __doc__ = _("Remove target from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_show(Method): + __doc__ = _("Display information about a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add(Method): + __doc__ = _("Create a new service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add_member(Method): + __doc__ = _("Add member to a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationtarget_del(Method): + __doc__ = _("Delete service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationtarget_find(Method): + __doc__ = _("Search for service delegation target.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationtarget_remove_member(Method): + __doc__ = _("Remove member from a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationtarget_show(Method): + __doc__ = _("Display information about a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) |