diff options
Diffstat (limited to 'ipaclient/remote_plugins/2_49/hbactest.py')
| -rw-r--r-- | ipaclient/remote_plugins/2_49/hbactest.py | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_49/hbactest.py b/ipaclient/remote_plugins/2_49/hbactest.py new file mode 100644 index 000000000..e13093df0 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbactest.py @@ -0,0 +1,213 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts and from where. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--srchost= ] [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + + If --srchost is specified, it will be ignored. It is left because of compatibility reasons only. + +EXAMPLES: + + 1. Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + notmatched: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + + 7. Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + notmatched: new-rule + matched: allow_all +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + cli_name='srchost', + label=_(u'Source host'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + (list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) |