Diffstat (limited to 'ipaclient/remote_plugins/2_49')
40 files changed, 26539 insertions, 0 deletions
diff --git a/ipaclient/remote_plugins/2_49/__init__.py b/ipaclient/remote_plugins/2_49/__init__.py
new file mode 100644
index 000000000..4ef04a772
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.49'
+
+
+class Method(Command, CompatMethod):
+ pass
diff --git a/ipaclient/remote_plugins/2_49/aci.py b/ipaclient/remote_plugins/2_49/aci.py
new file mode 100644
index 000000000..b2d6d88a7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/aci.py
@@ -0,0 +1,811 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Directory Server Access Control Instructions (ACIs) + +ACIs are used to allow or deny access to information. This module is +currently designed to allow, not deny, access. + +The aci commands are designed to grant permissions that allow updating +existing entries or adding or deleting new ones. The goal of the ACIs +that ship with IPA is to provide a set of low-level permissions that +grant access to special groups called taskgroups. These low-level +permissions can be combined into roles that grant broader access. These +roles are another type of group, roles. + +For example, if you have taskgroups that allow adding and modifying users you +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. + +You can create ACIs that delegate permission so users in group A can write +attributes on group B. + +The type option is a map that applies to all entries in the users, groups or +host location. It is primarily designed to be used when granting add +permissions (to write new entries). + +An ACI consists of three parts: +1. target +2. permissions +3. bind rules + +The target is a set of rules that define which LDAP objects are being +targeted. This can include a list of attributes, an area of that LDAP +tree or an LDAP filter. + +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. 
This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant "add" permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the ACI is allowed to do, and are one or +more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +The bind rule defines who this ACI grants permissions to. The LDAP server +allows this to be any valid LDAP entry but we encourage the use of +taskgroups so that the rights can be easily shared through roles. + +For a more thorough description of access controls see +http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html + +EXAMPLES: + +NOTE: ACIs are now added via the permission plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). 
+ + Add an ACI so that the group "secretaries" can update the address on any user: + ipa group-add --desc="Office secretaries" secretaries + ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses" + + Show the new ACI: + ipa aci-show --prefix=none "Secretaries write addresses" + + Add an ACI that allows members of the "addusers" permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users" + + Add an ACI that allows members of the editors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins" + + Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors" + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss" + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange + + +The show command shows the raw 389-ds ACI. + +IMPORTANT: When modifying the target attributes of an existing ACI you +must include all existing attributes as well. When doing an aci-mod the +targetattr REPLACES the current attributes, it does not add to them. 
+""") + +register = Registry() + + +@register() +class aci(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + ), + ) + + +@register() +class aci_add(Method): + __doc__ = _("Create new ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'test', + required=False, + doc=_(u"Test the ACI syntax but don't write anything"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_del(Method): + __doc__ = _("Delete ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_find(Method): + __doc__ = _(""" +Search for ACIs. + + Returns a list of ACIs + + EXAMPLES: + + To find all ACIs that apply directly to members of the group ipausers: + ipa aci-find --memberof=ipausers + + To find all ACIs that grant add access: + ipa aci-find --permissions=add + + Note that the find command only looks for the given text in the set of + ACIs, it does not evaluate the ACIs to see if something would apply. + For example, searching on memberof=ipausers will find all ACIs that + have ipausers as a memberof. There may be other ACIs that apply to + members of that group indirectly. 
+ """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Bool( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + ), + parameters.Str( + 'aciprefix', + required=False, + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class aci_mod(Method): + __doc__ = _("Modify ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_rename(Method): + __doc__ = _("Rename an ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Str( + 'newname', + doc=_(u'New ACI name'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_show(Method): + __doc__ = _("Display a single ACI given an ACI name.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/automember.py b/ipaclient/remote_plugins/2_49/automember.py new file mode 100644 index 000000000..39cdac0b4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/automember.py 
@@ -0,0 +1,758 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Auto Membership Rule. + +Bring clarity to the membership of hosts and users by configuring inclusive +or exclusive regex patterns, you can automatically assign a new entries into +a group or hostgroup based upon attribute information. + +A rule is directly associated with a group by name, so you cannot create +a rule without an accompanying group or hostgroup. + +A condition is a regular expression used by 389-ds to match a new incoming +entry with an automember rule. If it matches an inclusive rule then the +entry is added to the appropriate group or hostgroup. + +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. 
+ + +EXAMPLES: + + Add the initial group or hostgroup: + ipa hostgroup-add --desc="Web Servers" webservers + ipa group-add --desc="Developers" devel + + Add the initial rule: + ipa automember-add --type=hostgroup webservers + ipa automember-add --type=group devel + + Add a condition to the rule: + ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel + + Add an exclusive condition to the rule to prevent auto assignment: + ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers + + Add a host: + ipa host-add web1.example.com + + Add a user: + ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott + + Verify automembership: + ipa hostgroup-show webservers + Host-group: webservers + Description: Web Servers + Member hosts: web1.example.com + + ipa group-show devel + Group name: devel + Description: Developers + GID: 1004200000 + Member users: tuser + + Remove a condition from the rule: + ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + + Modify the automember rule: + ipa automember-mod + + Set the default (fallback) target group: + ipa automember-default-group-set --default-group=webservers --type=hostgroup + ipa automember-default-group-set --default-group=ipausers --type=group + + Remove the default (fallback) target group: + ipa automember-default-group-remove --type=hostgroup + ipa automember-default-group-remove --type=group + + Show the default (fallback) target group: + ipa automember-default-group-show --type=hostgroup + ipa automember-default-group-show --type=group + + Find all of the automember rules: + ipa automember-find + + Display a automember rule: + ipa automember-show --type=hostgroup webservers + ipa automember-show --type=group devel + + Delete an automember rule: + 
ipa automember-del --type=hostgroup webservers + ipa automember-del --type=group devel +""") + +register = Registry() + + +@register() +class automember(Object): + takes_params = ( + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + required=False, + label=_(u'Default (fallback) Group'), + doc=_(u'Default group for entries to land'), + ), + ) + + +@register() +class automember_add(Method): + __doc__ = _("Add an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_add_condition(Method): + __doc__ = _("Add conditions to an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions added'), + ), + ) + + +@register() +class automember_default_group_remove(Method): + __doc__ = _("Remove default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_set(Method): + __doc__ = _("Set default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + cli_name='default_group', + label=_(u'Default (fallback) Group'), + doc=_(u'Default (fallback) group for entries to land'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_show(Method): + __doc__ = _("Display information about the default (fallback) automember groups.") + + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_del(Method): + __doc__ = _("Delete an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_find(Method): + __doc__ = _("Search for automember rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automember_mod(Method): + __doc__ = _("Modify an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_remove_condition(Method): + __doc__ = _("Remove conditions from an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions removed'), + ), + ) + + +@register() +class automember_show(Method): + __doc__ = _("Display information about an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/automount.py b/ipaclient/remote_plugins/2_49/automount.py new file mode 100644 index 000000000..4c7a2c65d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/automount.py 
@@ -0,0 +1,1225 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Automount + +Stores automount(8) configuration for autofs(8) in IPA. + +The base of an automount configuration is the configuration file auto.master. +This is also the base location in IPA. Multiple auto.master configurations +can be stored in separate locations. A location is implementation-specific +with the default being a location named 'default'. For example, you can have +locations by geographic region, by floor, by type, etc. + +Automount has three basic object types: locations, maps and keys. + +A location defines a set of maps anchored in auto.master. This allows you +to store multiple automount configurations. A location in itself isn't +very interesting, it is just a point to start a new automount map. + +A map is roughly equivalent to a discrete automount file and provides +storage for keys. + +A key is a mount point associated with a map. + +When a new location is created, two maps are automatically created for +it: auto.master and auto.direct. auto.master is the root map for all +automount maps for the location. auto.direct is the default map for +direct mounts and is mounted on /-. + +An automount map may contain a submount key. This key defines a mount +location within the map that references another map. This can be done +either using automountmap-add-indirect --parentmap or manually +with automountkey-add and setting info to "-type=autofs :<mapname>". 
+ +EXAMPLES: + +Locations: + + Create a named location, "Baltimore": + ipa automountlocation-add baltimore + + Display the new location: + ipa automountlocation-show baltimore + + Find available locations: + ipa automountlocation-find + + Remove a named automount location: + ipa automountlocation-del baltimore + + Show what the automount maps would look like if they were in the filesystem: + ipa automountlocation-tofiles baltimore + + Import an existing configuration into a location: + ipa automountlocation-import baltimore /etc/auto.master + + The import will fail if any duplicate entries are found. For + continuous operation where errors are ignored, use the --continue + option. + +Maps: + + Create a new map, "auto.share": + ipa automountmap-add baltimore auto.share + + Display the new map: + ipa automountmap-show baltimore auto.share + + Find maps in the location baltimore: + ipa automountmap-find baltimore + + Create an indirect map with auto.share as a submount: + ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man + + This is equivalent to: + + ipa automountmap-add-indirect baltimore --mount=/man auto.man + ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share" + + Remove the auto.share map: + ipa automountmap-del baltimore auto.share + +Keys: + + Create a new key for the auto.share map in location baltimore. 
This ties + the map we previously created to auto.master: + ipa automountkey-add baltimore auto.master --key=/share --info=auto.share + + Create a new key for our auto.share map, an NFS mount for man pages: + ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" + + Find all keys for the auto.share map: + ipa automountkey-find baltimore auto.share + + Find all direct automount keys: + ipa automountkey-find baltimore --key=/- + + Remove the man key from the auto.share map: + ipa automountkey-del baltimore auto.share --key=man +""") + +register = Registry() + + +@register() +class automountkey(Object): + takes_params = ( + parameters.Str( + 'automountkey', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + label=_(u'Mount information'), + ), + parameters.Str( + 'description', + required=False, + primary_key=True, + label=_(u'description'), + exclude=('webui', 'cli'), + ), + ) + + +@register() +class automountlocation(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + + +@register() +class automountmap(Object): + takes_params = ( + parameters.Str( + 'automountmapname', + primary_key=True, + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class automountkey_add(Method): + __doc__ = _("Create a new automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + cli_name='info', + label=_(u'Mount 
information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_del(Method): + __doc__ = _("Delete an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_find(Method): + __doc__ = _("Search for an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountkey_mod(Method): + __doc__ = _("Modify an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'newautomountinformation', + required=False, + cli_name='newinfo', + label=_(u'New mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the automount key object'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_show(Method): + __doc__ = _("Display an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_add(Method): + __doc__ = _("Create a new automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_del(Method): + __doc__ = _("Delete an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_find(Method): + __doc__ = _("Search for an automount location.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("location")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountlocation_show(Method): + __doc__ = _("Display an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_tofiles(Method): + __doc__ = _("Generate automount files for a specific location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class automountmap_add(Method): + __doc__ = _("Create a new automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_add_indirect(Method): + __doc__ = _("Create a new indirect mount point.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'key', + cli_name='mount', + label=_(u'Mount point'), + ), + parameters.Str( + 'parentmap', + required=False, + label=_(u'Parent map'), + doc=_(u'Name of parent automount map (default: auto.master).'), + default=u'auto.master', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_del(Method): + __doc__ = _("Delete an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + multivalue=True, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_find(Method): + __doc__ = _("Search for an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountmapname', + required=False, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("map")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountmap_mod(Method): + __doc__ = _("Modify an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_show(Method): + __doc__ = _("Display an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
new file mode 100644
index 000000000..a1f351d33
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/batch.py
@@ -0,0 +1,69 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/cert.py b/ipaclient/remote_plugins/2_49/cert.py
new file mode 100644
index 000000000..0e029ff19
--- /dev/null
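Review bot: The `methods` argument at the end of the batch.py hunk is declared as `parameters.Str('methods', required=False, multivalue=True, ...)`, while the module docstring's own example passes each element as a JSON object (`{"method": ..., "params": [...]}`) rather than a string; if this stub's parameter types take part in client-side conversion or validation, a Str parameter presumably would not accept dict elements, so the declared type may not describe what the command actually carries. This is worth confirming against the server-side definition of batch for API 2.49 before relying on the stub for anything beyond presence of the command. The file looks like it mirrors a server schema; if it is regenerated from one, the correction belongs in the generator's type mapping, not in a hand edit here. Until then a one-line comment above the parameter, `# NOTE: elements are nested call dicts, not strings; type presumably mirrors the 2.49 schema — confirm client-side conversion`, would stop the next reader from assuming string input.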
+++ b/ipaclient/remote_plugins/2_49/cert.py 
@@ -0,0 +1,209 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +If using the selfsign back end then the subject in the CSR needs to match +the subject configured in the server. The dogtag CA uses just the CN +value of the CSR and forces the rest of the subject. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. 
+ +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Service principal for this certificate (e.g. 
HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_49/config.py b/ipaclient/remote_plugins/2_49/config.py new file mode 100644 index 000000000..41abee8fe --- /dev/null +++ b/ipaclient/remote_plugins/2_49/config.py 
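Review bot: `cert_revoke.revocation_reason` is a bare `Int` defaulting to 0 although its doc says `(0-10)` and the module docstring says code 7 is unused, so nothing in this stub stops a caller from sending 7 or 42 and the outcome rests entirely on server-side checking. Either the doc should say the value is validated by the server, or the parameter should carry `minvalue=0, maxvalue=10` so the CLI rejects it early; in both cases the unused code 7 should be mentioned in the option doc, not only in the module text. The example sequence (revoke with reason 6, then `cert-remove-hold`) reads as if any revocation can be undone; presumably only a certificateHold revocation can be lifted, and a one-line caveat next to the `cert_remove_hold` doc (`Take a revoked certificate off hold.`) would make that explicit — confirm against the 2.49 server. This file appears to be generated, so the change would have to go into the source it mirrors.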
@@ -0,0 +1,394 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Server configuration + +Manage the default values that IPA uses and some of its tuning parameters. + +NOTES: + +The password notification value (--pwdexpnotify) is stored here so it will +be replicated. It is not currently used to notify users in advance of an +expiring password. + +Some attributes are read-only, provided only for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plug-in features: currently defines additional hashes that the + password will generate (there may be other conditions). + +When setting the order list for mapping SELinux users you may need to +quote the value so it isn't interpreted by the shell. 
+ +EXAMPLES: + + Show basic server configuration: + ipa config-show + + Show all configuration options: + ipa config-show --all + + Change maximum username length to 99 characters: + ipa config-mod --maxusername=99 + + Increase default time and size limits for maximum IPA server search: + ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000 + + Set default user e-mail domain: + ipa config-mod --emaildomain=example.com + + Enable migration mode to make "ipa migrate-ds" command operational: + ipa config-mod --enable-migration=TRUE + + Define SELinux user map order: + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' +""") + +register = Registry() + + +@register() +class config(Object): + takes_params = ( + parameters.Int( + 'ipamaxusernamelength', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when 
searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + label=_(u'Enable migration mode'), + ), + parameters.DNParam( + 'ipacertificatesubjectbase', + label=_(u'Certificate Subject base'), + doc=_(u'Base for certificate subjects (OU=Test,O=Example)'), + ), + parameters.Str( + 'ipagroupobjectclasses', + multivalue=True, + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + multivalue=True, + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + ) + + +@register() +class config_mod(Method): + __doc__ = _("Modify configuration options.") + + takes_options = ( + parameters.Int( + 'ipamaxusernamelength', + required=False, + cli_name='maxusername', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + required=False, + cli_name='homedirectory', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + required=False, + 
cli_name='defaultshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + required=False, + cli_name='defaultgroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + cli_name='emaildomain', + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + required=False, + cli_name='searchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + required=False, + cli_name='searchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + required=False, + cli_name='usersearch', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + required=False, + cli_name='groupsearch', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + required=False, + cli_name='enable_migration', + label=_(u'Enable migration mode'), + ), + parameters.Str( + 'ipagroupobjectclasses', + required=False, + multivalue=True, + cli_name='groupobjectclasses', + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + required=False, + multivalue=True, + cli_name='userobjectclasses', + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + required=False, + cli_name='pwdexpnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's 
notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + cli_metavar="['AllowLMhash', 'AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']", + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + required=False, + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD']", + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class config_show(Method): + __doc__ = _("Show the current configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/delegation.py b/ipaclient/remote_plugins/2_49/delegation.py new file mode 100644 index 000000000..352f6350e --- /dev/null +++ b/ipaclient/remote_plugins/2_49/delegation.py 
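Review bot: `ipaconfigstring` advertises `AllowLMhash` and `AllowNThash` in its cli_metavar but its doc says only `Extra hashes to generate in password plug-in`, with no hint of the risk; the LM hash is an unsalted, case-folded, 14-character-split scheme that is trivially cracked, so the option doc should warn, e.g. `doc=_(u'Extra hashes to generate in password plug-in (AllowLMhash stores the weak LM hash; enable only for legacy clients)')`. The same applies to `ipamigrationenabled`: the docstring shows `--enable-migration=TRUE` as a plain example, and the option doc could say it is presumably meant to stay on only while `ipa migrate-ds` is in use. `ipasearchtimelimit` documents `(> 0, or -1 for unlimited)` while the stub declares a bare `Int`, so 0 or -5 pass client-side and whether the server rejects them is not visible here. These files look generated, so the wording fixes belong in the source the generator reads.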
@@ -0,0 +1,384 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +Group to Group Delegations grants the members of one group to update a set +of attributes of members of another group. + +EXAMPLES: + + Add a delegation rule to allow managers to edit employee's addresses: + ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add postalCode to the list: + ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street" + + Display our updated rule: + ipa delegation-show "managers edit employees' street" + + Delete a rule: + ipa delegation-del "managers edit employees' street" +""") + +register = Registry() + + +@register() +class delegation(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'memberof', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + ) + + +@register() +class delegation_add(Method): + __doc__ = _("Add a new delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_del(Method): + __doc__ = _("Delete a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_find(Method): + __doc__ = _("Search for delegations.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class delegation_mod(Method): + __doc__ = _("Modify a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_show(Method): + __doc__ = _("Display information about a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py new file mode 100644 index 000000000..07cef75c2 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/dns.py 
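Review bot: The delegation module docstring's opening is garbled — `A permission enables fine-grained delegation of permissions.` is circular and `Access Control Rules, or instructions (ACIs), grant permission to permissions to perform given tasks` does not parse — so `ipa help delegation` gives no usable definition. Suggested replacement for those two sentences: `Access Control Instructions (ACIs) grant a group the right to perform given tasks, such as adding a user or modifying a group. A delegation is an ACI that lets the members of one group update a set of attributes on the members of another group.` The `permissions` option doc says `Default is write.`, so a rule added without `--permissions` is a write grant, and since `attrs` is free text (`no_convert=True`) the doc should remind the operator that read-only delegations must be requested explicitly and that the attribute list is applied exactly as given. This file looks generated, so the text fix belongs upstream in the source it mirrors.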
@@ -0,0 +1,5063 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Domain Name System (DNS) + +Manage DNS zone and resource records. + + +USING STRUCTURED PER-TYPE OPTIONS + +There are many structured DNS RR types where DNS data stored in LDAP server +is not just a scalar value, for example an IP address or a domain name, but +a data structure which may be often complex. A good example is a LOC record +[RFC1876] which consists of many mandatory and optional parts (degrees, +minutes, seconds of latitude and longitude, altitude or precision). + +It may be difficult to manipulate such DNS records without making a mistake +and entering an invalid value. DNS module provides an abstraction over these +raw records and allows to manipulate each RR type with specific options. For +each supported RR type, DNS module provides a standard option to manipulate +a raw records with format --<rrtype>-rec, e.g. --mx-rec, and special options +for every part of the RR structure with format --<rrtype>-<partname>, e.g. +--mx-preference and --mx-exchanger. + +When adding a record, either RR specific options or standard option for a raw +value can be used, they just should not be combined in one add operation. When +modifying an existing entry, new RR specific options can be used to change +one part of a DNS record, where the standard option for raw value is used +to specify the modified value. The following example demonstrates +a modification of MX record preference from 0 to 1 in a record without +modifying the exchanger: +ipa dnsrecord-mod --mx-rec="0 mx.example.com." 
--mx-preference=1 + + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --name-server=ns \ + --admin-email=admin@example.com \ + --ip-address=10.0.0.1 + + Add system permission that can be used for per-zone privilege delegation: + ipa dnszone-add-permission example.com + + Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: + ipa dnszone-mod example.com --dynamic-update=TRUE + + This is the equivalent of: + ipa dnszone-mod example.com --dynamic-update=TRUE \ + --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;" + + Modify the zone to allow zone transfers for local network only: + ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8 + + Add new reverse zone specified by network IP address: + ipa dnszone-add --name-from-ip=80.142.15.0/24 \ + --name-server=ns.example.com. + + Add second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com + + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec="10 mail1" + + Add another record using MX record specific options: + ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2 + + Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, + or dnsrecord-del are executed with no options): + ipa dnsrecord-add example.com @ + Please choose a type of DNS resource record to be added + The most common types for this type of zone are: NS, MX, LOC + + DNS resource record type: MX + MX Preference: 30 + MX Exchanger: mail3 + Record name: example.com + MX record: 10 mail1, 20 mail2, 30 mail3 + NS record: nameserver.example.com., nameserver2.example.com. + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com. 
+ + Add LOC record for example.com: + ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m" + + Add new A record for www.example.com. Create a reverse record in appropriate + reverse zone as well. In this case a PTR record "2" pointing to www.example.com + will be created in zone 15.142.80.in-addr.arpa. + ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse + + Add new PTR record for www.example.com + ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com. + + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + + The interactive mode can be used for easy modification: + ipa dnsrecord-mod example.com _ldap._tcp + No option to modify specific record provided. + Current DNS record contents: + + SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com + + Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No): + Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y + SRV Priority [0]: (keep the default value) + SRV Weight [1]: 2 (modified value) + SRV Port [389]: (keep the default value) + SRV Target [slow.example.com]: (keep the default value) + 1 SRV record skipped. Only one value per DNS record type can be modified at one time. + Record name: _ldap._tcp + SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com + + After this modification, three fifths of the requests should go to + fast.example.com and two fifths to slow.example.com. 
+ + An example of the interactive mode for dnsrecord-del command: + ipa dnsrecord-del example.com www + No option to delete specific record provided. + Delete all? Yes/No (default No): (do not delete all records) + Current DNS record contents: + + A record: 1.2.3.4, 11.22.33.44 + + Delete A record '1.2.3.4'? Yes/No (default No): + Delete A record '11.22.33.44'? Yes/No (default No): y + Record name: www + A record: 1.2.3.4 (A record 11.22.33.44 has been deleted) + + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in its domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 10.10.0.1 in zone example.com + ipa dnsrecord-find example.com --a-rec=10.10.0.1 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delegate zone sub.example to another nameserver: + ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5 + ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com. + + If global forwarder is configured, all requests to sub.example.com will be + routed through the global forwarder. 
To change the behavior for example.com + zone only and forward the request directly to ns.sub.example.com., global + forwarding may be disabled per-zone: + ipa dnszone-mod example.com --forward-policy=none + + Forward all requests for the zone external.com to another nameserver using + a "first" policy (it will send the queries to the selected forwarder and if + not answered it will use global resolvers): + ipa dnszone-add external.com + ipa dnszone-mod external.com --forwarder=10.20.0.1 \ + --forward-policy=first + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + +GLOBAL DNS CONFIGURATION + +DNS configuration passed to command line install script is stored in a local +configuration file on each IPA server where DNS service is configured. These +local settings can be overridden with a common configuration stored in LDAP +server: + + Show global DNS configuration: + ipa dnsconfig-show + + Modify global DNS configuration and set a list of global forwarders: + ipa dnsconfig-mod --forwarder=10.0.0.1 +""") + +register = Registry() + + +@register() +class dnsconfig(Object): + takes_params = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Global forwarders'), + doc=_(u'A list of global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. 
Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + label=_(u'Zone refresh interval'), + doc=_(u'An interval between regular polls of the name server for new DNS zones'), + ), + ) + + +@register() +class dnsrecord(Object): + takes_params = ( + parameters.Str( + 'idnsname', + primary_key=True, + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'dnsrecords', + required=False, + label=_(u'Records'), + ), + parameters.Str( + 'dnstype', + required=False, + label=_(u'Record type'), + ), + parameters.Str( + 'dnsdata', + required=False, + label=_(u'Record data'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 
records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + ), + parameters.Str( + 'dnamerecord', 
+ required=False, + multivalue=True, + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dname_part_target', + required=False, + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Int( + 'key_part_flags', + required=False, + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + 
multivalue=True, + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + ), + parameters.Decimal( + 'loc_part_size', + required=False, + label=_(u'LOC Size'), + doc=_(u'Size'), + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + ), 
+ parameters.Decimal( + 'loc_part_v_precision', + required=False, + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + ), + parameters.Str( + 'naptr_part_service', + required=False, + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + label=_(u'NSEC Next Domain 
Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rrsig_part_type_covered', + required=False, + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + label=_(u"RRSIG Signer's Name"), + 
doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + label=_(u'RRSIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + label=_(u'SRV Priority'), + 
doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + ) + + +@register() +class dnszone(Object): + takes_params = ( + parameters.Str( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to 
create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.Str( + 'idnssoarname', + label=_(u'Administrator e-mail address'), + ), + parameters.Int( + 'idnssoaserial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + ), + parameters.Int( + 'idnssoarefresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + ), + parameters.Int( + 'idnssoaretry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + ), + parameters.Int( + 'idnssoaexpire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + ), + parameters.Int( + 'idnssoaminimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + label=_(u'BIND update policy'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + ), + parameters.Str( + 'idnsallowquery', + required=False, + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + ) + + +@register() +class dns_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the DNS service enabled.") + + NO_CLI = True + + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dns_resolve(Command): + __doc__ = _("Resolve a host name in DNS.") + + takes_args = ( + parameters.Str( + 'hostname', + label=_(u'Hostname'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_mod(Method): + __doc__ = _("Modify global DNS configuration.") + + takes_options = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Global forwarders'), + doc=_(u'A list of global forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + cli_name='zone_refresh', + label=_(u'Zone refresh interval'), + doc=_(u'An interval between regular polls of the name server for new DNS zones'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_show(Method): + __doc__ = _("Show the current global DNS configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_add(Method): + __doc__ = _("Add new DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + cli_name='a_create_reverse', + option_group=u'A Record', + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + cli_name='aaaa_create_reverse', + option_group=u'AAAA Record', + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + 
label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + 
), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + option_group=u'DNSKEY Record', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', 
+ option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Int( + 'key_part_flags', + required=False, + cli_name='key_flags', + option_group=u'KEY Record', + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + cli_name='key_protocol', + option_group=u'KEY Record', + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + cli_name='key_algorithm', + option_group=u'KEY Record', + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + cli_name='key_public_key', + option_group=u'KEY Record', + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX 
records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds 
Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, 
+ cli_name='nsec_rec', + option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + cli_name='nsec_next', + option_group=u'NSEC Record', + label=_(u'NSEC Next Domain Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + cli_name='nsec_types', + option_group=u'NSEC Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + option_group=u'NSEC3 Record', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + option_group=u'NSEC3PARAM Record', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + no_convert=True, + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 
'rrsig_part_type_covered', + required=False, + cli_name='rrsig_type_covered', + option_group=u'RRSIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + cli_name='rrsig_algorithm', + option_group=u'RRSIG Record', + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + cli_name='rrsig_labels', + option_group=u'RRSIG Record', + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + cli_name='rrsig_original_ttl', + option_group=u'RRSIG Record', + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + cli_name='rrsig_signature_expiration', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + cli_name='rrsig_signature_inception', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + cli_name='rrsig_key_tag', + option_group=u'RRSIG Record', + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + cli_name='rrsig_signers_name', + option_group=u'RRSIG Record', + label=_(u"RRSIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + cli_name='rrsig_signature', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature'), + 
doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + cli_name='sig_type_covered', + option_group=u'SIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + cli_name='sig_algorithm', + option_group=u'SIG Record', + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + cli_name='sig_labels', + option_group=u'SIG Record', + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + cli_name='sig_original_ttl', + option_group=u'SIG Record', + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + cli_name='sig_signature_expiration', + option_group=u'SIG Record', + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + cli_name='sig_signature_inception', + option_group=u'SIG Record', + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + cli_name='sig_key_tag', + option_group=u'SIG 
Record', + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + cli_name='sig_signers_name', + option_group=u'SIG Record', + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + cli_name='sig_signature', + option_group=u'SIG Record', + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' 
if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + option_group=u'TA Record', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + option_group=u'TKEY Record', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + option_group=u'TSIG Record', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force NS record creation even if its hostname is not in DNS'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_del(Method): + __doc__ = _("Delete DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + 
doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + 
parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + 
cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Flag( + 'del_all', + label=_(u'Delete all associated records'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_delentry(Method): + __doc__ = _("Delete DNS record entry.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_find(Method): + __doc__ = _("Search for DNS resources.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + 
label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + 
exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + 
multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + 
doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsrecord_mod(Method): + __doc__ = _("Modify a DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + 
required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + 
option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + 
parameters.Str( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + option_group=u'DNSKEY Record', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + 
parameters.Int( + 'key_part_flags', + required=False, + cli_name='key_flags', + option_group=u'KEY Record', + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + cli_name='key_protocol', + option_group=u'KEY Record', + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + cli_name='key_algorithm', + option_group=u'KEY Record', + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + cli_name='key_public_key', + option_group=u'KEY Record', + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction 
Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, 
+ cli_name='nsec_rec', + option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + cli_name='nsec_next', + option_group=u'NSEC Record', + label=_(u'NSEC Next Domain Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + cli_name='nsec_types', + option_group=u'NSEC Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + option_group=u'NSEC3 Record', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + option_group=u'NSEC3PARAM Record', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + no_convert=True, + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 
'rrsig_part_type_covered', + required=False, + cli_name='rrsig_type_covered', + option_group=u'RRSIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + cli_name='rrsig_algorithm', + option_group=u'RRSIG Record', + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + cli_name='rrsig_labels', + option_group=u'RRSIG Record', + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + cli_name='rrsig_original_ttl', + option_group=u'RRSIG Record', + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + cli_name='rrsig_signature_expiration', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + cli_name='rrsig_signature_inception', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + cli_name='rrsig_key_tag', + option_group=u'RRSIG Record', + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + cli_name='rrsig_signers_name', + option_group=u'RRSIG Record', + label=_(u"RRSIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + cli_name='rrsig_signature', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature'), + 
doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + cli_name='sig_type_covered', + option_group=u'SIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + cli_name='sig_algorithm', + option_group=u'SIG Record', + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + cli_name='sig_labels', + option_group=u'SIG Record', + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + cli_name='sig_original_ttl', + option_group=u'SIG Record', + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + cli_name='sig_signature_expiration', + option_group=u'SIG Record', + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + cli_name='sig_signature_inception', + option_group=u'SIG Record', + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + cli_name='sig_key_tag', + option_group=u'SIG 
Record', + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + cli_name='sig_signers_name', + option_group=u'SIG Record', + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + cli_name='sig_signature', + option_group=u'SIG Record', + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' 
if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + option_group=u'TA Record', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + option_group=u'TKEY Record', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + option_group=u'TSIG Record', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the DNS resource record object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_show(Method): + __doc__ = _("Display DNS resource.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add(Method): + __doc__ = _("Create new DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. 
+ # """ + # return int(time.time()) + autofill=True, + ), + parameters.Int( + 'idnssoarefresh', + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + autofill=True, + ), + parameters.Int( + 'idnssoaretry', + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + autofill=True, + ), + parameters.Int( + 'idnssoaexpire', + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + autofill=True, + ), + parameters.Int( + 'idnssoaminimum', + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + autofill=True, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + autofill=True, + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + autofill=True, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + 
default=u'none;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + doc=_(u'Add forward record for nameserver located in the created zone'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add_permission(Method): + __doc__ = _("Add a permission for per-zone access delegation.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_del(Method): + __doc__ = _("Delete DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_disable(Method): + __doc__ = _("Disable DNS Zone.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_enable(Method): + __doc__ = _("Enable DNS Zone.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_find(Method): + __doc__ = _("Search for DNS zones (SOA records).") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + 
doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic 
updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'forward_only', + label=_(u'Forward zones only'), + doc=_(u'Search for forward zones only'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnszone_mod(Method): + __doc__ = _("Modify DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + 
# def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue 
queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force nameserver change even if nameserver not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_remove_permission(Method): + __doc__ = _("Remove a permission for per-zone access delegation.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_show(Method): + __doc__ = _("Display information about a DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/entitle.py b/ipaclient/remote_plugins/2_49/entitle.py new file mode 100644 index 000000000..f527939bf --- /dev/null +++ b/ipaclient/remote_plugins/2_49/entitle.py 
@@ -0,0 +1,383 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Entitlements
+
+Manage entitlements for client machines
+
+Entitlements can be managed either by registering with an entitlement
+server with a username and password or by manually importing entitlement
+certificates. An entitlement certificate contains embedded information
+such as the product being entitled, the quantity and the validity dates.
+
+An entitlement server manages the number of client entitlements available.
+To mark these entitlements as used by the IPA server you provide a quantity
+and they are marked as consumed on the entitlement server.
+
+ Register with an entitlement server:
+ ipa entitle-register consumer
+
+ Import an entitlement certificate:
+ ipa entitle-import /home/user/ipaclient.pem
+
+ Display current entitlements:
+ ipa entitle-status
+
+ Retrieve details on entitlement certificates:
+ ipa entitle-get
+
+ Consume some entitlements from the entitlement server:
+ ipa entitle-consume 50
+
+The registration ID is a Unique Identifier (UUID). This ID will be
+IMPORTED if you have used entitle-import.
+
+Changes to /etc/rhsm/rhsm.conf require a restart of the httpd service.
+""")
+
+register = Registry()
+
+
+@register()
+class entitle(Object):
+ takes_params = (
+ )
+
+
+@register()
+class entitle_consume(Method):
+ __doc__ = _("Consume an entitlement.")
+
+ takes_args = (
+ parameters.Int(
+ 'quantity',
+ label=_(u'Quantity'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'hidden',
+ label=_(u'Quantity'),
+ exclude=('cli', 'webui'),
+ default=1,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class entitle_find(Method):
+ __doc__ = _("Search for entitlement accounts.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class entitle_get(Command):
+ __doc__ = _("Retrieve the entitlement certs.")
+
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class entitle_import(Method):
+ __doc__ = _("Import an entitlement certificate.")
+
+ takes_args = (
+ parameters.Str(
+ 'usercertificate',
+ required=False,
+ multivalue=True,
+ cli_name='certificate_file',
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'uuid',
+ required=False,
+ label=_(u'UUID'),
+ doc=_(u'Enrollment UUID'),
+ default=u'IMPORTED',
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class entitle_register(Method):
+ __doc__ = _("Register to the entitlement system.")
+
+ takes_args = (
+ parameters.Str(
+ 'username',
+ label=_(u'Username'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'ipaentitlementid',
+ required=False,
+ label=_(u'UUID'),
+ doc=_(u'Enrollment UUID (not implemented)'),
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'Password'),
+ doc=_(u'Registration password'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class entitle_status(Command):
+ __doc__ = _("Display current entitlements.")
+
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ )
+
+
+@register()
+class entitle_sync(Method):
+ __doc__ = _("Re-sync the local entitlement cache with the entitlement server.")
+
+ takes_options = (
+ parameters.Int(
+ 'hidden',
+ label=_(u'Quantity'),
+ exclude=('cli', 'webui'),
+ default=1,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/group.py b/ipaclient/remote_plugins/2_49/group.py
new file mode 100644
index 000000000..940a113df
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/group.py
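Review bot: `usercertificate` in entitle_import (the `parameters.Str` with `cli_name='certificate_file'`) is the only argument in this file that carries neither a `label` nor a `doc`, so help output for `ipa entitle-import` shows a bare parameter name with no hint of what it expects; the module docstring's own example (`ipa entitle-import /home/user/ipaclient.pem`) gives enough to add `label=_(u'Certificate file'),` and `doc=_(u'Path to an entitlement certificate file (PEM)'),`. The `hidden` Int option in entitle_consume, and again in entitle_sync, has the same gap: its label `Quantity` merely duplicates the positional `quantity` argument, and since `exclude=('cli', 'webui')` presumably only keeps it out of those two frontends rather than out of the RPC interface, a caller who can still pass it has no documentation of what the server does with it — a one-line `doc=` would settle that. If these 2_49 modules are generated from the server's API schema, as the identical boilerplate across aci.py, dns.py and group.py suggests, the wording belongs in the generator's input rather than a hand edit here.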
@@ -0,0 +1,854 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of users + +Manage groups of users. By default, new groups are POSIX groups. You +can add the --nonposix option to the group-add command to mark a new group +as non-POSIX. You can use the --posix argument with the group-mod command +to convert a non-POSIX group into a POSIX group. POSIX groups cannot be +converted to non-POSIX groups. + +Every group must have a description. + +POSIX groups must have a Group ID (GID) number. Changing a GID is +supported but can have an impact on your file permissions. It is not necessary +to supply a GID when creating a group. IPA will generate one automatically +if it is not provided. 
+ +EXAMPLES: + + Add a new group: + ipa group-add --desc='local administrators' localadmins + + Add a new non-POSIX group: + ipa group-add --nonposix --desc='remote administrators' remoteadmins + + Convert a non-POSIX group to posix: + ipa group-mod --posix remoteadmins + + Add a new POSIX group with a specific Group ID number: + ipa group-add --gid=500 --desc='unix admins' unixadmins + + Add a new POSIX group and let IPA assign a Group ID number: + ipa group-add --desc='printer admins' printeradmins + + Remove a group: + ipa group-del unixadmins + + To add the "remoteadmins" group to the "localadmins" group: + ipa group-add-member --groups=remoteadmins localadmins + + Add a list of users to the "localadmins" group: + ipa group-add-member --users=test1,test2 localadmins + + Remove a user from the "localadmins" group: + ipa group-remove-member --users=test2 localadmins + + Display information about a named group. + ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external + ipa group-add --desc='<ad.domain> admins' ad_admins + +2. 
Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external +""") + +register = Registry() + + +@register() +class group(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Group name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_user', + required=False, + label=_(u'Indirect Member users'), + ), + parameters.Str( + 'memberindirect_group', + required=False, + label=_(u'Indirect Member groups'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + 
label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class group_add(Method): + __doc__ = _("Create a new group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'nonposix', + doc=_(u'Create as a non-POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'Allow adding external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_add_member(Method): + __doc__ = _("Add members to a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class group_del(Method): + __doc__ = _("Delete group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_detach(Method): + __doc__ = _("Detach a managed group from a user.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_find(Method): + __doc__ = _("Search for groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + doc=_(u'search for private groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for groups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for groups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for groups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member groups.'), + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for groups with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for groups with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + 
cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for groups without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class group_mod(Method): + __doc__ = _("Modify a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'change to a POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'change to support external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the group object'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_remove_member(Method): + __doc__ = _("Remove members from a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class group_show(Method): + __doc__ = _("Display information about a named group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacrule.py b/ipaclient/remote_plugins/2_49/hbacrule.py new file mode 100644 index 000000000..64e195797 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacrule.py 
@@ -0,0 +1,1198 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Host-based access control + +Control who can access what services on what hosts and from where. You +can use HBAC to control which users or groups on a source host can +access a service, or group of services, on a target host. + +You can also specify a category of users, target hosts, and source +hosts. This is currently limited to "all", but might be expanded in the +future. + +Target hosts and source hosts in HBAC rules must be hosts managed by IPA. + +The available services and groups of services are controlled by the +hbacsvc and hbacsvcgroup plug-ins respectively. + +EXAMPLES: + + Create a rule, "test1", that grants all users access to the host "server" from + anywhere: + ipa hbacrule-add --usercat=all --srchostcat=all test1 + ipa hbacrule-add-host --hosts=server.example.com test1 + + Display the properties of a named HBAC rule: + ipa hbacrule-show test1 + + Create a rule for a specific service. This lets the user john access + the sshd service on any machine from any machine: + ipa hbacrule-add --hostcat=all --srchostcat=all john_sshd + ipa hbacrule-add-user --users=john john_sshd + ipa hbacrule-add-service --hbacsvcs=sshd john_sshd + + Create a rule for a new service group. 
This lets the user john access + the FTP service on any machine from any machine: + ipa hbacsvcgroup-add ftpers + ipa hbacsvc-add sftp + ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers + ipa hbacrule-add --hostcat=all --srchostcat=all john_ftp + ipa hbacrule-add-user --users=john john_ftp + ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp + + Disable a named HBAC rule: + ipa hbacrule-disable test1 + + Remove a named HBAC rule: + ipa hbacrule-del allow_server +""") + +register = Registry() + + +@register() +class hbacrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + label=_(u'Source Hosts'), + ), + parameters.Str( + 'sourcehost_hostgroup', + 
required=False, + label=_(u'Source Host Groups'), + ), + parameters.Str( + 'memberservice_hbacsvc', + required=False, + label=_(u'Services'), + ), + parameters.Str( + 'memberservice_hbacsvcgroup', + required=False, + label=_(u'Service Groups'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class hbacrule_add(Method): + __doc__ = _("Create a new HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + autofill=True, + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a 
name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_service(Method): + __doc__ = _("Add services to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to add'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'comma-separated list of HBAC service groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_sourcehost(Method): + __doc__ = _("Add source hosts and hostgroups from a HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_user(Method): + __doc__ = _("Add users and groups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_del(Method): + __doc__ = _("Delete an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_disable(Method): + __doc__ = _("Disable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_enable(Method): + __doc__ = _("Enable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_find(Method): + __doc__ = _("Search for HBAC rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + 
parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacrule_mod(Method): + __doc__ = _("Modify an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies 
to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_service(Method): + __doc__ = _("Remove service and service groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to remove'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'comma-separated list of HBAC service groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_sourcehost(Method): + __doc__ = _("Remove source hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_user(Method): + __doc__ = _("Remove users and groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_show(Method): + __doc__ = _("Display the properties of an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacsvc.py b/ipaclient/remote_plugins/2_49/hbacsvc.py new file mode 100644 index 000000000..89d57b512 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacsvc.py 
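Review bot: `hbacrule_add`, `hbacrule_find` and `hbacrule_mod` declare `accessruletype` with `cli_metavar="['allow', 'deny']"` while the accompanying doc says only `Rule type (allow)`, so the parameter advertises a deny rule type that nothing in this hunk documents as honoured; the mismatch is hidden from operators because the option is `exclude=('webui', 'cli')`, but it remains visible to API clients. If these modules mirror the server's 2.49 schema the values must stay as they are, but a comment on the first `accessruletype` option such as `# metavar mirrors the 2.49 server schema; only 'allow' is documented here, so do not build access decisions on a 'deny' type` would keep a reader from assuming deny rules are enforced. Separately, `hbacrule_add_sourcehost.__doc__` reads `Add source hosts and hostgroups from a HBAC rule.` where its sibling `hbacrule_add_host` says `to an HBAC rule`; if the text is copied from the server plugin it should be corrected there rather than patched in this compat file.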
@@ -0,0 +1,390 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_del(Method): + __doc__ = _("Delete an existing HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_find(Method): + __doc__ = _("Search for HBAC services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("service")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvc_mod(Method): + __doc__ = _("Modify an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_show(Method): + __doc__ = _("Display information about an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacsvcgroup.py b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py new file mode 100644 index 000000000..4949ddc4c --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py 
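Review bot: Nothing in the new hbacsvc.py module records that these class definitions mirror the server-side API schema for version 2.49 rather than being hand-maintained, and the same is true of the hbacsvcgroup.py and hbactest.py hunks that follow. The `# pylint: disable=unused-import` line plus the uniform import block (api, DefaultFrom, DN and DNSName are not referenced anywhere in the hunk) suggest generated output; if that is the case, a one-line header such as `# Generated from the 2.49 server API schema; do not edit by hand` after the copyright block would tell a maintainer where a fix actually belongs. If the files are hand-written, the unused imports should be trimmed rather than silenced.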
@@ -0,0 +1,493 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Service Groups + +HBAC service groups can contain any number of individual services, +or "members". Every group must have a description. + +EXAMPLES: + + Add a new HBAC service group: + ipa hbacsvcgroup-add --desc="login services" login + + Add members to an HBAC service group: + ipa hbacsvcgroup-add-member --hbacsvcs=sshd,login login + + Display information about a named group: + ipa hbacsvcgroup-show login + + Add a new group to the "login" group: + ipa hbacsvcgroup-add --desc="switch users" login + ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l login + + Delete an HBAC service group: + ipa hbacsvcgroup-del login +""") + +register = Registry() + + +@register() +class hbacsvcgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service group name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'member_hbacsvc', + required=False, + label=_(u'Member HBAC service'), + ), + ) + + +@register() +class hbacsvcgroup_add(Method): + __doc__ = _("Add a new HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_add_member(Method): + __doc__ = _("Add members to an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacsvcgroup_del(Method): + __doc__ = _("Delete an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_find(Method): + __doc__ = _("Search for an HBAC service group.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvcgroup_mod(Method): + __doc__ = _("Modify an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_remove_member(Method): + __doc__ = _("Remove members from an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacsvcgroup_show(Method): + __doc__ = _("Display information about an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbactest.py b/ipaclient/remote_plugins/2_49/hbactest.py new file mode 100644 index 000000000..e13093df0 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbactest.py 
@@ -0,0 +1,213 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts and from where. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--srchost= ] [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + + If --srchost is specified, it will be ignored. It is left because of compatibility reasons only. + +EXAMPLES: + + 1. 
Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + notmatched: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + + 7. 
Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + notmatched: new-rule + matched: allow_all +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + cli_name='srchost', + label=_(u'Source host'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + 
(list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/host.py b/ipaclient/remote_plugins/2_49/host.py new file mode 100644 index 000000000..988a83b2d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/host.py 
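Review bot: The `sourcehost` option (cli_name 'srchost') carries only the label 'Source host', while the module docstring above states that --srchost is ignored and kept for compatibility; anyone reading the generated help for hbactest will assume the source host is evaluated when it is not, which matters for an access-control simulation. Adding `doc=_(u'Ignored; accepted for compatibility only')` to that parameter would surface the caveat where the option is actually seen. The 'enabled' flag has a similar gap: its label says '[default]' while it is declared with `default=False`, and only the docstring explains that all enabled rules are used when no --rules is given. If these definitions are generated from the server schema, the wording change belongs in the server-side plugin and would propagate here on regeneration.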
@@ -0,0 +1,1030 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Hosts/Machines + +A host represents a machine. It can be used in a number of contexts: +- service entries are associated with a host +- a host stores the host/ service principal +- a host can be used in Host-based Access Control (HBAC) rules +- every enrolled client generates a host entry + +ENROLLMENT: + +There are three enrollment scenarios when enrolling a new client: + +1. You are enrolling as a full administrator. The host entry may exist + or not. A full administrator is a member of the hostadmin role + or the admins group. +2. You are enrolling as a limited administrator. The host must already + exist. A limited administrator is a member a role with the + Host Enrollment privilege. +3. The host has been created with a one-time password. + +A host can only be enrolled once. If a client has enrolled and needs to +be re-enrolled, the host entry must be removed and re-created. Note that +re-creating the host entry will result in all services for the host being +removed, and all SSL certificates associated with those services being +revoked. + +A host can optionally store information such as where it is located, +the OS that it runs, etc. 
+ +EXAMPLES: + + Add a new host: + ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com + + Delete a host: + ipa host-del test.example.com + + Add a new host with a one-time password: + ipa host-add --os='Fedora 12' --password=Secret123 test.example.com + + Add a new host with a random one-time password: + ipa host-add --os='Fedora 12' --random test.example.com + + Modify information about a host: + ipa host-mod --os='Fedora 12' test.example.com + + Remove SSH public keys of a host and update DNS to reflect this change: + ipa host-mod --sshpubkey= --updatedns test.example.com + + Disable the host Kerberos key, SSL certificate and all of its services: + ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test +""") + +register = Registry() + + +@register() +class host(Object): + takes_params = ( + parameters.Str( + 'fqdn', + primary_key=True, + label=_(u'Host name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Principal name'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + 
parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'managing_host', + label=_(u'Managing'), + ), + ) + + +@register() +class host_add(Method): + __doc__ = _("Add a new host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force host name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_reverse', + doc=_(u'skip reverse DNS detection'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + label=_(u'IP Address'), + doc=_(u'Add the host to DNS with this IP address'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_add_managedby(Method): + __doc__ = _("Add hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_del(Method): + __doc__ = _("Delete a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + multivalue=True, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Remove entries from DNS'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 
'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_disable(Method): + __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_find(Method): + __doc__ = _("Search for hosts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'fqdn', + required=False, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostname")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for hosts with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for hosts without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts with 
these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts without these member of sudo rules.'), + ), + parameters.Str( + 'enroll_by_user', + required=False, + multivalue=True, + cli_name='enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts with these enrolled by users.'), + ), + parameters.Str( + 'not_enroll_by_user', + required=False, + multivalue=True, + cli_name='not_enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts without these enrolled by users.'), + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managed by hosts.'), + ), + parameters.Str( + 'man_host', + required=False, + multivalue=True, + cli_name='man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managing hosts.'), + ), + parameters.Str( + 'not_man_host', + required=False, + multivalue=True, + cli_name='not_man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managing hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class host_mod(Method): + __doc__ = _("Modify information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', 
+ required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principalname', + label=_(u'Principal name'), + doc=_(u'Kerberos principal name for this host'), + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Update DNS entries'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_managedby(Method): + __doc__ = _("Remove hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_show(Method): + __doc__ = _("Display information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hostgroup.py b/ipaclient/remote_plugins/2_49/hostgroup.py new file mode 100644 index 000000000..2ff646db5 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hostgroup.py 
@@ -0,0 +1,670 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of hosts. + +Manage groups of hosts. This is useful for applying access control to a +number of hosts by using Host-based Access Control. + +EXAMPLES: + + Add a new host group: + ipa hostgroup-add --desc="Baltimore hosts" baltimore + + Add another new host group: + ipa hostgroup-add --desc="Maryland hosts" maryland + + Add members to the hostgroup: + ipa hostgroup-add-member --hosts=box1,box2,box3 baltimore + + Add a hostgroup as a member of another hostgroup: + ipa hostgroup-add-member --hostgroups=baltimore maryland + + Remove a host from the hostgroup: + ipa hostgroup-remove-member --hosts=box2 baltimore + + Display a host group: + ipa hostgroup-show baltimore + + Delete a hostgroup: + ipa hostgroup-del baltimore +""") + +register = Registry() + + +@register() +class hostgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( 
+ 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_host', + required=False, + label=_(u'Indirect Member hosts'), + ), + parameters.Str( + 'memberindirect_hostgroup', + required=False, + label=_(u'Indirect Member host-groups'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class hostgroup_add(Method): + __doc__ = _("Add a new hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_add_member(Method): + __doc__ = _("Add members to a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hostgroup_del(Method): + __doc__ = _("Delete a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + 
default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_find(Method): + __doc__ = _("Search for hostgroups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for host groups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for host groups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member host groups.'), + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups without these member of netgroups.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + 
doc=_(u'Search for host groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hostgroup_mod(Method): + __doc__ = _("Modify a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_remove_member(Method): + __doc__ = _("Remove members from a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hostgroup_show(Method): + __doc__ = _("Display information about a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/idrange.py b/ipaclient/remote_plugins/2_49/idrange.py new file mode 100644 index 000000000..5b2c1096d --- /dev/null 
+++ b/ipaclient/remote_plugins/2_49/idrange.py 
@@ -0,0 +1,609 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID ranges + +Manage ID ranges used to map Posix IDs to SIDs and back. + +There are two type of ID ranges which are both handled by this utility: + + - the ID ranges of the local domain + - the ID ranges of trusted remote domains + +Both types have the following attributes in common: + + - base-id: the first ID of the Posix ID range + - range-size: the size of the range + +With those two attributes a range object can reserve the Posix IDs starting +with base-id up to but not including base-id+range-size exclusively. + +Additionally an ID range of the local domain may set + - rid-base: the first RID(*) of the corresponding RID range + - secondary-rid-base: first RID of the secondary RID range + +and an ID range of a trusted domain must set + - rid-base: the first RID of the corresponding RID range + - dom_sid: domain SID of the trusted domain + + + +EXAMPLE: Add a new ID range for a trusted domain + +Since there might be more than one trusted domain the domain SID must be given +while creating the ID range. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \ + --dom-sid=S-1-5-21-123-456-789 trusted_dom_range + +This ID range is then used by the IPA server and the SSSD IPA provider to +assign Posix UIDs to users from the trusted domain. + +If e.g a range for a trusted domain is configured with the following values: + base-id = 1200000 + range-size = 200000 + rid-base = 0 +the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. 
So +RID 1000 <-> Posix ID 1201000 + + + +EXAMPLE: Add a new ID range for the local domain + +To create an ID range for the local domain it is not necessary to specify a +domain SID. But since it is possible that a user and a group can have the same +value as Posix ID a second RID interval is needed to handle conflicts. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \ + --secondary-rid-base=1000000 local_range + +The data from the ID ranges of the local domain are used by the IPA server +internally to assign SIDs to IPA users and groups. The SID will then be stored +in the user or group objects. + +If e.g. the ID range for the local domain is configured with the values from +the example above then a new user with the UID 1200007 will get the RID 1007. +If this RID is already used by a group the RID will be 1000007. This can only +happen if a user or a group object was created with a fixed ID because the +automatic assignment will not assign the same ID twice. Since there are only +users and groups sharing the same ID namespace it is sufficient to have only +one fallback range to handle conflicts. + +To find the Posix ID for a given RID from the local domain it has to be +checked first if the RID falls in the primary or secondary RID range and +the rid-base or the secondary-rid-base has to be subtracted, respectively, +and the base-id has to be added to get the Posix ID. + +Typically the creation of ID ranges happens behind the scenes and this CLI +must not be used at all. The ID range for the local domain will be created +during installation or upgrade from an older version. The ID range for a +trusted domain will be created together with the trust by 'ipa trust-add ...'. + +USE CASES: + + Add an ID range from a transitively trusted domain + + If the trusted domain (A) trusts another domain (B) as well and this trust + is transitive 'ipa trust-add domain-A' will only create a range for + domain A. 
The ID range for domain B must be added manually. + + Add an additional ID range for the local domain + + If the ID range of the local domain is exhausted, i.e. no new IDs can be + assigned to Posix users or groups by the DNA plugin, a new range has to be + created to allow new users and groups to be added. (Currently there is no + connection between this range CLI and the DNA plugin, but a future version + might be able to modify the configuration of the DNS plugin as well) + +In general it is not necessary to modify or delete ID ranges. If there is no +other way to achieve a certain configuration than to modify or delete an ID +range it should be done with great care. Because UIDs are stored in the file +system and are used for access control it might be possible that users are +allowed to access files of other users if an ID range got deleted and reused +for a different domain. + +(*) The RID is typically the last integer of a user or group SID which follows +the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from +this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the +user. RIDs are unique in a domain, 32bit values and are used for users and +groups. + +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+""") + +register = Registry() + + +@register() +class idrange(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + ), + ) + + +@register() +class idrange_add(Method): + __doc__ = _(""" +Add new ID range. + + To add a new ID range you always have to specify + + --base-id + --range-size + + Additionally + + --rid-base + --secondary-rid-base + + may be given for a new ID range for the local domain while + + --rid-bas + --dom-sid + + must be given to add a new range for a trusted AD domain. + + WARNING: + + DNA plugin in 389-ds will allocate IDs based on the ranges configured for the + local domain. Currently the DNA plugin *cannot* be reconfigured itself based + on the local ranges set via this family of commands. + + Manual configuration change has to be done in the DNA plugin configuration for + the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix + IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be + modified to match the new range. 
+ """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idrange_del(Method): + __doc__ = _("Delete an ID range.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_find(Method): + __doc__ = _("Search for ranges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idrange_mod(Method): + __doc__ = _("Modify ID range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_show(Method): + __doc__ = _("Display information about a range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/internal.py b/ipaclient/remote_plugins/2_49/internal.py new file mode 100644 index 000000000..63a4adca1 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/internal.py 
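Review bot: The worked example in the module docstring says RIDs 0 to 199999 "are mapped to the Posix ID from 1200000 to 13999999"; with base-id 1200000 and range-size 200000 the last ID is 1399999, so the extra digit misstates the range by a factor of ten in the one paragraph meant to explain how IDs overlap, and the fix is `the Posix ID from 1200000 to 1399999`. The same docstring has "1010 id the RID" (should be "is") and "configuration of the DNS plugin" (should be "DNA plugin", matching the WARNING section), and `idrange_add.__doc__` lists `--rid-bas` where `--rid-base` is meant. The paragraph warning that a deleted and reused range can let users access other users' files is the security caveat that matters in this module and reads correctly; the numbers around it should be made equally trustworthy. If this file is generated from the server's API schema, as the identical boilerplate in each file suggests, the corrections belong in the server-side plugin docstring and should be regenerated here rather than hand-edited.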
@@ -0,0 +1,90 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugins not accessible directly through the CLI, commands used internally +""") + +register = Registry() + + +@register() +class i18n_messages(Command): + NO_CLI = True + + has_output = ( + output.Output( + 'messages', + dict, + doc=_(u'Dict of I18N messages'), + ), + ) + + +@register() +class json_metadata(Command): + __doc__ = _("Export plugin meta-data for the webUI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'objname', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'methodname', + required=False, + doc=_(u'Name of method to export'), + ), + ) + takes_options = ( + parameters.Str( + 'object', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'method', + required=False, + doc=_(u'Name of method to export'), + ), + parameters.Str( + 'command', + required=False, + doc=_(u'Name of command to export'), + ), + ) + has_output = ( + output.Output( + 'objects', + dict, + doc=_(u'Dict of JSON encoded IPA Objects'), + ), + output.Output( + 'methods', + dict, + doc=_(u'Dict of JSON encoded IPA Methods'), + ), + output.Output( + 'commands', + dict, + doc=_(u'Dict of JSON encoded IPA Commands'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/join.py b/ipaclient/remote_plugins/2_49/join.py new file mode 100644 index 000000000..dc0904dc4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/join.py 
@@ -0,0 +1,64 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Joining an IPA domain +""") + +register = Registry() + + +@register() +class join(Command): + __doc__ = _("Join an IPA domain") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostname', + doc=_(u'The hostname to register as'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: unicode(installutils.get_fqdn()) + autofill=True, + ), + ) + takes_options = ( + parameters.Str( + 'realm', + doc=_(u'The IPA realm'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: get_realm() + autofill=True, + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + doc=_(u'Operating System and version of the host (e.g. Fedora 9)'), + ), + ) + has_output = ( + ) diff --git a/ipaclient/remote_plugins/2_49/krbtpolicy.py b/ipaclient/remote_plugins/2_49/krbtpolicy.py new file mode 100644 index 000000000..9765c4cd8 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/krbtpolicy.py 
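Review bot: In `join`, both `cn` (takes_args) and `realm` (takes_options) use `default_from=DefaultFrom(lambda : None)` with `autofill=True`, and the commented-out `# FIXME:` lambdas (`unicode(installutils.get_fqdn())`, `get_realm()`) show the intended defaults were dropped, so a caller that omits `--hostname` or `--realm` gets `None` autofilled into what the visible schema declares as a required parameter instead of the host's own identity. Whether the server rejects a `None` hostname or realm is not visible in this hunk, but silently registering with no value is not a safe default for a domain-join command. If the compat layer cannot import `installutils` here, the safer change is to drop `autofill=True` and the stub `default_from` on both parameters so the framework prompts for or rejects the missing value, keeping the FIXME pointing at the intended callables, e.g. `parameters.Str('cn', cli_name='hostname', doc=_(u'The hostname to register as'))`. A test asserting that the defaults resolve to a real FQDN and realm would stop the stubs from surviving unnoticed.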
@@ -0,0 +1,269 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos ticket policy + +There is a single Kerberos ticket policy. This policy defines the +maximum ticket lifetime and the maximum renewal age, the period during +which the ticket is renewable. + +You can also create a per-user ticket policy by specifying the user login. + +For changes to the global policy to take effect, restarting the KDC service +is required, which can be achieved using: + +service krb5kdc restart + +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). + +EXAMPLES: + + Display the current Kerberos ticket policy: + ipa krbtpolicy-show + + Reset the policy to the default: + ipa krbtpolicy-reset + + Modify the policy to 8 hours max life, 1-day max renewal: + ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400 + + Display effective Kerberos ticket policy for user 'admin': + ipa krbtpolicy-show admin + + Reset per-user policy for user 'admin': + ipa krbtpolicy-reset admin + + Modify per-user policy for user 'admin': + ipa krbtpolicy-mod admin --maxlife=3600 +""") + +register = Registry() + + +@register() +class krbtpolicy(Object): + takes_params = ( + parameters.Str( + 'uid', + required=False, + primary_key=True, + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + parameters.Int( + 'krbmaxticketlife', + required=False, + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + label=_(u'Max renew'), + doc=_(u'Maximum renewable age 
(seconds)'), + ), + ) + + +@register() +class krbtpolicy_mod(Method): + __doc__ = _("Modify Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxticketlife', + required=False, + cli_name='maxlife', + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + cli_name='maxrenew', + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_reset(Method): + __doc__ = _("Reset Kerberos ticket policy to the default values.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_show(Method): + __doc__ = _("Display the current Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/migration.py b/ipaclient/remote_plugins/2_49/migration.py new file mode 100644 index 000000000..753f23a16 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/migration.py 
@@ -0,0 +1,295 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Migration to IPA + +Migrate users and groups from an LDAP server to IPA. + +This performs an LDAP query against the remote server searching for +users and groups in a container. In order to migrate passwords you need +to bind as a user that can read the userPassword attribute on the remote +server. This is generally restricted to high-level admins such as +cn=Directory Manager in 389-ds (this is the default bind user). + +The default user container is ou=People. + +The default group container is ou=Groups. + +Users and groups that already exist on the IPA server are skipped. + +Two LDAP schemas define how group members are stored: RFC2307 and +RFC2307bis. RFC2307bis uses member and uniquemember to specify group +members, RFC2307 uses memberUid. The default schema is RFC2307bis. + +The schema compat feature allows IPA to reformat data for systems that +do not support RFC2307bis. It is recommended that this feature is disabled +during migration to reduce system overhead. It can be re-enabled after +migration. To migrate with it enabled use the "--with-compat" option. + +Migrated users do not have Kerberos credentials, they have only their +LDAP password. To complete the migration process, users need to go +to http://ipa.example.com/ipa/migration and authenticate using their +LDAP password in order to generate their Kerberos credentials. + +Migration is disabled by default. 
Use the command ipa config-mod to +enable it: + + ipa config-mod --enable-migration=TRUE + +If a base DN is not provided with --basedn then IPA will use either +the value of defaultNamingContext if it is set or the first value +in namingContexts set in the root of the remote LDAP server. + +Users are added as members to the default user group. This can be a +time-intensive task so during migration this is done in a batch +mode for every 100 users. As a result there will be a window in which +users will be added to IPA but will not be members of the default +user group. + +EXAMPLES: + + The simplest migration, accepting all defaults: + ipa migrate-ds ldap://ds.example.com:389 + + Specify the user and group container. This can be used to migrate user + and group data from an IPA v1 server: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Since IPA v2 server already contain predefined groups that may collide with + groups in migrated (IPA v1) server (for example admins, ipausers), users + having colliding group as their primary group may happen to belong to + an unknown group on new IPA v2 server. + Use --group-overwrite-gid option to overwrite GID of already existing groups + to prevent this issue: + ipa migrate-ds --group-overwrite-gid \ + --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Migrated users or groups may have object class and accompanied attributes + unknown to the IPA v2 server. These object classes and attributes may be + left out of the migration process: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + --user-ignore-objectclass=radiusprofile \ + --user-ignore-attribute=radiusgroupname \ + ldap://ds.example.com:389 + +LOGGING + +Migration will log warnings and errors to the Apache error log. 
This +file should be evaluated post-migration to correct or investigate any +issues that were discovered. + +For every 100 users migrated an info-level message will be displayed to +give the current progress and duration to make it possible to track +the progress of migration. + +If the log level is debug, either by setting debug = True in +/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed +for each user added plus a summary when the default user group is +updated. +""") + +register = Registry() + + +@register() +class migrate_ds(Command): + __doc__ = _("Migrate users and groups from DS to IPA.") + + takes_args = ( + parameters.Str( + 'ldapuri', + cli_name='ldap_uri', + label=_(u'LDAP URI'), + doc=_(u'LDAP URI of DS server to migrate from'), + ), + parameters.Password( + 'bindpw', + cli_name='password', + label=_(u'Password'), + doc=_(u'bind password'), + ), + ) + takes_options = ( + parameters.DNParam( + 'binddn', + required=False, + cli_name='bind_dn', + label=_(u'Bind DN'), + default=DN(u'cn=directory manager'), + autofill=True, + ), + parameters.DNParam( + 'usercontainer', + cli_name='user_container', + label=_(u'User container'), + doc=_(u'DN of container for users in DS relative to base DN'), + default=DN(u'ou=people'), + autofill=True, + ), + parameters.DNParam( + 'groupcontainer', + cli_name='group_container', + label=_(u'Group container'), + doc=_(u'DN of container for groups in DS relative to base DN'), + default=DN(u'ou=groups'), + autofill=True, + ), + parameters.Str( + 'userobjectclass', + multivalue=True, + cli_name='user_objectclass', + label=_(u'User object class'), + doc=_(u'Comma-separated list of objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + parameters.Str( + 'groupobjectclass', + multivalue=True, + cli_name='group_objectclass', + label=_(u'Group object class'), + doc=_(u'Comma-separated list of objectclasses used to search for group entries in DS'), + 
default=(u'groupOfUniqueNames', u'groupOfNames'), + autofill=True, + ), + parameters.Str( + 'userignoreobjectclass', + required=False, + multivalue=True, + cli_name='user_ignore_objectclass', + label=_(u'Ignore user object class'), + doc=_(u'Comma-separated list of objectclasses to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'userignoreattribute', + required=False, + multivalue=True, + cli_name='user_ignore_attribute', + label=_(u'Ignore user attribute'), + doc=_(u'Comma-separated list of attributes to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreobjectclass', + required=False, + multivalue=True, + cli_name='group_ignore_objectclass', + label=_(u'Ignore group object class'), + doc=_(u'Comma-separated list of objectclasses to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreattribute', + required=False, + multivalue=True, + cli_name='group_ignore_attribute', + label=_(u'Ignore group attribute'), + doc=_(u'Comma-separated list of attributes to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Flag( + 'groupoverwritegid', + cli_name='group_overwrite_gid', + label=_(u'Overwrite GID'), + doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'), + default=False, + autofill=True, + ), + parameters.Str( + 'schema', + required=False, + cli_metavar="['RFC2307bis', 'RFC2307']", + label=_(u'LDAP schema'), + doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + default=u'RFC2307bis', + autofill=True, + ), + parameters.Flag( + 'continue', + required=False, + label=_(u'Continue'), + doc=_(u'Continuous operation mode. 
Errors are reported but the process continues'), + default=False, + autofill=True, + ), + parameters.DNParam( + 'basedn', + required=False, + cli_name='base_dn', + label=_(u'Base DN'), + doc=_(u'Base DN on remote LDAP server'), + ), + parameters.Flag( + 'compat', + required=False, + cli_name='with_compat', + label=_(u'Ignore compat plugin'), + doc=_(u'Allows migration despite the usage of compat plugin'), + default=False, + autofill=True, + ), + parameters.Str( + 'exclude_groups', + required=False, + multivalue=True, + doc=_(u'comma-separated list of groups to exclude from migration'), + default=(), + autofill=True, + ), + parameters.Str( + 'exclude_users', + required=False, + multivalue=True, + doc=_(u'comma-separated list of users to exclude from migration'), + default=(), + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Lists of objects migrated; categorized by type.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Lists of objects that could not be migrated; categorized by type.'), + ), + output.Output( + 'enabled', + bool, + doc=_(u'False if migration mode was disabled.'), + ), + output.Output( + 'compat', + bool, + doc=_(u'False if migration fails because the compatibility plug-in is enabled.'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/misc.py b/ipaclient/remote_plugins/2_49/misc.py new file mode 100644 index 000000000..4889e666b --- /dev/null +++ b/ipaclient/remote_plugins/2_49/misc.py 
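Review bot: The module docstring directs migrated users to `http://ipa.example.com/ipa/migration` to enter their LDAP password; a plain-http URL in the canonical example invites deployments where passwords are submitted in clear text, and it should read `https://ipa.example.com/ipa/migration`. The examples likewise bind with the `binddn` default `cn=directory manager` against `ldap://ds.example.com:389`; unless the server side upgrades that connection with STARTTLS (nothing in this hunk shows it does), the most privileged password on the source directory crosses the network unencrypted, so the docstring should recommend `ldaps://` for the `ldapuri` argument and state the consequence of using `ldap://`. Both are docstring changes; if this file is generated from the server's API schema, the fix belongs in the server-side migration plugin and should be regenerated here.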
@@ -0,0 +1,113 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Misc plug-ins
+""")
+
+register = Registry()
+
+
+@register()
+class env(Command):
+ __doc__ = _("Show environment variables.")
+
+ takes_args = (
+ parameters.Str(
+ 'variables',
+ required=False,
+ multivalue=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping variable name to value'),
+ ),
+ output.Output(
+ 'total',
+ int,
+ doc=_(u'Total number of variables env (>= count)'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of variables returned (<= total)'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
+
+
+@register()
+class plugins(Command):
+ __doc__ = _("Show all loaded plugins.")
+
+ takes_options = (
+ parameters.Flag(
+ 'server',
+ required=False,
+ doc=_(u'Forward to server instead of running locally'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=True,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'Dictionary mapping plugin names to bases'),
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of plugins loaded'),
+ ),
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/netgroup.py b/ipaclient/remote_plugins/2_49/netgroup.py
new file mode 100644
index 000000000..ea2936270
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/netgroup.py
@@ -0,0 +1,826 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Netgroups + +A netgroup is a group used for permission checking. It can contain both +user and host values. + +EXAMPLES: + + Add a new netgroup: + ipa netgroup-add --desc="NFS admins" admins + + Add members to the netgroup: + ipa netgroup-add-member --users=tuser1,tuser2 admins + + Remove a member from the netgroup: + ipa netgroup-remove-member --users=tuser2 admins + + Display information about a netgroup: + ipa netgroup-show admins + + Delete a netgroup: + ipa netgroup-del admins +""") + +register = Registry() + + +@register() +class netgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Netgroup name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'member_netgroup', + required=False, + label=_(u'Member netgroups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + 
parameters.Str( + 'memberindirect_netgroup', + required=False, + label=_(u'Indirect Member netgroups'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Member User'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'Member Group'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Member Host'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Member Hostgroup'), + ), + ) + + +@register() +class netgroup_add(Method): + __doc__ = _("Add a new netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_add_member(Method): + __doc__ = _("Add members to a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'comma-separated list of netgroups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class netgroup_del(Method): + __doc__ = _("Delete a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_find(Method): + __doc__ = _("Search for a netgroup.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + cli_name='uuid', + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'managed', + doc=_(u'search for managed groups'), + default=False, + default_from=DefaultFrom(lambda private: private), + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member netgroups.'), + ), + parameters.Str( + 'no_netgroup', + required=False, + multivalue=True, + cli_name='no_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member netgroups.'), + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for netgroups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for netgroups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for netgroups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for netgroups without these member groups.'), + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for netgroups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for netgroups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host 
group'), + doc=_(u'Search for netgroups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups without these member host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member of netgroups.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class netgroup_mod(Method): + __doc__ = _("Modify a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 
'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_remove_member(Method): + __doc__ = _("Remove members from a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'comma-separated list of netgroups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class netgroup_show(Method): + __doc__ = _("Display information about a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/passwd.py b/ipaclient/remote_plugins/2_49/passwd.py new file mode 100644 index 000000000..34385df6d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/passwd.py 
@@ -0,0 +1,86 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: util.get_current_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
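Review bot: In the `passwd` command the `default_from` callables for both `principal` and `current_password` are stubs (`DefaultFrom(lambda : None)` and `DefaultFrom(lambda principal: None, 'principal')`) with `# FIXME:` comments naming the intended helpers, so with `autofill=True` the client never derives the caller's principal or prompts for the current password from this definition; whatever resolves them must live outside this hunk. A reader of this file cannot tell whether that is handled elsewhere, so the two FIXME blocks should say so, e.g. `# FIXME: default is resolved by the compat/server layer, not here; see util.get_current_principal()`, or the stubs should be replaced with the named helpers if they are importable in this module. If this file is produced by a generator, the change belongs in the generator rather than here.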
diff --git a/ipaclient/remote_plugins/2_49/permission.py b/ipaclient/remote_plugins/2_49/permission.py
new file mode 100644
index 000000000..bce582fdd
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/permission.py
@@ -0,0 +1,751 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable form of a 389-ds Access Control Rule, or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add or delete. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Read permission is granted for most attributes by default so the read +permission is not expected to be used very often. + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. type: a type of object (user, group, etc). +2. memberof: a member of a group or hostgroup +3. filter: an LDAP filter +4. subtree: an LDAP filter specifying part of the LDAP DIT. 
This is a + super-set of the "type" target. +5. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership) + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + alwaysask=True, + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + alwaysask=True, + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + alwaysask=True, + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'comma-separated list of privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissiontype', + required=False, + cli_metavar="['SYSTEM']", + label=_(u'Permission type'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 
'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + 
label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'comma-separated list of privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/ping.py b/ipaclient/remote_plugins/2_49/ping.py new file mode 100644 index 000000000..83917fbb7 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/ping.py 
@@ -0,0 +1,60 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Ping the remote IPA server to ensure it is running. + +The ping command sends an echo request to an IPA server. The server +returns its version information. This is used by an IPA client +to confirm that the server is available and accepting requests. + +The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first. +If it does not respond then the client will contact any servers defined +by ldap SRV records in DNS. + +EXAMPLES: + + Ping an IPA server: + ipa ping + ------------------------------------------ + IPA server version 2.1.9. API version 2.20 + ------------------------------------------ + + Ping an IPA server verbosely: + ipa -v ping + ipa: INFO: trying https://ipa.example.com/ipa/xml + ipa: INFO: Forwarding 'ping' to server u'https://ipa.example.com/ipa/xml' + ----------------------------------------------------- + IPA server version 2.1.9. API version 2.20 + ----------------------------------------------------- +""") + +register = Registry() + + +@register() +class ping(Command): + __doc__ = _("Ping a remote server.") + + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/pkinit.py b/ipaclient/remote_plugins/2_49/pkinit.py new file mode 100644 index 000000000..9b06c2ef0 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/pkinit.py 
@@ -0,0 +1,61 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos pkinit options + +Enable or disable anonymous pkinit using the principal +WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with +pkinit support. + +EXAMPLES: + + Enable anonymous pkinit: + ipa pkinit-anonymous enable + + Disable anonymous pkinit: + ipa pkinit-anonymous disable + +For more information on anonymous pkinit see: + +http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +""") + +register = Registry() + + +@register() +class pkinit(Object): + takes_params = ( + ) + + +@register() +class pkinit_anonymous(Command): + __doc__ = _("Enable or Disable Anonymous PKINIT.") + + takes_args = ( + parameters.Str( + 'action', + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_49/privilege.py b/ipaclient/remote_plugins/2_49/privilege.py new file mode 100644 index 000000000..f450c20f1 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/privilege.py 
@@ -0,0 +1,603 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Privileges + +A privilege combines permissions into a logical task. A permission provides +the rights to do a single task. There are some IPA operations that require +multiple permissions to succeed. A privilege is where permissions are +combined in order to perform a specific task. + +For example, adding a user requires the following permissions: + * Creating a new user entry + * Resetting a user password + * Adding the new user to the default IPA users group + +Combining these three low-level tasks into a higher level task in the +form of a privilege named "Add User" makes it easier to manage Roles. + +A privilege may not contain other privileges. + +See role and permission for additional information. 
+""") + +register = Registry() + + +@register() +class privilege(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'memberof_permission', + required=False, + label=_(u'Permissions'), + ), + parameters.Str( + 'member_role', + required=False, + label=_(u'Granting privilege to roles'), + ), + ) + + +@register() +class privilege_add(Method): + __doc__ = _("Add a new privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class privilege_add_member(Method): + __doc__ = _("Add members to a privilege.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'comma-separated list of roles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class privilege_add_permission(Method): + __doc__ = _("Add permissions to a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'comma-separated list of permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions added'), + ), + ) + + +@register() +class privilege_del(Method): + __doc__ = _("Delete a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class privilege_find(Method): + __doc__ = _("Search for privileges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class privilege_mod(Method): + __doc__ = _("Modify a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the privilege object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_remove_member(Method): + __doc__ = _("Remove members from a privilege") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'comma-separated list of roles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class privilege_remove_permission(Method): + __doc__ = _("Remove permissions from a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'comma-separated list of permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions removed'), + ), + ) + + +@register() +class privilege_show(Method): + __doc__ = _("Display information about a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/pwpolicy.py b/ipaclient/remote_plugins/2_49/pwpolicy.py new file mode 100644 index 000000000..99e494548 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/pwpolicy.py 
@@ -0,0 +1,947 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Password policy + +A password policy sets limitations on IPA passwords, including maximum +lifetime, minimum lifetime, the number of passwords to save in +history, the number of character classes required (for stronger passwords) +and the minimum password length. + +By default there is a single, global policy for all users. You can also +create a password policy to apply to a group. Each user is only subject +to one password policy, either the group policy or the global policy. A +group policy stands alone; it is not a super-set of the global policy plus +custom settings. + +Each group password policy requires a unique priority setting. If a user +is in multiple groups that have password policies, this priority determines +which password policy is applied. A lower value indicates a higher priority +policy. + +Group password policies are automatically removed when the groups they +are associated with are removed. 
+ +EXAMPLES: + + Modify the global policy: + ipa pwpolicy-mod --minlength=10 + + Add a new group password policy: + ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins + + Display the global password policy: + ipa pwpolicy-show + + Display a group password policy: + ipa pwpolicy-show localadmins + + Display the policy that would be applied to a given user: + ipa pwpolicy-show --user=tuser1 + + Modify a group password policy: + ipa pwpolicy-mod --minclasses=2 localadmins +""") + +register = Registry() + + +@register() +class cosentry(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + ) + + +@register() +class pwpolicy(Object): + takes_params = ( + parameters.Str( + 'cn', + required=False, + primary_key=True, + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', 
+ required=False, + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + ) + + +@register() +class cosentry_add(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_del(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_find(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("cn")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cosentry_mod(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_show(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_add(Method): + __doc__ = _("Add a new group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_del(Method): + __doc__ = _("Delete a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_find(Method): + __doc__ = _("Search for group password policies.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Int( + 
'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class pwpolicy_mod(Method): + __doc__ = _("Modify a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + 
label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_show(Method): + __doc__ = _("Display information about password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + label=_(u'User'), + doc=_(u'Display effective policy for a specific user'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/role.py b/ipaclient/remote_plugins/2_49/role.py new file mode 100644 index 000000000..e7ac59b7f --- /dev/null 
+++ b/ipaclient/remote_plugins/2_49/role.py 
@@ -0,0 +1,682 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group junioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'junioradmin' can + add users, reset passwords or add a user to the default IPA user group. 
+""") + +register = Registry() + + +@register() +class role(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Role name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_privilege', + required=False, + label=_(u'Privileges'), + ), + ) + + +@register() +class role_add(Method): + __doc__ = _("Add a new role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_add_member(Method): + __doc__ = _("Add members to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class role_add_privilege(Method): + __doc__ = 
_("Add privileges to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'comma-separated list of privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges added'), + ), + ) + + +@register() +class role_del(Method): + __doc__ = _("Delete a role.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class role_find(Method): + __doc__ = _("Search for roles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class role_mod(Method): + __doc__ = _("Modify a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the role object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_remove_member(Method): + __doc__ = _("Remove members from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class role_remove_privilege(Method): + __doc__ = _("Remove privileges from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'comma-separated list of privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges removed'), + ), + ) + + +@register() +class role_show(Method): + __doc__ = _("Display information about a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/selfservice.py b/ipaclient/remote_plugins/2_49/selfservice.py new file mode 100644 index 000000000..76bb84ca4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/selfservice.py 
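Review bot: In `role_remove_privilege` the `failed` output is documented as `doc=_(u'Members that could not be added')`, which is a copy of `role_add_privilege`'s wording and is wrong for a remove command, while `role_remove_member` in the same hunk correctly says 'Members that could not be removed'. I would change it to `doc=_(u'Privileges that could not be removed')` and, for consistency, `role_add_privilege`'s to `doc=_(u'Privileges that could not be added')`, since the entries in that dict are privileges rather than members. These files look like API-version-pinned compatibility stubs mirroring the 2.49 server schema, so if they are generated from server metadata the wording fix presumably belongs in the server plugin and generator rather than a hand edit here. The `failed` dict is the only per-item signal a caller gets when a privilege change partially fails, so its description should be accurate for anyone scripting or auditing role changes.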
@@ -0,0 +1,337 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Self-service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address: + ipa selfservice-add --permissions=write --attrs=street,postalCode,l,c,st "Users manage their own address" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add telephoneNumber to the list: + ipa selfservice-mod --attrs=street,postalCode,l,c,st,telephoneNumber "Users manage their own address" + + Display our updated rule: + ipa selfservice-show "Users manage their own address" + + Delete a rule: + ipa selfservice-del "Users manage their own address" +""") + +register = Registry() + + +@register() +class selfservice(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + ) + + +@register() +class selfservice_add(Method): + __doc__ = _("Add a new self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_del(Method): + __doc__ = _("Delete a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_find(Method): + __doc__ = _("Search for a self-service permission.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selfservice_mod(Method): + __doc__ = _("Modify a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_show(Method): + __doc__ = _("Display information about a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/selinuxusermap.py b/ipaclient/remote_plugins/2_49/selinuxusermap.py new file mode 100644 index 000000000..eaa98412a --- /dev/null +++ b/ipaclient/remote_plugins/2_49/selinuxusermap.py 
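Review bot: The module docstring's second sentence, `Access Control Rules, or instructions (ACIs), grant permission to permissions to perform given tasks`, is garbled ("grant permission to permissions") and should read along the lines of "Access Control Instructions (ACIs) grant permission to perform given tasks such as adding a user, modifying a group, etc.". Separately, `permissions` in `selfservice_add`, `selfservice_mod` and `selfservice_find` is a plain multivalue `Str` whose doc promises "(read, write)" but carries no `values=` restriction, so the client forwards any string and relies on the server to reject it; since these 2_49 stubs appear to mirror the server schema for that API version this is presumably intentional, but a one-line comment such as `# permission values are validated server-side for API 2.49` would stop a later reader from adding a client-side check that could diverge from older servers. Because the docstring states a self-service rule "defines what an object can change in its own entry", it would also help to add a sentence there reminding administrators that the `--attrs` list grants write access to every user's own entry and deserves the same scrutiny as any other ACI.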
@@ -0,0 +1,852 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +SELinux User Mapping + +Map IPA users to SELinux users by host. + +Hosts, hostgroups, users and groups can be either defined within +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. + +EXAMPLES: + + Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server": + ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 + ipa selinuxusermap-add-host --hosts=server.example.com test1 + + Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts: + ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2 + + Display the properties of a rule: + ipa selinuxusermap-show test2 + + Create a rule for a specific user. 
This sets the SELinux context for + user john to unconfined_u:s0-s0:c0.c1023 on any machine: + ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined + ipa selinuxusermap-add-user --users=john john_unconfined + + Disable a rule: + ipa selinuxusermap-disable test1 + + Enable a rule: + ipa selinuxusermap-enable test1 + + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + + Remove a rule: + ipa selinuxusermap-del john_unconfined + +SEEALSO: + + The list controlling the order in which the SELinux user map is applied + and the default SELinux user are available in the config-show command. +""") + +register = Registry() + + +@register() +class selinuxusermap(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + ) + + +@register() +class selinuxusermap_add(Method): + __doc__ = _("Create a new SELinux User Map.") + + takes_args = ( + parameters.Str( 
+ 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_add_user(Method): + __doc__ = _("Add users and groups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_del(Method): + __doc__ = _("Delete a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_disable(Method): + __doc__ = _("Disable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_enable(Method): + __doc__ = _("Enable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_find(Method): + __doc__ = _("Search for SELinux User Maps.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + 
label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selinuxusermap_mod(Method): + __doc__ = _("Modify a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + 
required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_remove_user(Method): + __doc__ = _("Remove users and groups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_show(Method): + __doc__ = _("Display the properties of a SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/service.py b/ipaclient/remote_plugins/2_49/service.py new file mode 100644 index 000000000..b0d6da055 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/service.py 
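Review bot: Nothing in selinuxusermap.py (or in service.py in the next hunk) says that the module is a frozen snapshot of one server version's command schema rather than hand-maintained code, although the identical `all`/`raw` Flag boilerplate repeated in every class, the `# pylint: disable=unused-import` header and the version-named package path suggest it is. Without that marker, a maintainer who "fixes" a parameter here — e.g. adds a `pattern=` to `ipaselinuxuser` or narrows `usercategory` — silently makes the client's view of the API diverge from what the remote server actually accepts and validates, which is the one thing these stubs must not do. I would add a comment right after the license block along the lines of `# Snapshot of the remote server's command schema for this API version; do not edit by hand, regenerate from the server` (exact wording to be confirmed against how these files are produced). The same header would apply to every other file of this commit that follows the template.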
@@ -0,0 +1,621 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Services + +A IPA service represents a service that runs on a host. The IPA service +record can store a Kerberos principal, an SSL certificate, or both. + +An IPA service can be managed directly from a machine, provided that +machine has been given the correct permission. This is true even for +machines other than the one the service is associated with. For example, +requesting an SSL certificate using the host service principal credentials +of the host. To manage a service using host credentials you need to +kinit as the host: + + # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM + +Adding an IPA service allows the associated service to request an SSL +certificate or keytab, but this is performed as a separate step; they +are not produced as a result of adding the service. + +Only the public aspect of a certificate is stored in a service record; +the private key is not stored. 
+ +EXAMPLES: + + Add a new IPA service: + ipa service-add HTTP/web.example.com + + Allow a host to manage an IPA service certificate: + ipa service-add-host --hosts=web.example.com HTTP/web.example.com + ipa role-add-member --hosts=web.example.com certadmin + + Override a default list of supported PAC types for the service: + ipa service-mod HTTP/web.example.com --pac-type=MS-PAC + + Delete an IPA service: + ipa service-del HTTP/web.example.com + + Find all IPA services associated with a host: + ipa service-find web.example.com + + Find all HTTP services: + ipa service-find HTTP + + Disable the service Kerberos key and SSL certificate: + ipa service-disable HTTP/web.example.com + + Request a certificate for an IPA service: + ipa cert-request --principal=HTTP/web.example.com example.csr + + Generate and retrieve a keytab for an IPA service: + ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab +""") + +register = Registry() + + +@register() +class service(Object): + takes_params = ( + parameters.Str( + 'krbprincipalname', + primary_key=True, + label=_(u'Principal'), + doc=_(u'Service principal'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. 
Use 'NONE' to disable PAC support for this service"), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + ) + + +@register() +class service_add(Method): + __doc__ = _("Add a new IPA new service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force principal name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_add_host(Method): + __doc__ = _("Add hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_del(Method): + __doc__ = _("Delete an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + multivalue=True, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + 
output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_disable(Method): + __doc__ = _("Disable the Kerberos key and SSL certificate of a service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_find(Method): + __doc__ = _("Search for IPA services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("principal")'), + default=False, + autofill=True, + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services without these managed by hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class service_mod(Method): + __doc__ = _("Modify an existing IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. 
Use 'NONE' to disable PAC support for this service"), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_host(Method): + __doc__ = _("Remove hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_show(Method): + __doc__ = _("Display information about an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
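Review bot: The docstring of `service_add` reads `_("Add a new IPA new service.")`, which duplicates "new"; this is the text a client shows in `ipa help` when talking to a server of this API version. If the strings in this file are meant to mirror the remote server's own docstrings exactly (which the rest of the file suggests), the correction belongs in whatever produces them and the snapshot should be regenerated; otherwise `__doc__ = _("Add a new IPA service.")` is the one-line change. Either way the translation lookup key changes, so the message catalogs would need a matching update.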
diff --git a/ipaclient/remote_plugins/2_49/session.py b/ipaclient/remote_plugins/2_49/session.py
new file mode 100644
index 000000000..af56cd688
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/session.py
@@ -0,0 +1,624 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Session Support for IPA +John Dennis <jdennis@redhat.com> + +Goals +===== + +Provide per-user session data caching which persists between +requests. Desired features are: + +* Integrates cleanly with minimum impact on existing infrastructure. + +* Provides maximum security balanced against real-world performance + demands. + +* Sessions must be able to be revoked (flushed). + +* Should be flexible and easy to use for developers. + +* Should leverage existing technology and code to the maximum extent + possible to avoid re-invention, excessive implementation time and to + benefit from robustness in field proven components commonly shared + in the open source community. + +* Must support multiple independent processes which share session + data. + +* System must function correctly if session data is available or not. + +* Must be high performance. + +* Should not be tied to specific web servers or browsers. Should + integrate with our chosen WSGI model. + +Issues +====== + +Cookies +------- + +Most session implementations are based on the use of cookies. Cookies +have some inherent problems. + +* User has the option to disable cookies. + +* User stored cookie data is not secure. Can be mitigated by setting + flags indicating the cookie is only to be used with SSL secured HTTP + connections to specific web resources and setting the cookie to + expire at session termination. Most modern browsers enforce these. + +Where to store session data? 
+---------------------------- + +Session data may be stored on either on the client or on the +server. Storing session data on the client addresses the problem of +session data availability when requests are serviced by independent web +servers because the session data travels with the request. However +there are data size limitations. Storing session data on the client +also exposes sensitive data but this can be mitigated by encrypting +the session data such that only the server can decrypt it. + +The more conventional approach is to bind session data to a unique +name, the session ID. The session ID is transmitted to the client and +the session data is paired with the session ID on the server in a +associative data store. The session data is retrieved by the server +using the session ID when the receiving the request. This eliminates +exposing sensitive session data on the client along with limitations +on data size. It however introduces the issue of session data +availability when requests are serviced by more than one server +process. + +Multi-process session data availability +--------------------------------------- + +Apache (and other web servers) fork child processes to handle requests +in parallel. Also web servers may be deployed in a farm where requests +are load balanced in round robin fashion across different nodes. In +both cases session data cannot be stored in the memory of a server +process because it is not available to other processes, either sibling +children of a master server process or server processes on distinct +nodes. + +Typically this is addressed by storing session data in a SQL +database. When a request is received by a server process containing a +session ID in it's cookie data the session ID is used to perform a SQL +query and the resulting data is then attached to the request as it +proceeds through the request processing pipeline. This of course +introduces coherency issues. 
+ +For IPA the introduction of a SQL database dependency is undesired and +should be avoided. + +Session data may also be shared by independent processes by storing +the session data in files. + +An alternative solution which has gained considerable popularity +recently is the use of a fast memory based caching server. Data is +stored in a single process memory and may be queried and set via a +light weight protocol using standard socket mechanisms, memcached is +one example. A typical use is to optimize SQL queries by storing a SQL +result in shared memory cache avoiding the more expensive SQL +operation. But the memory cache has distinct advantages in non-SQL +situations as well. + +Possible implementations for use by IPA +======================================= + +Apache Sessions +--------------- + +Apache has 2.3 has implemented session support via these modules: + + mod_session + Overarching session support based on cookies. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session.html + + mod_session_cookie + Stores session data in the client. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html + + mod_session_crypto + Encrypts session data for security. Encryption key is shared + configuration parameter visible to all Apache processes and is + stored in a configuration file. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html + + mod_session_dbd + Stores session data in a SQL database permitting multiple + processes to access and share the same session data. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html + +Issues with Apache sessions +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Although Apache has implemented generic session support and Apache is +our web server of preference it nonetheless introduces issues for IPA. + + * Session support is only available in httpd >= 2.3 which at the + time of this writing is currently only available as a Beta release + from upstream. 
We currently only ship httpd 2.2, the same is true + for other distributions. + + * We could package and ship the sessions modules as a temporary + package in httpd 2.2 environments. But this has the following + consequences: + + - The code has to be backported. the module API has changed + slightly between httpd 2.2 and 2.3. The backporting is not + terribly difficult and a proof of concept has been + implemented. + + - We would then be on the hook to package and maintain a special + case Apache package. This is maintenance burden as well as a + distribution packaging burden. Both of which would be best + avoided if possible. + + * The design of the Apache session modules is such that they can + only be manipulated by other Apache modules. The ability of + consumers of the session data to control the session data is + simplistic, constrained and static during the period the request + is processed. Request handlers which are not native Apache modules + (e.g. IPA via WSGI) can only examine the session data + via request headers and reset it in response headers. + + * Shared session data is available exclusively via SQL. + +However using the 2.3 Apache session modules would give us robust +session support implemented in C based on standardized Apache +interfaces which are widely used. + +Python Web Frameworks +--------------------- + +Virtually every Python web framework supports cookie based sessions, +e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided +to avoid the use of these frameworks. Trying to pull in just one part +of these frameworks just to get session support would be problematic +because the code does not function outside it's framework. + +IPA implemented sessions +------------------------ + +Originally it was believed the path of least effort was to utilize +existing session support, most likely what would be provided by +Apache. 
However there are enough basic modular components available in +native Python and other standard packages it should be possible to +provide session support meeting the aforementioned goals with a modest +implementation effort. Because we're leveraging existing components +the implementation difficulties are subsumed by other components which +have already been field proven and have community support. This is a +smart strategy. + +Proposed Solution +================= + +Our interface to the web server is via WSGI which invokes a callback +per request passing us an environmental context for the request. For +this discussion we'll name the WSGI callback "application()", a +conventional name in WSGI parlance. + +Shared session data will be handled by memcached. We will create one +instance of memcached on each server node dedicated to IPA +exclusively. Communication with memcached will be via a UNIX socket +located in the file system under /var/run/ipa_memcached. It will be +protected by file permissions and optionally SELinux policy. + +In application() we examine the request cookies and if there is an IPA +session cookie with a session ID we retrieve the session data from our +memcached instance. + +The session data will be a Python dict. IPA components will read or +write their session information by using a pre-agreed upon name +(e.g. key) in the dict. This is a very flexible system and consistent +with how we pass data in most parts of IPA. + +If the session data is not available an empty session data dict will +be created. + +How does this session data travel with the request in the IPA +pipeline? In IPA we use the HTTP request/response to implement RPC. In +application() we convert the request into a procedure call passing it +arguments derived from the HTTP request. The passed parameters are +specific to the RPC method being invoked. The context the RPC call is +executing in is not passed as an RPC parameter. 
+ +How would the contextual information such as session data be bound to +the request and hence the RPC call? + +In IPA when a RPC invocation is being prepared from a request we +recognize this will only ever be processed serially by one Python +thread. A thread local dict called "context" is allocated for each +thread. The context dict is cleared in between requests (e.g. RPC method +invocations). The per-thread context dict is populated during the +lifetime of the request and is used as a global data structure unique to +the request that various IPA component can read from and write to with +the assurance the data is unique to the current request and/or method +call. + +The session data dict will be written into the context dict under the +session key before the RPC method begins execution. Thus session data +can be read and written by any IPA component by accessing +``context.session``. + +When the RPC method finishes execution the session data bound to the +request/method is retrieved from the context and written back to the +memcached instance. The session ID is set in the response sent back to +the client in the ``Set-Cookie`` header along with the flags +controlling it's usage. + +Issues and details +------------------ + +IPA code cannot depend on session data being present, however it +should always update session data with the hope it will be available +in the future. Session data may not be available because: + + * This is the first request from the user and no session data has + been created yet. + + * The user may have cookies disabled. + + * The session data may have been flushed. memcached operates with + a fixed memory allocation and will flush entries on a LRU basis, + like with any cache there is no guarantee of persistence. + + Also we may have have deliberately expired or deleted session + data, see below. + +Cookie manipulation is done via the standard Python Cookie module. 
+ +Session cookies will be set to only persist as long as the browser has +the session open. They will be tagged so the browser only returns +the session ID on SSL secured HTTP requests. They will not be visible +to Javascript in the browser. + +Session ID's will be created by using 48 bits of random data and +converted to 12 hexadecimal digits. Newly generated session ID's will +be checked for prior existence to handle the unlikely case the random +number repeats. + +memcached will have significantly higher performance than a SQL or file +based storage solution. Communication is effectively though a pipe +(UNIX socket) using a very simple protocol and the data is held +entirely in process memory. memcached also scales easily, it is easy +to add more memcached processes and distribute the load across them. +At this point in time we don't anticipate the need for this. + +A very nice feature of the Python memcached module is that when a data +item is written to the cache it is done with standard Python pickling +(pickling is a standard Python mechanism to marshal and unmarshal +Python objects). We adopt the convention the object written to cache +will be a dict to meet our internal data handling conventions. The +pickling code will recursively handle nested objects in the dict. Thus +we gain a lot of flexibility using standard Python data structures to +store and retrieve our session data without having to author and debug +code to marshal and unmarshal the data if some other storage mechanism +had been used. This is a significant implementation win. Of course +some common sense limitations need to observed when deciding on what +is written to the session cache keeping in mind the data is shared +between processes and it should not be excessively large (a +configurable option) + +We can set an expiration on memcached entries. We may elect to do that +to force session data to be refreshed periodically. 
For example we may +wish the client to present fresh credentials on a periodic basis even +if the cached credentials are otherwise within their validity period. + +We can explicitly delete session data if for some reason we believe it +is stale, invalid or compromised. + +memcached also gives us certain facilities to prevent race conditions +between different processes utilizing the cache. For example you can +check of the entry has been modified since you last read it or use CAS +(Check And Set) semantics. What has to be protected in terms of cache +coherency will likely have to be determined as the session support is +utilized and different data items are added to the cache. This is very +much data and context specific. Fortunately memcached operations are +atomic. + +Controlling the memcached process +--------------------------------- + +We need a mechanism to start the memcached process and secure it so +that only IPA components can access it. + +Although memcached ships with both an initscript and systemd unit +files those are for generic instances. We want a memcached instance +dedicated exclusively to IPA usage. To accomplish this we would install +a systemd unit file or an SysV initscript to control the IPA specific +memcached service. ipactl would be extended to know about this +additional service. systemd's cgroup facility would give us additional +mechanisms to integrate the IPA memcached service within a larger IPA +process group. + +Protecting the memcached data would be done via file permissions (and +optionally SELinux policy) on the UNIX domain socket. Although recent +implementations of memcached support authentication via SASL this +introduces a performance and complexity burden not warranted when +cached is dedicated to our exclusive use and access controlled by OS +mechanisms. + +Conventionally daemons are protected by assigning a system uid and/or +gid to the daemon. 
A daemon launched by root will drop it's privileges +by assuming the effective uid:gid assigned to it. File system access +is controlled by the OS via the effective identity and SELinux policy +can be crafted based on the identity. Thus the memcached UNIX socket +would be protected by having it owned by a specific system user and/or +membership in a restricted system group (discounting for the moment +SELinux). + +Unfortunately we currently do not have an IPA system uid whose +identity our processes operate under nor do we have an IPA system +group. IPA does manage a collection of related processes (daemons) and +historically each has been assigned their own uid. When these +unrelated processes communicate they mutually authenticate via other +mechanisms. We do not have much of a history of using shared file +system objects across identities. When file objects are created they +are typically assigned the identity of daemon needing to access the +object and are not accessed by other daemons, or they carry root +identity. + +When our WSGI application runs in Apache it is run as a WSGI +daemon. This means when Apache starts up it forks off WSGI processes +for us and we are independent of other Apache processes. When WSGI is +run in this mode there is the ability to set the uid:gid of the WSGI +process hosting us, however we currently do not take advantage of this +option. WSGI can be run in other modes as well, only in daemon mode +can the uid:gid be independently set from the rest of Apache. All +processes started by Apache can be set to a common uid:gid specified +in the global Apache configuration, by default it's +apache:apache. Thus when our IPA code executes it is running as +apache:apache. + +To protect our memcached UNIX socket we can do one of two things: + +1. Assign it's uid:gid as apache:apache. This would limit access to + our cache only to processes running under httpd. It's somewhat + restricted but far from ideal. 
Any code running in the web server + could potentially access our cache. It's difficult to control what the + web server runs and admins may not understand the consequences of + configuring httpd to serve other things besides IPA. + +2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure + our WSGI application to run as the ipa:ipa user and group. We also + configure our memcached instance to run as the ipa:ipa user and + group. In this configuration we are now fully protected, only our WSGI + code can read & write to our memcached UNIX socket. + +However there may be unforeseen issues by converting our code to run as +something other than apache:apache. This would require some +investigation and testing. + +IPA is dependent on other system daemons, specifically Directory +Server (ds) and Certificate Server (cs). Currently we configure ds to +run under the dirsrv:dirsrv user and group, an identity of our +creation. We allow cs to default to it's pkiuser:pkiuser user and +group. Should these other cooperating daemons also run under the +common ipa:ipa user and group identities? At first blush there would +seem to be an advantage to coalescing all process identities under a +common IPA user and group identity. However these other processes do +not depend on user and group permissions when working with external +agents, processes, etc. Rather they are designed to be stand-alone +network services which authenticate their clients via other +mechanisms. They do depend on user and group permission to manage +their own file system objects. If somehow the ipa user and/or group +were compromised or malicious code somehow executed under the ipa +identity there would be an advantage in having the cooperating +processes cordoned off under their own identities providing one extra +layer of protection. 
(Note, these cooperating daemons may not even be +co-located on the same node in which case the issue is moot) + +The UNIX socket behavior (ldapi) with Directory Server is as follows: + + * The socket ownership is: root:root + + * The socket permissions are: 0666 + + * When connecting via ldapi you must authenticate as you would + normally with a TCP socket, except ... + + * If autobind is enabled and the uid:gid is available via + SO_PEERCRED and the uid:gid can be found in the set of users known + to the Directory Server then that connection will be bound as that + user. + + * Otherwise an anonymous bind will occur. + +memcached UNIX socket behavior is as follows: + + * memcached can be invoked with a user argument, no group may be + specified. The effective uid is the uid of the user argument and + the effective gid is the primary group of the user, let's call + this euid:egid + + * The socket ownership is: euid:egid + + * The socket permissions are 0700 by default, but this can be + modified by the -a mask command line arg which sets the umask + (defaults to 0700). + +Overview of authentication in IPA +================================= + +This describes how we currently authenticate and how we plan to +improve authentication performance. First some definitions. + +There are 4 major players: + + 1. client + 2. mod_auth_kerb (in Apache process) + 3. wsgi handler (in IPA wsgi python process) + 4. ds (directory server) + +There are several resources: + + 1. /ipa/ui (unprotected, web UI static resources) + 2. /ipa/xml (protected, xmlrpc RPC used by command line clients) + 3. /ipa/json (protected, json RPC used by javascript in web UI) + 4. ds (protected, wsgi acts as proxy, our LDAP server) + +Current Model +------------- + +This describes how things work in our current system for the web UI. + + 1. Client requests /ipa/ui, this is unprotected, is static and + contains no sensitive information. Apache replies with html and + javascript. 
The javascript requests /ipa/json. + + 2. Client sends post to /ipa/json. + + 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 + authenticate negotiate. + + 4. Client resends with credentials + + 5. mod_auth_kerb validates credentials + + a. if invalid replies 403 access denied (stops here) + + b. if valid creates temporary ccache, adds KRB5CCNAME to request + headers + + 6. Request passed to wsgi handler + + a. validates request, KRB5CCNAME must be present, referrer, etc. + + b. ccache saved and used to bind to ds + + c. routes to specified RPC handler. + + 7. wsgi handler replies to client + +Proposed new session based optimization +--------------------------------------- + +The round trip negotiate and credential validation in steps 3,4,5 is +expensive. This can be avoided if we can cache the client +credentials. With client sessions we can store the client credentials +in the session bound to the client. + +A few notes about the session implementation. + + * based on session cookies, cookies must be enabled + + * session cookie is secure, only passed on secure connections, only + passed to our URL resource, never visible to client javascript + etc. + + * session cookie has a session id which is used by wsgi handler to + retrieve client session data from shared multi-process cache. + +Changes to Apache's resource protection +--------------------------------------- + + * /ipa/json is no longer protected by mod_auth_kerb. This is + necessary to avoid the negotiate expense in steps 3,4,5 + above. Instead the /ipa/json resource will be protected in our wsgi + handler via the session cookie. + + * A new protected URI is introduced, /ipa/login. This resource + does no serve any data, it is used exclusively for authentication. + +The new sequence is: + + 1. Client requests /ipa/ui, this is unprotected. Apache replies with + html and javascript. The javascript requests /ipa/json. + + 2. Client sends post to /ipa/json, which is unprotected. + + 3. 
wsgi handler obtains session data from session cookie. + + a. if ccache is present in session data and is valid + + - request is further validated + + - ccache is established for bind to ds + + - request is routed to RPC handler + + - wsgi handler eventually replies to client + + b. if ccache is not present or not valid processing continues ... + + 4. wsgi handler replies with 401 Unauthorized + + 5. client sends request to /ipa/login to obtain session credentials + + 6. mod_auth_kerb replies 401 negotiate on /ipa/login + + 7. client sends credentials to /ipa/login + + 8. mod_auth_kerb validates credentials + + a. if valid + + - mod_auth_kerb permits access to /ipa/login. wsgi handler is + invoked and does the following: + + * establishes session for client + + * retrieves the ccache from KRB5CCNAME and stores it + + a. if invalid + + - mod_auth_kerb sends 403 access denied (processing stops) + + 9. client now posts the same data again to /ipa/json including + session cookie. Processing repeats starting at step 2 and since + the session data now contains a valid ccache step 3a executes, a + successful reply is sent to client. + +Command line client using xmlrpc +-------------------------------- + +The above describes the web UI utilizing the json RPC mechanism. The +IPA command line tools utilize a xmlrpc RPC mechanism on the same +HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json +and xmlrpc API's are the same, they differ only on how their procedure +calls are marshalled and unmarshalled. + +Under the new scheme /ipa/xml will continue to be Kerberos protected +at all times. Apache's mod_auth_kerb will continue to require the +client provides valid Kerberos credentials. + +When the WSGI handler routes to /ipa/xml the Kerberos credentials will +be extracted from the KRB5CCNAME environment variable as provided by +mod_auth_kerb. Everything else remains the same. 
+""") + +register = Registry() + + +@register() +class session_logout(Command): + __doc__ = _("RPC command used to log the current user out of their session.") + + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_49/sudocmd.py b/ipaclient/remote_plugins/2_49/sudocmd.py new file mode 100644 index 000000000..5df9f792d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/sudocmd.py 
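Review bot: The module docstring of session.py (the `__doc__ = _("""...""")` block that opens this hunk) is a server-side design document — memcached over /var/run/ipa_memcached, pickled session dicts, 48-bit session IDs, the Apache/mod_auth_kerb login flow — none of which this client compat module implements or can verify, and it dwarfs the one command the module actually declares, `session_logout`. Read as current design, parts of it would be flagged on review: 48 bits of session-ID entropy is below the commonly used 64-bit floor even with the prior-existence check, and pickle-backed cache storage is only acceptable while the cache socket stays strictly OS-protected as the text assumes. If these 2_49 files are produced from the server schema (the unused-import pylint pragma and the untouched DN/DNSName imports suggest so), the trim belongs in the generator; otherwise I would reduce the module docstring to the client-facing summary, e.g. `Session support for IPA (API 2.49 compatibility stubs); the server-side design notes live in the server's session module.`, and leave `session_logout.__doc__` as it is. The `result` output of `session_logout` is also declared with neither a type nor a `doc=`, unlike every other command in this changeset.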
@@ -0,0 +1,371 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Commands + +Commands used as building blocks for sudo + +EXAMPLES: + + Create a new command + ipa sudocmd-add --desc='For reading log files' /usr/bin/less + + Remove a command + ipa sudocmd-del /usr/bin/less +""") + +register = Registry() + + +@register() +class sudocmd(Object): + takes_params = ( + parameters.Str( + 'sudocmd', + primary_key=True, + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'memberof_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + ) + + +@register() +class sudocmd_add(Method): + __doc__ = _("Create new Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_del(Method): + __doc__ = _("Delete Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + multivalue=True, + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_find(Method): + __doc__ = _("Search for Sudo Commands.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'sudocmd', + required=False, + cli_name='command', + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("command")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmd_mod(Method): + __doc__ = _("Modify Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_show(Method): + __doc__ = _("Display Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/sudocmdgroup.py b/ipaclient/remote_plugins/2_49/sudocmdgroup.py new file mode 100644 index 000000000..4bad860c6 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/sudocmdgroup.py 
@@ -0,0 +1,501 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of Sudo Commands + +Manage groups of Sudo Commands. + +EXAMPLES: + + Add a new Sudo Command Group: + ipa sudocmdgroup-add --desc='administrators commands' admincmds + + Remove a Sudo Command Group: + ipa sudocmdgroup-del admincmds + + Manage Sudo Command Group membership, commands: + ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds + + Manage Sudo Command Group membership, commands: + ipa group-remove-member --sudocmds=/usr/bin/less admincmds + + Show a Sudo Command Group: + ipa group-show localadmins +""") + +register = Registry() + + +@register() +class sudocmdgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Sudo Command Group'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'membercmd_sudocmd', + required=False, + label=_(u'Commands'), + ), + parameters.Str( + 'membercmd_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + parameters.Str( + 'member_sudocmd', + required=False, + label=_(u'Member Sudo commands'), + ), + ) + + +@register() +class sudocmdgroup_add(Method): + __doc__ = _("Create new Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'setattr', + required=False, + 
multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_add_member(Method): + __doc__ = _("Add members to Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudocmdgroup_del(Method): + __doc__ = _("Delete Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_find(Method): + __doc__ = _("Search for Sudo Command Groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmdgroup_mod(Method): + __doc__ = _("Modify Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_remove_member(Method): + __doc__ = _("Remove members from Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudocmdgroup_show(Method): + __doc__ = _("Display Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py new file mode 100644 index 000000000..3d01ecdf2 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/sudorule.py 
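Review bot: The module docstring's last two EXAMPLES name the wrong commands: `ipa group-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa group-show localadmins` are group commands, while the methods this module registers are `sudocmdgroup_remove_member` and `sudocmdgroup_show`. They should read `ipa sudocmdgroup-remove-member --sudocmds=/usr/bin/less admincmds` and `ipa sudocmdgroup-show admincmds`, and the heading before the removal example should say "remove" rather than repeating the add heading verbatim. If this file mirrors the server-side 2.49 help text verbatim (it reads like a generated compat module), the correction belongs in whatever source the generator reads, so the client help stays in sync with the server's.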
@@ -0,0 +1,1561 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Rules + +Sudo (su "do") allows a system administrator to delegate authority to +give certain users (or groups of users) the ability to run some (or all) +commands as root or another user while providing an audit trail of the +commands and their arguments. + +FreeIPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. + Deny Command: The specific command(s) prohibited to be run via Sudo. + RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. + RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. + Options: The various Sudoers Options that can modify Sudo's behavior. + +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. + +FreeIPA provides a designated binddn to use with Sudo located at: +uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +To enable the binddn run the following command to set the password: +LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +For more information, see the FreeIPA Documentation to Sudo. 
+""") + +register = Registry() + + +@register() +class sudorule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'memberallowcmd_sudocmd', + required=False, + label=_(u'Sudo Allow Commands'), + ), + parameters.Str( + 'memberdenycmd_sudocmd', + required=False, + label=_(u'Sudo Deny Commands'), + ), + parameters.Str( + 'memberallowcmd_sudocmdgroup', + required=False, + label=_(u'Sudo Allow Command Groups'), + ), + parameters.Str( + 'memberdenycmd_sudocmdgroup', + required=False, + label=_(u'Sudo Deny Command Groups'), + ), + parameters.Str( + 
'ipasudorunas_user', + required=False, + label=_(u'RunAs Users'), + doc=_(u'Run as a user'), + ), + parameters.Str( + 'ipasudorunas_group', + required=False, + label=_(u'Groups of RunAs Users'), + doc=_(u'Run as any user within a specified group'), + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudoopt', + required=False, + label=_(u'Sudo Option'), + ), + parameters.Str( + 'ipasudorunasgroup_group', + required=False, + label=_(u'RunAs Groups'), + doc=_(u'Run with the gid of a specified POSIX group'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class sudorule_add(Method): + __doc__ = _("Create new Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + 
cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_allow_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_deny_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_host(Method): + __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_option(Method): + __doc__ = _("Add an option to the Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_add_runasgroup(Method): + __doc__ = _("Add group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_runasuser(Method): + __doc__ = _("Add users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_user(Method): + __doc__ = _("Add users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_del(Method): + __doc__ = _("Delete Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_disable(Method): + __doc__ = _("Disable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_enable(Method): + __doc__ = _("Enable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_find(Method): + __doc__ = _("Search for Sudo Rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs 
Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudorule-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudorule_mod(Method): + __doc__ = _("Modify Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), 
+ doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_allow_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_deny_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_host(Method): + __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_option(Method): + __doc__ = _("Remove an option from Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_remove_runasgroup(Method): + __doc__ = _("Remove group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_runasuser(Method): + __doc__ = _("Remove users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_user(Method): + __doc__ = _("Remove users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_show(Method): + __doc__ = _("Display Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/trust.py b/ipaclient/remote_plugins/2_49/trust.py new file mode 100644 index 000000000..e3ef33459 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/trust.py 
@@ -0,0 +1,685 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show <ad.domain> + +4. Delete existing trust relationship: + + ipa trust-del <ad.domain> + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. 
Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external + ipa group-add --desc='<ad.domain> admins' ad_admins + +2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external + + +GLOBAL TRUST CONFIGURATION + +When IPA AD trust subpackage is installed and ipa-adtrust-install is run, +a local domain configuration (SID, GUID, NetBIOS name) is generated. These +identifiers are then used when communicating with a trusted domain of the +particular type. + +1. Show global trust configuration for Active Directory type of trusts: + + ipa trustconfig-show --type ad + +2. Modify global configuration for all trusts of Active Directory type and set + a different fallback primary group (fallback primary group GID is used as + a primary user GID if user authenticating to IPA domain does not have any other + primary GID already set): + + ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group" + +3. 
Change primary fallback group back to default hidden group (any group with + posixGroup object class is allowed): + + ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group" +""") + +register = Registry() + + +@register() +class trust(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + label=_(u'SID blacklist outgoing'), + ), + ) + + +@register() +class trustconfig(Object): + takes_params = ( + parameters.Str( + 'cn', + label=_(u'Domain'), + ), + parameters.Str( + 'ipantsecurityidentifier', + label=_(u'Security Identifier'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'NetBIOS name'), + ), + parameters.Str( + 'ipantdomainguid', + label=_(u'Domain GUID'), + ), + parameters.Str( + 'ipantfallbackprimarygroup', + label=_(u'Fallback primary group'), + ), + ) + + +@register() +class trust_add(Method): + __doc__ = _(""" +Add new trust to use. + +This command establishes trust relationship to another domain +which becomes 'trusted'. As result, users of the trusted domain +may access resources of this domain. + +Only trusts to Active Directory domains are supported right now. + +The command can be safely run multiple times against the same domain, +this will cause change to trust relationship credentials on both +sides. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Str( + 'realm_admin', + required=False, + cli_name='admin', + label=_(u'Active Directory domain administrator'), + ), + parameters.Password( + 'realm_passwd', + required=False, + cli_name='password', + label=_(u"Active directory domain administrator's password"), + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Password( + 'trust_secret', + required=False, + label=_(u'Shared secret for the trust'), + ), + parameters.Int( + 'base_id', + required=False, + label=_(u'First Posix ID of the range reserved for the trusted domain'), + ), + parameters.Int( + 'range_size', + required=False, + label=_(u'Size of the ID range reserved for the trusted domain'), + default=200000, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trust_del(Method): + __doc__ = _("Delete a trust.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_find(Method): + __doc__ = _("Search for trusts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='realm', + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("realm")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_mod(Method): + __doc__ = _(""" +Modify a trust (for future use). + + Currently only the default option to modify the LDAP attributes is + available. More specific options will be added in coming releases. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_show(Method): + __doc__ = _("Display information about a trust.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_mod(Method): + __doc__ = _("Modify global trust configuration.") + + takes_options = ( + parameters.Str( + 'ipantfallbackprimarygroup', + required=False, + cli_name='fallback_primary_group', + label=_(u'Fallback primary group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_show(Method): + __doc__ = _("Show global trust configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/user.py b/ipaclient/remote_plugins/2_49/user.py new file mode 100644 index 000000000..e5d7713bc --- /dev/null +++ b/ipaclient/remote_plugins/2_49/user.py 
@@ -0,0 +1,1372 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Users + +Manage user entries. All users are POSIX users. + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + +Disabling a user account prevents that user from obtaining new Kerberos +credentials. It does not invalidate any credentials that have already +been issued. + +Password management is not a part of this module. For more information +about this topic please see: ipa help passwd + +Account lockout on password failure happens per IPA master. The user-status +command can be used to identify which master the user is locked out on. +It is on that master the administrator must unlock the user. 
+ +EXAMPLES: + + Add a new user: + ipa user-add --first=Tim --last=User --password tuser1 + + Find all users whose entries include the string "Tim": + ipa user-find Tim + + Find all users with "Tim" as the first name: + ipa user-find --first=Tim + + Disable a user account: + ipa user-disable tuser1 + + Enable a user account: + ipa user-enable tuser1 + + Delete a user: + ipa user-del tuser1 +""") + +register = Registry() + + +@register() +class user(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + 
parameters.Str( + 'l', + required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + 
label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class user_add(Method): + __doc__ = _("Add a new user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + autofill=True, + 
no_convert=True, + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + autofill=True, + ), + parameters.Int( + 'gidnumber', + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + autofill=True, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'noprivate', + doc=_(u"Don't create user private group"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_del(Method): + __doc__ = _("Delete a user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_disable(Method): + __doc__ = _("Disable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_enable(Method): + __doc__ = _("Enable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_find(Method): + __doc__ = _("Search for users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS 
field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + no_convert=True, + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'whoami', + label=_(u'Self'), + doc=_(u'Display user record for current Kerberos principal'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users with these member of sudo rules.'), + ), + 
parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_mod(Method): + __doc__ = _("Modify a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'mail', + required=False, + 
multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_show(Method): + __doc__ = _("Display information about a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_status(Method): + __doc__ = _(""" +Lockout status of a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. 
A locked account is a temporary condition and may be unlocked by + an administrator. + + This connects to each IPA master and displays the lockout status on + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. + For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_unlock(Method): + __doc__ = _(""" +Unlock a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. 
A locked account is a temporary condition and may be unlocked by + an administrator. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) |