From 2cf7c7b4ac2a71457d026d6312cf4fd57b55062b Mon Sep 17 00:00:00 2001 
From: Jan Cholasta Date: Thu, 30 Jun 2016 15:51:29 +0200 Subject: client: add support for pre-schema servers Bundle remote plugin interface definitions for servers which lack API schema support. These server API versions are included: * 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+, * 2.114: IPA 4.1.4 on Fedora 22, * 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23, * 2.164: IPA 4.3.1 on Fedora 23. For servers with other API versions, the closest lower API version is used. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka --- freeipa.spec.in | 3 + ipaclient/frontend.py | 106 + ipaclient/remote_plugins/2_114/__init__.py | 15 + ipaclient/remote_plugins/2_114/aci.py | 812 +++ ipaclient/remote_plugins/2_114/automember.py | 827 +++ ipaclient/remote_plugins/2_114/automount.py | 1228 +++++ ipaclient/remote_plugins/2_114/batch.py | 71 + ipaclient/remote_plugins/2_114/cert.py | 376 ++ ipaclient/remote_plugins/2_114/config.py | 408 ++ ipaclient/remote_plugins/2_114/delegation.py | 383 ++ ipaclient/remote_plugins/2_114/dns.py | 5373 ++++++++++++++++++++ ipaclient/remote_plugins/2_114/group.py | 912 ++++ ipaclient/remote_plugins/2_114/hbacrule.py | 1305 +++++ ipaclient/remote_plugins/2_114/hbacsvc.py | 413 ++ ipaclient/remote_plugins/2_114/hbacsvcgroup.py | 528 ++ ipaclient/remote_plugins/2_114/hbactest.py | 284 ++ ipaclient/remote_plugins/2_114/host.py | 1556 ++++++ ipaclient/remote_plugins/2_114/hostgroup.py | 709 +++ ipaclient/remote_plugins/2_114/idrange.py | 620 +++ ipaclient/remote_plugins/2_114/idviews.py | 1411 +++++ ipaclient/remote_plugins/2_114/internal.py | 92 + ipaclient/remote_plugins/2_114/join.py | 64 + ipaclient/remote_plugins/2_114/krbtpolicy.py | 266 + ipaclient/remote_plugins/2_114/migration.py | 302 ++ ipaclient/remote_plugins/2_114/misc.py | 113 + ipaclient/remote_plugins/2_114/netgroup.py | 865 ++++ ipaclient/remote_plugins/2_114/otpconfig.py | 206 + ipaclient/remote_plugins/2_114/otptoken.py | 893 ++++ 
ipaclient/remote_plugins/2_114/otptoken_yubikey.py | 33 + ipaclient/remote_plugins/2_114/passwd.py | 93 + ipaclient/remote_plugins/2_114/permission.py | 1045 ++++ ipaclient/remote_plugins/2_114/ping.py | 62 + ipaclient/remote_plugins/2_114/pkinit.py | 63 + ipaclient/remote_plugins/2_114/privilege.py | 656 +++ ipaclient/remote_plugins/2_114/pwpolicy.py | 937 ++++ ipaclient/remote_plugins/2_114/radiusproxy.py | 521 ++ ipaclient/remote_plugins/2_114/realmdomains.py | 195 + ipaclient/remote_plugins/2_114/role.py | 758 +++ ipaclient/remote_plugins/2_114/selfservice.py | 338 ++ ipaclient/remote_plugins/2_114/selinuxusermap.py | 905 ++++ ipaclient/remote_plugins/2_114/service.py | 1100 ++++ ipaclient/remote_plugins/2_114/session.py | 626 +++ ipaclient/remote_plugins/2_114/sudocmd.py | 394 ++ ipaclient/remote_plugins/2_114/sudocmdgroup.py | 540 ++ ipaclient/remote_plugins/2_114/sudorule.py | 1774 +++++++ ipaclient/remote_plugins/2_114/trust.py | 1250 +++++ ipaclient/remote_plugins/2_114/user.py | 1623 ++++++ ipaclient/remote_plugins/2_156/__init__.py | 15 + ipaclient/remote_plugins/2_156/aci.py | 812 +++ ipaclient/remote_plugins/2_156/automember.py | 827 +++ ipaclient/remote_plugins/2_156/automount.py | 1228 +++++ ipaclient/remote_plugins/2_156/batch.py | 71 + ipaclient/remote_plugins/2_156/caacl.py | 1155 +++++ ipaclient/remote_plugins/2_156/cert.py | 382 ++ ipaclient/remote_plugins/2_156/certprofile.py | 431 ++ ipaclient/remote_plugins/2_156/config.py | 408 ++ ipaclient/remote_plugins/2_156/delegation.py | 383 ++ ipaclient/remote_plugins/2_156/dns.py | 5148 +++++++++++++++++++ ipaclient/remote_plugins/2_156/domainlevel.py | 64 + ipaclient/remote_plugins/2_156/group.py | 912 ++++ ipaclient/remote_plugins/2_156/hbacrule.py | 1305 +++++ ipaclient/remote_plugins/2_156/hbacsvc.py | 413 ++ ipaclient/remote_plugins/2_156/hbacsvcgroup.py | 528 ++ ipaclient/remote_plugins/2_156/hbactest.py | 284 ++ ipaclient/remote_plugins/2_156/host.py | 1680 ++++++ 
ipaclient/remote_plugins/2_156/hostgroup.py | 709 +++ ipaclient/remote_plugins/2_156/idrange.py | 639 +++ ipaclient/remote_plugins/2_156/idviews.py | 1491 ++++++ ipaclient/remote_plugins/2_156/internal.py | 92 + ipaclient/remote_plugins/2_156/join.py | 64 + ipaclient/remote_plugins/2_156/krbtpolicy.py | 266 + ipaclient/remote_plugins/2_156/migration.py | 319 ++ ipaclient/remote_plugins/2_156/misc.py | 113 + ipaclient/remote_plugins/2_156/netgroup.py | 865 ++++ ipaclient/remote_plugins/2_156/otpconfig.py | 206 + ipaclient/remote_plugins/2_156/otptoken.py | 893 ++++ ipaclient/remote_plugins/2_156/otptoken_yubikey.py | 33 + ipaclient/remote_plugins/2_156/passwd.py | 93 + ipaclient/remote_plugins/2_156/permission.py | 1099 ++++ ipaclient/remote_plugins/2_156/ping.py | 62 + ipaclient/remote_plugins/2_156/pkinit.py | 63 + ipaclient/remote_plugins/2_156/privilege.py | 656 +++ ipaclient/remote_plugins/2_156/pwpolicy.py | 937 ++++ ipaclient/remote_plugins/2_156/radiusproxy.py | 521 ++ ipaclient/remote_plugins/2_156/realmdomains.py | 195 + ipaclient/remote_plugins/2_156/role.py | 758 +++ ipaclient/remote_plugins/2_156/selfservice.py | 338 ++ ipaclient/remote_plugins/2_156/selinuxusermap.py | 905 ++++ ipaclient/remote_plugins/2_156/server.py | 246 + ipaclient/remote_plugins/2_156/service.py | 1225 +++++ .../remote_plugins/2_156/servicedelegation.py | 907 ++++ ipaclient/remote_plugins/2_156/session.py | 34 + ipaclient/remote_plugins/2_156/stageuser.py | 1492 ++++++ ipaclient/remote_plugins/2_156/sudocmd.py | 394 ++ ipaclient/remote_plugins/2_156/sudocmdgroup.py | 540 ++ ipaclient/remote_plugins/2_156/sudorule.py | 1774 +++++++ ipaclient/remote_plugins/2_156/topology.py | 1026 ++++ ipaclient/remote_plugins/2_156/trust.py | 1264 +++++ ipaclient/remote_plugins/2_156/user.py | 1869 +++++++ ipaclient/remote_plugins/2_156/vault.py | 1680 ++++++ ipaclient/remote_plugins/2_164/__init__.py | 15 + ipaclient/remote_plugins/2_164/aci.py | 812 +++ 
ipaclient/remote_plugins/2_164/automember.py | 827 +++ ipaclient/remote_plugins/2_164/automount.py | 1228 +++++ ipaclient/remote_plugins/2_164/batch.py | 71 + ipaclient/remote_plugins/2_164/caacl.py | 1155 +++++ ipaclient/remote_plugins/2_164/cert.py | 382 ++ ipaclient/remote_plugins/2_164/certprofile.py | 431 ++ ipaclient/remote_plugins/2_164/config.py | 408 ++ ipaclient/remote_plugins/2_164/delegation.py | 383 ++ ipaclient/remote_plugins/2_164/dns.py | 5167 +++++++++++++++++++ ipaclient/remote_plugins/2_164/domainlevel.py | 60 + ipaclient/remote_plugins/2_164/group.py | 912 ++++ ipaclient/remote_plugins/2_164/hbacrule.py | 1305 +++++ ipaclient/remote_plugins/2_164/hbacsvc.py | 413 ++ ipaclient/remote_plugins/2_164/hbacsvcgroup.py | 528 ++ ipaclient/remote_plugins/2_164/hbactest.py | 284 ++ ipaclient/remote_plugins/2_164/host.py | 1680 ++++++ ipaclient/remote_plugins/2_164/hostgroup.py | 709 +++ ipaclient/remote_plugins/2_164/idrange.py | 639 +++ ipaclient/remote_plugins/2_164/idviews.py | 1491 ++++++ ipaclient/remote_plugins/2_164/internal.py | 92 + ipaclient/remote_plugins/2_164/join.py | 62 + ipaclient/remote_plugins/2_164/krbtpolicy.py | 266 + ipaclient/remote_plugins/2_164/migration.py | 319 ++ ipaclient/remote_plugins/2_164/misc.py | 113 + ipaclient/remote_plugins/2_164/netgroup.py | 865 ++++ ipaclient/remote_plugins/2_164/otpconfig.py | 206 + ipaclient/remote_plugins/2_164/otptoken.py | 893 ++++ ipaclient/remote_plugins/2_164/otptoken_yubikey.py | 33 + ipaclient/remote_plugins/2_164/passwd.py | 93 + ipaclient/remote_plugins/2_164/permission.py | 1099 ++++ ipaclient/remote_plugins/2_164/ping.py | 62 + ipaclient/remote_plugins/2_164/pkinit.py | 63 + ipaclient/remote_plugins/2_164/privilege.py | 656 +++ ipaclient/remote_plugins/2_164/pwpolicy.py | 937 ++++ ipaclient/remote_plugins/2_164/radiusproxy.py | 521 ++ ipaclient/remote_plugins/2_164/realmdomains.py | 195 + ipaclient/remote_plugins/2_164/role.py | 758 +++ ipaclient/remote_plugins/2_164/selfservice.py | 
338 ++ ipaclient/remote_plugins/2_164/selinuxusermap.py | 905 ++++ ipaclient/remote_plugins/2_164/server.py | 317 ++ ipaclient/remote_plugins/2_164/service.py | 1225 +++++ .../remote_plugins/2_164/servicedelegation.py | 907 ++++ ipaclient/remote_plugins/2_164/session.py | 34 + ipaclient/remote_plugins/2_164/stageuser.py | 1616 ++++++ ipaclient/remote_plugins/2_164/sudocmd.py | 394 ++ ipaclient/remote_plugins/2_164/sudocmdgroup.py | 540 ++ ipaclient/remote_plugins/2_164/sudorule.py | 1774 +++++++ ipaclient/remote_plugins/2_164/topology.py | 1055 ++++ ipaclient/remote_plugins/2_164/trust.py | 1264 +++++ ipaclient/remote_plugins/2_164/user.py | 1993 ++++++++ ipaclient/remote_plugins/2_164/vault.py | 1680 ++++++ ipaclient/remote_plugins/2_49/__init__.py | 15 + ipaclient/remote_plugins/2_49/aci.py | 811 +++ ipaclient/remote_plugins/2_49/automember.py | 758 +++ ipaclient/remote_plugins/2_49/automount.py | 1225 +++++ ipaclient/remote_plugins/2_49/batch.py | 69 + ipaclient/remote_plugins/2_49/cert.py | 209 + ipaclient/remote_plugins/2_49/config.py | 394 ++ ipaclient/remote_plugins/2_49/delegation.py | 384 ++ ipaclient/remote_plugins/2_49/dns.py | 5063 ++++++++++++++++++ ipaclient/remote_plugins/2_49/entitle.py | 383 ++ ipaclient/remote_plugins/2_49/group.py | 854 ++++ ipaclient/remote_plugins/2_49/hbacrule.py | 1198 +++++ ipaclient/remote_plugins/2_49/hbacsvc.py | 390 ++ ipaclient/remote_plugins/2_49/hbacsvcgroup.py | 493 ++ ipaclient/remote_plugins/2_49/hbactest.py | 213 + ipaclient/remote_plugins/2_49/host.py | 1030 ++++ ipaclient/remote_plugins/2_49/hostgroup.py | 670 +++ ipaclient/remote_plugins/2_49/idrange.py | 609 +++ ipaclient/remote_plugins/2_49/internal.py | 90 + ipaclient/remote_plugins/2_49/join.py | 64 + ipaclient/remote_plugins/2_49/krbtpolicy.py | 269 + ipaclient/remote_plugins/2_49/migration.py | 295 ++ ipaclient/remote_plugins/2_49/misc.py | 113 + ipaclient/remote_plugins/2_49/netgroup.py | 826 +++ ipaclient/remote_plugins/2_49/passwd.py | 86 + 
ipaclient/remote_plugins/2_49/permission.py | 751 +++ ipaclient/remote_plugins/2_49/ping.py | 60 + ipaclient/remote_plugins/2_49/pkinit.py | 61 + ipaclient/remote_plugins/2_49/privilege.py | 603 +++ ipaclient/remote_plugins/2_49/pwpolicy.py | 947 ++++ ipaclient/remote_plugins/2_49/role.py | 682 +++ ipaclient/remote_plugins/2_49/selfservice.py | 337 ++ ipaclient/remote_plugins/2_49/selinuxusermap.py | 852 ++++ ipaclient/remote_plugins/2_49/service.py | 621 +++ ipaclient/remote_plugins/2_49/session.py | 624 +++ ipaclient/remote_plugins/2_49/sudocmd.py | 371 ++ ipaclient/remote_plugins/2_49/sudocmdgroup.py | 501 ++ ipaclient/remote_plugins/2_49/sudorule.py | 1561 ++++++ ipaclient/remote_plugins/2_49/trust.py | 685 +++ ipaclient/remote_plugins/2_49/user.py | 1372 +++++ ipaclient/remote_plugins/__init__.py | 12 +- ipaclient/remote_plugins/compat.py | 76 + ipaclient/remote_plugins/schema.py | 120 +- ipaclient/setup.py.in | 4 + ipalib/frontend.py | 6 +- 198 files changed, 139695 insertions(+), 105 deletions(-) create mode 100644 ipaclient/remote_plugins/2_114/__init__.py create mode 100644 ipaclient/remote_plugins/2_114/aci.py create mode 100644 ipaclient/remote_plugins/2_114/automember.py create mode 100644 ipaclient/remote_plugins/2_114/automount.py create mode 100644 ipaclient/remote_plugins/2_114/batch.py create mode 100644 ipaclient/remote_plugins/2_114/cert.py create mode 100644 ipaclient/remote_plugins/2_114/config.py create mode 100644 ipaclient/remote_plugins/2_114/delegation.py create mode 100644 ipaclient/remote_plugins/2_114/dns.py create mode 100644 ipaclient/remote_plugins/2_114/group.py create mode 100644 ipaclient/remote_plugins/2_114/hbacrule.py create mode 100644 ipaclient/remote_plugins/2_114/hbacsvc.py create mode 100644 ipaclient/remote_plugins/2_114/hbacsvcgroup.py create mode 100644 ipaclient/remote_plugins/2_114/hbactest.py create mode 100644 ipaclient/remote_plugins/2_114/host.py create mode 100644 ipaclient/remote_plugins/2_114/hostgroup.py 
create mode 100644 ipaclient/remote_plugins/2_114/idrange.py create mode 100644 ipaclient/remote_plugins/2_114/idviews.py create mode 100644 ipaclient/remote_plugins/2_114/internal.py create mode 100644 ipaclient/remote_plugins/2_114/join.py create mode 100644 ipaclient/remote_plugins/2_114/krbtpolicy.py create mode 100644 ipaclient/remote_plugins/2_114/migration.py create mode 100644 ipaclient/remote_plugins/2_114/misc.py create mode 100644 ipaclient/remote_plugins/2_114/netgroup.py create mode 100644 ipaclient/remote_plugins/2_114/otpconfig.py create mode 100644 ipaclient/remote_plugins/2_114/otptoken.py create mode 100644 ipaclient/remote_plugins/2_114/otptoken_yubikey.py create mode 100644 ipaclient/remote_plugins/2_114/passwd.py create mode 100644 ipaclient/remote_plugins/2_114/permission.py create mode 100644 ipaclient/remote_plugins/2_114/ping.py create mode 100644 ipaclient/remote_plugins/2_114/pkinit.py create mode 100644 ipaclient/remote_plugins/2_114/privilege.py create mode 100644 ipaclient/remote_plugins/2_114/pwpolicy.py create mode 100644 ipaclient/remote_plugins/2_114/radiusproxy.py create mode 100644 ipaclient/remote_plugins/2_114/realmdomains.py create mode 100644 ipaclient/remote_plugins/2_114/role.py create mode 100644 ipaclient/remote_plugins/2_114/selfservice.py create mode 100644 ipaclient/remote_plugins/2_114/selinuxusermap.py create mode 100644 ipaclient/remote_plugins/2_114/service.py create mode 100644 ipaclient/remote_plugins/2_114/session.py create mode 100644 ipaclient/remote_plugins/2_114/sudocmd.py create mode 100644 ipaclient/remote_plugins/2_114/sudocmdgroup.py create mode 100644 ipaclient/remote_plugins/2_114/sudorule.py create mode 100644 ipaclient/remote_plugins/2_114/trust.py create mode 100644 ipaclient/remote_plugins/2_114/user.py create mode 100644 ipaclient/remote_plugins/2_156/__init__.py create mode 100644 ipaclient/remote_plugins/2_156/aci.py create mode 100644 ipaclient/remote_plugins/2_156/automember.py create mode 
100644 ipaclient/remote_plugins/2_156/automount.py create mode 100644 ipaclient/remote_plugins/2_156/batch.py create mode 100644 ipaclient/remote_plugins/2_156/caacl.py create mode 100644 ipaclient/remote_plugins/2_156/cert.py create mode 100644 ipaclient/remote_plugins/2_156/certprofile.py create mode 100644 ipaclient/remote_plugins/2_156/config.py create mode 100644 ipaclient/remote_plugins/2_156/delegation.py create mode 100644 ipaclient/remote_plugins/2_156/dns.py create mode 100644 ipaclient/remote_plugins/2_156/domainlevel.py create mode 100644 ipaclient/remote_plugins/2_156/group.py create mode 100644 ipaclient/remote_plugins/2_156/hbacrule.py create mode 100644 ipaclient/remote_plugins/2_156/hbacsvc.py create mode 100644 ipaclient/remote_plugins/2_156/hbacsvcgroup.py create mode 100644 ipaclient/remote_plugins/2_156/hbactest.py create mode 100644 ipaclient/remote_plugins/2_156/host.py create mode 100644 ipaclient/remote_plugins/2_156/hostgroup.py create mode 100644 ipaclient/remote_plugins/2_156/idrange.py create mode 100644 ipaclient/remote_plugins/2_156/idviews.py create mode 100644 ipaclient/remote_plugins/2_156/internal.py create mode 100644 ipaclient/remote_plugins/2_156/join.py create mode 100644 ipaclient/remote_plugins/2_156/krbtpolicy.py create mode 100644 ipaclient/remote_plugins/2_156/migration.py create mode 100644 ipaclient/remote_plugins/2_156/misc.py create mode 100644 ipaclient/remote_plugins/2_156/netgroup.py create mode 100644 ipaclient/remote_plugins/2_156/otpconfig.py create mode 100644 ipaclient/remote_plugins/2_156/otptoken.py create mode 100644 ipaclient/remote_plugins/2_156/otptoken_yubikey.py create mode 100644 ipaclient/remote_plugins/2_156/passwd.py create mode 100644 ipaclient/remote_plugins/2_156/permission.py create mode 100644 ipaclient/remote_plugins/2_156/ping.py create mode 100644 ipaclient/remote_plugins/2_156/pkinit.py create mode 100644 ipaclient/remote_plugins/2_156/privilege.py create mode 100644 
ipaclient/remote_plugins/2_156/pwpolicy.py create mode 100644 ipaclient/remote_plugins/2_156/radiusproxy.py create mode 100644 ipaclient/remote_plugins/2_156/realmdomains.py create mode 100644 ipaclient/remote_plugins/2_156/role.py create mode 100644 ipaclient/remote_plugins/2_156/selfservice.py create mode 100644 ipaclient/remote_plugins/2_156/selinuxusermap.py create mode 100644 ipaclient/remote_plugins/2_156/server.py create mode 100644 ipaclient/remote_plugins/2_156/service.py create mode 100644 ipaclient/remote_plugins/2_156/servicedelegation.py create mode 100644 ipaclient/remote_plugins/2_156/session.py create mode 100644 ipaclient/remote_plugins/2_156/stageuser.py create mode 100644 ipaclient/remote_plugins/2_156/sudocmd.py create mode 100644 ipaclient/remote_plugins/2_156/sudocmdgroup.py create mode 100644 ipaclient/remote_plugins/2_156/sudorule.py create mode 100644 ipaclient/remote_plugins/2_156/topology.py create mode 100644 ipaclient/remote_plugins/2_156/trust.py create mode 100644 ipaclient/remote_plugins/2_156/user.py create mode 100644 ipaclient/remote_plugins/2_156/vault.py create mode 100644 ipaclient/remote_plugins/2_164/__init__.py create mode 100644 ipaclient/remote_plugins/2_164/aci.py create mode 100644 ipaclient/remote_plugins/2_164/automember.py create mode 100644 ipaclient/remote_plugins/2_164/automount.py create mode 100644 ipaclient/remote_plugins/2_164/batch.py create mode 100644 ipaclient/remote_plugins/2_164/caacl.py create mode 100644 ipaclient/remote_plugins/2_164/cert.py create mode 100644 ipaclient/remote_plugins/2_164/certprofile.py create mode 100644 ipaclient/remote_plugins/2_164/config.py create mode 100644 ipaclient/remote_plugins/2_164/delegation.py create mode 100644 ipaclient/remote_plugins/2_164/dns.py create mode 100644 ipaclient/remote_plugins/2_164/domainlevel.py create mode 100644 ipaclient/remote_plugins/2_164/group.py create mode 100644 ipaclient/remote_plugins/2_164/hbacrule.py create mode 100644 
ipaclient/remote_plugins/2_164/hbacsvc.py create mode 100644 ipaclient/remote_plugins/2_164/hbacsvcgroup.py create mode 100644 ipaclient/remote_plugins/2_164/hbactest.py create mode 100644 ipaclient/remote_plugins/2_164/host.py create mode 100644 ipaclient/remote_plugins/2_164/hostgroup.py create mode 100644 ipaclient/remote_plugins/2_164/idrange.py create mode 100644 ipaclient/remote_plugins/2_164/idviews.py create mode 100644 ipaclient/remote_plugins/2_164/internal.py create mode 100644 ipaclient/remote_plugins/2_164/join.py create mode 100644 ipaclient/remote_plugins/2_164/krbtpolicy.py create mode 100644 ipaclient/remote_plugins/2_164/migration.py create mode 100644 ipaclient/remote_plugins/2_164/misc.py create mode 100644 ipaclient/remote_plugins/2_164/netgroup.py create mode 100644 ipaclient/remote_plugins/2_164/otpconfig.py create mode 100644 ipaclient/remote_plugins/2_164/otptoken.py create mode 100644 ipaclient/remote_plugins/2_164/otptoken_yubikey.py create mode 100644 ipaclient/remote_plugins/2_164/passwd.py create mode 100644 ipaclient/remote_plugins/2_164/permission.py create mode 100644 ipaclient/remote_plugins/2_164/ping.py create mode 100644 ipaclient/remote_plugins/2_164/pkinit.py create mode 100644 ipaclient/remote_plugins/2_164/privilege.py create mode 100644 ipaclient/remote_plugins/2_164/pwpolicy.py create mode 100644 ipaclient/remote_plugins/2_164/radiusproxy.py create mode 100644 ipaclient/remote_plugins/2_164/realmdomains.py create mode 100644 ipaclient/remote_plugins/2_164/role.py create mode 100644 ipaclient/remote_plugins/2_164/selfservice.py create mode 100644 ipaclient/remote_plugins/2_164/selinuxusermap.py create mode 100644 ipaclient/remote_plugins/2_164/server.py create mode 100644 ipaclient/remote_plugins/2_164/service.py create mode 100644 ipaclient/remote_plugins/2_164/servicedelegation.py create mode 100644 ipaclient/remote_plugins/2_164/session.py create mode 100644 ipaclient/remote_plugins/2_164/stageuser.py create mode 100644 
ipaclient/remote_plugins/2_164/sudocmd.py create mode 100644 ipaclient/remote_plugins/2_164/sudocmdgroup.py create mode 100644 ipaclient/remote_plugins/2_164/sudorule.py create mode 100644 ipaclient/remote_plugins/2_164/topology.py create mode 100644 ipaclient/remote_plugins/2_164/trust.py create mode 100644 ipaclient/remote_plugins/2_164/user.py create mode 100644 ipaclient/remote_plugins/2_164/vault.py create mode 100644 ipaclient/remote_plugins/2_49/__init__.py create mode 100644 ipaclient/remote_plugins/2_49/aci.py create mode 100644 ipaclient/remote_plugins/2_49/automember.py create mode 100644 ipaclient/remote_plugins/2_49/automount.py create mode 100644 ipaclient/remote_plugins/2_49/batch.py create mode 100644 ipaclient/remote_plugins/2_49/cert.py create mode 100644 ipaclient/remote_plugins/2_49/config.py create mode 100644 ipaclient/remote_plugins/2_49/delegation.py create mode 100644 ipaclient/remote_plugins/2_49/dns.py create mode 100644 ipaclient/remote_plugins/2_49/entitle.py create mode 100644 ipaclient/remote_plugins/2_49/group.py create mode 100644 ipaclient/remote_plugins/2_49/hbacrule.py create mode 100644 ipaclient/remote_plugins/2_49/hbacsvc.py create mode 100644 ipaclient/remote_plugins/2_49/hbacsvcgroup.py create mode 100644 ipaclient/remote_plugins/2_49/hbactest.py create mode 100644 ipaclient/remote_plugins/2_49/host.py create mode 100644 ipaclient/remote_plugins/2_49/hostgroup.py create mode 100644 ipaclient/remote_plugins/2_49/idrange.py create mode 100644 ipaclient/remote_plugins/2_49/internal.py create mode 100644 ipaclient/remote_plugins/2_49/join.py create mode 100644 ipaclient/remote_plugins/2_49/krbtpolicy.py create mode 100644 ipaclient/remote_plugins/2_49/migration.py create mode 100644 ipaclient/remote_plugins/2_49/misc.py create mode 100644 ipaclient/remote_plugins/2_49/netgroup.py create mode 100644 ipaclient/remote_plugins/2_49/passwd.py create mode 100644 ipaclient/remote_plugins/2_49/permission.py create mode 100644 
ipaclient/remote_plugins/2_49/ping.py create mode 100644 ipaclient/remote_plugins/2_49/pkinit.py create mode 100644 ipaclient/remote_plugins/2_49/privilege.py create mode 100644 ipaclient/remote_plugins/2_49/pwpolicy.py create mode 100644 ipaclient/remote_plugins/2_49/role.py create mode 100644 ipaclient/remote_plugins/2_49/selfservice.py create mode 100644 ipaclient/remote_plugins/2_49/selinuxusermap.py create mode 100644 ipaclient/remote_plugins/2_49/service.py create mode 100644 ipaclient/remote_plugins/2_49/session.py create mode 100644 ipaclient/remote_plugins/2_49/sudocmd.py create mode 100644 ipaclient/remote_plugins/2_49/sudocmdgroup.py create mode 100644 ipaclient/remote_plugins/2_49/sudorule.py create mode 100644 ipaclient/remote_plugins/2_49/trust.py create mode 100644 ipaclient/remote_plugins/2_49/user.py create mode 100644 ipaclient/remote_plugins/compat.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index b04f819a9..6893d704e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1300,6 +1300,7 @@ fi
 %{python_sitelib}/ipaclient/*.py*
 %{python_sitelib}/ipaclient/plugins/*.py*
 %{python_sitelib}/ipaclient/remote_plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
 %{python_sitelib}/ipaclient-*.egg-info
@@ -1316,6 +1317,8 @@ fi
 %{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
 %{python3_sitelib}/ipaclient/remote_plugins/*.py
 %{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
 %{python3_sitelib}/ipaclient-*.egg-info
 %endif # with_python3
diff --git a/ipaclient/frontend.py b/ipaclient/frontend.py
index 94d694631..e8eacc068 100644
--- a/ipaclient/frontend.py
+++ b/ipaclient/frontend.py
@@ -3,6 +3,104 @@
 #
 from ipalib.frontend import Command, Method
+from ipalib.parameters import Str
+from ipalib.text import _
+
+
+class ClientCommand(Command):
+ def get_options(self):
+ skip = set()
+ for option in super(ClientCommand, self).get_options():
+ if option.name in skip:
+ continue
+ if option.name in ('all', 'raw'):
+ skip.add(option.name)
+ yield option
+
+
+class ClientMethod(ClientCommand, Method):
+ _failed_member_output_params = (
+ # baseldap
+ Str(
+ 'member',
+ label=_("Failed members"),
+ ),
+ Str(
+ 'sourcehost',
+ label=_("Failed source hosts/hostgroups"),
+ ),
+ Str(
+ 'memberhost',
+ label=_("Failed hosts/hostgroups"),
+ ),
+ Str(
+ 'memberuser',
+ label=_("Failed users/groups"),
+ ),
+ Str(
+ 'memberservice',
+ label=_("Failed service/service groups"),
+ ),
+ Str(
+ 'failed',
+ label=_("Failed to remove"),
+ flags=['suppress_empty'],
+ ),
+ Str(
+ 'ipasudorunas',
+ label=_("Failed RunAs"),
+ ),
+ Str(
+ 'ipasudorunasgroup',
+ label=_("Failed RunAsGroup"),
+ ),
+ # caacl
+ Str(
+ 'ipamembercertprofile',
+ label=_("Failed profiles"),
+ ),
+ Str(
+ 'ipamemberca',
+ label=_("Failed CAs"),
+ ),
+ # host
+ Str(
+ 'managedby',
+ label=_("Failed managedby"),
+ ),
+ # service
+ Str(
+ 'ipaallowedtoperform_read_keys',
+ label=_("Failed allowed to retrieve keytab"),
+ ),
+ Str(
+ 'ipaallowedtoperform_write_keys',
+ label=_("Failed allowed to create keytab"),
+ ),
+ # servicedelegation
+ Str(
+ 'failed_memberprincipal',
+ label=_("Failed members"),
+ ),
+ Str(
+ 'ipaallowedtarget',
+ label=_("Failed targets"),
+ ),
+ # vault
+ Str(
+ 'owner?',
+ label=_("Failed owners"),
+ ),
+ )
+
+ def get_output_params(self):
+ seen = set()
+ for output_param in super(ClientMethod, self).get_output_params():
+ seen.add(output_param.name)
+ yield output_param
+ for output_param in self._failed_member_output_params:
+ if output_param.name not in seen:
+ yield output_param
 class CommandOverride(Command):
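Review bot: `ClientCommand` and `ClientMethod` carry no docstring, so the reason `get_options` drops repeated `all`/`raw` options and the reason `get_output_params` appends `_failed_member_output_params` to every method are left for the reader to reverse-engineer. A one-line docstring on each would do, e.g. `"""Command built from a remote plugin definition; repeated 'all'/'raw' flags are yielded once."""` on `ClientCommand` and `"""Method that also declares the failed-member output params a server may return."""` on `ClientMethod`. Only the first occurrence of each of `all` and `raw` survives, which presumably matters because the bundled plugin definitions (such as `aci_add` later in this patch) spell these flags out in `takes_options` while the base class may add them too; that is worth stating in the comment. `'owner?'` is the only entry in the tuple using the `?` spec suffix; if that is deliberate, a short comment on that entry would save the next reader a lookup.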
@@ -24,6 +122,14 @@ class CommandOverride(Command):
 def topic(self):
 return self.next.topic
+ @property
+ def forwarded_name(self):
+ return self.next.forwarded_name
+
+ @property
+ def api_version(self):
+ return self.next.api_version
+
 def _on_finalize(self):
 self.next.finalize()
diff --git a/ipaclient/remote_plugins/2_114/__init__.py b/ipaclient/remote_plugins/2_114/__init__.py
new file mode 100644
index 000000000..f1e2d03e8
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.114'
+
+
+class Method(Command, CompatMethod):
+ pass
diff --git a/ipaclient/remote_plugins/2_114/aci.py b/ipaclient/remote_plugins/2_114/aci.py
new file mode 100644
index 000000000..316abeb46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/aci.py
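Review bot: In `2_114/__init__.py`, `api_version = u'2.114'` has to agree with the package directory name `2_114`, but nothing ties the two together, and the diffstat shows the same `__init__.py` repeated for `2_49`, `2_156` and `2_164`, so a mismatch in any one copy would go unnoticed until a client picks the wrong definitions. A comment such as `# Must match this package's directory name (2_114 -> 2.114).` would at least flag the coupling; deriving the value from the module name, `api_version = __name__.rsplit('.', 1)[-1].replace('_', '.')`, would remove it, though on Python 2 that yields a byte string and would need converting to text if callers compare it against unicode. The `forwarded_name` and `api_version` properties added to `CommandOverride` in the preceding hunk are undocumented as well; `CommandOverride` itself starts outside that hunk.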
@@ -0,0 +1,812 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Directory Server Access Control Instructions (ACIs) + +ACIs are used to allow or deny access to information. This module is +currently designed to allow, not deny, access. + +The aci commands are designed to grant permissions that allow updating +existing entries or adding or deleting new ones. The goal of the ACIs +that ship with IPA is to provide a set of low-level permissions that +grant access to special groups called taskgroups. These low-level +permissions can be combined into roles that grant broader access. These +roles are another type of group, roles. + +For example, if you have taskgroups that allow adding and modifying users you +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. + +You can create ACIs that delegate permission so users in group A can write +attributes on group B. + +The type option is a map that applies to all entries in the users, groups or +host location. It is primarily designed to be used when granting add +permissions (to write new entries). + +An ACI consists of three parts: +1. target +2. permissions +3. bind rules + +The target is a set of rules that define which LDAP objects are being +targeted. This can include a list of attributes, an area of that LDAP +tree or an LDAP filter. + +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. 
This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant "add" permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the ACI is allowed to do, and are one or +more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +The bind rule defines who this ACI grants permissions to. The LDAP server +allows this to be any valid LDAP entry but we encourage the use of +taskgroups so that the rights can be easily shared through roles. + +For a more thorough description of access controls see +http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html + +EXAMPLES: + +NOTE: ACIs are now added via the permission plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). 
+ + Add an ACI so that the group "secretaries" can update the address on any user: + ipa group-add --desc="Office secretaries" secretaries + ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses" + + Show the new ACI: + ipa aci-show --prefix=none "Secretaries write addresses" + + Add an ACI that allows members of the "addusers" permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users" + + Add an ACI that allows members of the editors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins" + + Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors" + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss" + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange + + +The show command shows the raw 389-ds ACI. + +IMPORTANT: When modifying the target attributes of an existing ACI you +must include all existing attributes as well. When doing an aci-mod the +targetattr REPLACES the current attributes, it does not add to them. 
+""") + +register = Registry() + + +@register() +class aci(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + ), + ) + + +@register() +class aci_add(Method): + __doc__ = _("Create new ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'test', + required=False, + doc=_(u"Test the ACI syntax but don't write anything"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_del(Method): + __doc__ = _("Delete ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_find(Method): + __doc__ = _(""" +Search for ACIs. + + Returns a list of ACIs + + EXAMPLES: + + To find all ACIs that apply directly to members of the group ipausers: + ipa aci-find --memberof=ipausers + + To find all ACIs that grant add access: + ipa aci-find --permissions=add + + Note that the find command only looks for the given text in the set of + ACIs, it does not evaluate the ACIs to see if something would apply. + For example, searching on memberof=ipausers will find all ACIs that + have ipausers as a memberof. There may be other ACIs that apply to + members of that group indirectly. 
+ """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Bool( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + ), + parameters.Str( + 'aciprefix', + required=False, + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class aci_mod(Method): + __doc__ = _("Modify ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_rename(Method): + __doc__ = _("Rename an ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Str( + 'newname', + doc=_(u'New ACI name'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_show(Method): + __doc__ = _("Display a single ACI given an ACI name.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.DNParam( + 'location', + required=False, + label=_(u'Location of the ACI'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/automember.py b/ipaclient/remote_plugins/2_114/automember.py new file mode 100644 index 000000000..09b5a8d01 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/automember.py 
@@ -0,0 +1,827 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Auto Membership Rule. + +Bring clarity to the membership of hosts and users by configuring inclusive +or exclusive regex patterns, you can automatically assign a new entries into +a group or hostgroup based upon attribute information. + +A rule is directly associated with a group by name, so you cannot create +a rule without an accompanying group or hostgroup. + +A condition is a regular expression used by 389-ds to match a new incoming +entry with an automember rule. If it matches an inclusive rule then the +entry is added to the appropriate group or hostgroup. + +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + +The automember-rebuild command can be used to retroactively run automember rules +against existing entries, thus rebuilding their membership. 
+ +EXAMPLES: + + Add the initial group or hostgroup: + ipa hostgroup-add --desc="Web Servers" webservers + ipa group-add --desc="Developers" devel + + Add the initial rule: + ipa automember-add --type=hostgroup webservers + ipa automember-add --type=group devel + + Add a condition to the rule: + ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel + + Add an exclusive condition to the rule to prevent auto assignment: + ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers + + Add a host: + ipa host-add web1.example.com + + Add a user: + ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott + + Verify automembership: + ipa hostgroup-show webservers + Host-group: webservers + Description: Web Servers + Member hosts: web1.example.com + + ipa group-show devel + Group name: devel + Description: Developers + GID: 1004200000 + Member users: tuser + + Remove a condition from the rule: + ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + + Modify the automember rule: + ipa automember-mod + + Set the default (fallback) target group: + ipa automember-default-group-set --default-group=webservers --type=hostgroup + ipa automember-default-group-set --default-group=ipausers --type=group + + Remove the default (fallback) target group: + ipa automember-default-group-remove --type=hostgroup + ipa automember-default-group-remove --type=group + + Show the default (fallback) target group: + ipa automember-default-group-show --type=hostgroup + ipa automember-default-group-show --type=group + + Find all of the automember rules: + ipa automember-find + + Display a automember rule: + ipa automember-show --type=hostgroup webservers + ipa automember-show --type=group devel + + Delete an automember rule: + ipa 
automember-del --type=hostgroup webservers + ipa automember-del --type=group devel + + Rebuild membership for all users: + ipa automember-rebuild --type=group + + Rebuild membership for all hosts: + ipa automember-rebuild --type=hostgroup + + Rebuild membership for specified users: + ipa automember-rebuild --users=tuser1 --users=tuser2 + + Rebuild membership for specified hosts: + ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com +""") + +register = Registry() + + +@register() +class automember(Object): + takes_params = ( + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + required=False, + label=_(u'Default (fallback) Group'), + doc=_(u'Default group for entries to land'), + ), + ) + + +@register() +class automember_add(Method): + __doc__ = _("Add an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_add_condition(Method): + __doc__ = _("Add conditions to an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions added'), + ), + ) + + +@register() +class automember_default_group_remove(Method): + __doc__ = _("Remove default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_set(Method): + __doc__ = _("Set default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + cli_name='default_group', + label=_(u'Default (fallback) Group'), + doc=_(u'Default (fallback) group for entries to land'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_show(Method): + __doc__ = _("Display information about the default (fallback) automember groups.") + + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_del(Method): + __doc__ = _("Delete an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automember_find(Method): + __doc__ = _("Search for automember rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automember_mod(Method): + __doc__ = _("Modify an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_rebuild(Command): + __doc__ = _("Rebuild auto membership.") + + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['group', 'hostgroup']", + label=_(u'Rebuild membership for all members of a grouping'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Str( + 'users', + required=False, + multivalue=True, + label=_(u'Users'), + doc=_(u'Rebuild membership for specified users'), + ), + parameters.Str( + 'hosts', + required=False, + multivalue=True, + label=_(u'Hosts'), + doc=_(u'Rebuild membership for specified hosts'), + ), + parameters.Flag( + 'no_wait', + required=False, + label=_(u'No wait'), + doc=_(u"Don't wait for rebuilding membership"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_remove_condition(Method): + __doc__ = _("Remove conditions from an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions removed'), + ), + ) + + +@register() +class automember_show(Method): + __doc__ = _("Display information about an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/automount.py b/ipaclient/remote_plugins/2_114/automount.py new file mode 100644 index 000000000..c2fcd6cca --- /dev/null +++ b/ipaclient/remote_plugins/2_114/automount.py 
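Review bot: The module docstring at the top of this hunk (`__doc__ = _("""...""")`) contains regex examples with `\.` inside a non-raw string literal, e.g. `--inclusive-regex=^web[1-9]+\.example\.com` and `--exclusive-regex=^web5\.example\.com`; `\.` is not a valid Python escape, so under Python 3.6+ (which the file targets via the `six.PY3` branch) compiling this module emits a DeprecationWarning (SyntaxWarning in later releases) and fails outright under `-W error`. The minimal fix is to make the literal raw, `__doc__ = _(r"""`, which is safe here because the docstring contains no other backslash escapes; doubling the backslashes in the examples would work as well. The same examples appear on the server-side plugin this file mirrors, and if this module is produced by a generator the change belongs in the generator so it is not overwritten on the next regeneration. The other `_(u'...\nFor multi-valued...')` parameter docs in the hunk use `\n` intentionally and are unaffected.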
@@ -0,0 +1,1228 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Automount + +Stores automount(8) configuration for autofs(8) in IPA. + +The base of an automount configuration is the configuration file auto.master. +This is also the base location in IPA. Multiple auto.master configurations +can be stored in separate locations. A location is implementation-specific +with the default being a location named 'default'. For example, you can have +locations by geographic region, by floor, by type, etc. + +Automount has three basic object types: locations, maps and keys. + +A location defines a set of maps anchored in auto.master. This allows you +to store multiple automount configurations. A location in itself isn't +very interesting, it is just a point to start a new automount map. + +A map is roughly equivalent to a discrete automount file and provides +storage for keys. + +A key is a mount point associated with a map. + +When a new location is created, two maps are automatically created for +it: auto.master and auto.direct. auto.master is the root map for all +automount maps for the location. auto.direct is the default map for +direct mounts and is mounted on /-. + +An automount map may contain a submount key. This key defines a mount +location within the map that references another map. This can be done +either using automountmap-add-indirect --parentmap or manually +with automountkey-add and setting info to "-type=autofs :". 
+ +EXAMPLES: + +Locations: + + Create a named location, "Baltimore": + ipa automountlocation-add baltimore + + Display the new location: + ipa automountlocation-show baltimore + + Find available locations: + ipa automountlocation-find + + Remove a named automount location: + ipa automountlocation-del baltimore + + Show what the automount maps would look like if they were in the filesystem: + ipa automountlocation-tofiles baltimore + + Import an existing configuration into a location: + ipa automountlocation-import baltimore /etc/auto.master + + The import will fail if any duplicate entries are found. For + continuous operation where errors are ignored, use the --continue + option. + +Maps: + + Create a new map, "auto.share": + ipa automountmap-add baltimore auto.share + + Display the new map: + ipa automountmap-show baltimore auto.share + + Find maps in the location baltimore: + ipa automountmap-find baltimore + + Create an indirect map with auto.share as a submount: + ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man + + This is equivalent to: + + ipa automountmap-add-indirect baltimore --mount=/man auto.man + ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share" + + Remove the auto.share map: + ipa automountmap-del baltimore auto.share + +Keys: + + Create a new key for the auto.share map in location baltimore. 
This ties + the map we previously created to auto.master: + ipa automountkey-add baltimore auto.master --key=/share --info=auto.share + + Create a new key for our auto.share map, an NFS mount for man pages: + ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" + + Find all keys for the auto.share map: + ipa automountkey-find baltimore auto.share + + Find all direct automount keys: + ipa automountkey-find baltimore --key=/- + + Remove the man key from the auto.share map: + ipa automountkey-del baltimore auto.share --key=man +""") + +register = Registry() + + +@register() +class automountkey(Object): + takes_params = ( + parameters.Str( + 'automountkey', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + label=_(u'Mount information'), + ), + parameters.Str( + 'description', + required=False, + primary_key=True, + label=_(u'description'), + exclude=('webui', 'cli'), + ), + ) + + +@register() +class automountlocation(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + + +@register() +class automountmap(Object): + takes_params = ( + parameters.Str( + 'automountmapname', + primary_key=True, + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class automountkey_add(Method): + __doc__ = _("Create a new automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + 
parameters.Str( + 'automountinformation', + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_del(Method): + __doc__ = _("Delete an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountkey_find(Method): + __doc__ = _("Search for an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in 
seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountkey_mod(Method): + __doc__ = _("Modify an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'newautomountinformation', + required=False, + cli_name='newinfo', + label=_(u'New mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the automount key object'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_show(Method): + __doc__ = _("Display an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_add(Method): + __doc__ = _("Create a new automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_del(Method): + __doc__ = _("Delete an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountlocation_find(Method): + __doc__ = _("Search for an automount location.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("location")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountlocation_show(Method): + __doc__ = _("Display an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_tofiles(Method): + __doc__ = _("Generate automount files for a specific location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class automountmap_add(Method): + __doc__ = _("Create a new automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_add_indirect(Method): + __doc__ = _("Create a new indirect mount point.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'key', + cli_name='mount', + label=_(u'Mount point'), + ), + parameters.Str( + 'parentmap', + required=False, + label=_(u'Parent map'), + doc=_(u'Name of parent automount map (default: auto.master).'), + default=u'auto.master', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_del(Method): + __doc__ = _("Delete an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + multivalue=True, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountmap_find(Method): + __doc__ = _("Search for an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountmapname', + required=False, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("map")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountmap_mod(Method): + __doc__ = _("Modify an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_show(Method): + __doc__ = _("Display an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
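Review bot: The `automountkey` object declares `description` as its `primary_key=True` parameter while hiding it with `exclude=('webui', 'cli')`, and every `automountkey_*` method then carries the real key through the `automountkey`/`automountinformation` options instead of positional arguments; a reader of this bundle cannot tell whether that is intentional. A one-line comment on that parameter, e.g. `# NOTE: 'description' is the declared primary key of automountkey entries and is hidden from CLI/Web UI; presumably mirrors the 2.114 server definition — confirm`, would save the next maintainer a trip to the server plugin. If this file is regenerated from a server API dump rather than hand-maintained, the comment belongs in the generator so it survives regeneration.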
diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py new file mode 100644 index 000000000..4a613b677 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/batch.py @@ -0,0 +1,71 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugin to make multiple ipa calls via one remote procedure call + +To run this code in the lite-server + +curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json + +where the contents of the file batch_request.json follow the below example + +{"method":"batch","params":[[ + {"method":"group_find","params":[[],{}]}, + {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, + {"method":"user_show","params":[["admin"],{"all":true}]} + ],{}],"id":1} + +The format of the response is nested the same way. At the top you will see + "error": null, + "id": 1, + "result": { + "count": 3, + "results": [ + + +And then a nested response for each IPA command method sent in the request +""") + +register = Registry() + + +@register() +class batch(Command): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'methods', + required=False, + multivalue=True, + doc=_(u'Nested Methods to execute'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'count', + int, + ), + output.Output( + 'results', + (list, tuple), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/cert.py b/ipaclient/remote_plugins/2_114/cert.py new file mode 100644 index 000000000..763f63e37 --- /dev/null 
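Review bot: The `methods` argument of `batch` is declared `parameters.Str` (multivalue), yet the module docstring's request example passes one JSON object per element (`{"method":"group_find","params":[[],{}]}`), so the declared element type and the documented wire format disagree. If `Str` is what the 2.114 server advertises, a comment on the parameter such as `# elements are nested {"method": ..., "params": [args, options]} objects, not plain strings` would keep callers from stringifying them; if the server declares a looser type, the bundled definition should match it rather than `Str`. If this file is generated from a server dump, the fix belongs in the generator.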
+++ b/ipaclient/remote_plugins/2_114/cert.py 
@@ -0,0 +1,376 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +The dogtag CA uses just the CN value of the CSR and forces the rest of the +subject to values configured in the server. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +SEARCHING: + +Certificates may be searched on by certificate subject, serial number, +revocation reason, validity dates and the issued date. + +When searching on dates the _from date does a >= search and the _to date +does a <= search. When combined these are done as an AND. + +Dates are treated as GMT to match the dates in the certificates. + +The date format is YYYY-mm-dd. 
+ +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + + Search for certificates by hostname: + ipa cert-find --subject=ipaserver.example.com + + Search for revoked certificates by reason: + ipa cert-find --revocation-reason=5 + + Search for certificates based on issuance date + ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. + +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class ca_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the CA service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cert_find(Command): + __doc__ = _("Search for existing certificates.") + + takes_options = ( + parameters.Str( + 'subject', + required=False, + label=_(u'Subject'), + ), + parameters.Int( + 'revocation_reason', + required=False, + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + ), + parameters.Int( + 'min_serial_number', + required=False, + doc=_(u'minimum serial number'), + ), + parameters.Int( + 'max_serial_number', + required=False, + doc=_(u'maximum serial number'), + ), + parameters.Flag( + 'exactly', + required=False, + doc=_(u'match the common name exactly'), + default=False, + autofill=True, + ), + parameters.Str( + 'validnotafter_from', + required=False, + doc=_(u'Valid not after from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotafter_to', + required=False, + doc=_(u'Valid not after to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_from', + required=False, + doc=_(u'Valid not before from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_to', + required=False, + doc=_(u'Valid not before to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_from', + required=False, + doc=_(u'Issued on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_to', + required=False, + doc=_(u'Issued on to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_from', + required=False, + doc=_(u'Revoked on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_to', + required=False, + doc=_(u'Revoked on to this date (YYYY-mm-dd)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of certs returned'), + default=100, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Service principal for this certificate (e.g. 
HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_114/config.py b/ipaclient/remote_plugins/2_114/config.py new file mode 100644 index 000000000..b55951602 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/config.py 
@@ -0,0 +1,408 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Server configuration + +Manage the default values that IPA uses and some of its tuning parameters. + +NOTES: + +The password notification value (--pwdexpnotify) is stored here so it will +be replicated. It is not currently used to notify users in advance of an +expiring password. + +Some attributes are read-only, provided only for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plug-in features: currently defines additional hashes that the + password will generate (there may be other conditions). + +When setting the order list for mapping SELinux users you may need to +quote the value so it isn't interpreted by the shell. 
+ +EXAMPLES: + + Show basic server configuration: + ipa config-show + + Show all configuration options: + ipa config-show --all + + Change maximum username length to 99 characters: + ipa config-mod --maxusername=99 + + Increase default time and size limits for maximum IPA server search: + ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000 + + Set default user e-mail domain: + ipa config-mod --emaildomain=example.com + + Enable migration mode to make "ipa migrate-ds" command operational: + ipa config-mod --enable-migration=TRUE + + Define SELinux user map order: + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' +""") + +register = Registry() + + +@register() +class config(Object): + takes_params = ( + parameters.Int( + 'ipamaxusernamelength', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when 
searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + label=_(u'Enable migration mode'), + ), + parameters.DNParam( + 'ipacertificatesubjectbase', + label=_(u'Certificate Subject base'), + doc=_(u'Base for certificate subjects (OU=Test,O=Example)'), + ), + parameters.Str( + 'ipagroupobjectclasses', + multivalue=True, + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + multivalue=True, + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + ) + + +@register() +class config_mod(Method): + __doc__ = _("Modify configuration options.") + + takes_options = ( + parameters.Int( + 'ipamaxusernamelength', + required=False, + cli_name='maxusername', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + required=False, + 
cli_name='homedirectory', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + required=False, + cli_name='defaultshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + required=False, + cli_name='defaultgroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + cli_name='emaildomain', + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + required=False, + cli_name='searchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + required=False, + cli_name='searchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + required=False, + cli_name='usersearch', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + required=False, + cli_name='groupsearch', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + required=False, + cli_name='enable_migration', + label=_(u'Enable migration mode'), + ), + parameters.Str( + 'ipagroupobjectclasses', + required=False, + multivalue=True, + cli_name='groupobjectclasses', + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + required=False, + multivalue=True, + cli_name='userobjectclasses', + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), 
+ ), + parameters.Int( + 'ipapwdexpadvnotify', + required=False, + cli_name='pwdexpnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']", + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + required=False, + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']", + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class config_show(Method): + __doc__ = _("Show the current configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_114/delegation.py b/ipaclient/remote_plugins/2_114/delegation.py new file mode 100644 index 000000000..87496117f --- /dev/null +++ b/ipaclient/remote_plugins/2_114/delegation.py 
@@ -0,0 +1,383 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +Group to Group Delegations grants the members of one group to update a set +of attributes of members of another group. + +EXAMPLES: + + Add a delegation rule to allow managers to edit employee's addresses: + ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add postalCode to the list: + ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street" + + Display our updated rule: + ipa delegation-show "managers edit employees' street" + + Delete a rule: + ipa delegation-del "managers edit employees' street" +""") + +register = Registry() + + +@register() +class delegation(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + ), + parameters.Str( + 'memberof', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + ) + + +@register() +class delegation_add(Method): + __doc__ = _("Add a new delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_del(Method): + __doc__ = _("Delete a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_find(Method): + __doc__ = _("Search for delegations.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class delegation_mod(Method): + __doc__ = _("Modify a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_show(Method): + __doc__ = _("Display information about a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py new file mode 100644 index 000000000..5d91dbcb3 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/dns.py 
@@ -0,0 +1,5373 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Domain Name System (DNS)
+
+Manage DNS zone and resource records.
+
+SUPPORTED ZONE TYPES
+
+ * Master zone (dnszone-*), contains authoritative data.
+ * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders
+ (a set of DNS servers).
+
+USING STRUCTURED PER-TYPE OPTIONS
+
+There are many structured DNS RR types where DNS data stored in LDAP server
+is not just a scalar value, for example an IP address or a domain name, but
+a data structure which may be often complex. A good example is a LOC record
+[RFC1876] which consists of many mandatory and optional parts (degrees,
+minutes, seconds of latitude and longitude, altitude or precision).
+
+It may be difficult to manipulate such DNS records without making a mistake
+and entering an invalid value. DNS module provides an abstraction over these
+raw records and allows to manipulate each RR type with specific options. For
+each supported RR type, DNS module provides a standard option to manipulate
+a raw records with format ---rec, e.g. --mx-rec, and special options
+for every part of the RR structure with format ---, e.g.
+--mx-preference and --mx-exchanger.
+
+When adding a record, either RR specific options or standard option for a raw
+value can be used, they just should not be combined in one add operation. When
+modifying an existing entry, new RR specific options can be used to change
+one part of a DNS record, where the standard option for raw value is used
+to specify the modified value. 
The following example demonstrates +a modification of MX record preference from 0 to 1 in a record without +modifying the exchanger: +ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1 + + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --admin-email=admin@example.com + + Add system permission that can be used for per-zone privilege delegation: + ipa dnszone-add-permission example.com + + Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: + ipa dnszone-mod example.com --dynamic-update=TRUE + + This is the equivalent of: + ipa dnszone-mod example.com --dynamic-update=TRUE \ + --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;" + + Modify the zone to allow zone transfers for local network only: + ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24 + + Add new reverse zone specified by network IP address: + ipa dnszone-add --name-from-ip=192.0.2.0/24 + + Add second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com + + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec="10 mail1" + + Add another record using MX record specific options: + ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2 + + Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, + or dnsrecord-del are executed with no options): + ipa dnsrecord-add example.com @ + Please choose a type of DNS resource record to be added + The most common types for this type of zone are: NS, MX, LOC + + DNS resource record type: MX + MX Preference: 30 + MX Exchanger: mail3 + Record name: example.com + MX record: 10 mail1, 20 mail2, 30 mail3 + NS record: nameserver.example.com., nameserver2.example.com. + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com. 
+ + Add LOC record for example.com: + ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m" + + Add new A record for www.example.com. Create a reverse record in appropriate + reverse zone as well. In this case a PTR record "2" pointing to www.example.com + will be created in zone 2.0.192.in-addr.arpa. + ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse + + Add new PTR record for www.example.com + ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com. + + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + + The interactive mode can be used for easy modification: + ipa dnsrecord-mod example.com _ldap._tcp + No option to modify specific record provided. + Current DNS record contents: + + SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com + + Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No): + Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y + SRV Priority [0]: (keep the default value) + SRV Weight [1]: 2 (modified value) + SRV Port [389]: (keep the default value) + SRV Target [slow.example.com]: (keep the default value) + 1 SRV record skipped. Only one value per DNS record type can be modified at one time. + Record name: _ldap._tcp + SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com + + After this modification, three fifths of the requests should go to + fast.example.com and two fifths to slow.example.com. 
+ + An example of the interactive mode for dnsrecord-del command: + ipa dnsrecord-del example.com www + No option to delete specific record provided. + Delete all? Yes/No (default No): (do not delete all records) + Current DNS record contents: + + A record: 192.0.2.2, 192.0.2.3 + + Delete A record '192.0.2.2'? Yes/No (default No): + Delete A record '192.0.2.3'? Yes/No (default No): y + Record name: www + A record: 192.0.2.2 (A record 192.0.2.3 has been deleted) + + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in its domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 192.0.2.2 in zone example.com + ipa dnsrecord-find example.com --a-rec=192.0.2.2 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delegate zone sub.example to another nameserver: + ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1 + ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com. + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + If a global forwarder is configured, all queries for which this server is not + authoritative (e.g. sub.example.com) will be routed to the global forwarder. + Global forwarding configuration can be overridden per-zone. + + Semantics of forwarding in IPA matches BIND semantics and depends on the type + of zone: + * Master zone: local BIND replies authoritatively to queries for data in + the given zone (including authoritative NXDOMAIN answers) and forwarding + affects only queries for names below zone cuts (NS records) of locally + served zones. + + * Forward zone: forward zone contains no authoritative data. BIND forwards + queries, which cannot be answered from its local cache, to configured + forwarders. + + Semantics of the --forwarder-policy option: + * none - disable forwarding for the given zone. 
+ * first - forward all queries to configured forwarders. If they fail, + do resolution using DNS root servers. + * only - forward all queries to configured forwarders and if they fail, + return failure. + + Disable global forwarding for given sub-tree: + ipa dnszone-mod example.com --forward-policy=none + + This configuration forwards all queries for names outside the example.com + sub-tree to global forwarders. Normal recursive resolution process is used + for names inside the example.com sub-tree (i.e. NS records are followed etc.). + + Forward all requests for the zone external.example.com to another forwarder + using a "first" policy (it will send the queries to the selected forwarder + and if not answered it will use global root servers): + ipa dnsforwardzone-add external.example.com --forward-policy=first \ + --forwarder=203.0.113.1 + + Change forward-policy for external.example.com: + ipa dnsforwardzone-mod external.example.com --forward-policy=only + + Show forward zone external.example.com: + ipa dnsforwardzone-show external.example.com + + List all forward zones: + ipa dnsforwardzone-find + + Delete forward zone external.example.com: + ipa dnsforwardzone-del external.example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + +GLOBAL DNS CONFIGURATION + +DNS configuration passed to command line install script is stored in a local +configuration file on each IPA server where DNS service is configured. 
These +local settings can be overridden with a common configuration stored in LDAP +server: + + Show global DNS configuration: + ipa dnsconfig-show + + Modify global DNS configuration and set a list of global forwarders: + ipa dnsconfig-mod --forwarder=203.0.113.113 +""") + +register = Registry() + + +@register() +class dnsconfig(Object): + takes_params = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + label=_(u'Zone refresh interval'), + ), + ) + + +@register() +class dnsforwardzone(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + ) + + +@register() +class dnsrecord(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'dnsrecords', + required=False, + label=_(u'Records'), + ), + parameters.Str( + 'dnstype', + required=False, + label=_(u'Record type'), + ), + parameters.Str( + 'dnsdata', + required=False, + label=_(u'Record data'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + label=_(u'AFSDB 
Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + label=_(u'APL record'), + doc=_(u'Raw APL records'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 
'dname_part_target', + required=False, + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + label=_(u'DNSKEY record'), + doc=_(u'Raw DNSKEY records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + ), + parameters.Decimal( + 'loc_part_size', + required=False, + label=_(u'LOC Size'), + doc=_(u'Size'), + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + label=_(u'MX record'), + doc=_(u'Raw 
MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + ), + parameters.Str( + 'naptr_part_service', + required=False, + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + label=_(u'NSEC3 record'), + doc=_(u'Raw NSEC3 records'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points 
to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + label=_(u'RP record'), + doc=_(u'Raw RP records'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' 
if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + label=_(u'TA record'), + doc=_(u'Raw TA records'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + label=_(u'TLSA Certificate Association Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + label=_(u'TKEY record'), + doc=_(u'Raw TKEY records'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + label=_(u'TSIG record'), + doc=_(u'Raw TSIG records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + ) + + +@register() +class dnszone(Object): + takes_params = ( + parameters.DNSNameParam( + 
'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + label=_(u'Administrator e-mail address'), + ), + parameters.Int( + 'idnssoaserial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + ), + parameters.Int( + 'idnssoarefresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + ), + parameters.Int( + 'idnssoaretry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + ), + parameters.Int( + 'idnssoaexpire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + ), + parameters.Int( + 'idnssoaminimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + label=_(u'BIND update policy'), + ), + parameters.Bool( + 
'idnsallowdynupdate', + required=False, + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + ), + parameters.Str( + 'idnsallowquery', + required=False, + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + ) + + +@register() +class dns_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the DNS service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dns_resolve(Command): + __doc__ = _("Resolve a host name in DNS.") + + takes_args = ( + parameters.Str( + 'hostname', + label=_(u'Hostname'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_mod(Method): + __doc__ = _("Modify global DNS configuration.") + + takes_options = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + deprecated=True, + cli_name='zone_refresh', + label=_(u'Zone refresh interval'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_show(Method): + __doc__ = _("Show the current global DNS configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add(Method): + __doc__ = _("Create new DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add_permission(Method): + __doc__ = _("Add a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_del(Method): + __doc__ = _("Delete DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + 
default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsforwardzone_disable(Method): + __doc__ = _("Disable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_enable(Method): + __doc__ = _("Enable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_find(Method): + __doc__ = _("Search for DNS forward zones.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsforwardzone_mod(Method): + __doc__ = _("Modify DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_remove_permission(Method): + __doc__ = _("Remove a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_show(Method): + __doc__ = _("Display information about a DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_add(Method): + __doc__ = _("Add new DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + cli_name='a_create_reverse', + option_group=u'A Record', + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + 
cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + cli_name='aaaa_create_reverse', + option_group=u'AAAA Record', + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key 
Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + cli_name='dlv_key_tag', + option_group=u'DLV Record', + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + cli_name='dlv_algorithm', + option_group=u'DLV Record', + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + cli_name='dlv_digest_type', + option_group=u'DLV Record', + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + cli_name='dlv_digest', + option_group=u'DLV Record', + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + 
multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + option_group=u'DNSKEY Record', + label=_(u'DNSKEY record'), + doc=_(u'Raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Raw 
KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + 
doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + 
option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + option_group=u'NSEC3 Record', + label=_(u'NSEC3 record'), + doc=_(u'Raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + 
cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + option_group=u'TA Record', + label=_(u'TA record'), + doc=_(u'Raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + option_group=u'TLSA Record', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + cli_name='tlsa_cert_usage', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + cli_name='tlsa_selector', + option_group=u'TLSA Record', + 
label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + cli_name='tlsa_matching_type', + option_group=u'TLSA Record', + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + cli_name='tlsa_cert_association_data', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Association Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + option_group=u'TKEY Record', + label=_(u'TKEY record'), + doc=_(u'Raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + option_group=u'TSIG Record', + label=_(u'TSIG record'), + doc=_(u'Raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'force',
+ label=_(u'Force'),
+ doc=_(u'force NS record creation even if its hostname is not in DNS'),
+ exclude=('cli', 'webui'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_del(Method):
+ __doc__ = _("Delete DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Flag(
+ 'del_all',
+ label=_(u'Delete all associated records'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_delentry(Method):
+ __doc__ = _("Delete DNS record entry.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class dnsrecord_find(Method):
+ __doc__ = _("Search for DNS resources.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ required=False,
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class dnsrecord_mod(Method):
+ __doc__ = _("Modify a DNS resource record.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'dnsttl',
+ required=False,
+ cli_name='ttl',
+ label=_(u'Time to live'),
+ ),
+ parameters.Str(
+ 'dnsclass',
+ required=False,
+ cli_name='class',
+ cli_metavar="['IN', 'CS', 'CH', 'HS']",
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'arecord',
+ required=False,
+ multivalue=True,
+ cli_name='a_rec',
+ option_group=u'A Record',
+ label=_(u'A record'),
+ doc=_(u'Raw A records'),
+ ),
+ parameters.Str(
+ 'a_part_ip_address',
+ required=False,
+ cli_name='a_ip_address',
+ option_group=u'A Record',
+ label=_(u'A IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'aaaarecord',
+ required=False,
+ multivalue=True,
+ cli_name='aaaa_rec',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA record'),
+ doc=_(u'Raw AAAA records'),
+ ),
+ parameters.Str(
+ 'aaaa_part_ip_address',
+ required=False,
+ cli_name='aaaa_ip_address',
+ option_group=u'AAAA Record',
+ label=_(u'AAAA IP Address'),
+ doc=_(u'IP Address'),
+ ),
+ parameters.Str(
+ 'a6record',
+ required=False,
+ multivalue=True,
+ cli_name='a6_rec',
+ option_group=u'A6 Record',
+ label=_(u'A6 record'),
+ doc=_(u'Raw A6 records'),
+ ),
+ parameters.Str(
+ 'a6_part_data',
+ required=False,
+ cli_name='a6_data',
+ option_group=u'A6 Record',
+ label=_(u'A6 Record data'),
+ doc=_(u'Record data'),
+ ),
+ parameters.Str(
+ 'afsdbrecord',
+ required=False,
+ multivalue=True,
+ cli_name='afsdb_rec',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB record'),
+ doc=_(u'Raw AFSDB records'),
+ ),
+ parameters.Int(
+ 'afsdb_part_subtype',
+ required=False,
+ cli_name='afsdb_subtype',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Subtype'),
+ doc=_(u'Subtype'),
+ ),
+ parameters.DNSNameParam(
+ 'afsdb_part_hostname',
+ required=False,
+ cli_name='afsdb_hostname',
+ option_group=u'AFSDB Record',
+ label=_(u'AFSDB Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'aplrecord',
+ required=False,
+ multivalue=True,
+ cli_name='apl_rec',
+ option_group=u'APL Record',
+ label=_(u'APL record'),
+ doc=_(u'Raw APL records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'certrecord',
+ required=False,
+ multivalue=True,
+ cli_name='cert_rec',
+ option_group=u'CERT Record',
+ label=_(u'CERT record'),
+ doc=_(u'Raw CERT records'),
+ ),
+ parameters.Int(
+ 'cert_part_type',
+ required=False,
+ cli_name='cert_type',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate Type'),
+ doc=_(u'Certificate Type'),
+ ),
+ parameters.Int(
+ 'cert_part_key_tag',
+ required=False,
+ cli_name='cert_key_tag',
+ option_group=u'CERT Record',
+ label=_(u'CERT Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'cert_part_algorithm',
+ required=False,
+ cli_name='cert_algorithm',
+ option_group=u'CERT Record',
+ label=_(u'CERT Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Str(
+ 'cert_part_certificate_or_crl',
+ required=False,
+ cli_name='cert_certificate_or_crl',
+ option_group=u'CERT Record',
+ label=_(u'CERT Certificate/CRL'),
+ doc=_(u'Certificate/CRL'),
+ ),
+ parameters.Str(
+ 'cnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='cname_rec',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME record'),
+ doc=_(u'Raw CNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'cname_part_hostname',
+ required=False,
+ cli_name='cname_hostname',
+ option_group=u'CNAME Record',
+ label=_(u'CNAME Hostname'),
+ doc=_(u'A hostname which this alias hostname points to'),
+ ),
+ parameters.Str(
+ 'dhcidrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dhcid_rec',
+ option_group=u'DHCID Record',
+ label=_(u'DHCID record'),
+ doc=_(u'Raw DHCID records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dlvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dlv_rec',
+ option_group=u'DLV Record',
+ label=_(u'DLV record'),
+ doc=_(u'Raw DLV records'),
+ ),
+ parameters.Int(
+ 'dlv_part_key_tag',
+ required=False,
+ cli_name='dlv_key_tag',
+ option_group=u'DLV Record',
+ label=_(u'DLV Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'dlv_part_algorithm',
+ required=False,
+ cli_name='dlv_algorithm',
+ option_group=u'DLV Record',
+ label=_(u'DLV Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'dlv_part_digest_type',
+ required=False,
+ cli_name='dlv_digest_type',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'dlv_part_digest',
+ required=False,
+ cli_name='dlv_digest',
+ option_group=u'DLV Record',
+ label=_(u'DLV Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'dnamerecord',
+ required=False,
+ multivalue=True,
+ cli_name='dname_rec',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME record'),
+ doc=_(u'Raw DNAME records'),
+ ),
+ parameters.DNSNameParam(
+ 'dname_part_target',
+ required=False,
+ cli_name='dname_target',
+ option_group=u'DNAME Record',
+ label=_(u'DNAME Target'),
+ doc=_(u'Target'),
+ ),
+ parameters.Str(
+ 'dnskeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='dnskey_rec',
+ option_group=u'DNSKEY Record',
+ label=_(u'DNSKEY record'),
+ doc=_(u'Raw DNSKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'dsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ds_rec',
+ option_group=u'DS Record',
+ label=_(u'DS record'),
+ doc=_(u'Raw DS records'),
+ ),
+ parameters.Int(
+ 'ds_part_key_tag',
+ required=False,
+ cli_name='ds_key_tag',
+ option_group=u'DS Record',
+ label=_(u'DS Key Tag'),
+ doc=_(u'Key Tag'),
+ ),
+ parameters.Int(
+ 'ds_part_algorithm',
+ required=False,
+ cli_name='ds_algorithm',
+ option_group=u'DS Record',
+ label=_(u'DS Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'ds_part_digest_type',
+ required=False,
+ cli_name='ds_digest_type',
+ option_group=u'DS Record',
+ label=_(u'DS Digest Type'),
+ doc=_(u'Digest Type'),
+ ),
+ parameters.Str(
+ 'ds_part_digest',
+ required=False,
+ cli_name='ds_digest',
+ option_group=u'DS Record',
+ label=_(u'DS Digest'),
+ doc=_(u'Digest'),
+ ),
+ parameters.Str(
+ 'hiprecord',
+ required=False,
+ multivalue=True,
+ cli_name='hip_rec',
+ option_group=u'HIP Record',
+ label=_(u'HIP record'),
+ doc=_(u'Raw HIP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipseckeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ipseckey_rec',
+ option_group=u'IPSECKEY Record',
+ label=_(u'IPSECKEY record'),
+ doc=_(u'Raw IPSECKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'keyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='key_rec',
+ option_group=u'KEY Record',
+ label=_(u'KEY record'),
+ doc=_(u'Raw KEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'kxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='kx_rec',
+ option_group=u'KX Record',
+ label=_(u'KX record'),
+ doc=_(u'Raw KX records'),
+ ),
+ parameters.Int(
+ 'kx_part_preference',
+ required=False,
+ cli_name='kx_preference',
+ option_group=u'KX Record',
+ label=_(u'KX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'kx_part_exchanger',
+ required=False,
+ cli_name='kx_exchanger',
+ option_group=u'KX Record',
+ label=_(u'KX Exchanger'),
+ doc=_(u'A host willing to act as a key exchanger'),
+ ),
+ parameters.Str(
+ 'locrecord',
+ required=False,
+ multivalue=True,
+ cli_name='loc_rec',
+ option_group=u'LOC Record',
+ label=_(u'LOC record'),
+ doc=_(u'Raw LOC records'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_deg',
+ required=False,
+ cli_name='loc_lat_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Latitude'),
+ doc=_(u'Degrees Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lat_min',
+ required=False,
+ cli_name='loc_lat_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Latitude'),
+ doc=_(u'Minutes Latitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lat_sec',
+ required=False,
+ cli_name='loc_lat_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Latitude'),
+ doc=_(u'Seconds Latitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lat_dir',
+ required=False,
+ cli_name='loc_lat_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['N', 'S']",
+ label=_(u'LOC Direction Latitude'),
+ doc=_(u'Direction Latitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_deg',
+ required=False,
+ cli_name='loc_lon_deg',
+ option_group=u'LOC Record',
+ label=_(u'LOC Degrees Longitude'),
+ doc=_(u'Degrees Longitude'),
+ ),
+ parameters.Int(
+ 'loc_part_lon_min',
+ required=False,
+ cli_name='loc_lon_min',
+ option_group=u'LOC Record',
+ label=_(u'LOC Minutes Longitude'),
+ doc=_(u'Minutes Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_lon_sec',
+ required=False,
+ cli_name='loc_lon_sec',
+ option_group=u'LOC Record',
+ label=_(u'LOC Seconds Longitude'),
+ doc=_(u'Seconds Longitude'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'loc_part_lon_dir',
+ required=False,
+ cli_name='loc_lon_dir',
+ option_group=u'LOC Record',
+ cli_metavar="['E', 'W']",
+ label=_(u'LOC Direction Longitude'),
+ doc=_(u'Direction Longitude'),
+ ),
+ parameters.Decimal(
+ 'loc_part_altitude',
+ required=False,
+ cli_name='loc_altitude',
+ option_group=u'LOC Record',
+ label=_(u'LOC Altitude'),
+ doc=_(u'Altitude'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_size',
+ required=False,
+ cli_name='loc_size',
+ option_group=u'LOC Record',
+ label=_(u'LOC Size'),
+ doc=_(u'Size'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_h_precision',
+ required=False,
+ cli_name='loc_h_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Horizontal Precision'),
+ doc=_(u'Horizontal Precision'),
+ no_convert=True,
+ ),
+ parameters.Decimal(
+ 'loc_part_v_precision',
+ required=False,
+ cli_name='loc_v_precision',
+ option_group=u'LOC Record',
+ label=_(u'LOC Vertical Precision'),
+ doc=_(u'Vertical Precision'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'mxrecord',
+ required=False,
+ multivalue=True,
+ cli_name='mx_rec',
+ option_group=u'MX Record',
+ label=_(u'MX record'),
+ doc=_(u'Raw MX records'),
+ ),
+ parameters.Int(
+ 'mx_part_preference',
+ required=False,
+ cli_name='mx_preference',
+ option_group=u'MX Record',
+ label=_(u'MX Preference'),
+ doc=_(u'Preference given to this exchanger. Lower values are more preferred'),
+ ),
+ parameters.DNSNameParam(
+ 'mx_part_exchanger',
+ required=False,
+ cli_name='mx_exchanger',
+ option_group=u'MX Record',
+ label=_(u'MX Exchanger'),
+ doc=_(u'A host willing to act as a mail exchanger'),
+ ),
+ parameters.Str(
+ 'naptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='naptr_rec',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR record'),
+ doc=_(u'Raw NAPTR records'),
+ ),
+ parameters.Int(
+ 'naptr_part_order',
+ required=False,
+ cli_name='naptr_order',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Order'),
+ doc=_(u'Order'),
+ ),
+ parameters.Int(
+ 'naptr_part_preference',
+ required=False,
+ cli_name='naptr_preference',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Preference'),
+ doc=_(u'Preference'),
+ ),
+ parameters.Str(
+ 'naptr_part_flags',
+ required=False,
+ cli_name='naptr_flags',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Flags'),
+ doc=_(u'Flags'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'naptr_part_service',
+ required=False,
+ cli_name='naptr_service',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Service'),
+ doc=_(u'Service'),
+ ),
+ parameters.Str(
+ 'naptr_part_regexp',
+ required=False,
+ cli_name='naptr_regexp',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Regular Expression'),
+ doc=_(u'Regular Expression'),
+ ),
+ parameters.Str(
+ 'naptr_part_replacement',
+ required=False,
+ cli_name='naptr_replacement',
+ option_group=u'NAPTR Record',
+ label=_(u'NAPTR Replacement'),
+ doc=_(u'Replacement'),
+ ),
+ parameters.Str(
+ 'nsrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ns_rec',
+ option_group=u'NS Record',
+ label=_(u'NS record'),
+ doc=_(u'Raw NS records'),
+ ),
+ parameters.DNSNameParam(
+ 'ns_part_hostname',
+ required=False,
+ cli_name='ns_hostname',
+ option_group=u'NS Record',
+ label=_(u'NS Hostname'),
+ doc=_(u'Hostname'),
+ ),
+ parameters.Str(
+ 'nsecrecord',
+ required=False,
+ multivalue=True,
+ cli_name='nsec_rec',
+ option_group=u'NSEC Record',
+ label=_(u'NSEC record'),
+ doc=_(u'Raw NSEC records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'nsec3record',
+ required=False,
+ multivalue=True,
+ cli_name='nsec3_rec',
+ option_group=u'NSEC3 Record',
+ label=_(u'NSEC3 record'),
+ doc=_(u'Raw NSEC3 records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ptrrecord',
+ required=False,
+ multivalue=True,
+ cli_name='ptr_rec',
+ option_group=u'PTR Record',
+ label=_(u'PTR record'),
+ doc=_(u'Raw PTR records'),
+ ),
+ parameters.DNSNameParam(
+ 'ptr_part_hostname',
+ required=False,
+ cli_name='ptr_hostname',
+ option_group=u'PTR Record',
+ label=_(u'PTR Hostname'),
+ doc=_(u'The hostname this reverse record points to'),
+ ),
+ parameters.Str(
+ 'rrsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='rrsig_rec',
+ option_group=u'RRSIG Record',
+ label=_(u'RRSIG record'),
+ doc=_(u'Raw RRSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'rprecord',
+ required=False,
+ multivalue=True,
+ cli_name='rp_rec',
+ option_group=u'RP Record',
+ label=_(u'RP record'),
+ doc=_(u'Raw RP records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'sigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='sig_rec',
+ option_group=u'SIG Record',
+ label=_(u'SIG record'),
+ doc=_(u'Raw SIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'spfrecord',
+ required=False,
+ multivalue=True,
+ cli_name='spf_rec',
+ option_group=u'SPF Record',
+ label=_(u'SPF record'),
+ doc=_(u'Raw SPF records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'srvrecord',
+ required=False,
+ multivalue=True,
+ cli_name='srv_rec',
+ option_group=u'SRV Record',
+ label=_(u'SRV record'),
+ doc=_(u'Raw SRV records'),
+ ),
+ parameters.Int(
+ 'srv_part_priority',
+ required=False,
+ cli_name='srv_priority',
+ option_group=u'SRV Record',
+ label=_(u'SRV Priority'),
+ doc=_(u'Priority'),
+ ),
+ parameters.Int(
+ 'srv_part_weight',
+ required=False,
+ cli_name='srv_weight',
+ option_group=u'SRV Record',
+ label=_(u'SRV Weight'),
+ doc=_(u'Weight'),
+ ),
+ parameters.Int(
+ 'srv_part_port',
+ required=False,
+ cli_name='srv_port',
+ option_group=u'SRV Record',
+ label=_(u'SRV Port'),
+ doc=_(u'Port'),
+ ),
+ parameters.DNSNameParam(
+ 'srv_part_target',
+ required=False,
+ cli_name='srv_target',
+ option_group=u'SRV Record',
+ label=_(u'SRV Target'),
+ doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"),
+ ),
+ parameters.Str(
+ 'sshfprecord',
+ required=False,
+ multivalue=True,
+ cli_name='sshfp_rec',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP record'),
+ doc=_(u'Raw SSHFP records'),
+ ),
+ parameters.Int(
+ 'sshfp_part_algorithm',
+ required=False,
+ cli_name='sshfp_algorithm',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Algorithm'),
+ doc=_(u'Algorithm'),
+ ),
+ parameters.Int(
+ 'sshfp_part_fp_type',
+ required=False,
+ cli_name='sshfp_fp_type',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint Type'),
+ doc=_(u'Fingerprint Type'),
+ ),
+ parameters.Str(
+ 'sshfp_part_fingerprint',
+ required=False,
+ cli_name='sshfp_fingerprint',
+ option_group=u'SSHFP Record',
+ label=_(u'SSHFP Fingerprint'),
+ doc=_(u'Fingerprint'),
+ ),
+ parameters.Str(
+ 'tarecord',
+ required=False,
+ multivalue=True,
+ cli_name='ta_rec',
+ option_group=u'TA Record',
+ label=_(u'TA record'),
+ doc=_(u'Raw TA records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tlsarecord',
+ required=False,
+ multivalue=True,
+ cli_name='tlsa_rec',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA record'),
+ doc=_(u'Raw TLSA records'),
+ ),
+ parameters.Int(
+ 'tlsa_part_cert_usage',
+ required=False,
+ cli_name='tlsa_cert_usage',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Usage'),
+ doc=_(u'Certificate Usage'),
+ ),
+ parameters.Int(
+ 'tlsa_part_selector',
+ required=False,
+ cli_name='tlsa_selector',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Selector'),
+ doc=_(u'Selector'),
+ ),
+ parameters.Int(
+ 'tlsa_part_matching_type',
+ required=False,
+ cli_name='tlsa_matching_type',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Matching Type'),
+ doc=_(u'Matching Type'),
+ ),
+ parameters.Str(
+ 'tlsa_part_cert_association_data',
+ required=False,
+ cli_name='tlsa_cert_association_data',
+ option_group=u'TLSA Record',
+ label=_(u'TLSA Certificate Association Data'),
+ doc=_(u'Certificate Association Data'),
+ ),
+ parameters.Str(
+ 'tkeyrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tkey_rec',
+ option_group=u'TKEY Record',
+ label=_(u'TKEY record'),
+ doc=_(u'Raw TKEY records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'tsigrecord',
+ required=False,
+ multivalue=True,
+ cli_name='tsig_rec',
+ option_group=u'TSIG Record',
+ label=_(u'TSIG record'),
+ doc=_(u'Raw TSIG records'),
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'txtrecord',
+ required=False,
+ multivalue=True,
+ cli_name='txt_rec',
+ option_group=u'TXT Record',
+ label=_(u'TXT record'),
+ doc=_(u'Raw TXT records'),
+ ),
+ parameters.Str(
+ 'txt_part_data',
+ required=False,
+ cli_name='txt_data',
+ option_group=u'TXT Record',
+ label=_(u'TXT Text Data'),
+ doc=_(u'Text Data'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.DNSNameParam(
+ 'rename',
+ required=False,
+ label=_(u'Rename'),
+ doc=_(u'Rename the DNS resource record object'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnsrecord_show(Method):
+ __doc__ = _("Display DNS resource.")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'dnszoneidnsname',
+ cli_name='dnszone',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Record name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'structured',
+ label=_(u'Structured'),
+ doc=_(u'Parse all raw DNS records and return them in a structured way'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class dnszone_add(Method):
+ __doc__ = _("Create new DNS zone (SOA record).")
+
+ takes_args = (
+ parameters.DNSNameParam(
+ 'idnsname',
+ cli_name='name',
+ label=_(u'Zone name'),
+ doc=_(u'Zone name (FQDN)'),
+ default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'),
+ # FIXME:
+ # lambda name_from_ip: _reverse_zone_name(name_from_ip)
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'name_from_ip',
+ required=False,
+ label=_(u'Reverse zone IP network'),
+ doc=_(u'IP network to create reverse zone name from'),
+ ),
+ parameters.Str(
+ 'idnsforwarders',
+ required=False,
+ multivalue=True,
+ cli_name='forwarder',
+ label=_(u'Zone forwarders'),
+ doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'),
+ ),
+ parameters.Str(
+ 'idnsforwardpolicy',
+ required=False,
+ cli_name='forward_policy',
+ cli_metavar="['only', 'first', 'none']",
+ label=_(u'Forward policy'),
+ doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + autofill=True, + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + autofill=True, + ), + parameters.Int( + 'idnssoarefresh', + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + autofill=True, + ), + parameters.Int( + 'idnssoaretry', + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + autofill=True, + ), + parameters.Int( + 'idnssoaexpire', + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + autofill=True, + ), + parameters.Int( + 'idnssoaminimum', + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + autofill=True, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + autofill=True, + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + autofill=True, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + autofill=True, + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add_permission(Method): + __doc__ = _("Add a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_del(Method): + __doc__ = _("Delete DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnszone_disable(Method): + __doc__ = _("Disable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), 
+ ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_enable(Method): + __doc__ = _("Enable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_find(Method): + __doc__ = _("Search for DNS zones (SOA records).") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'forward_only', + label=_(u'Forward zones only'), + doc=_(u'Search for forward zones only'), + default=False, + autofill=True, + ), + 
parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnszone_mod(Method): + __doc__ = _("Modify DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. 
Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. 
+ # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + 
required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force nameserver change even if nameserver not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_remove_permission(Method): + __doc__ = _("Remove a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_show(Method): + __doc__ = _("Display information about a DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/group.py b/ipaclient/remote_plugins/2_114/group.py new file mode 100644 index 000000000..86d8f7d4a --- /dev/null +++ b/ipaclient/remote_plugins/2_114/group.py 
@@ -0,0 +1,912 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of users + +Manage groups of users. By default, new groups are POSIX groups. You +can add the --nonposix option to the group-add command to mark a new group +as non-POSIX. You can use the --posix argument with the group-mod command +to convert a non-POSIX group into a POSIX group. POSIX groups cannot be +converted to non-POSIX groups. + +Every group must have a description. + +POSIX groups must have a Group ID (GID) number. Changing a GID is +supported but can have an impact on your file permissions. It is not necessary +to supply a GID when creating a group. IPA will generate one automatically +if it is not provided. 
+ +EXAMPLES: + + Add a new group: + ipa group-add --desc='local administrators' localadmins + + Add a new non-POSIX group: + ipa group-add --nonposix --desc='remote administrators' remoteadmins + + Convert a non-POSIX group to posix: + ipa group-mod --posix remoteadmins + + Add a new POSIX group with a specific Group ID number: + ipa group-add --gid=500 --desc='unix admins' unixadmins + + Add a new POSIX group and let IPA assign a Group ID number: + ipa group-add --desc='printer admins' printeradmins + + Remove a group: + ipa group-del unixadmins + + To add the "remoteadmins" group to the "localadmins" group: + ipa group-add-member --groups=remoteadmins localadmins + + Add multiple users to the "localadmins" group: + ipa group-add-member --users=test1 --users=test2 localadmins + + Remove a user from the "localadmins" group: + ipa group-remove-member --users=test2 localadmins + + Display information about a named group. + ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. 
Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external +""") + +register = Registry() + + +@register() +class group(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Group name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_user', + required=False, + label=_(u'Indirect Member users'), + ), + parameters.Str( + 'memberindirect_group', + required=False, + label=_(u'Indirect Member groups'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + 
parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class group_add(Method): + __doc__ = _("Create a new group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'nonposix', + doc=_(u'Create as a non-POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'Allow adding external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_add_member(Method): + __doc__ = _("Add members to a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class group_del(Method): + __doc__ = _("Delete group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class group_detach(Method): + __doc__ = _("Detach a managed group from a user.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_find(Method): + __doc__ = _("Search for groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + doc=_(u'search for private groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'search for POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'search for groups with support of external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'nonposix', + doc=_(u'search for non-POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for groups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for groups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for groups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member groups.'), + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for groups with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + 
label=_(u'role'), + doc=_(u'Search for groups with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for groups without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class group_mod(Method): + __doc__ = _("Modify a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'change to a POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'change to support external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the group object'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_remove_member(Method): + __doc__ = _("Remove members from a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class group_show(Method): + __doc__ = _("Display information about a named group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/hbacrule.py b/ipaclient/remote_plugins/2_114/hbacrule.py new file mode 100644 index 000000000..443e5ba9b --- /dev/null +++ b/ipaclient/remote_plugins/2_114/hbacrule.py 
@@ -0,0 +1,1305 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Host-based access control + +Control who can access what services on what hosts. You +can use HBAC to control which users or groups can +access a service, or group of services, on a target host. + +You can also specify a category of users and target hosts. +This is currently limited to "all", but might be expanded in the +future. + +Target hosts in HBAC rules must be hosts managed by IPA. + +The available services and groups of services are controlled by the +hbacsvc and hbacsvcgroup plug-ins respectively. + +EXAMPLES: + + Create a rule, "test1", that grants all users access to the host "server" from + anywhere: + ipa hbacrule-add --usercat=all test1 + ipa hbacrule-add-host --hosts=server.example.com test1 + + Display the properties of a named HBAC rule: + ipa hbacrule-show test1 + + Create a rule for a specific service. This lets the user john access + the sshd service on any machine from any machine: + ipa hbacrule-add --hostcat=all john_sshd + ipa hbacrule-add-user --users=john john_sshd + ipa hbacrule-add-service --hbacsvcs=sshd john_sshd + + Create a rule for a new service group. 
This lets the user john access + the FTP service on any machine from any machine: + ipa hbacsvcgroup-add ftpers + ipa hbacsvc-add sftp + ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers + ipa hbacrule-add --hostcat=all john_ftp + ipa hbacrule-add-user --users=john john_ftp + ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp + + Disable a named HBAC rule: + ipa hbacrule-disable test1 + + Remove a named HBAC rule: + ipa hbacrule-del allow_server +""") + +register = Registry() + + +@register() +class hbacrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + ), + parameters.Str( + 'memberservice_hbacsvc', + required=False, + label=_(u'Services'), + ), + 
parameters.Str( + 'memberservice_hbacsvcgroup', + required=False, + label=_(u'Service Groups'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class hbacrule_add(Method): + __doc__ = _("Create a new HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + autofill=True, + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_service(Method): + __doc__ = _("Add services to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to add'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'HBAC service groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_sourcehost(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_user(Method): + __doc__ = _("Add users and groups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_del(Method): + __doc__ = _("Delete an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacrule_disable(Method): + __doc__ = _("Disable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_enable(Method): + __doc__ = _("Enable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_find(Method): + __doc__ = _("Search for HBAC rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), 
+ exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacrule_mod(Method): + __doc__ = _("Modify an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + 
cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_host(Method):
+ __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_service(Method):
+ __doc__ = _("Remove service and service groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hbacsvcgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcgroups',
+ label=_(u'member HBAC service group'),
+ doc=_(u'HBAC service groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_sourcehost(Method):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_remove_user(Method):
+ __doc__ = _("Remove users and groups from an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'user',
+ required=False,
+ multivalue=True,
+ cli_name='users',
+ label=_(u'member user'),
+ doc=_(u'users to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'group',
+ required=False,
+ multivalue=True,
+ cli_name='groups',
+ label=_(u'member group'),
+ doc=_(u'groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacrule_show(Method):
+ __doc__ = _("Display the properties of an HBAC rule.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Rule name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/hbacsvc.py b/ipaclient/remote_plugins/2_114/hbacsvc.py
new file mode 100644
index 000000000..ab53d6b3a
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbacsvc.py
@@ -0,0 +1,413 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Services
+
+The PAM services that HBAC can control access to. The name used here
+must match the service name that PAM is evaluating.
+
+EXAMPLES:
+
+ Add a new HBAC service:
+ ipa hbacsvc-add tftp
+
+ Modify an existing HBAC service:
+ ipa hbacsvc-mod --desc="TFTP service" tftp
+
+ Search for HBAC services. This example will return two results, the FTP
+ service and the newly-added tftp service:
+ ipa hbacsvc-find ftp
+
+ Delete an HBAC service:
+ ipa hbacsvc-del tftp
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvc(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'memberof_hbacsvcgroup',
+ required=False,
+ label=_(u'Member of HBAC service groups'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_add(Method):
+ __doc__ = _("Add a new HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_del(Method):
+ __doc__ = _("Delete an existing HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvc_find(Method):
+ __doc__ = _("Search for HBAC services.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("service")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvc_mod(Method):
+ __doc__ = _("Modify an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvc_show(Method):
+ __doc__ = _("Display information about an HBAC service.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='service',
+ label=_(u'Service name'),
+ doc=_(u'HBAC service'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/hbacsvcgroup.py b/ipaclient/remote_plugins/2_114/hbacsvcgroup.py
new file mode 100644
index 000000000..ef987e9fa
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbacsvcgroup.py
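Review bot: Nothing in the header of hbacsvc.py says that this file is a frozen copy of the interface a server at API version 2.114 exposes rather than code to be maintained by hand; the only hints are the `2_114` directory in the path and the `# pylint: disable=unused-import` over the template imports (`api`, `DefaultFrom`, `DN`, `DNSName`, `Command` are all unused here). A maintainer who later "corrects" a parameter in this copy (for example giving `memberof_hbacsvcgroup` in `hbacsvc` a `multivalue=True`) would silently make the client disagree with what a 2.114 server actually validates and returns, which matters for an access-control object like this one. I would add, directly under the copyright block, a comment such as `# Snapshot of the server-side plugin interface for API version 2.114 (servers without schema support). Do not edit by hand; re-capture from a server of that version instead.` The same note presumably belongs in every sibling file under `remote_plugins/2_114/`.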
@@ -0,0 +1,528 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+HBAC Service Groups
+
+HBAC service groups can contain any number of individual services,
+or "members". Every group must have a description.
+
+EXAMPLES:
+
+ Add a new HBAC service group:
+ ipa hbacsvcgroup-add --desc="login services" login
+
+ Add members to an HBAC service group:
+ ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login
+
+ Display information about a named group:
+ ipa hbacsvcgroup-show login
+
+ Delete an HBAC service group:
+ ipa hbacsvcgroup-del login
+""")
+
+register = Registry()
+
+
+@register()
+class hbacsvcgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Service group name'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'member_hbacsvc',
+ required=False,
+ label=_(u'Member HBAC service'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add(Method):
+ __doc__ = _("Add a new HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_add_member(Method):
+ __doc__ = _("Add members to an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_del(Method):
+ __doc__ = _("Delete an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_find(Method):
+ __doc__ = _("Search for an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int( 
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_mod(Method):
+ __doc__ = _("Modify an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'HBAC service group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_remove_member(Method):
+ __doc__ = _("Remove members from an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'hbacsvc',
+ required=False,
+ multivalue=True,
+ cli_name='hbacsvcs',
+ label=_(u'member HBAC service'),
+ doc=_(u'HBAC services to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hbacsvcgroup_show(Method):
+ __doc__ = _("Display information about an HBAC service group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Service group name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
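Review bot: The module docstring of hbacsvcgroup.py states `Every group must have a description.`, but `hbacsvcgroup_add` in the same hunk declares `description` with `required=False`, so the prose and the parameter contract disagree, and an operator reading the help would expect the server to reject a description-less group that it will in fact accept. Since this file mirrors the 2.114 server definitions (the `2_114` path), the wording presumably comes from the server-side plugin's docstring rather than from this commit, and correcting it only here would make the bundled copy diverge from what that server reports. I would leave the snapshot verbatim and change the sentence in the server plugin, for example to `A description is optional but recommended.`, so the fix propagates whenever these copies are refreshed; if the copies are never regenerated, a one-line comment above `__doc__` noting the known discrepancy would suffice.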
diff --git a/ipaclient/remote_plugins/2_114/hbactest.py b/ipaclient/remote_plugins/2_114/hbactest.py
new file mode 100644
index 000000000..b0c49b71b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hbactest.py
@@ -0,0 +1,284 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Simulate use of Host-based access controls
+
+HBAC rules control who can access what services on what hosts.
+You can use HBAC to control which users or groups can access a service,
+or group of services, on a target host.
+
+Since applying HBAC rules implies use of a production environment,
+this plugin aims to provide simulation of HBAC rules evaluation without
+having access to the production environment.
+
+ Test user coming to a service on a named host against
+ existing enabled rules.
+
+ ipa hbactest --user= --host= --service=
+ [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
+ [--sizelimit= ]
+
+ --user, --host, and --service are mandatory, others are optional.
+
+ If --rules is specified simulate enabling of the specified rules and test
+ the login of the user using only these rules.
+
+ If --enabled is specified, all enabled HBAC rules will be added to simulation
+
+ If --disabled is specified, all disabled HBAC rules will be added to simulation
+
+ If --nodetail is specified, do not return information about rules matched/not matched.
+
+ If both --rules and --enabled are specified, apply simulation to --rules _and_
+ all IPA enabled rules.
+
+ If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
+
+EXAMPLES:
+
+ 1. 
Use all enabled HBAC rules in IPA database to simulate:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 2. Disable detailed summary of how rules were applied:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
+ --------------------
+ Access granted: True
+ --------------------
+
+ 3. Test explicitly specified HBAC rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: myrule
+
+ 4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --enabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Matched rules: allow_all
+
+ 5. Test all disabled HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: new-rule
+
+ 6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --rules=myrule --rules=my-second-rule --disabled
+ ---------------------
+ Access granted: False
+ ---------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+
+ 7. 
Test all (enabled and disabled) HBAC rules in IPA database:
+ $ ipa hbactest --user=a1a --host=bar --service=sshd \
+ --enabled --disabled
+ --------------------
+ Access granted: True
+ --------------------
+ Not matched rules: my-second-rule
+ Not matched rules: my-third-rule
+ Not matched rules: myrule
+ Not matched rules: new-rule
+ Matched rules: allow_all
+
+
+HBACTEST AND TRUSTED DOMAINS
+
+When an external trusted domain is configured in IPA, HBAC rules are also applied
+on users accessing IPA resources from the trusted domain. Trusted domain users and
+groups (and their SIDs) can be then assigned to external groups which can be
+members of POSIX groups in IPA which can be used in HBAC rules and thus allowing
+access to resources protected by the HBAC system.
+
+hbactest plugin is capable of testing access for both local IPA users and users
+from the trusted domains, either by a fully qualified user name or by user SID.
+Such user names need to have a trusted domain specified as a short name
+(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test.
+
+Please note that hbactest executed with a trusted domain user as --user parameter
+can be only run by members of "trust admins" group.
+
+EXAMPLES:
+
+ 1. Test if a user from a trusted domain specified by its shortname matches any
+ rule:
+
+ $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 2. Test if a user from a trusted domain specified by its domain name matches
+ any rule:
+
+ $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd
+ --------------------
+ Access granted: True
+ --------------------
+ Matched rules: allow_all
+ Matched rules: can_login
+
+ 3. 
Test if a user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 4. Test if other user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login + + 5. Test if other user from a trusted domain specified by its shortname matches + any rule: + + $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. 
If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + (list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/host.py b/ipaclient/remote_plugins/2_114/host.py new file mode 100644 index 000000000..527e75be3 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/host.py 
@@ -0,0 +1,1556 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Hosts/Machines + +A host represents a machine. It can be used in a number of contexts: +- service entries are associated with a host +- a host stores the host/ service principal +- a host can be used in Host-based Access Control (HBAC) rules +- every enrolled client generates a host entry + +ENROLLMENT: + +There are three enrollment scenarios when enrolling a new client: + +1. You are enrolling as a full administrator. The host entry may exist + or not. A full administrator is a member of the hostadmin role + or the admins group. +2. You are enrolling as a limited administrator. The host must already + exist. A limited administrator is a member a role with the + Host Enrollment privilege. +3. The host has been created with a one-time password. + +RE-ENROLLMENT: + +Host that has been enrolled at some point, and lost its configuration (e.g. VM +destroyed) can be re-enrolled. + +For more information, consult the manual pages for ipa-client-install. + +A host can optionally store information such as where it is located, +the OS that it runs, etc. 
+ +EXAMPLES: + + Add a new host: + ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com + + Delete a host: + ipa host-del test.example.com + + Add a new host with a one-time password: + ipa host-add --os='Fedora 12' --password=Secret123 test.example.com + + Add a new host with a random one-time password: + ipa host-add --os='Fedora 12' --random test.example.com + + Modify information about a host: + ipa host-mod --os='Fedora 12' test.example.com + + Remove SSH public keys of a host and update DNS to reflect this change: + ipa host-mod --sshpubkey= --updatedns test.example.com + + Disable the host Kerberos key, SSL certificate and all of its services: + ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test + + Allow user to create a keytab: + ipa host-allow-create-keytab test2 --users=tuser1 +""") + +register = Registry() + + +@register() +class host(Object): + takes_params = ( + parameters.Str( + 'fqdn', + primary_key=True, + label=_(u'Host name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Principal name'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + 
label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'managing_host', + label=_(u'Managing'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class host_add(Method): + __doc__ = _("Add a new host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + 
cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), 
+ doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force host name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_reverse', + doc=_(u'skip reverse DNS detection'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + label=_(u'IP Address'), + doc=_(u'Add the host to DNS with this IP address'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class host_add_managedby(Method): + __doc__ = _("Add hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_del(Method): + __doc__ = _("Delete a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + multivalue=True, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Remove entries from DNS'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class host_disable(Method): + __doc__ = _("Disable the Kerberos key, 
SSL certificate and all services of a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_find(Method): + __doc__ = _("Search for hosts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'fqdn', + required=False, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. 
"Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostname")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for hosts with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for hosts without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts without these member of HBAC rules.'), + ), 
+ parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts without these member of sudo rules.'), + ), + parameters.Str( + 'enroll_by_user', + required=False, + multivalue=True, + cli_name='enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts with these enrolled by users.'), + ), + parameters.Str( + 'not_enroll_by_user', + required=False, + multivalue=True, + cli_name='not_enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts without these enrolled by users.'), + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managed by hosts.'), + ), + parameters.Str( + 'man_host', + required=False, + multivalue=True, + cli_name='man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managing hosts.'), + ), + parameters.Str( + 'not_man_host', + required=False, + multivalue=True, + cli_name='not_man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managing hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class host_mod(Method): + __doc__ = _("Modify information about a host.") + + takes_args = ( + 
parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID 
View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principalname', + label=_(u'Principal name'), + doc=_(u'Kerberos principal name for this host'), + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Update DNS entries'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class host_remove_managedby(Method):
+ __doc__ = _("Remove hosts that can manage this host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class host_show(Method):
+ __doc__ = _("Display information about a host.")
+
+ takes_args = (
+ parameters.Str(
+ 'fqdn',
+ cli_name='hostname',
+ label=_(u'Host name'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'out',
+ required=False,
+ doc=_(u'file to store certificate in'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/hostgroup.py b/ipaclient/remote_plugins/2_114/hostgroup.py
new file mode 100644
index 000000000..3b39849f9
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/hostgroup.py
@@ -0,0 +1,709 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of hosts.
+
+Manage groups of hosts. This is useful for applying access control to a
+number of hosts by using Host-based Access Control.
+
+EXAMPLES:
+
+ Add a new host group:
+ ipa hostgroup-add --desc="Baltimore hosts" baltimore
+
+ Add another new host group:
+ ipa hostgroup-add --desc="Maryland hosts" maryland
+
+ Add members to the hostgroup (using Bash brace expansion):
+ ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore
+
+ Add a hostgroup as a member of another hostgroup:
+ ipa hostgroup-add-member --hostgroups=baltimore maryland
+
+ Remove a host from the hostgroup:
+ ipa hostgroup-remove-member --hosts=box2 baltimore
+
+ Display a host group:
+ ipa hostgroup-show baltimore
+
+ Delete a hostgroup:
+ ipa hostgroup-del baltimore
+""")
+
+register = Registry()
+
+
+@register()
+class hostgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'member_host',
+ required=False,
+ label=_(u'Member hosts'),
+ ),
+ parameters.Str(
+ 'member_hostgroup',
+ required=False,
+ label=_(u'Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_hostgroup',
+ required=False,
+ label=_(u'Member of host-groups'),
+ ),
+ parameters.Str(
+ 'memberof_netgroup',
+ required=False,
+ label=_(u'Member of netgroups'),
+ ),
+ parameters.Str(
+ 'memberof_sudorule',
+ required=False,
+ 
label=_(u'Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberof_hbacrule',
+ required=False,
+ label=_(u'Member of HBAC rule'),
+ ),
+ parameters.Str(
+ 'memberindirect_host',
+ required=False,
+ label=_(u'Indirect Member hosts'),
+ ),
+ parameters.Str(
+ 'memberindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member host-groups'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hostgroup',
+ required=False,
+ label=_(u'Indirect Member of host-group'),
+ ),
+ parameters.Str(
+ 'memberofindirect_sudorule',
+ required=False,
+ label=_(u'Indirect Member of Sudo rule'),
+ ),
+ parameters.Str(
+ 'memberofindirect_hbacrule',
+ required=False,
+ label=_(u'Indirect Member of HBAC rule'),
+ ),
+ )
+
+
+@register()
+class hostgroup_add(Method):
+ __doc__ = _("Add a new hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_add_member(Method):
+ __doc__ = _("Add members to a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to add'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class hostgroup_del(Method):
+ __doc__ = _("Delete a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class hostgroup_find(Method):
+ __doc__ = _("Search for hostgroups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ 
label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups with these member hosts.'),
+ ),
+ parameters.Str(
+ 'no_host',
+ required=False,
+ multivalue=True,
+ cli_name='no_hosts',
+ label=_(u'host'),
+ doc=_(u'Search for host groups without these member hosts.'),
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member host groups.'),
+ ),
+ parameters.Str(
+ 'no_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='no_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member host groups.'),
+ ),
+ parameters.Str(
+ 'in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups with these member of host groups.'),
+ ),
+ 
parameters.Str(
+ 'not_in_hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hostgroups',
+ label=_(u'host group'),
+ doc=_(u'Search for host groups without these member of host groups.'),
+ ),
+ parameters.Str(
+ 'in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups with these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'not_in_netgroup',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_netgroups',
+ label=_(u'netgroup'),
+ doc=_(u'Search for host groups without these member of netgroups.'),
+ ),
+ parameters.Str(
+ 'in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups with these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'not_in_hbacrule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_hbacrules',
+ label=_(u'HBAC rule'),
+ doc=_(u'Search for host groups without these member of HBAC rules.'),
+ ),
+ parameters.Str(
+ 'in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups with these member of sudo rules.'),
+ ),
+ parameters.Str(
+ 'not_in_sudorule',
+ required=False,
+ multivalue=True,
+ cli_name='not_in_sudorules',
+ label=_(u'sudo rule'),
+ doc=_(u'Search for host groups without these member of sudo rules.'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class hostgroup_mod(Method):
+ __doc__ = _("Modify a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of 
host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this host-group'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class hostgroup_remove_member(Method):
+ __doc__ = _("Remove members from a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'host',
+ required=False,
+ multivalue=True,
+ cli_name='hosts',
+ label=_(u'member host'),
+ doc=_(u'hosts to remove'),
+ alwaysask=True,
+ ),
+ parameters.Str(
+ 'hostgroup',
+ required=False,
+ multivalue=True,
+ cli_name='hostgroups',
+ label=_(u'member host group'),
+ doc=_(u'host groups to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class hostgroup_show(Method):
+ __doc__ = _("Display information about a hostgroup.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostgroup_name',
+ label=_(u'Host-group'),
+ doc=_(u'Name of host-group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/idrange.py b/ipaclient/remote_plugins/2_114/idrange.py
new file mode 100644
index 000000000..2de06871b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/idrange.py
@@ -0,0 +1,620 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+ID ranges
+
+Manage ID ranges used to map Posix IDs to SIDs and back.
+
+There are two type of ID ranges which are both handled by this utility:
+
+ - the ID ranges of the local domain
+ - the ID ranges of trusted remote domains
+
+Both types have the following attributes in common:
+
+ - base-id: the first ID of the Posix ID range
+ - range-size: the size of the range
+
+With those two attributes a range object can reserve the Posix IDs starting
+with base-id up to but not including base-id+range-size exclusively.
+
+Additionally an ID range of the local domain may set
+ - rid-base: the first RID(*) of the corresponding RID range
+ - secondary-rid-base: first RID of the secondary RID range
+
+and an ID range of a trusted domain must set
+ - rid-base: the first RID of the corresponding RID range
+ - sid: domain SID of the trusted domain
+
+
+
+EXAMPLE: Add a new ID range for a trusted domain
+
+Since there might be more than one trusted domain the domain SID must be given
+while creating the ID range.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \
+ --dom-sid=S-1-5-21-123-456-789 trusted_dom_range
+
+This ID range is then used by the IPA server and the SSSD IPA provider to
+assign Posix UIDs to users from the trusted domain.
+
+If e.g a range for a trusted domain is configured with the following values:
+ base-id = 1200000
+ range-size = 200000
+ rid-base = 0
+the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. 
So
+RID 1000 <-> Posix ID 1201000
+
+
+
+EXAMPLE: Add a new ID range for the local domain
+
+To create an ID range for the local domain it is not necessary to specify a
+domain SID. But since it is possible that a user and a group can have the same
+value as Posix ID a second RID interval is needed to handle conflicts.
+
+ ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \
+ --secondary-rid-base=1000000 local_range
+
+The data from the ID ranges of the local domain are used by the IPA server
+internally to assign SIDs to IPA users and groups. The SID will then be stored
+in the user or group objects.
+
+If e.g. the ID range for the local domain is configured with the values from
+the example above then a new user with the UID 1200007 will get the RID 1007.
+If this RID is already used by a group the RID will be 1000007. This can only
+happen if a user or a group object was created with a fixed ID because the
+automatic assignment will not assign the same ID twice. Since there are only
+users and groups sharing the same ID namespace it is sufficient to have only
+one fallback range to handle conflicts.
+
+To find the Posix ID for a given RID from the local domain it has to be
+checked first if the RID falls in the primary or secondary RID range and
+the rid-base or the secondary-rid-base has to be subtracted, respectively,
+and the base-id has to be added to get the Posix ID.
+
+Typically the creation of ID ranges happens behind the scenes and this CLI
+must not be used at all. The ID range for the local domain will be created
+during installation or upgrade from an older version. The ID range for a
+trusted domain will be created together with the trust by 'ipa trust-add ...'.
+
+USE CASES:
+
+ Add an ID range from a transitively trusted domain
+
+ If the trusted domain (A) trusts another domain (B) as well and this trust
+ is transitive 'ipa trust-add domain-A' will only create a range for
+ domain A. 
The ID range for domain B must be added manually.
+
+ Add an additional ID range for the local domain
+
+ If the ID range of the local domain is exhausted, i.e. no new IDs can be
+ assigned to Posix users or groups by the DNA plugin, a new range has to be
+ created to allow new users and groups to be added. (Currently there is no
+ connection between this range CLI and the DNA plugin, but a future version
+ might be able to modify the configuration of the DNS plugin as well)
+
+In general it is not necessary to modify or delete ID ranges. If there is no
+other way to achieve a certain configuration than to modify or delete an ID
+range it should be done with great care. Because UIDs are stored in the file
+system and are used for access control it might be possible that users are
+allowed to access files of other users if an ID range got deleted and reused
+for a different domain.
+
+(*) The RID is typically the last integer of a user or group SID which follows
+the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from
+this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the
+user. RIDs are unique in a domain, 32bit values and are used for users and
+groups.
+
+WARNING:
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for
+the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+modified to match the new range. 
+""")
+
+register = Registry()
+
+
+@register()
+class idrange(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ )
+
+
+@register()
+class idrange_add(Method):
+ __doc__ = _("""
+Add new ID range.
+
+ To add a new ID range you always have to specify
+
+ --base-id
+ --range-size
+
+ Additionally
+
+ --rid-base
+ --secondary-rid-base
+
+ may be given for a new ID range for the local domain while
+
+ --rid-base
+ --dom-sid
+
+ must be given to add a new range for a trusted AD domain.
+
+ WARNING:
+
+ DNA plugin in 389-ds will allocate IDs based on the ranges configured for the
+ local domain. Currently the DNA plugin *cannot* be reconfigured itself based
+ on the local ranges set via this family of commands.
+
+ Manual configuration change has to be done in the DNA plugin configuration for
+ the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix
+ IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be
+ modified to match the new range. 
+ """)
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted domain'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ cli_name='dom_name',
+ label=_(u'Name of the trusted domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_del(Method):
+ __doc__ = _("Delete an ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.ListOfPrimaryKeys(
+ 'value',
+ ),
+ )
+
+
+@register()
+class idrange_find(Method):
+ __doc__ = _("Search for ranges.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ cli_name='dom_sid',
+ label=_(u'Domain SID of the trusted 
domain'),
+ ),
+ parameters.Str(
+ 'iparangetype',
+ required=False,
+ cli_name='type',
+ cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']",
+ label=_(u'Range type'),
+ doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class idrange_mod(Method):
+ __doc__ = _("Modify ID range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'ipabaseid',
+ required=False,
+ cli_name='base_id',
+ label=_(u'First Posix ID of the range'),
+ ),
+ parameters.Int(
+ 'ipaidrangesize',
+ required=False,
+ cli_name='range_size',
+ label=_(u'Number of IDs in the range'),
+ ),
+ parameters.Int(
+ 'ipabaserid',
+ required=False,
+ cli_name='rid_base',
+ label=_(u'First RID of the corresponding RID 
range'),
+ ),
+ parameters.Int(
+ 'ipasecondarybaserid',
+ required=False,
+ cli_name='secondary_rid_base',
+ label=_(u'First RID of the secondary RID range'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainsid',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Str(
+ 'ipanttrusteddomainname',
+ required=False,
+ deprecated=True,
+ exclude=('cli', 'webui'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class idrange_show(Method):
+ __doc__ = _("Display information about a range.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='name',
+ label=_(u'Range name'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/idviews.py b/ipaclient/remote_plugins/2_114/idviews.py
new file mode 100644
index 000000000..6bd422c97
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/idviews.py
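Review bot: The bundled idrange module docstring in this hunk carries the server's help text verbatim, including three slips a client user will now see as `ipa help idrange` output: the trusted-domain example maps RIDs 0 to 199999 onto `1200000 to 13999999`, where base-id plus range-size minus one gives `1399999`; `then 1010 id the RID of the user` should read `is the RID`; and `modify the configuration of the DNS plugin` in the USE CASES paragraph should say `DNA plugin`, as the surrounding sentences do. Because these definitions appear to be dumps of the 2.114 server schema, correcting the wording here would diverge from the server copy, so it may be preferable to fix it at the source or accept the mismatch knowingly. Separately, the module text warns that deleting a range and reusing its IDs for another domain can let users read other users' files, yet `idrange_del`'s own `__doc__` is only `Delete an ID range.`; if divergence is acceptable, a one-line pointer such as `Deleting a range whose IDs were already assigned may let reused IDs grant access to existing files; see the module help.` would surface the caveat where the destructive command is invoked.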
@@ -0,0 +1,1411 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID Views +Manage ID Views +IPA allows to override certain properties of users and groups per each host. +This functionality is primarily used to allow migration from older systems or +other Identity Management solutions. +""") + +register = Registry() + + +@register() +class idoverridegroup(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Group name'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + ) + + +@register() +class idoverrideuser(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + label=_(u'User login'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + 
), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + ) + + +@register() +class idview(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class idoverridegroup_add(Method): + __doc__ = _("Add a new Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_del(Method): + __doc__ = _("Delete an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverridegroup_find(Method): + __doc__ = _("Search for an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time 
Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverridegroup_mod(Method): + __doc__ = _("Modify an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the Group ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_show(Method): + __doc__ = _("Display information about an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_add(Method): + __doc__ = _("Add a new User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), 
+ parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_del(Method): + __doc__ = _("Delete an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverrideuser_find(Method): + __doc__ = _("Search for an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 
'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverrideuser_mod(Method): + __doc__ = _("Modify an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', 
+ required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the User ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_show(Method): + __doc__ = _("Display information about an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idview_add(Method): + __doc__ = _("Add a new ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_apply(Method): + __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. 
If any other ID View is applied to the host, it is overriden.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to apply the ID View to'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that this ID View was applied to.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts the ID View was applied to:'), + ), + ) + + +@register() +class idview_del(Method): + __doc__ = _("Delete an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idview_find(Method): + __doc__ = _("Search for an ID View.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 
'cn', + required=False, + cli_name='name', + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idview_mod(Method): + __doc__ = _("Modify an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. 
Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the ID View object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_show(Method): + __doc__ = _("Display information about an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'show_hosts', + required=False, + doc=_(u'Enumerate all the hosts the view applies to.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_unapply(Method): + __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.") + + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to clear (any) ID View from.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that ID View was cleared from.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts that had a ID View was unset:'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/internal.py b/ipaclient/remote_plugins/2_114/internal.py new file mode 100644 index 000000000..7fec8d26f --- /dev/null +++ b/ipaclient/remote_plugins/2_114/internal.py 
@@ -0,0 +1,92 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugins not accessible directly through the CLI, commands used internally +""") + +register = Registry() + + +@register() +class i18n_messages(Command): + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'texts', + dict, + doc=_(u'Dict of I18N messages'), + ), + ) + + +@register() +class json_metadata(Command): + __doc__ = _("Export plugin meta-data for the webUI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'objname', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'methodname', + required=False, + doc=_(u'Name of method to export'), + ), + ) + takes_options = ( + parameters.Str( + 'object', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'method', + required=False, + doc=_(u'Name of method to export'), + ), + parameters.Str( + 'command', + required=False, + doc=_(u'Name of command to export'), + ), + ) + has_output = ( + output.Output( + 'objects', + dict, + doc=_(u'Dict of JSON encoded IPA Objects'), + ), + output.Output( + 'methods', + dict, + doc=_(u'Dict of JSON encoded IPA Methods'), + ), + output.Output( + 'commands', + dict, + doc=_(u'Dict of JSON encoded IPA Commands'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/join.py b/ipaclient/remote_plugins/2_114/join.py new file mode 100644 index 000000000..dc0904dc4 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/join.py 
@@ -0,0 +1,64 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Joining an IPA domain +""") + +register = Registry() + + +@register() +class join(Command): + __doc__ = _("Join an IPA domain") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostname', + doc=_(u'The hostname to register as'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: unicode(installutils.get_fqdn()) + autofill=True, + ), + ) + takes_options = ( + parameters.Str( + 'realm', + doc=_(u'The IPA realm'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: get_realm() + autofill=True, + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + doc=_(u'Operating System and version of the host (e.g. Fedora 9)'), + ), + ) + has_output = ( + ) diff --git a/ipaclient/remote_plugins/2_114/krbtpolicy.py b/ipaclient/remote_plugins/2_114/krbtpolicy.py new file mode 100644 index 000000000..42a4b2bc7 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/krbtpolicy.py 
@@ -0,0 +1,266 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos ticket policy + +There is a single Kerberos ticket policy. This policy defines the +maximum ticket lifetime and the maximum renewal age, the period during +which the ticket is renewable. + +You can also create a per-user ticket policy by specifying the user login. + +For changes to the global policy to take effect, restarting the KDC service +is required, which can be achieved using: + +service krb5kdc restart + +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). + +EXAMPLES: + + Display the current Kerberos ticket policy: + ipa krbtpolicy-show + + Reset the policy to the default: + ipa krbtpolicy-reset + + Modify the policy to 8 hours max life, 1-day max renewal: + ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400 + + Display effective Kerberos ticket policy for user 'admin': + ipa krbtpolicy-show admin + + Reset per-user policy for user 'admin': + ipa krbtpolicy-reset admin + + Modify per-user policy for user 'admin': + ipa krbtpolicy-mod admin --maxlife=3600 +""") + +register = Registry() + + +@register() +class krbtpolicy(Object): + takes_params = ( + parameters.Str( + 'uid', + required=False, + primary_key=True, + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + parameters.Int( + 'krbmaxticketlife', + required=False, + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + label=_(u'Max renew'), + doc=_(u'Maximum renewable age 
(seconds)'), + ), + ) + + +@register() +class krbtpolicy_mod(Method): + __doc__ = _("Modify Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxticketlife', + required=False, + cli_name='maxlife', + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + cli_name='maxrenew', + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_reset(Method): + __doc__ = _("Reset Kerberos ticket policy to the default values.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_show(Method): + __doc__ = _("Display the current Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/migration.py b/ipaclient/remote_plugins/2_114/migration.py new file mode 100644 index 000000000..06c03465f --- /dev/null +++ b/ipaclient/remote_plugins/2_114/migration.py 
@@ -0,0 +1,302 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Migration to IPA + +Migrate users and groups from an LDAP server to IPA. + +This performs an LDAP query against the remote server searching for +users and groups in a container. In order to migrate passwords you need +to bind as a user that can read the userPassword attribute on the remote +server. This is generally restricted to high-level admins such as +cn=Directory Manager in 389-ds (this is the default bind user). + +The default user container is ou=People. + +The default group container is ou=Groups. + +Users and groups that already exist on the IPA server are skipped. + +Two LDAP schemas define how group members are stored: RFC2307 and +RFC2307bis. RFC2307bis uses member and uniquemember to specify group +members, RFC2307 uses memberUid. The default schema is RFC2307bis. + +The schema compat feature allows IPA to reformat data for systems that +do not support RFC2307bis. It is recommended that this feature is disabled +during migration to reduce system overhead. It can be re-enabled after +migration. To migrate with it enabled use the "--with-compat" option. + +Migrated users do not have Kerberos credentials, they have only their +LDAP password. To complete the migration process, users need to go +to http://ipa.example.com/ipa/migration and authenticate using their +LDAP password in order to generate their Kerberos credentials. + +Migration is disabled by default. 
Use the command ipa config-mod to +enable it: + + ipa config-mod --enable-migration=TRUE + +If a base DN is not provided with --basedn then IPA will use either +the value of defaultNamingContext if it is set or the first value +in namingContexts set in the root of the remote LDAP server. + +Users are added as members to the default user group. This can be a +time-intensive task so during migration this is done in a batch +mode for every 100 users. As a result there will be a window in which +users will be added to IPA but will not be members of the default +user group. + +EXAMPLES: + + The simplest migration, accepting all defaults: + ipa migrate-ds ldap://ds.example.com:389 + + Specify the user and group container. This can be used to migrate user + and group data from an IPA v1 server: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Since IPA v2 server already contain predefined groups that may collide with + groups in migrated (IPA v1) server (for example admins, ipausers), users + having colliding group as their primary group may happen to belong to + an unknown group on new IPA v2 server. + Use --group-overwrite-gid option to overwrite GID of already existing groups + to prevent this issue: + ipa migrate-ds --group-overwrite-gid \ + --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Migrated users or groups may have object class and accompanied attributes + unknown to the IPA v2 server. These object classes and attributes may be + left out of the migration process: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + --user-ignore-objectclass=radiusprofile \ + --user-ignore-attribute=radiusgroupname \ + ldap://ds.example.com:389 + +LOGGING + +Migration will log warnings and errors to the Apache error log. 
This +file should be evaluated post-migration to correct or investigate any +issues that were discovered. + +For every 100 users migrated an info-level message will be displayed to +give the current progress and duration to make it possible to track +the progress of migration. + +If the log level is debug, either by setting debug = True in +/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed +for each user added plus a summary when the default user group is +updated. +""") + +register = Registry() + + +@register() +class migrate_ds(Command): + __doc__ = _("Migrate users and groups from DS to IPA.") + + takes_args = ( + parameters.Str( + 'ldapuri', + cli_name='ldap_uri', + label=_(u'LDAP URI'), + doc=_(u'LDAP URI of DS server to migrate from'), + ), + parameters.Password( + 'bindpw', + cli_name='password', + label=_(u'Password'), + doc=_(u'bind password'), + ), + ) + takes_options = ( + parameters.DNParam( + 'binddn', + required=False, + cli_name='bind_dn', + label=_(u'Bind DN'), + default=DN(u'cn=directory manager'), + autofill=True, + ), + parameters.DNParam( + 'usercontainer', + cli_name='user_container', + label=_(u'User container'), + doc=_(u'DN of container for users in DS relative to base DN'), + default=DN(u'ou=people'), + autofill=True, + ), + parameters.DNParam( + 'groupcontainer', + cli_name='group_container', + label=_(u'Group container'), + doc=_(u'DN of container for groups in DS relative to base DN'), + default=DN(u'ou=groups'), + autofill=True, + ), + parameters.Str( + 'userobjectclass', + multivalue=True, + cli_name='user_objectclass', + label=_(u'User object class'), + doc=_(u'Objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + parameters.Str( + 'groupobjectclass', + multivalue=True, + cli_name='group_objectclass', + label=_(u'Group object class'), + doc=_(u'Objectclasses used to search for group entries in DS'), + default=(u'groupOfUniqueNames', u'groupOfNames'), + 
autofill=True, + ), + parameters.Str( + 'userignoreobjectclass', + required=False, + multivalue=True, + cli_name='user_ignore_objectclass', + label=_(u'Ignore user object class'), + doc=_(u'Objectclasses to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'userignoreattribute', + required=False, + multivalue=True, + cli_name='user_ignore_attribute', + label=_(u'Ignore user attribute'), + doc=_(u'Attributes to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreobjectclass', + required=False, + multivalue=True, + cli_name='group_ignore_objectclass', + label=_(u'Ignore group object class'), + doc=_(u'Objectclasses to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreattribute', + required=False, + multivalue=True, + cli_name='group_ignore_attribute', + label=_(u'Ignore group attribute'), + doc=_(u'Attributes to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Flag( + 'groupoverwritegid', + cli_name='group_overwrite_gid', + label=_(u'Overwrite GID'), + doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'), + default=False, + autofill=True, + ), + parameters.Str( + 'schema', + required=False, + cli_metavar="['RFC2307bis', 'RFC2307']", + label=_(u'LDAP schema'), + doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + default=u'RFC2307bis', + autofill=True, + ), + parameters.Flag( + 'continue', + required=False, + label=_(u'Continue'), + doc=_(u'Continuous operation mode. 
Errors are reported but the process continues'), + default=False, + autofill=True, + ), + parameters.DNParam( + 'basedn', + required=False, + cli_name='base_dn', + label=_(u'Base DN'), + doc=_(u'Base DN on remote LDAP server'), + ), + parameters.Flag( + 'compat', + required=False, + cli_name='with_compat', + label=_(u'Ignore compat plugin'), + doc=_(u'Allows migration despite the usage of compat plugin'), + default=False, + autofill=True, + ), + parameters.Str( + 'cacertfile', + required=False, + cli_name='ca_cert_file', + label=_(u'CA certificate'), + doc=_(u'Load CA certificate of LDAP server from FILE'), + ), + parameters.Str( + 'exclude_groups', + required=False, + multivalue=True, + doc=_(u'groups to exclude from migration'), + default=(), + autofill=True, + ), + parameters.Str( + 'exclude_users', + required=False, + multivalue=True, + doc=_(u'users to exclude from migration'), + default=(), + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Lists of objects migrated; categorized by type.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Lists of objects that could not be migrated; categorized by type.'), + ), + output.Output( + 'enabled', + bool, + doc=_(u'False if migration mode was disabled.'), + ), + output.Output( + 'compat', + bool, + doc=_(u'False if migration fails because the compatibility plug-in is enabled.'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/misc.py b/ipaclient/remote_plugins/2_114/misc.py new file mode 100644 index 000000000..4889e666b --- /dev/null +++ b/ipaclient/remote_plugins/2_114/misc.py 
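Review bot: The `migrate_ds` docstring only ever shows `ldap://ds.example.com:389` in its examples, while `binddn` defaults to `cn=directory manager` and `bindpw` is that account's password, so the examples as written bind to the source directory with its most privileged credential over an unencrypted connection. The `cacertfile` option (`Load CA certificate of LDAP server from FILE`) exists precisely so a verified `ldaps://` connection can be used, but nothing in the text points operators to it. Since this file mirrors the 2.114 server plugin, the wording belongs in the server-side docstring and should be regenerated here; I would add after the "Migration is disabled by default" paragraph a sentence such as `Use an ldaps:// URI together with --ca-cert-file so the bind password is not sent in the clear.`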
@@ -0,0 +1,113 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Misc plug-ins +""") + +register = Registry() + + +@register() +class env(Command): + __doc__ = _("Show environment variables.") + + takes_args = ( + parameters.Str( + 'variables', + required=False, + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + output.Output( + 'total', + int, + doc=_(u'Total number of variables env (>= count)'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of variables returned (<= total)'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) + + +@register() +class plugins(Command): + __doc__ = _("Show all loaded plugins.") + + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping plugin names to bases'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of plugins loaded'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/netgroup.py b/ipaclient/remote_plugins/2_114/netgroup.py new file mode 100644 index 000000000..c6aada019 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/netgroup.py 
@@ -0,0 +1,865 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Netgroups + +A netgroup is a group used for permission checking. It can contain both +user and host values. + +EXAMPLES: + + Add a new netgroup: + ipa netgroup-add --desc="NFS admins" admins + + Add members to the netgroup: + ipa netgroup-add-member --users=tuser1 --users=tuser2 admins + + Remove a member from the netgroup: + ipa netgroup-remove-member --users=tuser2 admins + + Display information about a netgroup: + ipa netgroup-show admins + + Delete a netgroup: + ipa netgroup-del admins +""") + +register = Registry() + + +@register() +class netgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Netgroup name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'member_netgroup', + required=False, + label=_(u'Member netgroups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of 
netgroups'), + ), + parameters.Str( + 'memberindirect_netgroup', + required=False, + label=_(u'Indirect Member netgroups'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Member User'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'Member Group'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Member Host'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Member Hostgroup'), + ), + ) + + +@register() +class netgroup_add(Method): + __doc__ = _("Add a new netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_add_member(Method): + __doc__ = _("Add members to a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class netgroup_del(Method): + __doc__ = _("Delete a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class 
netgroup_find(Method): + __doc__ = _("Search for a netgroup.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + cli_name='uuid', + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'managed', + doc=_(u'search for managed groups'), + default=False, + default_from=DefaultFrom(lambda private: private), + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member netgroups.'), + ), + parameters.Str( + 'no_netgroup', + required=False, + multivalue=True, + cli_name='no_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member netgroups.'), + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for netgroups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for netgroups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for netgroups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for netgroups without these member groups.'), + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for netgroups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for netgroups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + 
doc=_(u'Search for netgroups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups without these member host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member of netgroups.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class netgroup_mod(Method): + __doc__ = _("Modify a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + 
), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_remove_member(Method): + __doc__ = _("Remove members from a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class netgroup_show(Method): + __doc__ = _("Display information about a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/otpconfig.py b/ipaclient/remote_plugins/2_114/otpconfig.py new file mode 100644 index 000000000..1aceb903e --- /dev/null +++ b/ipaclient/remote_plugins/2_114/otpconfig.py 
@@ -0,0 +1,206 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+OTP configuration
+
+Manage the default values that IPA uses for OTP tokens.
+
+EXAMPLES:
+
+ Show basic OTP configuration:
+ ipa otpconfig-show
+
+ Show all OTP configuration options:
+ ipa otpconfig-show --all
+
+ Change maximum TOTP authentication window to 10 minutes:
+ ipa otpconfig-mod --totp-auth-window=600
+
+ Change maximum TOTP synchronization window to 12 hours:
+ ipa otpconfig-mod --totp-sync-window=43200
+
+ Change maximum HOTP authentication window to 5:
+ ipa hotpconfig-mod --hotp-auth-window=5
+
+ Change maximum HOTP synchronization window to 50:
+ ipa hotpconfig-mod --hotp-sync-window=50
+""")
+
+register = Registry()
+
+
+@register()
+class otpconfig(Object):
+ takes_params = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ )
+
+
+@register()
+class otpconfig_mod(Method):
+ __doc__ = _("Modify OTP configuration options.")
+
+ takes_options = (
+ parameters.Int(
+ 'ipatokentotpauthwindow',
+ required=False,
+ cli_name='totp_auth_window',
+ label=_(u'TOTP authentication Window'),
+ doc=_(u'TOTP authentication time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokentotpsyncwindow',
+ required=False,
+ cli_name='totp_sync_window',
+ label=_(u'TOTP Synchronization Window'),
+ doc=_(u'TOTP synchronization time variance (seconds)'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpauthwindow',
+ required=False,
+ cli_name='hotp_auth_window',
+ label=_(u'HOTP Authentication Window'),
+ doc=_(u'HOTP authentication skip-ahead'),
+ ),
+ parameters.Int(
+ 'ipatokenhotpsyncwindow',
+ required=False,
+ cli_name='hotp_sync_window',
+ label=_(u'HOTP Synchronization Window'),
+ doc=_(u'HOTP synchronization skip-ahead'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class otpconfig_show(Method):
+ __doc__ = _("Show the current OTP configuration.")
+
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/otptoken.py b/ipaclient/remote_plugins/2_114/otptoken.py
new file mode 100644
index 000000000..632c97ea2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/otptoken.py
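Review bot: The last two examples in the module docstring, `ipa hotpconfig-mod --hotp-auth-window=5` and `ipa hotpconfig-mod --hotp-sync-window=50`, name a command this module never registers — only `otpconfig_mod` and `otpconfig_show` exist, and the HOTP options are declared on `otpconfig_mod` with `cli_name='hotp_auth_window'` / `'hotp_sync_window'`, so by the pattern of the TOTP examples the working form is `ipa otpconfig-mod --hotp-auth-window=5`. The text looks like a verbatim snapshot of the 2.114 server plugin, so the correction presumably belongs in the generator or upstream plugin rather than a hand edit of this bundled copy. If the bundle must stay identical to the server output, a one-line comment above `__doc__` flagging the known-wrong example would keep readers from chasing a nonexistent command.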
@@ -0,0 +1,893 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +OTP Tokens + +Manage OTP tokens. + +IPA supports the use of OTP tokens for multi-factor authentication. This +code enables the management of OTP tokens. + +EXAMPLES: + + Add a new token: + ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token" + + Examine the token: + ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a + + Change the vendor: + ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat" + + Delete a token: + ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a +""") + +register = Registry() + + +@register() +class otptoken(Object): + takes_params = ( + parameters.Str( + 'ipatokenuniqueid', + primary_key=True, + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of the token'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Str( + 'managedby_user', + required=False, + label=_(u'Manager'), + doc=_(u'Assigned manager of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', 
+ required=False, + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + ), + ) + + +@register() +class otptoken_add(Method): + __doc__ = _("Add a new OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + autofill=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + 
label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: os.urandom(KEY_LENGTH) + autofill=True, + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + autofill=True, + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + default=6, + autofill=True, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + autofill=True, + ), + parameters.Int( + 
'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + autofill=True, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + autofill=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'qrcode', + required=False, + label=_(u'(deprecated)'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_qrcode', + label=_(u'Do not display QR code'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_add_managedby(Method): + __doc__ = _("Add users that can manage this token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class otptoken_del(Method): + __doc__ = _("Delete an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + multivalue=True, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class otptoken_find(Method): + __doc__ = _("Search for OTP token.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant 
object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code 
will have'), + default=6, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("id")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class otptoken_mod(Method): + __doc__ = _("Modify a OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + 
), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the OTP token object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_remove_managedby(Method): + __doc__ = _("Remove hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class otptoken_show(Method): + __doc__ = _("Display information about an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
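Review bot: In `otptoken_add`, `ipatokenotpkey` is declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, and the FIXME records that the server-side default was `lambda: os.urandom(KEY_LENGTH)`; as bundled, this definition produces no token secret on the client, so whether a token created without `--key` gets a random secret depends entirely on the server filling it in, which this hunk cannot show. The FIXME should state that expectation explicitly, e.g. `# FIXME: server default is os.urandom(KEY_LENGTH); this bundle relies on the server generating the secret when no key is sent`, and the 2.114 server behaviour is worth confirming rather than assuming. Separately, `otptoken_remove_managedby.__doc__` reads `Remove hosts that can manage this host.`, which looks copied from the host plugin; the paired add command says `Add users that can manage this token.`, so the snapshot (or its upstream source) should read `Remove users that can manage this token.`. Both points apply to the whole new file.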
diff --git a/ipaclient/remote_plugins/2_114/otptoken_yubikey.py b/ipaclient/remote_plugins/2_114/otptoken_yubikey.py
new file mode 100644
index 000000000..61fe1b484
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/otptoken_yubikey.py
@@ -0,0 +1,33 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+YubiKey Tokens
+
+Manage YubiKey tokens.
+
+This code is an extension to the otptoken plugin and provides support for
+reading/writing YubiKey tokens directly.
+
+EXAMPLES:
+
+ Add a new token:
+ ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"
+""")
+
+register = Registry()
diff --git a/ipaclient/remote_plugins/2_114/passwd.py b/ipaclient/remote_plugins/2_114/passwd.py
new file mode 100644
index 000000000..66ec54b5c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/passwd.py
@@ -0,0 +1,93 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Set a user's password
+
+If someone other than a user changes that user's password (e.g., Helpdesk
+resets it) then the password will need to be changed the first time it
+is used. This is so the end-user is the only one who knows the password.
+
+The IPA password policy controls how often a password may be changed,
+what strength requirements exist, and the length of the password history.
+
+EXAMPLES:
+
+ To reset your own password:
+ ipa passwd
+
+ To change another user's password:
+ ipa passwd tuser1
+""")
+
+register = Registry()
+
+
+@register()
+class passwd(Command):
+ __doc__ = _("Set a user's password.")
+
+ takes_args = (
+ parameters.Str(
+ 'principal',
+ cli_name='user',
+ label=_(u'User name'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: util.get_current_principal()
+ autofill=True,
+ no_convert=True,
+ ),
+ parameters.Password(
+ 'password',
+ label=_(u'New Password'),
+ confirm=True,
+ ),
+ parameters.Password(
+ 'current_password',
+ label=_(u'Current Password'),
+ default_from=DefaultFrom(lambda principal: None, 'principal'),
+ # FIXME:
+ # lambda principal: get_current_password(principal)
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Password(
+ 'otp',
+ required=False,
+ label=_(u'OTP'),
+ doc=_(u'One Time Password'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ bool,
+ doc=_(u'True means the operation was successful'),
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/permission.py b/ipaclient/remote_plugins/2_114/permission.py
new file mode 100644
index 000000000..66ab03de1
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/permission.py
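Review bot: Both FIXMEs in `passwd.takes_args` replace a server-side default with `None` while keeping `autofill=True`: `principal` had `util.get_current_principal()` and `current_password` had `get_current_password(principal)`. From these definitions alone the documented `ipa passwd` form (reset your own password) has no visible source for the calling principal or the current password, so some other client layer must supply them; that layer is not in this hunk (the diffstat's `ipaclient/frontend.py` is a plausible place, but I can't confirm it from here). Each FIXME should name the component expected to fill the value in, e.g. `# FIXME: server default was util.get_current_principal(); resolved client-side in <component>`, so the dependency survives the next regeneration of these snapshots.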
@@ -0,0 +1,1045 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable wrapper around a 389-ds Access Control Rule, +or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add, delete, read, search, + or compare. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. search - search on one or more attributes +4. compare - compare one or more attributes +5. add - add a new entry to the tree +6. delete - delete an existing entry +7. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. subtree: a DN; the permission applies to the subtree under this DN +2. target filter: an LDAP filter +3. 
target: DN with possible wildcards, specifies entries permission applies to + +Additionally, there are the following convenience options. +Setting one of these options will set the corresponding attribute(s). +1. type: a type of object (user, group, etc); sets subtree and target filter. +2. memberof: apply to members of a group; sets target filter +3. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership); sets target. + +Managed permissions + +Permissions that come with IPA by default can be so-called "managed" +permissions. These have a default set of attributes they apply to, +but the administrator can add/remove individual attributes to/from the set. + +Deleting or renaming a managed permission, as well as changing its target, +is not allowed. + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the 
permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + label=_(u'Bind rule type'), + ), + parameters.Str( + 'ipapermlocation', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class 
permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + alwaysask=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermbindruletype', + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + autofill=True, + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + alwaysask=True, + ), + parameters.Str( + 'type', + required=False, + 
label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI (internal command)") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermissiontype', + multivalue=True, + label=_(u'Permission flags'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + 
required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + cli_name='defaultattrs', + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to 
apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + 
cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/ping.py b/ipaclient/remote_plugins/2_114/ping.py new file mode 100644 index 000000000..e9344127c --- /dev/null +++ b/ipaclient/remote_plugins/2_114/ping.py 
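Review bot: Nothing in the permission.py header records that the module is a snapshot of the 2.114 server API intended to be regenerated rather than edited; the same applies to ping.py and pkinit.py in this commit. A maintainer fixing a label or option here would silently diverge from what the server actually accepts, which matters for a module that defines access-control rights. Suggest adding under the copyright block `# Remote plugin definitions for the IPA 2.114 API (pre-schema servers); keep in sync with the server-side plugin instead of editing by hand.` Relatedly, the `ipapermbindruletype` options in `permission_add`, `permission_find` and `permission_mod` are plain `parameters.Str` whose allowed values (`permission`, `all`, `anonymous`) appear only in `cli_metavar`, so a mistyped bind type is rejected only by the server; a one-line comment saying that validation is deliberately deferred would help readers.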
@@ -0,0 +1,62 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Ping the remote IPA server to ensure it is running. + +The ping command sends an echo request to an IPA server. The server +returns its version information. This is used by an IPA client +to confirm that the server is available and accepting requests. + +The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first. +If it does not respond then the client will contact any servers defined +by ldap SRV records in DNS. + +EXAMPLES: + + Ping an IPA server: + ipa ping + ------------------------------------------ + IPA server version 2.1.9. API version 2.20 + ------------------------------------------ + + Ping an IPA server verbosely: + ipa -v ping + ipa: INFO: trying https://ipa.example.com/ipa/xml + ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml' + ----------------------------------------------------- + IPA server version 2.1.9. API version 2.20 + ----------------------------------------------------- +""") + +register = Registry() + + +@register() +class ping(Command): + __doc__ = _("Ping a remote server.") + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/pkinit.py b/ipaclient/remote_plugins/2_114/pkinit.py new file mode 100644 index 000000000..fcb4c6b6b --- /dev/null +++ b/ipaclient/remote_plugins/2_114/pkinit.py 
@@ -0,0 +1,63 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos pkinit options + +Enable or disable anonymous pkinit using the principal +WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with +pkinit support. + +EXAMPLES: + + Enable anonymous pkinit: + ipa pkinit-anonymous enable + + Disable anonymous pkinit: + ipa pkinit-anonymous disable + +For more information on anonymous pkinit see: + +http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +""") + +register = Registry() + + +@register() +class pkinit(Object): + takes_params = ( + ) + + +@register() +class pkinit_anonymous(Command): + __doc__ = _("Enable or Disable Anonymous PKINIT.") + + takes_args = ( + parameters.Str( + 'action', + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_114/privilege.py b/ipaclient/remote_plugins/2_114/privilege.py new file mode 100644 index 000000000..a9fb98316 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/privilege.py 
@@ -0,0 +1,656 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Privileges + +A privilege combines permissions into a logical task. A permission provides +the rights to do a single task. There are some IPA operations that require +multiple permissions to succeed. A privilege is where permissions are +combined in order to perform a specific task. + +For example, adding a user requires the following permissions: + * Creating a new user entry + * Resetting a user password + * Adding the new user to the default IPA users group + +Combining these three low-level tasks into a higher level task in the +form of a privilege named "Add User" makes it easier to manage Roles. + +A privilege may not contain other privileges. + +See role and permission for additional information. 
+""") + +register = Registry() + + +@register() +class privilege(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'memberof_permission', + required=False, + label=_(u'Permissions'), + ), + parameters.Str( + 'member_role', + required=False, + label=_(u'Granting privilege to roles'), + ), + ) + + +@register() +class privilege_add(Method): + __doc__ = _("Add a new privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_add_member(Method): + __doc__ = _("Add members to a privilege.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class privilege_add_permission(Method): + __doc__ = _("Add permissions to a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions added'), + ), + ) + + +@register() +class privilege_del(Method): + __doc__ = _("Delete a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class privilege_find(Method): + __doc__ = _("Search for privileges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time 
Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class privilege_mod(Method): + __doc__ = _("Modify a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the privilege object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_remove_member(Method): + __doc__ = _("Remove members from a privilege") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class privilege_remove_permission(Method): + __doc__ = _("Remove permissions from a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions removed'), + ), + ) + + +@register() +class privilege_show(Method): + __doc__ = _("Display information about a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_114/pwpolicy.py b/ipaclient/remote_plugins/2_114/pwpolicy.py new file mode 100644 index 000000000..9db8c28df --- /dev/null +++ b/ipaclient/remote_plugins/2_114/pwpolicy.py 
@@ -0,0 +1,937 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Password policy + +A password policy sets limitations on IPA passwords, including maximum +lifetime, minimum lifetime, the number of passwords to save in +history, the number of character classes required (for stronger passwords) +and the minimum password length. + +By default there is a single, global policy for all users. You can also +create a password policy to apply to a group. Each user is only subject +to one password policy, either the group policy or the global policy. A +group policy stands alone; it is not a super-set of the global policy plus +custom settings. + +Each group password policy requires a unique priority setting. If a user +is in multiple groups that have password policies, this priority determines +which password policy is applied. A lower value indicates a higher priority +policy. + +Group password policies are automatically removed when the groups they +are associated with are removed. 
+ +EXAMPLES: + + Modify the global policy: + ipa pwpolicy-mod --minlength=10 + + Add a new group password policy: + ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins + + Display the global password policy: + ipa pwpolicy-show + + Display a group password policy: + ipa pwpolicy-show localadmins + + Display the policy that would be applied to a given user: + ipa pwpolicy-show --user=tuser1 + + Modify a group password policy: + ipa pwpolicy-mod --minclasses=2 localadmins +""") + +register = Registry() + + +@register() +class cosentry(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + ) + + +@register() +class pwpolicy(Object): + takes_params = ( + parameters.Str( + 'cn', + required=False, + primary_key=True, + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', 
+ required=False, + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + ) + + +@register() +class cosentry_add(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_del(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class cosentry_find(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("cn")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cosentry_mod(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_show(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_add(Method): + __doc__ = _("Add a new group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_del(Method): + __doc__ = _("Delete a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class pwpolicy_find(Method): + __doc__ = _("Search for group password policies.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + 
doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class pwpolicy_mod(Method): + __doc__ = _("Modify a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + 
label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_show(Method): + __doc__ = _("Display information about password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + label=_(u'User'), + doc=_(u'Display effective policy for a specific user'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/radiusproxy.py b/ipaclient/remote_plugins/2_114/radiusproxy.py new file mode 100644 index 000000000..fca0b2ec3 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/radiusproxy.py 
@@ -0,0 +1,521 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +RADIUS Proxy Servers + +Manage RADIUS Proxy Servers. + +IPA supports the use of an external RADIUS proxy server for krb5 OTP +authentications. This permits a great deal of flexibility when +integrating with third-party authentication services. + +EXAMPLES: + + Add a new server: + ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812 + + Find all servers whose entries include the string "example.com": + ipa radiusproxy-find example.com + + Examine the configuration: + ipa radiusproxy-show MyRADIUS + + Change the secret: + ipa radiusproxy-mod MyRADIUS --secret + + Delete a configuration: + ipa radiusproxy-del MyRADIUS +""") + +register = Registry() + + +@register() +class radiusproxy(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 
'ipatokenusermapattribute', + required=False, + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + ) + + +@register() +class radiusproxy_add(Method): + __doc__ = _("Add a new RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_del(Method): + __doc__ = _("Delete a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class radiusproxy_find(Method): + __doc__ = _("Search for RADIUS proxy servers.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + 
label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class radiusproxy_mod(Method): + __doc__ = _("Modify a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + 
multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the RADIUS proxy server object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_show(Method): + __doc__ = _("Display information about a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/realmdomains.py b/ipaclient/remote_plugins/2_114/realmdomains.py new file mode 100644 index 000000000..f8f563a45 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/realmdomains.py 
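Review bot: The help text `doc=_(u'The secret used to encrypt data')` on `ipatokenradiussecret` (in the radiusproxy object and again in radiusproxy_add, radiusproxy_find and radiusproxy_mod) misdescribes a RADIUS shared secret, which is used to authenticate request/response packets and to hide the password attribute, not to encrypt the exchange; an operator reading this may assume confidentiality that plain RADIUS does not give. Since this module appears to be a verbatim snapshot of the 2.114 server API, the wording should be corrected in the server plugin and re-bundled rather than hand-edited here, and a header such as `# Snapshot of the IPA 2.114 server API schema; regenerate, do not hand-edit.` would tell maintainers why the text is left as-is. It is also worth a one-line comment that radiusproxy_find accepts `ipatokenradiussecret` as a search filter only because the 2.114 server contract does, so a later reader does not take it for a client-side mistake.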
@@ -0,0 +1,195 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Realm domains + +Manage the list of domains associated with IPA realm. + +EXAMPLES: + + Display the current list of realm domains: + ipa realmdomains-show + + Replace the list of realm domains: + ipa realmdomains-mod --domain=example.com + ipa realmdomains-mod --domain={example1.com,example2.com,example3.com} + + Add a domain to the list of realm domains: + ipa realmdomains-mod --add-domain=newdomain.com + + Delete a domain from the list of realm domains: + ipa realmdomains-mod --del-domain=olddomain.com +""") + +register = Registry() + + +@register() +class realmdomains(Object): + takes_params = ( + parameters.Str( + 'associateddomain', + multivalue=True, + label=_(u'Domain'), + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + ), + ) + + +@register() +class realmdomains_mod(Method): + __doc__ = _("Modify realm domains.") + + takes_options = ( + parameters.Str( + 'associateddomain', + required=False, + multivalue=True, + cli_name='domain', + label=_(u'Domain'), + no_convert=True, + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + no_convert=True, + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force adding domain even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class realmdomains_show(Method): + __doc__ = _("Display the list of realm domains.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/role.py b/ipaclient/remote_plugins/2_114/role.py new file mode 100644 index 000000000..120b79a08 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/role.py 
@@ -0,0 +1,758 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group junioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'junioradmin' can + add users, reset passwords or add a user to the default IPA user group. 
+""") + +register = Registry() + + +@register() +class role(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_privilege', + required=False, + label=_(u'Privileges'), + ), + parameters.Str( + 'member_service', + required=False, + label=_(u'Member services'), + ), + ) + + +@register() +class role_add(Method): + __doc__ = _("Add a new role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_add_member(Method): + __doc__ = _("Add members to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + 
cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class role_add_privilege(Method): + __doc__ = _("Add privileges to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges added'), + ), + ) + + +@register() +class role_del(Method): + __doc__ = _("Delete a role.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), 
+ ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class role_find(Method): + __doc__ = _("Search for roles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class role_mod(Method): + __doc__ = _("Modify a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the role object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_remove_member(Method): + __doc__ = _("Remove members from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class role_remove_privilege(Method): + __doc__ = _("Remove privileges from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges removed'), + ), + ) + + +@register() +class role_show(Method): + __doc__ = _("Display information about a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
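Review bot: In role_remove_privilege the `'failed'` output is documented as `doc=_(u'Members that could not be added')`, which is a copy-paste from role_add_member; the sibling role_remove_member says `Members that could not be removed` and this one should read `Privileges that could not be removed` (role_add_privilege has the same "Members" wording for what are privileges). This text is presumably mirrored from the 2.114 server plugin, so the correction belongs upstream with the bundle regenerated, but it should not be left to look intentional; a short comment noting the snapshot origin would make that clear.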
diff --git a/ipaclient/remote_plugins/2_114/selfservice.py b/ipaclient/remote_plugins/2_114/selfservice.py
new file mode 100644
index 000000000..5d7e36f30
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/selfservice.py
@@ -0,0 +1,338 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Self-service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address (using Bash + brace expansion): + ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. + Add telephoneNumber to the list (using Bash brace expansion): + ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address" + + Display our updated rule: + ipa selfservice-show "Users manage their own address" + + Delete a rule: + ipa selfservice-del "Users manage their own address" +""") + +register = Registry() + + +@register() +class selfservice(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + ), + ) + + +@register() +class selfservice_add(Method): + __doc__ = _("Add a new self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_del(Method): + __doc__ = _("Delete a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_find(Method): + __doc__ = _("Search for a self-service permission.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selfservice_mod(Method): + __doc__ = _("Modify a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_show(Method): + __doc__ = _("Display information about a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/selinuxusermap.py b/ipaclient/remote_plugins/2_114/selinuxusermap.py new file mode 100644 index 000000000..223aeb722 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/selinuxusermap.py 
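Review bot: Nothing in the new selfservice.py header states that this module is a frozen copy of the server-side interface for API version 2.114 rather than hand-maintained code, so a later maintainer may "fix" it in place and silently break compatibility with servers of that version; the same applies to selinuxusermap.py in this commit. A header comment such as `# Remote plugin definitions bundled for servers with API version 2.114 (no schema support); keep in sync with that server release rather than editing by hand.` would make the intent explicit, and if these files were produced by a generator, naming it there would help too. The module docstring's opening paragraph also reads oddly (`A permission enables fine-grained delegation of permissions` and `grant permission to permissions to perform`); if that text is meant to match the server's 2.114 docstring verbatim, saying so in the header would stop reviewers from flagging it.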
@@ -0,0 +1,905 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +SELinux User Mapping + +Map IPA users to SELinux users by host. + +Hosts, hostgroups, users and groups can be either defined within +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. + +EXAMPLES: + + Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server": + ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 + ipa selinuxusermap-add-host --hosts=server.example.com test1 + + Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts: + ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2 + + Display the properties of a rule: + ipa selinuxusermap-show test2 + + Create a rule for a specific user. 
This sets the SELinux context for + user john to unconfined_u:s0-s0:c0.c1023 on any machine: + ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined + ipa selinuxusermap-add-user --users=john john_unconfined + + Disable a rule: + ipa selinuxusermap-disable test1 + + Enable a rule: + ipa selinuxusermap-enable test1 + + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + + Remove a rule: + ipa selinuxusermap-del john_unconfined + +SEEALSO: + + The list controlling the order in which the SELinux user map is applied + and the default SELinux user are available in the config-show command. +""") + +register = Registry() + + +@register() +class selinuxusermap(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + ) + + +@register() +class selinuxusermap_add(Method): + __doc__ = _("Create a new SELinux User Map.") + + takes_args = ( + parameters.Str( 
+ 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_add_user(Method): + __doc__ = _("Add users and groups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_del(Method): + __doc__ = _("Delete a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class selinuxusermap_disable(Method): + __doc__ = _("Disable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_enable(Method): + __doc__ = _("Enable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_find(Method): + __doc__ = _("Search for SELinux User Maps.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + 
required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selinuxusermap_mod(Method): + __doc__ = _("Modify a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the 
rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_remove_user(Method): + __doc__ = _("Remove users and groups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_show(Method): + __doc__ = _("Display the properties of a SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/service.py b/ipaclient/remote_plugins/2_114/service.py new file mode 100644 index 000000000..8e025b3f2 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/service.py 
@@ -0,0 +1,1100 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Services + +A IPA service represents a service that runs on a host. The IPA service +record can store a Kerberos principal, an SSL certificate, or both. + +An IPA service can be managed directly from a machine, provided that +machine has been given the correct permission. This is true even for +machines other than the one the service is associated with. For example, +requesting an SSL certificate using the host service principal credentials +of the host. To manage a service using host credentials you need to +kinit as the host: + + # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM + +Adding an IPA service allows the associated service to request an SSL +certificate or keytab, but this is performed as a separate step; they +are not produced as a result of adding the service. + +Only the public aspect of a certificate is stored in a service record; +the private key is not stored. + +EXAMPLES: + + Add a new IPA service: + ipa service-add HTTP/web.example.com + + Allow a host to manage an IPA service certificate: + ipa service-add-host --hosts=web.example.com HTTP/web.example.com + ipa role-add-member --hosts=web.example.com certadmin + + Override a default list of supported PAC types for the service: + ipa service-mod HTTP/web.example.com --pac-type=MS-PAC + + A typical use case where overriding the PAC type is needed is NFS. + Currently the related code in the Linux kernel can only handle Kerberos + tickets up to a maximal size. 
Since the PAC data can become quite large it + is recommended to set --pac-type=NONE for NFS services. + + Delete an IPA service: + ipa service-del HTTP/web.example.com + + Find all IPA services associated with a host: + ipa service-find web.example.com + + Find all HTTP services: + ipa service-find HTTP + + Disable the service Kerberos key and SSL certificate: + ipa service-disable HTTP/web.example.com + + Request a certificate for an IPA service: + ipa cert-request --principal=HTTP/web.example.com example.csr + + Allow user to create a keytab: + ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1 + + Generate and retrieve a keytab for an IPA service: + ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab +""") + +register = Registry() + + +@register() +class service(Object): + takes_params = ( + parameters.Str( + 'krbprincipalname', + primary_key=True, + label=_(u'Principal'), + doc=_(u'Service principal'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class service_add(Method): + __doc__ = _("Add a new IPA new service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + 
required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force principal name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_add_host(Method): + __doc__ = _("Add hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_del(Method): + __doc__ = _("Delete an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + multivalue=True, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class service_disable(Method): + __doc__ = _("Disable the Kerberos key and SSL certificate of a service.") + + takes_args = ( + parameters.Str( 
+ 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_find(Method): + __doc__ = _("Search for IPA services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("principal")'), + default=False, + autofill=True, + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services without these managed by hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class service_mod(Method): + __doc__ = _("Modify an existing IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + 
no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_host(Method): + __doc__ = _("Remove hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_show(Method): + __doc__ = _("Display information about an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/session.py b/ipaclient/remote_plugins/2_114/session.py new file mode 100644 index 000000000..72c565ca4 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/session.py 
@@ -0,0 +1,626 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Session Support for IPA +John Dennis + +Goals +===== + +Provide per-user session data caching which persists between +requests. Desired features are: + +* Integrates cleanly with minimum impact on existing infrastructure. + +* Provides maximum security balanced against real-world performance + demands. + +* Sessions must be able to be revoked (flushed). + +* Should be flexible and easy to use for developers. + +* Should leverage existing technology and code to the maximum extent + possible to avoid re-invention, excessive implementation time and to + benefit from robustness in field proven components commonly shared + in the open source community. + +* Must support multiple independent processes which share session + data. + +* System must function correctly if session data is available or not. + +* Must be high performance. + +* Should not be tied to specific web servers or browsers. Should + integrate with our chosen WSGI model. + +Issues +====== + +Cookies +------- + +Most session implementations are based on the use of cookies. Cookies +have some inherent problems. + +* User has the option to disable cookies. + +* User stored cookie data is not secure. Can be mitigated by setting + flags indicating the cookie is only to be used with SSL secured HTTP + connections to specific web resources and setting the cookie to + expire at session termination. Most modern browsers enforce these. + +Where to store session data? +---------------------------- + +Session data may be stored on either on the client or on the +server. 
Storing session data on the client addresses the problem of +session data availability when requests are serviced by independent web +servers because the session data travels with the request. However +there are data size limitations. Storing session data on the client +also exposes sensitive data but this can be mitigated by encrypting +the session data such that only the server can decrypt it. + +The more conventional approach is to bind session data to a unique +name, the session ID. The session ID is transmitted to the client and +the session data is paired with the session ID on the server in a +associative data store. The session data is retrieved by the server +using the session ID when the receiving the request. This eliminates +exposing sensitive session data on the client along with limitations +on data size. It however introduces the issue of session data +availability when requests are serviced by more than one server +process. + +Multi-process session data availability +--------------------------------------- + +Apache (and other web servers) fork child processes to handle requests +in parallel. Also web servers may be deployed in a farm where requests +are load balanced in round robin fashion across different nodes. In +both cases session data cannot be stored in the memory of a server +process because it is not available to other processes, either sibling +children of a master server process or server processes on distinct +nodes. + +Typically this is addressed by storing session data in a SQL +database. When a request is received by a server process containing a +session ID in it's cookie data the session ID is used to perform a SQL +query and the resulting data is then attached to the request as it +proceeds through the request processing pipeline. This of course +introduces coherency issues. + +For IPA the introduction of a SQL database dependency is undesired and +should be avoided. 
+ +Session data may also be shared by independent processes by storing +the session data in files. + +An alternative solution which has gained considerable popularity +recently is the use of a fast memory based caching server. Data is +stored in a single process memory and may be queried and set via a +light weight protocol using standard socket mechanisms, memcached is +one example. A typical use is to optimize SQL queries by storing a SQL +result in shared memory cache avoiding the more expensive SQL +operation. But the memory cache has distinct advantages in non-SQL +situations as well. + +Possible implementations for use by IPA +======================================= + +Apache Sessions +--------------- + +Apache has 2.3 has implemented session support via these modules: + + mod_session + Overarching session support based on cookies. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session.html + + mod_session_cookie + Stores session data in the client. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html + + mod_session_crypto + Encrypts session data for security. Encryption key is shared + configuration parameter visible to all Apache processes and is + stored in a configuration file. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html + + mod_session_dbd + Stores session data in a SQL database permitting multiple + processes to access and share the same session data. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html + +Issues with Apache sessions +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Although Apache has implemented generic session support and Apache is +our web server of preference it nonetheless introduces issues for IPA. + + * Session support is only available in httpd >= 2.3 which at the + time of this writing is currently only available as a Beta release + from upstream. We currently only ship httpd 2.2, the same is true + for other distributions. 
+ + * We could package and ship the sessions modules as a temporary + package in httpd 2.2 environments. But this has the following + consequences: + + - The code has to be backported. the module API has changed + slightly between httpd 2.2 and 2.3. The backporting is not + terribly difficult and a proof of concept has been + implemented. + + - We would then be on the hook to package and maintain a special + case Apache package. This is maintenance burden as well as a + distribution packaging burden. Both of which would be best + avoided if possible. + + * The design of the Apache session modules is such that they can + only be manipulated by other Apache modules. The ability of + consumers of the session data to control the session data is + simplistic, constrained and static during the period the request + is processed. Request handlers which are not native Apache modules + (e.g. IPA via WSGI) can only examine the session data + via request headers and reset it in response headers. + + * Shared session data is available exclusively via SQL. + +However using the 2.3 Apache session modules would give us robust +session support implemented in C based on standardized Apache +interfaces which are widely used. + +Python Web Frameworks +--------------------- + +Virtually every Python web framework supports cookie based sessions, +e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided +to avoid the use of these frameworks. Trying to pull in just one part +of these frameworks just to get session support would be problematic +because the code does not function outside it's framework. + +IPA implemented sessions +------------------------ + +Originally it was believed the path of least effort was to utilize +existing session support, most likely what would be provided by +Apache. 
However there are enough basic modular components available in +native Python and other standard packages it should be possible to +provide session support meeting the aforementioned goals with a modest +implementation effort. Because we're leveraging existing components +the implementation difficulties are subsumed by other components which +have already been field proven and have community support. This is a +smart strategy. + +Proposed Solution +================= + +Our interface to the web server is via WSGI which invokes a callback +per request passing us an environmental context for the request. For +this discussion we'll name the WSGI callback "application()", a +conventional name in WSGI parlance. + +Shared session data will be handled by memcached. We will create one +instance of memcached on each server node dedicated to IPA +exclusively. Communication with memcached will be via a UNIX socket +located in the file system under /var/run/ipa_memcached. It will be +protected by file permissions and optionally SELinux policy. + +In application() we examine the request cookies and if there is an IPA +session cookie with a session ID we retrieve the session data from our +memcached instance. + +The session data will be a Python dict. IPA components will read or +write their session information by using a pre-agreed upon name +(e.g. key) in the dict. This is a very flexible system and consistent +with how we pass data in most parts of IPA. + +If the session data is not available an empty session data dict will +be created. + +How does this session data travel with the request in the IPA +pipeline? In IPA we use the HTTP request/response to implement RPC. In +application() we convert the request into a procedure call passing it +arguments derived from the HTTP request. The passed parameters are +specific to the RPC method being invoked. The context the RPC call is +executing in is not passed as an RPC parameter. 
+ +How would the contextual information such as session data be bound to +the request and hence the RPC call? + +In IPA when a RPC invocation is being prepared from a request we +recognize this will only ever be processed serially by one Python +thread. A thread local dict called "context" is allocated for each +thread. The context dict is cleared in between requests (e.g. RPC method +invocations). The per-thread context dict is populated during the +lifetime of the request and is used as a global data structure unique to +the request that various IPA component can read from and write to with +the assurance the data is unique to the current request and/or method +call. + +The session data dict will be written into the context dict under the +session key before the RPC method begins execution. Thus session data +can be read and written by any IPA component by accessing +``context.session``. + +When the RPC method finishes execution the session data bound to the +request/method is retrieved from the context and written back to the +memcached instance. The session ID is set in the response sent back to +the client in the ``Set-Cookie`` header along with the flags +controlling it's usage. + +Issues and details +------------------ + +IPA code cannot depend on session data being present, however it +should always update session data with the hope it will be available +in the future. Session data may not be available because: + + * This is the first request from the user and no session data has + been created yet. + + * The user may have cookies disabled. + + * The session data may have been flushed. memcached operates with + a fixed memory allocation and will flush entries on a LRU basis, + like with any cache there is no guarantee of persistence. + + Also we may have have deliberately expired or deleted session + data, see below. + +Cookie manipulation is done via the standard Python Cookie module. 
+ +Session cookies will be set to only persist as long as the browser has +the session open. They will be tagged so the browser only returns +the session ID on SSL secured HTTP requests. They will not be visible +to Javascript in the browser. + +Session ID's will be created by using 48 bits of random data and +converted to 12 hexadecimal digits. Newly generated session ID's will +be checked for prior existence to handle the unlikely case the random +number repeats. + +memcached will have significantly higher performance than a SQL or file +based storage solution. Communication is effectively though a pipe +(UNIX socket) using a very simple protocol and the data is held +entirely in process memory. memcached also scales easily, it is easy +to add more memcached processes and distribute the load across them. +At this point in time we don't anticipate the need for this. + +A very nice feature of the Python memcached module is that when a data +item is written to the cache it is done with standard Python pickling +(pickling is a standard Python mechanism to marshal and unmarshal +Python objects). We adopt the convention the object written to cache +will be a dict to meet our internal data handling conventions. The +pickling code will recursively handle nested objects in the dict. Thus +we gain a lot of flexibility using standard Python data structures to +store and retrieve our session data without having to author and debug +code to marshal and unmarshal the data if some other storage mechanism +had been used. This is a significant implementation win. Of course +some common sense limitations need to observed when deciding on what +is written to the session cache keeping in mind the data is shared +between processes and it should not be excessively large (a +configurable option) + +We can set an expiration on memcached entries. We may elect to do that +to force session data to be refreshed periodically. 
For example we may +wish the client to present fresh credentials on a periodic basis even +if the cached credentials are otherwise within their validity period. + +We can explicitly delete session data if for some reason we believe it +is stale, invalid or compromised. + +memcached also gives us certain facilities to prevent race conditions +between different processes utilizing the cache. For example you can +check of the entry has been modified since you last read it or use CAS +(Check And Set) semantics. What has to be protected in terms of cache +coherency will likely have to be determined as the session support is +utilized and different data items are added to the cache. This is very +much data and context specific. Fortunately memcached operations are +atomic. + +Controlling the memcached process +--------------------------------- + +We need a mechanism to start the memcached process and secure it so +that only IPA components can access it. + +Although memcached ships with both an initscript and systemd unit +files those are for generic instances. We want a memcached instance +dedicated exclusively to IPA usage. To accomplish this we would install +a systemd unit file or an SysV initscript to control the IPA specific +memcached service. ipactl would be extended to know about this +additional service. systemd's cgroup facility would give us additional +mechanisms to integrate the IPA memcached service within a larger IPA +process group. + +Protecting the memcached data would be done via file permissions (and +optionally SELinux policy) on the UNIX domain socket. Although recent +implementations of memcached support authentication via SASL this +introduces a performance and complexity burden not warranted when +cached is dedicated to our exclusive use and access controlled by OS +mechanisms. + +Conventionally daemons are protected by assigning a system uid and/or +gid to the daemon. 
A daemon launched by root will drop it's privileges +by assuming the effective uid:gid assigned to it. File system access +is controlled by the OS via the effective identity and SELinux policy +can be crafted based on the identity. Thus the memcached UNIX socket +would be protected by having it owned by a specific system user and/or +membership in a restricted system group (discounting for the moment +SELinux). + +Unfortunately we currently do not have an IPA system uid whose +identity our processes operate under nor do we have an IPA system +group. IPA does manage a collection of related processes (daemons) and +historically each has been assigned their own uid. When these +unrelated processes communicate they mutually authenticate via other +mechanisms. We do not have much of a history of using shared file +system objects across identities. When file objects are created they +are typically assigned the identity of daemon needing to access the +object and are not accessed by other daemons, or they carry root +identity. + +When our WSGI application runs in Apache it is run as a WSGI +daemon. This means when Apache starts up it forks off WSGI processes +for us and we are independent of other Apache processes. When WSGI is +run in this mode there is the ability to set the uid:gid of the WSGI +process hosting us, however we currently do not take advantage of this +option. WSGI can be run in other modes as well, only in daemon mode +can the uid:gid be independently set from the rest of Apache. All +processes started by Apache can be set to a common uid:gid specified +in the global Apache configuration, by default it's +apache:apache. Thus when our IPA code executes it is running as +apache:apache. + +To protect our memcached UNIX socket we can do one of two things: + +1. Assign it's uid:gid as apache:apache. This would limit access to + our cache only to processes running under httpd. It's somewhat + restricted but far from ideal. 
Any code running in the web server + could potentially access our cache. It's difficult to control what the + web server runs and admins may not understand the consequences of + configuring httpd to serve other things besides IPA. + +2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure + our WSGI application to run as the ipa:ipa user and group. We also + configure our memcached instance to run as the ipa:ipa user and + group. In this configuration we are now fully protected, only our WSGI + code can read & write to our memcached UNIX socket. + +However there may be unforeseen issues by converting our code to run as +something other than apache:apache. This would require some +investigation and testing. + +IPA is dependent on other system daemons, specifically Directory +Server (ds) and Certificate Server (cs). Currently we configure ds to +run under the dirsrv:dirsrv user and group, an identity of our +creation. We allow cs to default to it's pkiuser:pkiuser user and +group. Should these other cooperating daemons also run under the +common ipa:ipa user and group identities? At first blush there would +seem to be an advantage to coalescing all process identities under a +common IPA user and group identity. However these other processes do +not depend on user and group permissions when working with external +agents, processes, etc. Rather they are designed to be stand-alone +network services which authenticate their clients via other +mechanisms. They do depend on user and group permission to manage +their own file system objects. If somehow the ipa user and/or group +were compromised or malicious code somehow executed under the ipa +identity there would be an advantage in having the cooperating +processes cordoned off under their own identities providing one extra +layer of protection. 
(Note, these cooperating daemons may not even be +co-located on the same node in which case the issue is moot) + +The UNIX socket behavior (ldapi) with Directory Server is as follows: + + * The socket ownership is: root:root + + * The socket permissions are: 0666 + + * When connecting via ldapi you must authenticate as you would + normally with a TCP socket, except ... + + * If autobind is enabled and the uid:gid is available via + SO_PEERCRED and the uid:gid can be found in the set of users known + to the Directory Server then that connection will be bound as that + user. + + * Otherwise an anonymous bind will occur. + +memcached UNIX socket behavior is as follows: + + * memcached can be invoked with a user argument, no group may be + specified. The effective uid is the uid of the user argument and + the effective gid is the primary group of the user, let's call + this euid:egid + + * The socket ownership is: euid:egid + + * The socket permissions are 0700 by default, but this can be + modified by the -a mask command line arg which sets the umask + (defaults to 0700). + +Overview of authentication in IPA +================================= + +This describes how we currently authenticate and how we plan to +improve authentication performance. First some definitions. + +There are 4 major players: + + 1. client + 2. mod_auth_kerb (in Apache process) + 3. wsgi handler (in IPA wsgi python process) + 4. ds (directory server) + +There are several resources: + + 1. /ipa/ui (unprotected, web UI static resources) + 2. /ipa/xml (protected, xmlrpc RPC used by command line clients) + 3. /ipa/json (protected, json RPC used by javascript in web UI) + 4. ds (protected, wsgi acts as proxy, our LDAP server) + +Current Model +------------- + +This describes how things work in our current system for the web UI. + + 1. Client requests /ipa/ui, this is unprotected, is static and + contains no sensitive information. Apache replies with html and + javascript. 
The javascript requests /ipa/json. + + 2. Client sends post to /ipa/json. + + 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 + authenticate negotiate. + + 4. Client resends with credentials + + 5. mod_auth_kerb validates credentials + + a. if invalid replies 403 access denied (stops here) + + b. if valid creates temporary ccache, adds KRB5CCNAME to request + headers + + 6. Request passed to wsgi handler + + a. validates request, KRB5CCNAME must be present, referrer, etc. + + b. ccache saved and used to bind to ds + + c. routes to specified RPC handler. + + 7. wsgi handler replies to client + +Proposed new session based optimization +--------------------------------------- + +The round trip negotiate and credential validation in steps 3,4,5 is +expensive. This can be avoided if we can cache the client +credentials. With client sessions we can store the client credentials +in the session bound to the client. + +A few notes about the session implementation. + + * based on session cookies, cookies must be enabled + + * session cookie is secure, only passed on secure connections, only + passed to our URL resource, never visible to client javascript + etc. + + * session cookie has a session id which is used by wsgi handler to + retrieve client session data from shared multi-process cache. + +Changes to Apache's resource protection +--------------------------------------- + + * /ipa/json is no longer protected by mod_auth_kerb. This is + necessary to avoid the negotiate expense in steps 3,4,5 + above. Instead the /ipa/json resource will be protected in our wsgi + handler via the session cookie. + + * A new protected URI is introduced, /ipa/login. This resource + does no serve any data, it is used exclusively for authentication. + +The new sequence is: + + 1. Client requests /ipa/ui, this is unprotected. Apache replies with + html and javascript. The javascript requests /ipa/json. + + 2. Client sends post to /ipa/json, which is unprotected. + + 3. 
wsgi handler obtains session data from session cookie. + + a. if ccache is present in session data and is valid + + - request is further validated + + - ccache is established for bind to ds + + - request is routed to RPC handler + + - wsgi handler eventually replies to client + + b. if ccache is not present or not valid processing continues ... + + 4. wsgi handler replies with 401 Unauthorized + + 5. client sends request to /ipa/login to obtain session credentials + + 6. mod_auth_kerb replies 401 negotiate on /ipa/login + + 7. client sends credentials to /ipa/login + + 8. mod_auth_kerb validates credentials + + a. if valid + + - mod_auth_kerb permits access to /ipa/login. wsgi handler is + invoked and does the following: + + * establishes session for client + + * retrieves the ccache from KRB5CCNAME and stores it + + a. if invalid + + - mod_auth_kerb sends 403 access denied (processing stops) + + 9. client now posts the same data again to /ipa/json including + session cookie. Processing repeats starting at step 2 and since + the session data now contains a valid ccache step 3a executes, a + successful reply is sent to client. + +Command line client using xmlrpc +-------------------------------- + +The above describes the web UI utilizing the json RPC mechanism. The +IPA command line tools utilize a xmlrpc RPC mechanism on the same +HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json +and xmlrpc API's are the same, they differ only on how their procedure +calls are marshalled and unmarshalled. + +Under the new scheme /ipa/xml will continue to be Kerberos protected +at all times. Apache's mod_auth_kerb will continue to require the +client provides valid Kerberos credentials. + +When the WSGI handler routes to /ipa/xml the Kerberos credentials will +be extracted from the KRB5CCNAME environment variable as provided by +mod_auth_kerb. Everything else remains the same. 
+""")
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/sudocmd.py b/ipaclient/remote_plugins/2_114/sudocmd.py
new file mode 100644
index 000000000..871535f25
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/sudocmd.py
@@ -0,0 +1,394 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_del(Method): + __doc__ = _("Delete Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + multivalue=True, + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmd_find(Method): + __doc__ = _("Search for Sudo Commands.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'sudocmd', + required=False, + cli_name='command', + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + 
required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("command")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmd_mod(Method): + __doc__ = _("Modify Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_show(Method): + __doc__ = _("Display Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_114/sudocmdgroup.py b/ipaclient/remote_plugins/2_114/sudocmdgroup.py
new file mode 100644
index 000000000..25fc8b11d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_114/sudocmdgroup.py
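Review bot: The header at the top of the sudocmd.py hunk carries only the license line; nothing in the file records that these classes mirror the 2.114 server API and have to stay in step with it, and the module docstring merely repeats the server-side help text. The uniform `# pylint: disable=unused-import` block with the unused `DefaultFrom`, `DN` and `DNSName` imports suggests the file is produced by a tool from the server schema rather than written by hand, in which case a maintainer who edits it directly risks diverging from what the 2.114 server actually accepts. A comment under the license header such as `# Remote plugin definitions for API version 2.114; mirrors the server schema, do not edit by hand` would make the provenance and the editing rule explicit, and the same applies to the sudocmdgroup.py hunk that follows.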
@@ -0,0 +1,540 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of Sudo Commands + +Manage groups of Sudo Commands. + +EXAMPLES: + + Add a new Sudo Command Group: + ipa sudocmdgroup-add --desc='administrators commands' admincmds + + Remove a Sudo Command Group: + ipa sudocmdgroup-del admincmds + + Manage Sudo Command Group membership, commands: + ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds + + Manage Sudo Command Group membership, commands: + ipa group-remove-member --sudocmds=/usr/bin/less admincmds + + Show a Sudo Command Group: + ipa group-show localadmins +""") + +register = Registry() + + +@register() +class sudocmdgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Sudo Command Group'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'membercmd_sudocmd', + required=False, + label=_(u'Commands'), + ), + parameters.Str( + 'membercmd_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + parameters.Str( + 'member_sudocmd', + required=False, + label=_(u'Member Sudo commands'), + ), + ) + + +@register() +class sudocmdgroup_add(Method): + __doc__ = _("Create new Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_add_member(Method): + __doc__ = _("Add members to Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudocmdgroup_del(Method): + __doc__ = _("Delete Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmdgroup_find(Method): + __doc__ = _("Search for Sudo Command Groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + 
parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmdgroup_mod(Method): + __doc__ = _("Modify Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_remove_member(Method): + __doc__ = _("Remove members from Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudocmdgroup_show(Method): + __doc__ = _("Display Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_114/sudorule.py b/ipaclient/remote_plugins/2_114/sudorule.py new file mode 100644 index 000000000..808720e42 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/sudorule.py 
@@ -0,0 +1,1774 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Rules + +Sudo (su "do") allows a system administrator to delegate authority to +give certain users (or groups of users) the ability to run some (or all) +commands as root or another user while providing an audit trail of the +commands and their arguments. + +FreeIPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. + Deny Command: The specific command(s) prohibited to be run via Sudo. + RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. + RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. + Options: The various Sudoers Options that can modify Sudo's behavior. + +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. 
+ +FreeIPA provides a designated binddn to use with Sudo located at: +uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +To enable the binddn run the following command to set the password: +LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +EXAMPLES: + + Create a new rule: + ipa sudorule-add readfiles + + Add sudo command object and add it as allowed command in the rule: + ipa sudocmd-add /usr/bin/less + ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less + + Add a host to the rule: + ipa sudorule-add-host readfiles --hosts server.example.com + + Add a user to the rule: + ipa sudorule-add-user readfiles --users jsmith + + Add a special Sudo rule for default Sudo server configuration: + ipa sudorule-add defaults + + Set a default Sudo option: + ipa sudorule-add-option defaults --sudooption '!authenticate' +""") + +register = Registry() + + +@register() +class sudorule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies 
to'), + ), + parameters.Int( + 'sudoorder', + required=False, + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'hostmask', + multivalue=True, + label=_(u'Host Masks'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'memberallowcmd_sudocmd', + required=False, + label=_(u'Sudo Allow Commands'), + ), + parameters.Str( + 'memberdenycmd_sudocmd', + required=False, + label=_(u'Sudo Deny Commands'), + ), + parameters.Str( + 'memberallowcmd_sudocmdgroup', + required=False, + label=_(u'Sudo Allow Command Groups'), + ), + parameters.Str( + 'memberdenycmd_sudocmdgroup', + required=False, + label=_(u'Sudo Deny Command Groups'), + ), + parameters.Str( + 'ipasudorunas_user', + required=False, + label=_(u'RunAs Users'), + doc=_(u'Run as a user'), + ), + parameters.Str( + 'ipasudorunas_group', + required=False, + label=_(u'Groups of RunAs Users'), + doc=_(u'Run as any user within a specified group'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextusergroup', + required=False, + label=_(u'External Groups of RunAs Users'), + doc=_(u'External Groups of users that the command can run as'), + ), + parameters.Str( + 'ipasudorunasgroup_group', + required=False, + label=_(u'RunAs Groups'), + 
doc=_(u'Run with the gid of a specified POSIX group'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudoopt', + required=False, + label=_(u'Sudo Option'), + ), + ) + + +@register() +class sudorule_add(Method): + __doc__ = _("Create new Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the 
rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_allow_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_deny_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_host(Method): + __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_option(Method): + __doc__ = _("Add an option to the Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_runasgroup(Method): + __doc__ = _("Add group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_runasuser(Method): + __doc__ = _("Add users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_user(Method): + __doc__ = _("Add users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_del(Method): + __doc__ = _("Delete Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudorule_disable(Method): + __doc__ = _("Disable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_enable(Method): + __doc__ = _("Enable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class 
sudorule_find(Method): + __doc__ = _("Search for Sudo Rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudorule-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudorule_mod(Method): + __doc__ = _("Modify Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + 
cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + 
), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_allow_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_deny_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_host(Method): + __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_option(Method): + __doc__ = _("Remove an option from Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_runasgroup(Method): + __doc__ = _("Remove group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_runasuser(Method): + __doc__ = _("Remove users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_user(Method): + __doc__ = _("Remove users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_show(Method): + __doc__ = _("Display Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/trust.py b/ipaclient/remote_plugins/2_114/trust.py new file mode 100644 index 000000000..1976f4a25 --- /dev/null +++ b/ipaclient/remote_plugins/2_114/trust.py 
@@ -0,0 +1,1250 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad --admin --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show + +4. Delete existing trust relationship: + + ipa trust-del + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. 
Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external + + +GLOBAL TRUST CONFIGURATION + +When IPA AD trust subpackage is installed and ipa-adtrust-install is run, +a local domain configuration (SID, GUID, NetBIOS name) is generated. These +identifiers are then used when communicating with a trusted domain of the +particular type. + +1. Show global trust configuration for Active Directory type of trusts: + + ipa trustconfig-show --type ad + +2. Modify global configuration for all trusts of Active Directory type and set + a different fallback primary group (fallback primary group GID is used as + a primary user GID if user authenticating to IPA domain does not have any other + primary GID already set): + + ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group" + +3. 
Change primary fallback group back to default hidden group (any group with + posixGroup object class is allowed): + + ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group" +""") + +register = Registry() + + +@register() +class trust(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + label=_(u'SID blacklist outgoing'), + ), + ) + + +@register() +class trustconfig(Object): + takes_params = ( + parameters.Str( + 'cn', + label=_(u'Domain'), + ), + parameters.Str( + 'ipantsecurityidentifier', + label=_(u'Security Identifier'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'NetBIOS name'), + ), + parameters.Str( + 'ipantdomainguid', + label=_(u'Domain GUID'), + ), + parameters.Str( + 'ipantfallbackprimarygroup', + label=_(u'Fallback primary group'), + ), + ) + + +@register() +class trustdomain(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + ), + ) + + +@register() +class adtrust_is_enabled(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run on this system") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class compat_is_enabled(Command): + __doc__ = _("Determine 
whether Schema Compatibility plugin is configured to serve trusted domain users and groups") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sidgen_was_run(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class trust_add(Method): + __doc__ = _(""" +Add new trust to use. + +This command establishes trust relationship to another domain +which becomes 'trusted'. As result, users of the trusted domain +may access resources of this domain. + +Only trusts to Active Directory domains are supported right now. + +The command can be safely run multiple times against the same domain, +this will cause change to trust relationship credentials on both +sides. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Str( + 'realm_admin', + required=False, + cli_name='admin', + label=_(u'Active Directory domain administrator'), + ), + parameters.Password( + 'realm_passwd', + required=False, + cli_name='password', + label=_(u"Active Directory domain administrator's password"), + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Password( + 'trust_secret', + required=False, + label=_(u'Shared secret for the trust'), + ), + parameters.Int( + 'base_id', + required=False, + label=_(u'First Posix ID of the range reserved for the trusted domain'), + ), + parameters.Int( + 'range_size', + required=False, + label=_(u'Size of the ID range reserved for the trusted domain'), + ), + parameters.Str( + 'range_type', + required=False, + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']", + label=_(u'Range type'), + doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trust_del(Method): + __doc__ = _("Delete a trust.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trust_fetch_domains(Method): + __doc__ = _("Refresh list of the domains associated with the trust") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_find(Method): + __doc__ = _("Search for trusts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='realm', + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("realm")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_mod(Method): + __doc__ = _(""" +Modify a trust (for future use). + + Currently only the default option to modify the LDAP attributes is + available. More specific options will be added in coming releases. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_resolve(Command): + __doc__ = _("Resolve security identifiers of users and groups in trusted domains") + + NO_CLI = True + + takes_options = ( + parameters.Str( + 'sids', + multivalue=True, + label=_(u'Security Identifiers (SIDs)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.ListOfEntries( + 'result', + ), + ) + + +@register() +class trust_show(Method): + __doc__ = _("Display information about a trust.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_mod(Method): + __doc__ = _("Modify global trust configuration.") + + takes_options = ( + parameters.Str( + 'ipantfallbackprimarygroup', + required=False, + cli_name='fallback_primary_group', + label=_(u'Fallback primary group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_show(Method): + __doc__ = _("Show global trust configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_add(Method): + __doc__ = _("Allow access from the trusted domain") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_del(Method): + __doc__ = _("Remove infromation about the domain associated with the trust.") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + multivalue=True, + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trustdomain_disable(Method): + __doc__ = _("Disable use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_enable(Method): + __doc__ = _("Allow use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_find(Method): + __doc__ = _("Search domains of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='domain', + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("domain")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trustdomain_mod(Method): + __doc__ = _("Modify trustdomain of the trust") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_114/user.py b/ipaclient/remote_plugins/2_114/user.py new file mode 100644 index 000000000..c1751cd8d --- /dev/null +++ b/ipaclient/remote_plugins/2_114/user.py 
@@ -0,0 +1,1623 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Users + +Manage user entries. All users are POSIX users. + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + +Disabling a user account prevents that user from obtaining new Kerberos +credentials. It does not invalidate any credentials that have already +been issued. + +Password management is not a part of this module. For more information +about this topic please see: ipa help passwd + +Account lockout on password failure happens per IPA master. The user-status +command can be used to identify which master the user is locked out on. +It is on that master the administrator must unlock the user. 
+ +EXAMPLES: + + Add a new user: + ipa user-add --first=Tim --last=User --password tuser1 + + Find all users whose entries include the string "Tim": + ipa user-find Tim + + Find all users with "Tim" as the first name: + ipa user-find --first=Tim + + Disable a user account: + ipa user-disable tuser1 + + Enable a user account: + ipa user-enable tuser1 + + Delete a user: + ipa user-del tuser1 +""") + +register = Registry() + + +@register() +class user(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + 
required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + 
multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class user_add(Method): + __doc__ = _("Add a new user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + 
label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + autofill=True, + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + 
doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + 
required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'noprivate', + doc=_(u"Don't create user private group"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_del(Method): + __doc__ = _("Delete a user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class user_disable(Method): + __doc__ = _("Disable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_enable(Method): + __doc__ = _("Enable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_find(Method): + __doc__ = _("Search for users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + 
label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax 
Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'whoami', + label=_(u'Self'), + doc=_(u'Display user record for current Kerberos principal'), + default=False, 
+ autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users with 
these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_mod(Method): + __doc__ = _("Modify a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), 
+ parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, 
+ multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_show(Method): + __doc__ = _("Display information about a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_status(Method): + __doc__ = _(""" +Lockout status of a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. A locked account is a temporary condition and may be unlocked by + an administrator. + + This connects to each IPA master and displays the lockout status on + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. 
+ For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_unlock(Method): + __doc__ = _(""" +Unlock a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. A locked account is a temporary condition and may be unlocked by + an administrator. 
+ """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/__init__.py b/ipaclient/remote_plugins/2_156/__init__.py new file mode 100644 index 000000000..978635202 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/__init__.py @@ -0,0 +1,15 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ..compat import CompatCommand, CompatMethod, CompatObject + +Object = CompatObject + + +class Command(CompatCommand): + api_version = u'2.156' + + +class Method(Command, CompatMethod): + pass diff --git a/ipaclient/remote_plugins/2_156/aci.py b/ipaclient/remote_plugins/2_156/aci.py new file mode 100644 index 000000000..316abeb46 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/aci.py 
@@ -0,0 +1,812 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Directory Server Access Control Instructions (ACIs) + +ACIs are used to allow or deny access to information. This module is +currently designed to allow, not deny, access. + +The aci commands are designed to grant permissions that allow updating +existing entries or adding or deleting new ones. The goal of the ACIs +that ship with IPA is to provide a set of low-level permissions that +grant access to special groups called taskgroups. These low-level +permissions can be combined into roles that grant broader access. These +roles are another type of group, roles. + +For example, if you have taskgroups that allow adding and modifying users you +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. + +You can create ACIs that delegate permission so users in group A can write +attributes on group B. + +The type option is a map that applies to all entries in the users, groups or +host location. It is primarily designed to be used when granting add +permissions (to write new entries). + +An ACI consists of three parts: +1. target +2. permissions +3. bind rules + +The target is a set of rules that define which LDAP objects are being +targeted. This can include a list of attributes, an area of that LDAP +tree or an LDAP filter. + +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. 
This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant "add" permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the ACI is allowed to do, and are one or +more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +The bind rule defines who this ACI grants permissions to. The LDAP server +allows this to be any valid LDAP entry but we encourage the use of +taskgroups so that the rights can be easily shared through roles. + +For a more thorough description of access controls see +http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html + +EXAMPLES: + +NOTE: ACIs are now added via the permission plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). 
+ + Add an ACI so that the group "secretaries" can update the address on any user: + ipa group-add --desc="Office secretaries" secretaries + ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses" + + Show the new ACI: + ipa aci-show --prefix=none "Secretaries write addresses" + + Add an ACI that allows members of the "addusers" permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users" + + Add an ACI that allows members of the editors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins" + + Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors" + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss" + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange + + +The show command shows the raw 389-ds ACI. + +IMPORTANT: When modifying the target attributes of an existing ACI you +must include all existing attributes as well. When doing an aci-mod the +targetattr REPLACES the current attributes, it does not add to them. 
+""") + +register = Registry() + + +@register() +class aci(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + ), + ) + + +@register() +class aci_add(Method): + __doc__ = _("Create new ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'test', + required=False, + doc=_(u"Test the ACI syntax but don't write anything"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_del(Method): + __doc__ = _("Delete ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_find(Method): + __doc__ = _(""" +Search for ACIs. + + Returns a list of ACIs + + EXAMPLES: + + To find all ACIs that apply directly to members of the group ipausers: + ipa aci-find --memberof=ipausers + + To find all ACIs that grant add access: + ipa aci-find --permissions=add + + Note that the find command only looks for the given text in the set of + ACIs, it does not evaluate the ACIs to see if something would apply. + For example, searching on memberof=ipausers will find all ACIs that + have ipausers as a memberof. There may be other ACIs that apply to + members of that group indirectly. 
+ """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Bool( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + ), + parameters.Str( + 'aciprefix', + required=False, + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class aci_mod(Method): + __doc__ = _("Modify ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_rename(Method): + __doc__ = _("Rename an ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Str( + 'newname', + doc=_(u'New ACI name'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_show(Method): + __doc__ = _("Display a single ACI given an ACI name.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.DNParam( + 'location', + required=False, + label=_(u'Location of the ACI'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/automember.py b/ipaclient/remote_plugins/2_156/automember.py new file mode 100644 index 000000000..09b5a8d01 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/automember.py 
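Review bot: The module docstring's EXAMPLES section walks through `ipa aci-add`, `ipa aci-show` and the other aci-* invocations, yet every Method in this hunk (`aci_add`, `aci_del`, `aci_find`, `aci_mod`, `aci_rename`, `aci_show`) sets `NO_CLI = True`, so none of those commands is reachable from the CLI this file is bundled for; the closing NOTE hints at this but never says the commands are API-only. I would add one sentence after that NOTE: `The aci-* commands are not exposed on the command line (NO_CLI); manage ACIs through the permission, delegation and selfservice plugins instead.` A second point worth a header comment: choice-valued options such as `type` and `aciprefix` are plain `parameters.Str` whose allowed values appear only in `cli_metavar`, and `filter`/`subtree` are free-form strings, so as far as this hunk shows nothing on the client rejects an out-of-set value or a malformed LDAP filter — the server is the sole validator, which is acceptable for a compat shim but should be stated so nobody later treats these definitions as an input-validation boundary. If these files are generated snapshots of the server plugins, both wording fixes belong in the server-side `aci` module so they survive regeneration.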
@@ -0,0 +1,827 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Auto Membership Rule. + +Bring clarity to the membership of hosts and users by configuring inclusive +or exclusive regex patterns, you can automatically assign a new entries into +a group or hostgroup based upon attribute information. + +A rule is directly associated with a group by name, so you cannot create +a rule without an accompanying group or hostgroup. + +A condition is a regular expression used by 389-ds to match a new incoming +entry with an automember rule. If it matches an inclusive rule then the +entry is added to the appropriate group or hostgroup. + +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + +The automember-rebuild command can be used to retroactively run automember rules +against existing entries, thus rebuilding their membership. 
+ +EXAMPLES: + + Add the initial group or hostgroup: + ipa hostgroup-add --desc="Web Servers" webservers + ipa group-add --desc="Developers" devel + + Add the initial rule: + ipa automember-add --type=hostgroup webservers + ipa automember-add --type=group devel + + Add a condition to the rule: + ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel + + Add an exclusive condition to the rule to prevent auto assignment: + ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers + + Add a host: + ipa host-add web1.example.com + + Add a user: + ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott + + Verify automembership: + ipa hostgroup-show webservers + Host-group: webservers + Description: Web Servers + Member hosts: web1.example.com + + ipa group-show devel + Group name: devel + Description: Developers + GID: 1004200000 + Member users: tuser + + Remove a condition from the rule: + ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + + Modify the automember rule: + ipa automember-mod + + Set the default (fallback) target group: + ipa automember-default-group-set --default-group=webservers --type=hostgroup + ipa automember-default-group-set --default-group=ipausers --type=group + + Remove the default (fallback) target group: + ipa automember-default-group-remove --type=hostgroup + ipa automember-default-group-remove --type=group + + Show the default (fallback) target group: + ipa automember-default-group-show --type=hostgroup + ipa automember-default-group-show --type=group + + Find all of the automember rules: + ipa automember-find + + Display a automember rule: + ipa automember-show --type=hostgroup webservers + ipa automember-show --type=group devel + + Delete an automember rule: + ipa 
automember-del --type=hostgroup webservers + ipa automember-del --type=group devel + + Rebuild membership for all users: + ipa automember-rebuild --type=group + + Rebuild membership for all hosts: + ipa automember-rebuild --type=hostgroup + + Rebuild membership for specified users: + ipa automember-rebuild --users=tuser1 --users=tuser2 + + Rebuild membership for specified hosts: + ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com +""") + +register = Registry() + + +@register() +class automember(Object): + takes_params = ( + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + required=False, + label=_(u'Default (fallback) Group'), + doc=_(u'Default group for entries to land'), + ), + ) + + +@register() +class automember_add(Method): + __doc__ = _("Add an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_add_condition(Method): + __doc__ = _("Add conditions to an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions added'), + ), + ) + + +@register() +class automember_default_group_remove(Method): + __doc__ = _("Remove default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_set(Method): + __doc__ = _("Set default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + cli_name='default_group', + label=_(u'Default (fallback) Group'), + doc=_(u'Default (fallback) group for entries to land'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_show(Method): + __doc__ = _("Display information about the default (fallback) automember groups.") + + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_del(Method): + __doc__ = _("Delete an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automember_find(Method): + __doc__ = _("Search for automember rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automember_mod(Method): + __doc__ = _("Modify an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_rebuild(Command): + __doc__ = _("Rebuild auto membership.") + + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['group', 'hostgroup']", + label=_(u'Rebuild membership for all members of a grouping'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Str( + 'users', + required=False, + multivalue=True, + label=_(u'Users'), + doc=_(u'Rebuild membership for specified users'), + ), + parameters.Str( + 'hosts', + required=False, + multivalue=True, + label=_(u'Hosts'), + doc=_(u'Rebuild membership for specified hosts'), + ), + parameters.Flag( + 'no_wait', + required=False, + label=_(u'No wait'), + doc=_(u"Don't wait for rebuilding membership"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_remove_condition(Method): + __doc__ = _("Remove conditions from an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions removed'), + ), + ) + + +@register() +class automember_show(Method): + __doc__ = _("Display information about an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/automount.py b/ipaclient/remote_plugins/2_156/automount.py new file mode 100644 index 000000000..334cec034 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/automount.py 
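Review bot: The module docstring near the top of the automember.py hunk embeds the regex examples `--inclusive-regex=^web[1-9]+\.example\.com` and `--exclusive-regex=^web5\.example\.com` inside a plain (non-raw) triple-quoted string, so `\.` is an unrecognised escape sequence; the interpreter keeps it literally today, but newer Python releases warn on it, and a regeneration should either make the string raw or double the backslashes. Since this file appears to be bundled from the server-side plugin definition, the correction belongs in the source the bundle is produced from rather than in a hand edit here. Separately, the `type` option is declared as `parameters.Str('type', cli_metavar="['group', 'hostgroup']", ...)` on every command, so the listed choices are documentation only on the client side and the server presumably remains the authority that rejects other values; a one-line comment near the `register = Registry()` line stating that would stop a reader from taking the metavar for client-side validation.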
@@ -0,0 +1,1228 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Automount + +Stores automount(8) configuration for autofs(8) in IPA. + +The base of an automount configuration is the configuration file auto.master. +This is also the base location in IPA. Multiple auto.master configurations +can be stored in separate locations. A location is implementation-specific +with the default being a location named 'default'. For example, you can have +locations by geographic region, by floor, by type, etc. + +Automount has three basic object types: locations, maps and keys. + +A location defines a set of maps anchored in auto.master. This allows you +to store multiple automount configurations. A location in itself isn't +very interesting, it is just a point to start a new automount map. + +A map is roughly equivalent to a discrete automount file and provides +storage for keys. + +A key is a mount point associated with a map. + +When a new location is created, two maps are automatically created for +it: auto.master and auto.direct. auto.master is the root map for all +automount maps for the location. auto.direct is the default map for +direct mounts and is mounted on /-. + +An automount map may contain a submount key. This key defines a mount +location within the map that references another map. This can be done +either using automountmap-add-indirect --parentmap or manually +with automountkey-add and setting info to "-type=autofs :". 
+ +EXAMPLES: + +Locations: + + Create a named location, "Baltimore": + ipa automountlocation-add baltimore + + Display the new location: + ipa automountlocation-show baltimore + + Find available locations: + ipa automountlocation-find + + Remove a named automount location: + ipa automountlocation-del baltimore + + Show what the automount maps would look like if they were in the filesystem: + ipa automountlocation-tofiles baltimore + + Import an existing configuration into a location: + ipa automountlocation-import baltimore /etc/auto.master + + The import will fail if any duplicate entries are found. For + continuous operation where errors are ignored, use the --continue + option. + +Maps: + + Create a new map, "auto.share": + ipa automountmap-add baltimore auto.share + + Display the new map: + ipa automountmap-show baltimore auto.share + + Find maps in the location baltimore: + ipa automountmap-find baltimore + + Create an indirect map with auto.share as a submount: + ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man + + This is equivalent to: + + ipa automountmap-add-indirect baltimore --mount=/man auto.man + ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share" + + Remove the auto.share map: + ipa automountmap-del baltimore auto.share + +Keys: + + Create a new key for the auto.share map in location baltimore. 
This ties + the map we previously created to auto.master: + ipa automountkey-add baltimore auto.master --key=/share --info=auto.share + + Create a new key for our auto.share map, an NFS mount for man pages: + ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" + + Find all keys for the auto.share map: + ipa automountkey-find baltimore auto.share + + Find all direct automount keys: + ipa automountkey-find baltimore --key=/- + + Remove the man key from the auto.share map: + ipa automountkey-del baltimore auto.share --key=man +""") + +register = Registry() + + +@register() +class automountkey(Object): + takes_params = ( + parameters.Str( + 'automountkey', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + label=_(u'Mount information'), + ), + parameters.Str( + 'description', + required=False, + primary_key=True, + label=_(u'description'), + exclude=('webui', 'cli'), + ), + ) + + +@register() +class automountlocation(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + + +@register() +class automountmap(Object): + takes_params = ( + parameters.Str( + 'automountmapname', + primary_key=True, + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class automountkey_add(Method): + __doc__ = _("Create a new automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + 
parameters.Str( + 'automountinformation', + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_del(Method): + __doc__ = _("Delete an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountkey_find(Method): + __doc__ = _("Search for an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in 
seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountkey_mod(Method): + __doc__ = _("Modify an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'newautomountinformation', + required=False, + cli_name='newinfo', + label=_(u'New mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the automount key object'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_show(Method): + __doc__ = _("Display an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_add(Method): + __doc__ = _("Create a new automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_del(Method): + __doc__ = _("Delete an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountlocation_find(Method): + __doc__ = _("Search for an automount location.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("location")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountlocation_show(Method): + __doc__ = _("Display an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_tofiles(Method): + __doc__ = _("Generate automount files for a specific location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class automountmap_add(Method): + __doc__ = _("Create a new automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_add_indirect(Method): + __doc__ = _("Create a new indirect mount point.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'key', + cli_name='mount', + label=_(u'Mount point'), + ), + parameters.Str( + 'parentmap', + required=False, + label=_(u'Parent map'), + doc=_(u'Name of parent automount map (default: auto.master).'), + default=u'auto.master', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_del(Method): + __doc__ = _("Delete an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + multivalue=True, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountmap_find(Method): + __doc__ = _("Search for an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountmapname', + required=False, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("map")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountmap_mod(Method): + __doc__ = _("Modify an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_show(Method): + __doc__ = _("Display an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
new file mode 100644
index 000000000..4a613b677
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/batch.py
@@ -0,0 +1,71 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugin to make multiple ipa calls via one remote procedure call
+
+To run this code in the lite-server
+
+curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json
+
+where the contents of the file batch_request.json follow the below example
+
+{"method":"batch","params":[[
+ {"method":"group_find","params":[[],{}]},
+ {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]},
+ {"method":"user_show","params":[["admin"],{"all":true}]}
+ ],{}],"id":1}
+
+The format of the response is nested the same way. At the top you will see
+ "error": null,
+ "id": 1,
+ "result": {
+ "count": 3,
+ "results": [
+
+
+And then a nested response for each IPA command method sent in the request
+""")
+
+register = Registry()
+
+
+@register()
+class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'methods',
+ required=False,
+ multivalue=True,
+ doc=_(u'Nested Methods to execute'),
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'count',
+ int,
+ ),
+ output.Output(
+ 'results',
+ (list, tuple),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/caacl.py b/ipaclient/remote_plugins/2_156/caacl.py
new file mode 100644
index 000000000..09cfc4b65
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/caacl.py
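Review bot: `methods` is declared as `parameters.Str(multivalue=True)` while the module docstring directly above shows its elements as JSON objects (`{"method":"group_find","params":[[],{}]}`), so a maintainer reading this bundled definition cannot tell whether the client forwards those dicts untouched or would reject them during parameter conversion, and since `NO_CLI = True` hides the command from the CLI nothing on this side exercises it. If, as the commit message suggests, this file mirrors the server's interface verbatim, a comment on the parameter saying so would prevent a well-meaning "fix" of the type: `# Mirrors the server schema: nested calls are passed through as-is and are validated server-side.` Whether this snapshot is hand-maintained or generated cannot be told from here; if it is generated, the note belongs in the generator rather than in this file.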
@@ -0,0 +1,1155 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + +@register() +class caacl(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + 
doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'ipamembercertprofile_certprofile', + required=False, + label=_(u'Profiles'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'memberservice_service', + required=False, + label=_(u'Services'), + ), + ) + + +@register() +class caacl_add(Method): + __doc__ = _("Create a new CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an 
attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_profile(Method): + __doc__ = _("Add profiles to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_service(Method): + __doc__ = _("Add services to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_user(Method): + __doc__ = _("Add users and groups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_del(Method): + __doc__ = _("Delete a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class caacl_disable(Method): + __doc__ = _("Disable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class caacl_enable(Method): + __doc__ = _("Enable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_find(Method): + __doc__ = _("Search for CA ACLs.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in 
seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class caacl_mod(Method): + __doc__ = _("Modify a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User 
category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_profile(Method): + __doc__ = _("Remove profiles from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_service(Method): + __doc__ = _("Remove services from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_user(Method): + __doc__ = _("Remove users and groups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_show(Method): + __doc__ = _("Display the properties of a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/cert.py b/ipaclient/remote_plugins/2_156/cert.py new file mode 100644 index 000000000..de760fdcb --- /dev/null +++ b/ipaclient/remote_plugins/2_156/cert.py 
@@ -0,0 +1,382 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +The dogtag CA uses just the CN value of the CSR and forces the rest of the +subject to values configured in the server. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +SEARCHING: + +Certificates may be searched on by certificate subject, serial number, +revocation reason, validity dates and the issued date. + +When searching on dates the _from date does a >= search and the _to date +does a <= search. When combined these are done as an AND. + +Dates are treated as GMT to match the dates in the certificates. + +The date format is YYYY-mm-dd. 
+ +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + + Search for certificates by hostname: + ipa cert-find --subject=ipaserver.example.com + + Search for revoked certificates by reason: + ipa cert-find --revocation-reason=5 + + Search for certificates based on issuance date + ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. + +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class ca_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the CA service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cert_find(Command): + __doc__ = _("Search for existing certificates.") + + takes_options = ( + parameters.Str( + 'subject', + required=False, + label=_(u'Subject'), + ), + parameters.Int( + 'revocation_reason', + required=False, + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + ), + parameters.Int( + 'min_serial_number', + required=False, + doc=_(u'minimum serial number'), + ), + parameters.Int( + 'max_serial_number', + required=False, + doc=_(u'maximum serial number'), + ), + parameters.Flag( + 'exactly', + required=False, + doc=_(u'match the common name exactly'), + default=False, + autofill=True, + ), + parameters.Str( + 'validnotafter_from', + required=False, + doc=_(u'Valid not after from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotafter_to', + required=False, + doc=_(u'Valid not after to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_from', + required=False, + doc=_(u'Valid not before from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_to', + required=False, + doc=_(u'Valid not before to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_from', + required=False, + doc=_(u'Issued on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_to', + required=False, + doc=_(u'Issued on to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_from', + required=False, + doc=_(u'Revoked on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_to', + required=False, + doc=_(u'Revoked on to this date (YYYY-mm-dd)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of certs returned'), + default=100, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Principal for this certificate (e.g. 
HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + parameters.Str( + 'profile_id', + required=False, + label=_(u'Profile ID'), + doc=_(u'Certificate Profile to use'), + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_156/certprofile.py b/ipaclient/remote_plugins/2_156/certprofile.py new file mode 100644 index 000000000..b612342a1 --- /dev/null 
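Review bot: `revocation_reason` in `cert_find` and `cert_revoke` is declared as a bare `parameters.Int` although its own doc string and the module docstring promise the RFC 5280 range 0-10 with code 7 unused, so the bundled client carries no `minvalue`/`maxvalue` and an out-of-range or reserved reason is rejected only by the server. If the schema generator dropped those bounds from the server definition, re-add `minvalue=0, maxvalue=10,` to both parameters; if the 2.156 server genuinely lacks them the mirror must stay as is, but then the doc should say the server is the only check. Separately, `csr` in `cert_request` is a `Str` with `cli_name='csr_file'` and `no_convert=True`, and nothing in this hunk reads the named file — presumably a client-side override retypes it to a `File` parameter; a one-line comment such as `# 'csr' is the CSR text on the wire; the CLI override loads it from --csr-file` would spare the next reader the search. The same applies to the `out` option of `cert_show`, which is only a `Str` here.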
+++ b/ipaclient/remote_plugins/2_156/certprofile.py 
@@ -0,0 +1,431 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \ + --file UserCert.profile --desc "User Certificates" \ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Save profile configuration to a file: + ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +PROFILE CONFIGURATION FORMAT: + +The profile configuration format is the raw property-list format +used by Dogtag Certificate System. The XML format is not supported. + +The following restrictions apply to profiles managed by FreeIPA: + +- When importing a profile the "profileId" field, if present, must + match the ID given on the command line. 
+ +- The "classId" field must be set to "caEnrollImpl" + +- The "auth.instance_id" field must be set to "raCertAuth" + +- The "certReqInputImpl" input class and "certOutputImpl" output + class must be used. +""") + +register = Registry() + + +@register() +class certprofile(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + parameters.Str( + 'description', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + ), + ) + + +@register() +class certprofile_del(Method): + __doc__ = _("Delete a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class certprofile_find(Method): + __doc__ = _("Search for Certificate Profiles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 
'ipacertprofilestoreissued', + required=False, + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("id")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class certprofile_import(Method): + __doc__ = _("Import a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + 
parameters.Str( + 'file', + label=_(u'Filename of a raw profile. The XML format is not supported.'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class certprofile_mod(Method): + __doc__ = _("Modify Certificate Profile configuration.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + required=False, + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'file', + required=False, + label=_(u'File containing profile configuration'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class certprofile_show(Method): + __doc__ = _("Display the properties of a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'Write profile configuration to file'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/config.py b/ipaclient/remote_plugins/2_156/config.py new file mode 100644 index 000000000..a1f17ab5b --- /dev/null +++ b/ipaclient/remote_plugins/2_156/config.py 
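Review bot: The `cn` argument of `certprofile_import`, `certprofile_mod`, `certprofile_show`, `certprofile_del` and `certprofile_find` is a plain `parameters.Str`, while the module docstring's PROFILE ID SYNTAX section restricts it to a letter followed by letters, digits or underscore; no `pattern` is declared, so the bundled client validates nothing and a malformed ID is only caught server-side, which is also where the profile ends up in Dogtag. If the generator dropped a `pattern`/`pattern_errmsg` from the server's definition, restore it on the `certprofile` object's `cn` (and on the method arguments that mirror it); otherwise the docstring should state that the server enforces the syntax. The `file` option of `certprofile_import` and `certprofile_mod` is likewise a `Str` labelled as a filename with nothing in this hunk reading the file, so presumably a client-side override handles the read; a short comment saying so would help.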
@@ -0,0 +1,408 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Server configuration + +Manage the default values that IPA uses and some of its tuning parameters. + +NOTES: + +The password notification value (--pwdexpnotify) is stored here so it will +be replicated. It is not currently used to notify users in advance of an +expiring password. + +Some attributes are read-only, provided only for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plug-in features: currently defines additional hashes that the + password will generate (there may be other conditions). + +When setting the order list for mapping SELinux users you may need to +quote the value so it isn't interpreted by the shell. 
+ +EXAMPLES: + + Show basic server configuration: + ipa config-show + + Show all configuration options: + ipa config-show --all + + Change maximum username length to 99 characters: + ipa config-mod --maxusername=99 + + Increase default time and size limits for maximum IPA server search: + ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000 + + Set default user e-mail domain: + ipa config-mod --emaildomain=example.com + + Enable migration mode to make "ipa migrate-ds" command operational: + ipa config-mod --enable-migration=TRUE + + Define SELinux user map order: + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' +""") + +register = Registry() + + +@register() +class config(Object): + takes_params = ( + parameters.Int( + 'ipamaxusernamelength', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when 
searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + label=_(u'Enable migration mode'), + ), + parameters.DNParam( + 'ipacertificatesubjectbase', + label=_(u'Certificate Subject base'), + doc=_(u'Base for certificate subjects (OU=Test,O=Example)'), + ), + parameters.Str( + 'ipagroupobjectclasses', + multivalue=True, + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + multivalue=True, + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + ) + + +@register() +class config_mod(Method): + __doc__ = _("Modify configuration options.") + + takes_options = ( + parameters.Int( + 'ipamaxusernamelength', + required=False, + cli_name='maxusername', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + required=False, + 
cli_name='homedirectory', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + required=False, + cli_name='defaultshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + required=False, + cli_name='defaultgroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + cli_name='emaildomain', + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + required=False, + cli_name='searchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + required=False, + cli_name='searchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + required=False, + cli_name='usersearch', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + required=False, + cli_name='groupsearch', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + required=False, + cli_name='enable_migration', + label=_(u'Enable migration mode'), + ), + parameters.Str( + 'ipagroupobjectclasses', + required=False, + multivalue=True, + cli_name='groupobjectclasses', + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + required=False, + multivalue=True, + cli_name='userobjectclasses', + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated 
list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + required=False, + cli_name='pwdexpnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']", + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + required=False, + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']", + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp', 'disabled']", + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class config_show(Method): + __doc__ = _("Show the current configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_156/delegation.py b/ipaclient/remote_plugins/2_156/delegation.py new file mode 100644 index 000000000..87496117f --- /dev/null +++ b/ipaclient/remote_plugins/2_156/delegation.py 
@@ -0,0 +1,383 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +Group to Group Delegations grants the members of one group to update a set +of attributes of members of another group. + +EXAMPLES: + + Add a delegation rule to allow managers to edit employee's addresses: + ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add postalCode to the list: + ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street" + + Display our updated rule: + ipa delegation-show "managers edit employees' street" + + Delete a rule: + ipa delegation-del "managers edit employees' street" +""") + +register = Registry() + + +@register() +class delegation(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + ), + parameters.Str( + 'memberof', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + ) + + +@register() +class delegation_add(Method): + __doc__ = _("Add a new delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_del(Method): + __doc__ = _("Delete a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_find(Method): + __doc__ = _("Search for delegations.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class delegation_mod(Method): + __doc__ = _("Modify a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_show(Method): + __doc__ = _("Display information about a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py new file mode 100644 index 000000000..39a0b2695 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/dns.py 
@@ -0,0 +1,5148 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Domain Name System (DNS) + +Manage DNS zone and resource records. + +SUPPORTED ZONE TYPES + + * Master zone (dnszone-*), contains authoritative data. + * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders + (a set of DNS servers). + +USING STRUCTURED PER-TYPE OPTIONS + +There are many structured DNS RR types where DNS data stored in LDAP server +is not just a scalar value, for example an IP address or a domain name, but +a data structure which may be often complex. A good example is a LOC record +[RFC1876] which consists of many mandatory and optional parts (degrees, +minutes, seconds of latitude and longitude, altitude or precision). + +It may be difficult to manipulate such DNS records without making a mistake +and entering an invalid value. DNS module provides an abstraction over these +raw records and allows to manipulate each RR type with specific options. For +each supported RR type, DNS module provides a standard option to manipulate +a raw records with format ---rec, e.g. --mx-rec, and special options +for every part of the RR structure with format ---, e.g. +--mx-preference and --mx-exchanger. + +When adding a record, either RR specific options or standard option for a raw +value can be used, they just should not be combined in one add operation. When +modifying an existing entry, new RR specific options can be used to change +one part of a DNS record, where the standard option for raw value is used +to specify the modified value. 
The following example demonstrates +a modification of MX record preference from 0 to 1 in a record without +modifying the exchanger: +ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1 + + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --admin-email=admin@example.com + + Add system permission that can be used for per-zone privilege delegation: + ipa dnszone-add-permission example.com + + Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: + ipa dnszone-mod example.com --dynamic-update=TRUE + + This is the equivalent of: + ipa dnszone-mod example.com --dynamic-update=TRUE \ + --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;" + + Modify the zone to allow zone transfers for local network only: + ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24 + + Add new reverse zone specified by network IP address: + ipa dnszone-add --name-from-ip=192.0.2.0/24 + + Add second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com + + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec="10 mail1" + + Add another record using MX record specific options: + ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2 + + Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, + or dnsrecord-del are executed with no options): + ipa dnsrecord-add example.com @ + Please choose a type of DNS resource record to be added + The most common types for this type of zone are: NS, MX, LOC + + DNS resource record type: MX + MX Preference: 30 + MX Exchanger: mail3 + Record name: example.com + MX record: 10 mail1, 20 mail2, 30 mail3 + NS record: nameserver.example.com., nameserver2.example.com. + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com. 
+ + Add LOC record for example.com: + ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m" + + Add new A record for www.example.com. Create a reverse record in appropriate + reverse zone as well. In this case a PTR record "2" pointing to www.example.com + will be created in zone 2.0.192.in-addr.arpa. + ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse + + Add new PTR record for www.example.com + ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com. + + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + + The interactive mode can be used for easy modification: + ipa dnsrecord-mod example.com _ldap._tcp + No option to modify specific record provided. + Current DNS record contents: + + SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com + + Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No): + Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y + SRV Priority [0]: (keep the default value) + SRV Weight [1]: 2 (modified value) + SRV Port [389]: (keep the default value) + SRV Target [slow.example.com]: (keep the default value) + 1 SRV record skipped. Only one value per DNS record type can be modified at one time. + Record name: _ldap._tcp + SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com + + After this modification, three fifths of the requests should go to + fast.example.com and two fifths to slow.example.com. 
+ + An example of the interactive mode for dnsrecord-del command: + ipa dnsrecord-del example.com www + No option to delete specific record provided. + Delete all? Yes/No (default No): (do not delete all records) + Current DNS record contents: + + A record: 192.0.2.2, 192.0.2.3 + + Delete A record '192.0.2.2'? Yes/No (default No): + Delete A record '192.0.2.3'? Yes/No (default No): y + Record name: www + A record: 192.0.2.2 (A record 192.0.2.3 has been deleted) + + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in its domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 192.0.2.2 in zone example.com + ipa dnsrecord-find example.com --a-rec=192.0.2.2 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delegate zone sub.example to another nameserver: + ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1 + ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com. + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + If a global forwarder is configured, all queries for which this server is not + authoritative (e.g. sub.example.com) will be routed to the global forwarder. + Global forwarding configuration can be overridden per-zone. + + Semantics of forwarding in IPA matches BIND semantics and depends on the type + of zone: + * Master zone: local BIND replies authoritatively to queries for data in + the given zone (including authoritative NXDOMAIN answers) and forwarding + affects only queries for names below zone cuts (NS records) of locally + served zones. + + * Forward zone: forward zone contains no authoritative data. BIND forwards + queries, which cannot be answered from its local cache, to configured + forwarders. + + Semantics of the --forwarder-policy option: + * none - disable forwarding for the given zone. 
+ * first - forward all queries to configured forwarders. If they fail, + do resolution using DNS root servers. + * only - forward all queries to configured forwarders and if they fail, + return failure. + + Disable global forwarding for given sub-tree: + ipa dnszone-mod example.com --forward-policy=none + + This configuration forwards all queries for names outside the example.com + sub-tree to global forwarders. Normal recursive resolution process is used + for names inside the example.com sub-tree (i.e. NS records are followed etc.). + + Forward all requests for the zone external.example.com to another forwarder + using a "first" policy (it will send the queries to the selected forwarder + and if not answered it will use global root servers): + ipa dnsforwardzone-add external.example.com --forward-policy=first \ + --forwarder=203.0.113.1 + + Change forward-policy for external.example.com: + ipa dnsforwardzone-mod external.example.com --forward-policy=only + + Show forward zone external.example.com: + ipa dnsforwardzone-show external.example.com + + List all forward zones: + ipa dnsforwardzone-find + + Delete forward zone external.example.com: + ipa dnsforwardzone-del external.example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + +GLOBAL DNS CONFIGURATION + +DNS configuration passed to command line install script is stored in a local +configuration file on each IPA server where DNS service is configured. 
These +local settings can be overridden with a common configuration stored in LDAP +server: + + Show global DNS configuration: + ipa dnsconfig-show + + Modify global DNS configuration and set a list of global forwarders: + ipa dnsconfig-mod --forwarder=203.0.113.113 +""") + +register = Registry() + + +@register() +class dnsconfig(Object): + takes_params = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + label=_(u'Zone refresh interval'), + ), + ) + + +@register() +class dnsforwardzone(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + ) + + +@register() +class dnsrecord(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'dnsrecords', + required=False, + label=_(u'Records'), + ), + parameters.Str( + 'dnstype', + required=False, + label=_(u'Record type'), + ), + parameters.Str( + 'dnsdata', + required=False, + label=_(u'Record data'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + label=_(u'AFSDB 
Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + label=_(u'APL record'), + doc=_(u'Raw APL records'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 
'dname_part_target', + required=False, + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + ), + parameters.Decimal( + 'loc_part_size', + required=False, + label=_(u'LOC Size'), + doc=_(u'Size'), + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + label=_(u'MX record'), + doc=_(u'Raw 
MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + ), + parameters.Str( + 'naptr_part_service', + required=False, + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG 
records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + label=_(u'RP record'), + doc=_(u'Raw RP records'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 
'tlsa_part_matching_type', + required=False, + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + label=_(u'TLSA Certificate Association Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + ) + + +@register() +class dnszone(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + label=_(u'Administrator e-mail address'), + ), + parameters.Int( + 'idnssoaserial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + ), + parameters.Int( + 'idnssoarefresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + ), + parameters.Int( + 'idnssoaretry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + ), + parameters.Int( + 'idnssoaexpire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + ), + parameters.Int( + 'idnssoaminimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + label=_(u'BIND update policy'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + ), + parameters.Str( + 'idnsallowquery', + required=False, + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC 
signing of records in the zone'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + ) + + +@register() +class dns_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the DNS service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dns_resolve(Command): + __doc__ = _("Resolve a host name in DNS.") + + takes_args = ( + parameters.Str( + 'hostname', + label=_(u'Hostname'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_mod(Method): + __doc__ = _("Modify global DNS configuration.") + + takes_options = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. 
Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + deprecated=True, + cli_name='zone_refresh', + label=_(u'Zone refresh interval'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_show(Method): + __doc__ = _("Show the current global DNS configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add(Method): + __doc__ = _("Create new DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add_permission(Method): + __doc__ = _("Add a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_del(Method): + __doc__ = _("Delete DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsforwardzone_disable(Method): + __doc__ = _("Disable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: 
_reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_enable(Method): + __doc__ = _("Enable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_find(Method): + __doc__ = _("Search for DNS forward zones.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsforwardzone_mod(Method): + __doc__ = _("Modify DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_remove_permission(Method): + __doc__ = _("Remove a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_show(Method): + __doc__ = _("Display information about a DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_add(Method): + __doc__ = _("Add new DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + cli_name='a_create_reverse', + option_group=u'A Record', + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + 
cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + cli_name='aaaa_create_reverse', + option_group=u'AAAA Record', + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key 
Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + cli_name='dlv_key_tag', + option_group=u'DLV Record', + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + cli_name='dlv_algorithm', + option_group=u'DLV Record', + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + cli_name='dlv_digest_type', + option_group=u'DLV Record', + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + cli_name='dlv_digest', + option_group=u'DLV Record', + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + 
multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + 
parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + 
), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + 
option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV 
Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + option_group=u'TLSA Record', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + cli_name='tlsa_cert_usage', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + cli_name='tlsa_selector', + option_group=u'TLSA Record', + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + cli_name='tlsa_matching_type', + option_group=u'TLSA Record', + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + cli_name='tlsa_cert_association_data', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Association 
Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force NS record creation even if its hostname is not in DNS'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_del(Method): + __doc__ = _("Delete DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + 
label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + 
doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Flag( + 'del_all', + label=_(u'Delete all associated records'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + 
output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsrecord_delentry(Method): + __doc__ = _("Delete DNS record entry.") + + NO_CLI = True + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsrecord_find(Method): + __doc__ = _("Search for DNS resources.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + 
cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + 
multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsrecord_mod(Method): + __doc__ = _("Modify a DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + 
required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 
'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + cli_name='dlv_key_tag', + option_group=u'DLV Record', + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + cli_name='dlv_algorithm', + option_group=u'DLV Record', + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + cli_name='dlv_digest_type', + option_group=u'DLV Record', + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + cli_name='dlv_digest', + option_group=u'DLV Record', + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 'dname_part_target', + required=False, + cli_name='dname_target', + 
option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + 
doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + 
option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV 
Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + option_group=u'TLSA Record', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + cli_name='tlsa_cert_usage', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + cli_name='tlsa_selector', + option_group=u'TLSA Record', + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + cli_name='tlsa_matching_type', + option_group=u'TLSA Record', + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + cli_name='tlsa_cert_association_data', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Association 
Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.DNSNameParam( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the DNS resource record object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_show(Method): + __doc__ = _("Display DNS resource.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add(Method): + __doc__ = _("Create new DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + autofill=True, + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. 
+ # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + autofill=True, + ), + parameters.Int( + 'idnssoarefresh', + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + autofill=True, + ), + parameters.Int( + 'idnssoaretry', + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + autofill=True, + ), + parameters.Int( + 'idnssoaexpire', + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + autofill=True, + ), + parameters.Int( + 'idnssoaminimum', + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + autofill=True, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + autofill=True, + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + autofill=True, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + 
required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + autofill=True, + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add_permission(Method): + __doc__ = _("Add a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_del(Method): + __doc__ = _("Delete DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class 
dnszone_disable(Method): + __doc__ = _("Disable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_enable(Method): + __doc__ = _("Enable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_find(Method): + __doc__ = _("Search for DNS zones (SOA records).") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'forward_only', + label=_(u'Forward zones only'), + doc=_(u'Search for forward zones only'), + 
default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnszone_mod(Method): + __doc__ = _("Modify DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. 
Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. 
+ # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + 
required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force nameserver change even if nameserver not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_remove_permission(Method): + __doc__ = _("Remove a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_show(Method): + __doc__ = _("Display information about a DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/domainlevel.py b/ipaclient/remote_plugins/2_156/domainlevel.py new file mode 100644 index 000000000..5e06114cc --- /dev/null +++ b/ipaclient/remote_plugins/2_156/domainlevel.py @@ -0,0 +1,64 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Raise the IPA Domain Level. +""") + +register = Registry() + + +@register() +class domainlevel_get(Command): + __doc__ = _("Query current Domain Level.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + int, + doc=_(u'Current domain level:'), + ), + ) + + +@register() +class domainlevel_set(Command): + __doc__ = _("Change current Domain Level.") + + NO_CLI = True + + takes_args = ( + parameters.Int( + 'ipadomainlevel', + cli_name='level', + label=_(u'Domain Level'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + int, + doc=_(u'Current domain level:'), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/group.py b/ipaclient/remote_plugins/2_156/group.py new file mode 100644 index 000000000..ed57c4caa 
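Review bot: The module header of the new `ipaclient/remote_plugins/2_156/domainlevel.py` imports `Method`, `Object`, `api`, `DefaultFrom`, `DN` and `DNSName`, none of which the module references, and the file-wide `# pylint: disable=unused-import` that covers them also silences that check for everything that follows; the group.py and hbacrule.py hunks repeat the same header. If the header is stamped out by a template for every bundled API version, scoping the disable to the import block — `# pylint: disable=unused-import` before the imports and `# pylint: enable=unused-import` after `from ipapython.dnsutil import DNSName` — keeps the lint active for the class definitions. Separately, `domainlevel_set` declares `ipadomainlevel` as a bare `parameters.Int` with no `minvalue`; whether the server-side definition carries a bound I cannot tell from here, but as bundled the client forwards any integer and relies on the server to reject out-of-range levels.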
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/group.py
@@ -0,0 +1,912 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of users + +Manage groups of users. By default, new groups are POSIX groups. You +can add the --nonposix option to the group-add command to mark a new group +as non-POSIX. You can use the --posix argument with the group-mod command +to convert a non-POSIX group into a POSIX group. POSIX groups cannot be +converted to non-POSIX groups. + +Every group must have a description. + +POSIX groups must have a Group ID (GID) number. Changing a GID is +supported but can have an impact on your file permissions. It is not necessary +to supply a GID when creating a group. IPA will generate one automatically +if it is not provided. 
+ +EXAMPLES: + + Add a new group: + ipa group-add --desc='local administrators' localadmins + + Add a new non-POSIX group: + ipa group-add --nonposix --desc='remote administrators' remoteadmins + + Convert a non-POSIX group to posix: + ipa group-mod --posix remoteadmins + + Add a new POSIX group with a specific Group ID number: + ipa group-add --gid=500 --desc='unix admins' unixadmins + + Add a new POSIX group and let IPA assign a Group ID number: + ipa group-add --desc='printer admins' printeradmins + + Remove a group: + ipa group-del unixadmins + + To add the "remoteadmins" group to the "localadmins" group: + ipa group-add-member --groups=remoteadmins localadmins + + Add multiple users to the "localadmins" group: + ipa group-add-member --users=test1 --users=test2 localadmins + + Remove a user from the "localadmins" group: + ipa group-remove-member --users=test2 localadmins + + Display information about a named group. + ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. 
Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external +""") + +register = Registry() + + +@register() +class group(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Group name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_user', + required=False, + label=_(u'Indirect Member users'), + ), + parameters.Str( + 'memberindirect_group', + required=False, + label=_(u'Indirect Member groups'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + 
parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class group_add(Method): + __doc__ = _("Create a new group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'nonposix', + doc=_(u'Create as a non-POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'Allow adding external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_add_member(Method): + __doc__ = _("Add members to a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class group_del(Method): + __doc__ = _("Delete group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class group_detach(Method): + __doc__ = _("Detach a managed group from a user.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_find(Method): + __doc__ = _("Search for groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'private', + doc=_(u'search for private groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'search for POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'search for groups with support of external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'nonposix', + doc=_(u'search for non-POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for groups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for groups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for groups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member groups.'), + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for groups with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + 
label=_(u'role'), + doc=_(u'Search for groups with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for groups without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class group_mod(Method): + __doc__ = _("Modify a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'change to a POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'change to support external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the group object'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_remove_member(Method): + __doc__ = _("Remove members from a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class group_show(Method): + __doc__ = _("Display information about a named group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/hbacrule.py b/ipaclient/remote_plugins/2_156/hbacrule.py new file mode 100644 index 000000000..567a1bb02 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/hbacrule.py 
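Review bot: The module docstring of `ipaclient/remote_plugins/2_156/group.py` is a non-raw triple-quoted string, so `DOM\name` in the sentence on external member formats contains the escape `\n` and renders as `DOM` followed by a line break, and `'AD\Domain Admins'` in the numbered example carries the invalid escape `\D`, which Python 3.6 and later warn about. The `ipaexternalmember` option doc in the same hunk escapes the same text correctly as `DOM\\name`. The two docstring lines should read `specify them in either SID, or DOM\\name, or name@domain format. IPA will attempt` and `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`. If this text is copied verbatim from the server plugin, the server-side docstring presumably has the same escape and should be fixed there as well.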
@@ -0,0 +1,1305 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Host-based access control + +Control who can access what services on what hosts. You +can use HBAC to control which users or groups can +access a service, or group of services, on a target host. + +You can also specify a category of users and target hosts. +This is currently limited to "all", but might be expanded in the +future. + +Target hosts in HBAC rules must be hosts managed by IPA. + +The available services and groups of services are controlled by the +hbacsvc and hbacsvcgroup plug-ins respectively. + +EXAMPLES: + + Create a rule, "test1", that grants all users access to the host "server" from + anywhere: + ipa hbacrule-add --usercat=all test1 + ipa hbacrule-add-host --hosts=server.example.com test1 + + Display the properties of a named HBAC rule: + ipa hbacrule-show test1 + + Create a rule for a specific service. This lets the user john access + the sshd service on any machine from any machine: + ipa hbacrule-add --hostcat=all john_sshd + ipa hbacrule-add-user --users=john john_sshd + ipa hbacrule-add-service --hbacsvcs=sshd john_sshd + + Create a rule for a new service group. 
This lets the user john access + the FTP service on any machine from any machine: + ipa hbacsvcgroup-add ftpers + ipa hbacsvc-add sftp + ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers + ipa hbacrule-add --hostcat=all john_ftp + ipa hbacrule-add-user --users=john john_ftp + ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp + + Disable a named HBAC rule: + ipa hbacrule-disable test1 + + Remove a named HBAC rule: + ipa hbacrule-del allow_server +""") + +register = Registry() + + +@register() +class hbacrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + ), + parameters.Str( + 'memberservice_hbacsvc', + required=False, + label=_(u'Services'), + ), + 
parameters.Str( + 'memberservice_hbacsvcgroup', + required=False, + label=_(u'Service Groups'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class hbacrule_add(Method): + __doc__ = _("Create a new HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + autofill=True, + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_service(Method): + __doc__ = _("Add services to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to add'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'HBAC service groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_sourcehost(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_user(Method): + __doc__ = _("Add users and groups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_del(Method): + __doc__ = _("Delete an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacrule_disable(Method): + __doc__ = _("Disable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_enable(Method): + __doc__ = _("Enable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_find(Method): + __doc__ = _("Search for HBAC rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), 
+ exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacrule_mod(Method): + __doc__ = _("Modify an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + 
required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_service(Method): + __doc__ = _("Remove service and service groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to remove'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'HBAC service groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_sourcehost(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_user(Method): + __doc__ = _("Remove users and groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_show(Method): + __doc__ = _("Display the properties of an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/hbacsvc.py b/ipaclient/remote_plugins/2_156/hbacsvc.py new file mode 100644 index 000000000..0de241935 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/hbacsvc.py 
@@ -0,0 +1,413 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Services + +The PAM services that HBAC can control access to. The name used here +must match the service name that PAM is evaluating. + +EXAMPLES: + + Add a new HBAC service: + ipa hbacsvc-add tftp + + Modify an existing HBAC service: + ipa hbacsvc-mod --desc="TFTP service" tftp + + Search for HBAC services. This example will return two results, the FTP + service and the newly-added tftp service: + ipa hbacsvc-find ftp + + Delete an HBAC service: + ipa hbacsvc-del tftp +""") + +register = Registry() + + +@register() +class hbacsvc(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service name'), + doc=_(u'HBAC service'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'memberof_hbacsvcgroup', + required=False, + label=_(u'Member of HBAC service groups'), + ), + ) + + +@register() +class hbacsvc_add(Method): + __doc__ = _("Add a new HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_del(Method): + __doc__ = _("Delete an existing HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacsvc_find(Method): + __doc__ = _("Search for HBAC services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("service")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvc_mod(Method): + __doc__ = _("Modify an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_show(Method): + __doc__ = _("Display information about an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/hbacsvcgroup.py b/ipaclient/remote_plugins/2_156/hbacsvcgroup.py new file mode 100644 index 000000000..f713b2fe8 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/hbacsvcgroup.py 
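Review bot: The new module carries no marker saying that it is a bundled snapshot of the server-side plugin interface for API version 2.156 rather than hand-maintained client code; only the `# pylint: disable=unused-import` line at its top (the `DN`, `DNSName`, `DefaultFrom`, `api` and `Command` imports are not used anywhere in the file) hints that it was produced mechanically. A header comment such as `# Bundled definition of the hbacsvc plugin as exposed by IPA API version 2.156. Do not edit by hand; regenerate from a server of that version.` would keep later maintainers from patching one copy of the shared `setattr`/`addattr`/`delattr`/`rights` option blocks and drifting from what the server actually accepts. The same note applies to the other bundled modules in this commit, including the hbacrule.py and hbacsvcgroup.py hunks on this page, and to each of the other `remote_plugins/2_*` directories listed in the diffstat.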
@@ -0,0 +1,528 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Service Groups + +HBAC service groups can contain any number of individual services, +or "members". Every group must have a description. + +EXAMPLES: + + Add a new HBAC service group: + ipa hbacsvcgroup-add --desc="login services" login + + Add members to an HBAC service group: + ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login + + Display information about a named group: + ipa hbacsvcgroup-show login + + Delete an HBAC service group: + ipa hbacsvcgroup-del login +""") + +register = Registry() + + +@register() +class hbacsvcgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service group name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'member_hbacsvc', + required=False, + label=_(u'Member HBAC service'), + ), + ) + + +@register() +class hbacsvcgroup_add(Method): + __doc__ = _("Add a new HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_add_member(Method): + __doc__ = _("Add members to an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacsvcgroup_del(Method): + __doc__ = _("Delete an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacsvcgroup_find(Method): + __doc__ = _("Search for an HBAC service group.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), 
+ parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvcgroup_mod(Method): + __doc__ = _("Modify an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_remove_member(Method): + __doc__ = _("Remove members from an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacsvcgroup_show(Method): + __doc__ = _("Display information about an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
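Review bot: Nothing in the header of hbacsvcgroup.py says where these definitions come from or which server API version they mirror, and the same applies to the hbactest.py and host.py hunks that follow. From the commit's stated purpose of bundling remote plugin interfaces for pre-schema servers, together with the `# pylint: disable=unused-import` line and the imports of `Command`, `DefaultFrom`, `DN` and `DNSName` that this file never uses, the module looks like a template-produced snapshot rather than hand-written code, but a reader of the file alone cannot tell; the directory name `2_156` is the only hint. I would add a comment right after the license header, along the lines of `# Client-side copy of the server's API 2.156 definitions for this plugin. Keep it in step with the server plugin rather than editing it independently.` That keeps the version tie and the provenance visible in the file itself and discourages the two copies drifting apart.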
diff --git a/ipaclient/remote_plugins/2_156/hbactest.py b/ipaclient/remote_plugins/2_156/hbactest.py
new file mode 100644
index 000000000..b0c49b71b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/hbactest.py
@@ -0,0 +1,284 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + +EXAMPLES: + + 1. 
Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --enabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + + 7. 
Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --enabled --disabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Not matched rules: new-rule + Matched rules: allow_all + + +HBACTEST AND TRUSTED DOMAINS + +When an external trusted domain is configured in IPA, HBAC rules are also applied +on users accessing IPA resources from the trusted domain. Trusted domain users and +groups (and their SIDs) can be then assigned to external groups which can be +members of POSIX groups in IPA which can be used in HBAC rules and thus allowing +access to resources protected by the HBAC system. + +hbactest plugin is capable of testing access for both local IPA users and users +from the trusted domains, either by a fully qualified user name or by user SID. +Such user names need to have a trusted domain specified as a short name +(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test. + +Please note that hbactest executed with a trusted domain user as --user parameter +can be only run by members of "trust admins" group. + +EXAMPLES: + + 1. Test if a user from a trusted domain specified by its shortname matches any + rule: + + $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 2. Test if a user from a trusted domain specified by its domain name matches + any rule: + + $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 3. 
Test if a user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 4. Test if other user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login + + 5. Test if other user from a trusted domain specified by its shortname matches + any rule: + + $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. 
If not specified, --enabled is assumed'),
+ ),
+ parameters.Flag(
+ 'nodetail',
+ required=False,
+ label=_(u'Hide details which rules are matched, not matched, or invalid'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'enabled',
+ required=False,
+ label=_(u'Include all enabled IPA rules into test [default]'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'disabled',
+ required=False,
+ label=_(u'Include all disabled IPA rules into test'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of rules to process when no --rules is specified'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'warning',
+ (list, tuple, type(None)),
+ doc=_(u'Warning'),
+ ),
+ output.Output(
+ 'matched',
+ (list, tuple, type(None)),
+ doc=_(u'Matched rules'),
+ ),
+ output.Output(
+ 'notmatched',
+ (list, tuple, type(None)),
+ doc=_(u'Not matched rules'),
+ ),
+ output.Output(
+ 'error',
+ (list, tuple, type(None)),
+ doc=_(u'Non-existent or invalid rules'),
+ ),
+ output.Output(
+ 'value',
+ bool,
+ doc=_(u'Result of simulation'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/host.py b/ipaclient/remote_plugins/2_156/host.py
new file mode 100644
index 000000000..72b6ef881
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/host.py
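Review bot: The module docstring in hbactest.py writes `DOMAIN\Administrator` (twice) and `DOMAIN\Otheruser` inside an ordinary, non-raw triple-quoted string; `\A` and `\O` are not valid Python escapes, so the text survives for now, but newer Python 3 releases warn about unrecognised escapes, and any escape that later becomes recognised would silently change the help text. Since the file already targets Python 3 through `six`, escape the backslashes where they occur: `(DOMAIN\\Administrator)`, `--user 'DOMAIN\\Administrator'` and `--user 'DOMAIN\\Otheruser'`. The docstring and the `hbactest` class are both fully contained in this hunk, so no other file needs touching.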
@@ -0,0 +1,1680 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Hosts/Machines + +A host represents a machine. It can be used in a number of contexts: +- service entries are associated with a host +- a host stores the host/ service principal +- a host can be used in Host-based Access Control (HBAC) rules +- every enrolled client generates a host entry + +ENROLLMENT: + +There are three enrollment scenarios when enrolling a new client: + +1. You are enrolling as a full administrator. The host entry may exist + or not. A full administrator is a member of the hostadmin role + or the admins group. +2. You are enrolling as a limited administrator. The host must already + exist. A limited administrator is a member a role with the + Host Enrollment privilege. +3. The host has been created with a one-time password. + +RE-ENROLLMENT: + +Host that has been enrolled at some point, and lost its configuration (e.g. VM +destroyed) can be re-enrolled. + +For more information, consult the manual pages for ipa-client-install. + +A host can optionally store information such as where it is located, +the OS that it runs, etc. 
+ +EXAMPLES: + + Add a new host: + ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com + + Delete a host: + ipa host-del test.example.com + + Add a new host with a one-time password: + ipa host-add --os='Fedora 12' --password=Secret123 test.example.com + + Add a new host with a random one-time password: + ipa host-add --os='Fedora 12' --random test.example.com + + Modify information about a host: + ipa host-mod --os='Fedora 12' test.example.com + + Remove SSH public keys of a host and update DNS to reflect this change: + ipa host-mod --sshpubkey= --updatedns test.example.com + + Disable the host Kerberos key, SSL certificate and all of its services: + ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test + + Allow user to create a keytab: + ipa host-allow-create-keytab test2 --users=tuser1 +""") + +register = Registry() + + +@register() +class host(Object): + takes_params = ( + parameters.Str( + 'fqdn', + primary_key=True, + label=_(u'Host name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Principal name'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + 
required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'managing_host', + label=_(u'Managing'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class host_add(Method): + __doc__ = _("Add a new host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + 
required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + 
label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force host name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_reverse', + doc=_(u'skip reverse DNS detection'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + label=_(u'IP Address'), + doc=_(u'Add the host to DNS with this IP address'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class host_add_cert(Method): + __doc__ = _("Add certificates to host entry") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_add_managedby(Method): + __doc__ = _("Add hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_del(Method): + __doc__ = _("Delete a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + multivalue=True, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Remove entries from DNS'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class host_disable(Method): + __doc__ = _("Disable the Kerberos key, 
SSL certificate and all services of a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_find(Method): + __doc__ = _("Search for hosts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'fqdn', + required=False, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. 
"Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostname")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for hosts with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for hosts without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts without these member of HBAC rules.'), + ), 
+ parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts without these member of sudo rules.'), + ), + parameters.Str( + 'enroll_by_user', + required=False, + multivalue=True, + cli_name='enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts with these enrolled by users.'), + ), + parameters.Str( + 'not_enroll_by_user', + required=False, + multivalue=True, + cli_name='not_enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts without these enrolled by users.'), + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managed by hosts.'), + ), + parameters.Str( + 'man_host', + required=False, + multivalue=True, + cli_name='man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managing hosts.'), + ), + parameters.Str( + 'not_man_host', + required=False, + multivalue=True, + cli_name='not_man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managing hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class host_mod(Method): + __doc__ = _("Modify information about a host.") + + takes_args = ( + 
parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + 
label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principalname', + label=_(u'Principal name'), + doc=_(u'Kerberos principal name for this host'), + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Update DNS entries'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_cert(Method): + __doc__ = _("Remove certificates from host entry") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_managedby(Method): + __doc__ = _("Remove hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_show(Method): + __doc__ = _("Display information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/hostgroup.py b/ipaclient/remote_plugins/2_156/hostgroup.py new file mode 100644 index 000000000..afda19d78 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/hostgroup.py 
@@ -0,0 +1,709 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of hosts. + +Manage groups of hosts. This is useful for applying access control to a +number of hosts by using Host-based Access Control. + +EXAMPLES: + + Add a new host group: + ipa hostgroup-add --desc="Baltimore hosts" baltimore + + Add another new host group: + ipa hostgroup-add --desc="Maryland hosts" maryland + + Add members to the hostgroup (using Bash brace expansion): + ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore + + Add a hostgroup as a member of another hostgroup: + ipa hostgroup-add-member --hostgroups=baltimore maryland + + Remove a host from the hostgroup: + ipa hostgroup-remove-member --hosts=box2 baltimore + + Display a host group: + ipa hostgroup-show baltimore + + Delete a hostgroup: + ipa hostgroup-del baltimore +""") + +register = Registry() + + +@register() +class hostgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + 
label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_host', + required=False, + label=_(u'Indirect Member hosts'), + ), + parameters.Str( + 'memberindirect_hostgroup', + required=False, + label=_(u'Indirect Member host-groups'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class hostgroup_add(Method): + __doc__ = _("Add a new hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_add_member(Method): + __doc__ = _("Add members to a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hostgroup_del(Method): + __doc__ = _("Delete a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hostgroup_find(Method): + __doc__ = _("Search for hostgroups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + 
label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for host groups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for host groups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member host groups.'), + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these 
member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups without these member of netgroups.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hostgroup_mod(Method): + __doc__ = _("Modify a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + 
label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_remove_member(Method): + __doc__ = _("Remove members from a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hostgroup_show(Method): + __doc__ = _("Display information about a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/idrange.py b/ipaclient/remote_plugins/2_156/idrange.py new file mode 100644 index 000000000..e4f4728ac --- /dev/null +++ b/ipaclient/remote_plugins/2_156/idrange.py 
@@ -0,0 +1,639 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID ranges + +Manage ID ranges used to map Posix IDs to SIDs and back. + +There are two type of ID ranges which are both handled by this utility: + + - the ID ranges of the local domain + - the ID ranges of trusted remote domains + +Both types have the following attributes in common: + + - base-id: the first ID of the Posix ID range + - range-size: the size of the range + +With those two attributes a range object can reserve the Posix IDs starting +with base-id up to but not including base-id+range-size exclusively. + +Additionally an ID range of the local domain may set + - rid-base: the first RID(*) of the corresponding RID range + - secondary-rid-base: first RID of the secondary RID range + +and an ID range of a trusted domain must set + - rid-base: the first RID of the corresponding RID range + - sid: domain SID of the trusted domain + + + +EXAMPLE: Add a new ID range for a trusted domain + +Since there might be more than one trusted domain the domain SID must be given +while creating the ID range. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \ + --dom-sid=S-1-5-21-123-456-789 trusted_dom_range + +This ID range is then used by the IPA server and the SSSD IPA provider to +assign Posix UIDs to users from the trusted domain. + +If e.g a range for a trusted domain is configured with the following values: + base-id = 1200000 + range-size = 200000 + rid-base = 0 +the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. 
So +RID 1000 <-> Posix ID 1201000 + + + +EXAMPLE: Add a new ID range for the local domain + +To create an ID range for the local domain it is not necessary to specify a +domain SID. But since it is possible that a user and a group can have the same +value as Posix ID a second RID interval is needed to handle conflicts. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \ + --secondary-rid-base=1000000 local_range + +The data from the ID ranges of the local domain are used by the IPA server +internally to assign SIDs to IPA users and groups. The SID will then be stored +in the user or group objects. + +If e.g. the ID range for the local domain is configured with the values from +the example above then a new user with the UID 1200007 will get the RID 1007. +If this RID is already used by a group the RID will be 1000007. This can only +happen if a user or a group object was created with a fixed ID because the +automatic assignment will not assign the same ID twice. Since there are only +users and groups sharing the same ID namespace it is sufficient to have only +one fallback range to handle conflicts. + +To find the Posix ID for a given RID from the local domain it has to be +checked first if the RID falls in the primary or secondary RID range and +the rid-base or the secondary-rid-base has to be subtracted, respectively, +and the base-id has to be added to get the Posix ID. + +Typically the creation of ID ranges happens behind the scenes and this CLI +must not be used at all. The ID range for the local domain will be created +during installation or upgrade from an older version. The ID range for a +trusted domain will be created together with the trust by 'ipa trust-add ...'. + +USE CASES: + + Add an ID range from a transitively trusted domain + + If the trusted domain (A) trusts another domain (B) as well and this trust + is transitive 'ipa trust-add domain-A' will only create a range for + domain A. 
The ID range for domain B must be added manually. + + Add an additional ID range for the local domain + + If the ID range of the local domain is exhausted, i.e. no new IDs can be + assigned to Posix users or groups by the DNA plugin, a new range has to be + created to allow new users and groups to be added. (Currently there is no + connection between this range CLI and the DNA plugin, but a future version + might be able to modify the configuration of the DNS plugin as well) + +In general it is not necessary to modify or delete ID ranges. If there is no +other way to achieve a certain configuration than to modify or delete an ID +range it should be done with great care. Because UIDs are stored in the file +system and are used for access control it might be possible that users are +allowed to access files of other users if an ID range got deleted and reused +for a different domain. + +(*) The RID is typically the last integer of a user or group SID which follows +the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from +this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the +user. RIDs are unique in a domain, 32bit values and are used for users and +groups. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+======= +""") + +register = Registry() + + +@register() +class idrange(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + label=_(u'Name of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + ) + + +@register() +class idrange_add(Method): + __doc__ = _(""" +Add new ID range. + + To add a new ID range you always have to specify + + --base-id + --range-size + + Additionally + + --rid-base + --secondary-rid-base + + may be given for a new ID range for the local domain while + + --rid-base + --dom-sid + + must be given to add a new range for a trusted AD domain. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+======= + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + cli_name='dom_name', + label=_(u'Name of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + cli_name='type', + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']", + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_del(Method): + __doc__ = _("Delete an ID range.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idrange_find(Method): + __doc__ = _("Search for ranges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted 
domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + cli_name='type', + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']", + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idrange_mod(Method): + __doc__ = _(""" +Modify ID range. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. 
Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. +======= + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_show(Method): + __doc__ = _("Display information about a range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
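Review bot: The module docstring's worked example in idrange.py has an off-by-a-digit upper bound: with base-id 1200000 and range-size 200000 the mapped Posix IDs end at 1399999, not 13999999, and the footnote reads `1010 id the RID of the user` where `is` is meant. Since this file appears to bundle the 2.156 server-side text verbatim for pre-schema servers, the correction belongs in the server plugin's docstring first, with the bundled copy refreshed from it, so the two do not drift; the corrected sentence would read `the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 1399999.` The DNA warning block repeated in idrange_add and idrange_mod is unaffected.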
diff --git a/ipaclient/remote_plugins/2_156/idviews.py b/ipaclient/remote_plugins/2_156/idviews.py new file mode 100644 index 000000000..2b34cba46 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/idviews.py 
@@ -0,0 +1,1491 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID Views +Manage ID Views +IPA allows to override certain properties of users and groups per each host. +This functionality is primarily used to allow migration from older systems or +other Identity Management solutions. +""") + +register = Registry() + + +@register() +class idoverridegroup(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Group name'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + ) + + +@register() +class idoverrideuser(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + label=_(u'User login'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + 
), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + ) + + +@register() +class idview(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class idoverridegroup_add(Method): + __doc__ = _("Add a new Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_del(Method): + __doc__ = _("Delete an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverridegroup_find(Method): + __doc__ = _("Search for an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverridegroup_mod(Method): + __doc__ = _("Modify an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the Group ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_show(Method): + __doc__ = _("Display information about an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_add(Method): + __doc__ = _("Add a new User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_del(Method): + __doc__ = _("Delete an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverrideuser_find(Method): + __doc__ = _("Search for an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback 
to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverrideuser_mod(Method): + __doc__ = _("Modify an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home 
directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the User ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_show(Method): + __doc__ = _("Display information about an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idview_add(Method): + __doc__ = _("Add a new ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_apply(Method): + __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. 
If any other ID View is applied to the host, it is overridden.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to apply the ID View to'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that this ID View was applied to.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts the ID View was applied to:'), + ), + ) + + +@register() +class idview_del(Method): + __doc__ = _("Delete an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idview_find(Method): + __doc__ = _("Search for an ID View.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 
'cn', + required=False, + cli_name='name', + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idview_mod(Method): + __doc__ = _("Modify an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the ID View object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_show(Method): + __doc__ = _("Display information about an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'show_hosts', + required=False, + doc=_(u'Enumerate all the hosts the view applies to.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_unapply(Method): + __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.") + + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to clear (any) ID View from.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that ID View was cleared from.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts that had a ID View was unset:'), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_156/internal.py b/ipaclient/remote_plugins/2_156/internal.py
new file mode 100644
index 000000000..7fec8d26f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/internal.py
@@ -0,0 +1,92 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Plugins not accessible directly through the CLI, commands used internally
+""")
+
+register = Registry()
+
+
+@register()
+class i18n_messages(Command):
+ NO_CLI = True
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'texts',
+ dict,
+ doc=_(u'Dict of I18N messages'),
+ ),
+ )
+
+
+@register()
+class json_metadata(Command):
+ __doc__ = _("Export plugin meta-data for the webUI.")
+
+ NO_CLI = True
+
+ takes_args = (
+ parameters.Str(
+ 'objname',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'methodname',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'object',
+ required=False,
+ doc=_(u'Name of object to export'),
+ ),
+ parameters.Str(
+ 'method',
+ required=False,
+ doc=_(u'Name of method to export'),
+ ),
+ parameters.Str(
+ 'command',
+ required=False,
+ doc=_(u'Name of command to export'),
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'objects',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Objects'),
+ ),
+ output.Output(
+ 'methods',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Methods'),
+ ),
+ output.Output(
+ 'commands',
+ dict,
+ doc=_(u'Dict of JSON encoded IPA Commands'),
+ ),
+ )
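Review bot: `i18n_messages` is the only command in this module without a `__doc__`, while its sibling `json_metadata` carries `__doc__ = _("Export plugin meta-data for the webUI.")`; `NO_CLI = True` hides it from the CLI, but the class docstring is still what API documentation and readers of this bundle see. A one-liner grounded in the declared output would do, e.g. `__doc__ = _("Retrieve the dict of I18N messages.")` placed above `NO_CLI = True`. The empty `takes_options = ( )` presumably mirrors what the 2.156 server exports, so it should stay as is.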
diff --git a/ipaclient/remote_plugins/2_156/join.py b/ipaclient/remote_plugins/2_156/join.py
new file mode 100644
index 000000000..dc0904dc4
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/join.py
@@ -0,0 +1,64 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Joining an IPA domain
+""")
+
+register = Registry()
+
+
+@register()
+class join(Command):
+ __doc__ = _("Join an IPA domain")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='hostname',
+ doc=_(u'The hostname to register as'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: unicode(installutils.get_fqdn())
+ autofill=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'realm',
+ doc=_(u'The IPA realm'),
+ default_from=DefaultFrom(lambda : None),
+ # FIXME:
+ # lambda: get_realm()
+ autofill=True,
+ ),
+ parameters.Str(
+ 'nshardwareplatform',
+ required=False,
+ cli_name='platform',
+ doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'),
+ ),
+ parameters.Str(
+ 'nsosversion',
+ required=False,
+ cli_name='os',
+ doc=_(u'Operating System and version of the host (e.g. Fedora 9)'),
+ ),
+ )
+ has_output = (
+ )
diff --git a/ipaclient/remote_plugins/2_156/krbtpolicy.py b/ipaclient/remote_plugins/2_156/krbtpolicy.py
new file mode 100644
index 000000000..42a4b2bc7
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/krbtpolicy.py
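Review bot: The two `default_from=DefaultFrom(lambda : None)` stubs on `cn` and `realm` leave both parameters — which appear to be required, since neither carries `required=False` — without a usable default, so the bundled `join` definition only works when the caller passes the hostname and realm explicitly, and the `# FIXME` comments record the server-side callables without anything resolving them on the client. Since `api` is already imported in this module, the client's own environment could supply the values, e.g. `default_from=DefaultFrom(lambda: unicode(api.env.host))` for `cn` and `default_from=DefaultFrom(lambda: api.env.realm)` for `realm`, assuming the env is finalised before the plugin is used. If the stubs are deliberate because the Python client is not expected to drive `join` against pre-schema servers, the comment should say so, e.g. `# FIXME: server-side default (installutils.get_fqdn()) is not reproduced here; callers must pass --hostname`. The same stubbed defaults presumably appear in the other bundled API versions' join.py, which are outside this view; as a style nit, `lambda : None` would normally be written `lambda: None`.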
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos ticket policy
+
+There is a single Kerberos ticket policy. This policy defines the
+maximum ticket lifetime and the maximum renewal age, the period during
+which the ticket is renewable.
+
+You can also create a per-user ticket policy by specifying the user login.
+
+For changes to the global policy to take effect, restarting the KDC service
+is required, which can be achieved using:
+
+service krb5kdc restart
+
+Changes to per-user policies take effect immediately for newly requested
+tickets (e.g. when the user next runs kinit).
+
+EXAMPLES:
+
+ Display the current Kerberos ticket policy:
+ ipa krbtpolicy-show
+
+ Reset the policy to the default:
+ ipa krbtpolicy-reset
+
+ Modify the policy to 8 hours max life, 1-day max renewal:
+ ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400
+
+ Display effective Kerberos ticket policy for user 'admin':
+ ipa krbtpolicy-show admin
+
+ Reset per-user policy for user 'admin':
+ ipa krbtpolicy-reset admin
+
+ Modify per-user policy for user 'admin':
+ ipa krbtpolicy-mod admin --maxlife=3600
+""")
+
+register = Registry()
+
+
+@register()
+class krbtpolicy(Object):
+ takes_params = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ primary_key=True,
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_mod(Method):
+ __doc__ = _("Modify Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Int(
+ 'krbmaxticketlife',
+ required=False,
+ cli_name='maxlife',
+ label=_(u'Max life'),
+ doc=_(u'Maximum ticket life (seconds)'),
+ ),
+ parameters.Int(
+ 'krbmaxrenewableage',
+ required=False,
+ cli_name='maxrenew',
+ label=_(u'Max renew'),
+ doc=_(u'Maximum renewable age (seconds)'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_reset(Method):
+ __doc__ = _("Reset Kerberos ticket policy to the default values.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class krbtpolicy_show(Method):
+ __doc__ = _("Display the current Kerberos ticket policy.")
+
+ takes_args = (
+ parameters.Str(
+ 'uid',
+ required=False,
+ cli_name='user',
+ label=_(u'User name'),
+ doc=_(u'Manage ticket policy for specific user'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/migration.py b/ipaclient/remote_plugins/2_156/migration.py
new file mode 100644
index 000000000..89049f257
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/migration.py
@@ -0,0 +1,319 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Migration to IPA + +Migrate users and groups from an LDAP server to IPA. + +This performs an LDAP query against the remote server searching for +users and groups in a container. In order to migrate passwords you need +to bind as a user that can read the userPassword attribute on the remote +server. This is generally restricted to high-level admins such as +cn=Directory Manager in 389-ds (this is the default bind user). + +The default user container is ou=People. + +The default group container is ou=Groups. + +Users and groups that already exist on the IPA server are skipped. + +Two LDAP schemas define how group members are stored: RFC2307 and +RFC2307bis. RFC2307bis uses member and uniquemember to specify group +members, RFC2307 uses memberUid. The default schema is RFC2307bis. + +The schema compat feature allows IPA to reformat data for systems that +do not support RFC2307bis. It is recommended that this feature is disabled +during migration to reduce system overhead. It can be re-enabled after +migration. To migrate with it enabled use the "--with-compat" option. + +Migrated users do not have Kerberos credentials, they have only their +LDAP password. To complete the migration process, users need to go +to http://ipa.example.com/ipa/migration and authenticate using their +LDAP password in order to generate their Kerberos credentials. + +Migration is disabled by default. 
Use the command ipa config-mod to +enable it: + + ipa config-mod --enable-migration=TRUE + +If a base DN is not provided with --basedn then IPA will use either +the value of defaultNamingContext if it is set or the first value +in namingContexts set in the root of the remote LDAP server. + +Users are added as members to the default user group. This can be a +time-intensive task so during migration this is done in a batch +mode for every 100 users. As a result there will be a window in which +users will be added to IPA but will not be members of the default +user group. + +EXAMPLES: + + The simplest migration, accepting all defaults: + ipa migrate-ds ldap://ds.example.com:389 + + Specify the user and group container. This can be used to migrate user + and group data from an IPA v1 server: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Since IPA v2 server already contain predefined groups that may collide with + groups in migrated (IPA v1) server (for example admins, ipausers), users + having colliding group as their primary group may happen to belong to + an unknown group on new IPA v2 server. + Use --group-overwrite-gid option to overwrite GID of already existing groups + to prevent this issue: + ipa migrate-ds --group-overwrite-gid \ + --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Migrated users or groups may have object class and accompanied attributes + unknown to the IPA v2 server. These object classes and attributes may be + left out of the migration process: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + --user-ignore-objectclass=radiusprofile \ + --user-ignore-attribute=radiusgroupname \ + ldap://ds.example.com:389 + +LOGGING + +Migration will log warnings and errors to the Apache error log. 
This +file should be evaluated post-migration to correct or investigate any +issues that were discovered. + +For every 100 users migrated an info-level message will be displayed to +give the current progress and duration to make it possible to track +the progress of migration. + +If the log level is debug, either by setting debug = True in +/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed +for each user added plus a summary when the default user group is +updated. +""") + +register = Registry() + + +@register() +class migrate_ds(Command): + __doc__ = _("Migrate users and groups from DS to IPA.") + + takes_args = ( + parameters.Str( + 'ldapuri', + cli_name='ldap_uri', + label=_(u'LDAP URI'), + doc=_(u'LDAP URI of DS server to migrate from'), + ), + parameters.Password( + 'bindpw', + cli_name='password', + label=_(u'Password'), + doc=_(u'bind password'), + ), + ) + takes_options = ( + parameters.DNParam( + 'binddn', + required=False, + cli_name='bind_dn', + label=_(u'Bind DN'), + default=DN(u'cn=directory manager'), + autofill=True, + ), + parameters.DNParam( + 'usercontainer', + cli_name='user_container', + label=_(u'User container'), + doc=_(u'DN of container for users in DS relative to base DN'), + default=DN(u'ou=people'), + autofill=True, + ), + parameters.DNParam( + 'groupcontainer', + cli_name='group_container', + label=_(u'Group container'), + doc=_(u'DN of container for groups in DS relative to base DN'), + default=DN(u'ou=groups'), + autofill=True, + ), + parameters.Str( + 'userobjectclass', + multivalue=True, + cli_name='user_objectclass', + label=_(u'User object class'), + doc=_(u'Objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + parameters.Str( + 'groupobjectclass', + multivalue=True, + cli_name='group_objectclass', + label=_(u'Group object class'), + doc=_(u'Objectclasses used to search for group entries in DS'), + default=(u'groupOfUniqueNames', u'groupOfNames'), + 
autofill=True, + ), + parameters.Str( + 'userignoreobjectclass', + required=False, + multivalue=True, + cli_name='user_ignore_objectclass', + label=_(u'Ignore user object class'), + doc=_(u'Objectclasses to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'userignoreattribute', + required=False, + multivalue=True, + cli_name='user_ignore_attribute', + label=_(u'Ignore user attribute'), + doc=_(u'Attributes to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreobjectclass', + required=False, + multivalue=True, + cli_name='group_ignore_objectclass', + label=_(u'Ignore group object class'), + doc=_(u'Objectclasses to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreattribute', + required=False, + multivalue=True, + cli_name='group_ignore_attribute', + label=_(u'Ignore group attribute'), + doc=_(u'Attributes to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Flag( + 'groupoverwritegid', + cli_name='group_overwrite_gid', + label=_(u'Overwrite GID'), + doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'), + default=False, + autofill=True, + ), + parameters.Str( + 'schema', + required=False, + cli_metavar="['RFC2307bis', 'RFC2307']", + label=_(u'LDAP schema'), + doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + default=u'RFC2307bis', + autofill=True, + ), + parameters.Flag( + 'continue', + required=False, + label=_(u'Continue'), + doc=_(u'Continuous operation mode. 
Errors are reported but the process continues'), + default=False, + autofill=True, + ), + parameters.DNParam( + 'basedn', + required=False, + cli_name='base_dn', + label=_(u'Base DN'), + doc=_(u'Base DN on remote LDAP server'), + ), + parameters.Flag( + 'compat', + required=False, + cli_name='with_compat', + label=_(u'Ignore compat plugin'), + doc=_(u'Allows migration despite the usage of compat plugin'), + default=False, + autofill=True, + ), + parameters.Str( + 'cacertfile', + required=False, + cli_name='ca_cert_file', + label=_(u'CA certificate'), + doc=_(u'Load CA certificate of LDAP server from FILE'), + ), + parameters.Bool( + 'use_def_group', + required=False, + cli_name='use_default_group', + label=_(u'Add to default group'), + doc=_(u'Add migrated users without a group to a default group (default: true)'), + default=True, + autofill=True, + ), + parameters.Str( + 'scope', + cli_metavar="['base', 'subtree', 'onelevel']", + label=_(u'Search scope'), + doc=_(u'LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel'), + default=u'onelevel', + autofill=True, + ), + parameters.Str( + 'exclude_groups', + required=False, + multivalue=True, + doc=_(u'groups to exclude from migration'), + default=(), + autofill=True, + ), + parameters.Str( + 'exclude_users', + required=False, + multivalue=True, + doc=_(u'users to exclude from migration'), + default=(), + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Lists of objects migrated; categorized by type.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Lists of objects that could not be migrated; categorized by type.'), + ), + output.Output( + 'enabled', + bool, + doc=_(u'False if migration mode was disabled.'), + ), + output.Output( + 'compat', + bool, + doc=_(u'False if migration fails because the compatibility plug-in is enabled.'), + ), + ) 
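Review bot: The `migrate_ds` docstring and every example bind as `cn=directory manager` (the `binddn` default) over plain `ldap://` URIs, `bindpw` is a positional `parameters.Password` argument, and the text itself says the bind user must be able to read `userPassword`, yet nothing warns that the Directory Manager password and the migrated password hashes cross the network in clear text unless an `ldaps://` URI is used. Because this file mirrors the 2.156 server API the parameter definitions should stay as they are, but the bundled docstring could carry the caveat next to the `--ca-cert-file` mention, e.g. `Use an ldaps:// URI (and --ca-cert-file if the server's CA is not already trusted) so the bind password and migrated password hashes are not sent in clear text; enter the bind password at the prompt rather than on the command line.` The same docstring sends users to `http://ipa.example.com/ipa/migration` to type their LDAP password; presumably the server redirects to HTTPS, but the example should read `https://`. Whether the CLI prompts for an omitted positional Password argument is not visible here, so the "at the prompt" wording should be confirmed against the client code.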
diff --git a/ipaclient/remote_plugins/2_156/misc.py b/ipaclient/remote_plugins/2_156/misc.py new file mode 100644 index 000000000..4889e666b --- /dev/null +++ b/ipaclient/remote_plugins/2_156/misc.py 
@@ -0,0 +1,113 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Misc plug-ins +""") + +register = Registry() + + +@register() +class env(Command): + __doc__ = _("Show environment variables.") + + takes_args = ( + parameters.Str( + 'variables', + required=False, + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + output.Output( + 'total', + int, + doc=_(u'Total number of variables env (>= count)'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of variables returned (<= total)'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) + + +@register() +class plugins(Command): + __doc__ = _("Show all loaded plugins.") + + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping plugin names to bases'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of plugins loaded'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/netgroup.py b/ipaclient/remote_plugins/2_156/netgroup.py new file mode 100644 index 000000000..a04d99276 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/netgroup.py 
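Review bot: The positional `variables` argument of the `env` command carries neither `label` nor `doc`, so `ipa env --help` gives no hint of what it accepts, unlike every other parameter in these bundled modules. A one-line `doc` would suffice, e.g. `doc=_(u'Names of the environment variables to show')`; from the `total`/`count` outputs it looks like omitting it returns every variable, but that is inferred rather than visible here, so word the doc accordingly. Since the module mirrors the 2.156 server API, the same wording should ideally be added upstream so the two stay in sync.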
@@ -0,0 +1,865 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Netgroups + +A netgroup is a group used for permission checking. It can contain both +user and host values. + +EXAMPLES: + + Add a new netgroup: + ipa netgroup-add --desc="NFS admins" admins + + Add members to the netgroup: + ipa netgroup-add-member --users=tuser1 --users=tuser2 admins + + Remove a member from the netgroup: + ipa netgroup-remove-member --users=tuser2 admins + + Display information about a netgroup: + ipa netgroup-show admins + + Delete a netgroup: + ipa netgroup-del admins +""") + +register = Registry() + + +@register() +class netgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Netgroup name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'member_netgroup', + required=False, + label=_(u'Member netgroups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of 
netgroups'), + ), + parameters.Str( + 'memberindirect_netgroup', + required=False, + label=_(u'Indirect Member netgroups'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Member User'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'Member Group'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Member Host'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Member Hostgroup'), + ), + ) + + +@register() +class netgroup_add(Method): + __doc__ = _("Add a new netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_add_member(Method): + __doc__ = _("Add members to a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class netgroup_del(Method): + __doc__ = _("Delete a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class 
netgroup_find(Method): + __doc__ = _("Search for a netgroup.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + cli_name='uuid', + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'private', + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'managed', + doc=_(u'search for managed groups'), + default=False, + default_from=DefaultFrom(lambda private: private), + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member netgroups.'), + ), + parameters.Str( + 'no_netgroup', + required=False, + multivalue=True, + cli_name='no_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member netgroups.'), + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for netgroups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for netgroups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for netgroups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for netgroups without these member groups.'), + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for netgroups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for 
netgroups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups without these member host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member of netgroups.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class netgroup_mod(Method): + __doc__ = _("Modify a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host 
category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_remove_member(Method): + __doc__ = _("Remove members from a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class netgroup_show(Method): + __doc__ = _("Display information about a netgroup.") + + takes_args = ( + 
parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/otpconfig.py b/ipaclient/remote_plugins/2_156/otpconfig.py new file mode 100644 index 000000000..1aceb903e --- /dev/null +++ b/ipaclient/remote_plugins/2_156/otpconfig.py 
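Review bot: In `netgroup_add`, `netgroup_mod` and `netgroup_find` the `usercategory`/`hostcategory` options are described only as 'User category the rule applies to' with `cli_metavar="['all']"`; the doc never says that `all` is the only listed value or that it makes the netgroup match every user or host, which matters for an object the module docstring calls "a group used for permission checking". A short addition such as `doc=_(u'User category the rule applies to ("all" matches every user)')` and the host counterpart would make the scope visible in `--help`. Whether the value set is enforced server-side is not visible here, and because this file mirrors the 2.156 server API the wording change belongs upstream as well.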
@@ -0,0 +1,206 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +OTP configuration + +Manage the default values that IPA uses for OTP tokens. + +EXAMPLES: + + Show basic OTP configuration: + ipa otpconfig-show + + Show all OTP configuration options: + ipa otpconfig-show --all + + Change maximum TOTP authentication window to 10 minutes: + ipa otpconfig-mod --totp-auth-window=600 + + Change maximum TOTP synchronization window to 12 hours: + ipa otpconfig-mod --totp-sync-window=43200 + + Change maximum HOTP authentication window to 5: + ipa hotpconfig-mod --hotp-auth-window=5 + + Change maximum HOTP synchronization window to 50: + ipa hotpconfig-mod --hotp-sync-window=50 +""") + +register = Registry() + + +@register() +class otpconfig(Object): + takes_params = ( + parameters.Int( + 'ipatokentotpauthwindow', + label=_(u'TOTP authentication Window'), + doc=_(u'TOTP authentication time variance (seconds)'), + ), + parameters.Int( + 'ipatokentotpsyncwindow', + label=_(u'TOTP Synchronization Window'), + doc=_(u'TOTP synchronization time variance (seconds)'), + ), + parameters.Int( + 'ipatokenhotpauthwindow', + label=_(u'HOTP Authentication Window'), + doc=_(u'HOTP authentication skip-ahead'), + ), + parameters.Int( + 'ipatokenhotpsyncwindow', + label=_(u'HOTP Synchronization Window'), + doc=_(u'HOTP synchronization skip-ahead'), + ), + ) + + +@register() +class otpconfig_mod(Method): + __doc__ = _("Modify OTP configuration options.") + + takes_options = ( + parameters.Int( + 'ipatokentotpauthwindow', + required=False, + cli_name='totp_auth_window', + label=_(u'TOTP authentication Window'), + 
doc=_(u'TOTP authentication time variance (seconds)'), + ), + parameters.Int( + 'ipatokentotpsyncwindow', + required=False, + cli_name='totp_sync_window', + label=_(u'TOTP Synchronization Window'), + doc=_(u'TOTP synchronization time variance (seconds)'), + ), + parameters.Int( + 'ipatokenhotpauthwindow', + required=False, + cli_name='hotp_auth_window', + label=_(u'HOTP Authentication Window'), + doc=_(u'HOTP authentication skip-ahead'), + ), + parameters.Int( + 'ipatokenhotpsyncwindow', + required=False, + cli_name='hotp_sync_window', + label=_(u'HOTP Synchronization Window'), + doc=_(u'HOTP synchronization skip-ahead'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class otpconfig_show(Method): + __doc__ = _("Show the current OTP configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/otptoken.py b/ipaclient/remote_plugins/2_156/otptoken.py new file mode 100644 index 000000000..0b2b54c6e --- /dev/null +++ b/ipaclient/remote_plugins/2_156/otptoken.py 
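Review bot: The last two examples in the module docstring invoke `ipa hotpconfig-mod`, but the only modify command this hunk registers is `otpconfig_mod` (whose options are `--hotp-auth-window` and `--hotp-sync-window`), so the examples name a command that does not exist. The text appears to mirror the server plugin's docstring, so the correction belongs upstream as well, but this copy is the help text a client talking to a pre-schema server is given. Change both lines to `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`.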
@@ -0,0 +1,893 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +OTP Tokens + +Manage OTP tokens. + +IPA supports the use of OTP tokens for multi-factor authentication. This +code enables the management of OTP tokens. + +EXAMPLES: + + Add a new token: + ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token" + + Examine the token: + ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a + + Change the vendor: + ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat" + + Delete a token: + ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a +""") + +register = Registry() + + +@register() +class otptoken(Object): + takes_params = ( + parameters.Str( + 'ipatokenuniqueid', + primary_key=True, + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of the token'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Str( + 'managedby_user', + required=False, + label=_(u'Manager'), + doc=_(u'Assigned manager of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', 
+ required=False, + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + ), + ) + + +@register() +class otptoken_add(Method): + __doc__ = _("Add a new OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + autofill=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + 
label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: os.urandom(KEY_LENGTH) + autofill=True, + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + autofill=True, + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + default=6, + autofill=True, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + autofill=True, + ), + parameters.Int( + 
'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + autofill=True, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + autofill=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'qrcode', + required=False, + label=_(u'(deprecated)'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_qrcode', + label=_(u'Do not display QR code'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_add_managedby(Method): + __doc__ = _("Add users that can manage this token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class otptoken_del(Method): + __doc__ = _("Delete an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + multivalue=True, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class otptoken_find(Method): + __doc__ = _("Search for OTP token.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant 
object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code 
will have'), + default=6, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("id")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class otptoken_mod(Method): + __doc__ = _("Modify a OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + 
), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the OTP token object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_remove_managedby(Method): + __doc__ = _("Remove users that can manage this token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class otptoken_show(Method): + __doc__ = _("Display information about an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
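Review bot: In `otptoken_add`, `ipatokenotpkey` gets `default_from=DefaultFrom(lambda : None)` with `autofill=True`, so the bundled client never generates the token secret; the adjacent `# FIXME:` records only the server-side expression `os.urandom(KEY_LENGTH)` and does not say what happens instead. Presumably the server applies its own random default when the option arrives unset, but a reader of this file cannot tell whether a token created through this plugin ends up with a random secret or with none, and that is the one default in the file whose value is security-relevant. Replace the bare FIXME with a comment that states the dependency, e.g. `# FIXME: secret is not generated client-side; relies on the server's os.urandom(KEY_LENGTH) default when the option is omitted -- verify against a 2.156 server`.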
diff --git a/ipaclient/remote_plugins/2_156/otptoken_yubikey.py b/ipaclient/remote_plugins/2_156/otptoken_yubikey.py new file mode 100644 index 000000000..61fe1b484 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/otptoken_yubikey.py @@ -0,0 +1,33 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +YubiKey Tokens + +Manage YubiKey tokens. + +This code is an extension to the otptoken plugin and provides support for +reading/writing YubiKey tokens directly. + +EXAMPLES: + + Add a new token: + ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey" +""") + +register = Registry() diff --git a/ipaclient/remote_plugins/2_156/passwd.py b/ipaclient/remote_plugins/2_156/passwd.py new file mode 100644 index 000000000..66ec54b5c --- /dev/null +++ b/ipaclient/remote_plugins/2_156/passwd.py 
@@ -0,0 +1,93 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Set a user's password + +If someone other than a user changes that user's password (e.g., Helpdesk +resets it) then the password will need to be changed the first time it +is used. This is so the end-user is the only one who knows the password. + +The IPA password policy controls how often a password may be changed, +what strength requirements exist, and the length of the password history. + +EXAMPLES: + + To reset your own password: + ipa passwd + + To change another user's password: + ipa passwd tuser1 +""") + +register = Registry() + + +@register() +class passwd(Command): + __doc__ = _("Set a user's password.") + + takes_args = ( + parameters.Str( + 'principal', + cli_name='user', + label=_(u'User name'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: util.get_current_principal() + autofill=True, + no_convert=True, + ), + parameters.Password( + 'password', + label=_(u'New Password'), + confirm=True, + ), + parameters.Password( + 'current_password', + label=_(u'Current Password'), + default_from=DefaultFrom(lambda principal: None, 'principal'), + # FIXME: + # lambda principal: get_current_password(principal) + autofill=True, + ), + ) + takes_options = ( + parameters.Password( + 'otp', + required=False, + label=_(u'OTP'), + doc=_(u'One Time Password'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + 
output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/permission.py b/ipaclient/remote_plugins/2_156/permission.py new file mode 100644 index 000000000..94cd1bbaa --- /dev/null +++ b/ipaclient/remote_plugins/2_156/permission.py 
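Review bot: `current_password` in `passwd` now has `default_from=DefaultFrom(lambda principal: None, 'principal')`, so its default is `None` regardless of whose password is being set; the `# FIXME:` names the original `get_current_password(principal)` but does not say what behaviour was dropped. If that helper distinguished changing one's own password from resetting another user's (the docstring's `ipa passwd tuser1` case), the bundled client will presumably now prompt for a current password in both cases and forward whatever the administrator types, which is a behaviour change worth stating next to the FIXME, e.g. `# FIXME: always None, so the client prompts for a current password even when resetting another user's; the server-side get_current_password() handled that case`. The same lambda replacement is used for `principal` just above (`util.get_current_principal()`), and its consequence for the CLI should be documented in the same way.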
@@ -0,0 +1,1099 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable wrapper around a 389-ds Access Control Rule, +or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add, delete, read, search, + or compare. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. search - search on one or more attributes +4. compare - compare one or more attributes +5. add - add a new entry to the tree +6. delete - delete an existing entry +7. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. subtree: a DN; the permission applies to the subtree under this DN +2. target filter: an LDAP filter +3. 
target: DN with possible wildcards, specifies entries permission applies to + +Additionally, there are the following convenience options. +Setting one of these options will set the corresponding attribute(s). +1. type: a type of object (user, group, etc); sets subtree and target filter. +2. memberof: apply to members of a group; sets target filter +3. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership); sets target. + +Managed permissions + +Permissions that come with IPA by default can be so-called "managed" +permissions. These have a default set of attributes they apply to, +but the administrator can add/remove individual attributes to/from the set. + +Deleting or renaming a managed permission, as well as changing its target, +is not allowed. + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the 
permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + label=_(u'Bind rule type'), + ), + parameters.Str( + 'ipapermlocation', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + ), + parameters.Str( + 'subtree', + 
required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + alwaysask=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermbindruletype', + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + autofill=True, + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, 
but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + alwaysask=True, + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI (internal command)") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermissiontype', + multivalue=True, + label=_(u'Permission flags'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + 
doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + cli_name='defaultattrs', + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets 
target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + 
cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + 
multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/ping.py b/ipaclient/remote_plugins/2_156/ping.py
new file mode 100644
index 000000000..e9344127c
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/ping.py
@@ -0,0 +1,62 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Ping the remote IPA server to ensure it is running.
+
+The ping command sends an echo request to an IPA server. The server
+returns its version information. This is used by an IPA client
+to confirm that the server is available and accepting requests.
+
+The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first.
+If it does not respond then the client will contact any servers defined
+by ldap SRV records in DNS.
+
+EXAMPLES:
+
+ Ping an IPA server:
+ ipa ping
+ ------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ ------------------------------------------
+
+ Ping an IPA server verbosely:
+ ipa -v ping
+ ipa: INFO: trying https://ipa.example.com/ipa/xml
+ ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml'
+ -----------------------------------------------------
+ IPA server version 2.1.9. API version 2.20
+ -----------------------------------------------------
+""")
+
+register = Registry()
+
+
+@register()
+class ping(Command):
+ __doc__ = _("Ping a remote server.")
+
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/pkinit.py b/ipaclient/remote_plugins/2_156/pkinit.py
new file mode 100644
index 000000000..fcb4c6b6b
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/pkinit.py
@@ -0,0 +1,63 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Kerberos pkinit options
+
+Enable or disable anonymous pkinit using the principal
+WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with
+pkinit support.
+
+EXAMPLES:
+
+ Enable anonymous pkinit:
+ ipa pkinit-anonymous enable
+
+ Disable anonymous pkinit:
+ ipa pkinit-anonymous disable
+
+For more information on anonymous pkinit see:
+
+http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit
+""")
+
+register = Registry()
+
+
+@register()
+class pkinit(Object):
+ takes_params = (
+ )
+
+
+@register()
+class pkinit_anonymous(Command):
+ __doc__ = _("Enable or Disable Anonymous PKINIT.")
+
+ takes_args = (
+ parameters.Str(
+ 'action',
+ ),
+ )
+ takes_options = (
+ )
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/privilege.py b/ipaclient/remote_plugins/2_156/privilege.py
new file mode 100644
index 000000000..9fb436a92
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/privilege.py
@@ -0,0 +1,656 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Privileges + +A privilege combines permissions into a logical task. A permission provides +the rights to do a single task. There are some IPA operations that require +multiple permissions to succeed. A privilege is where permissions are +combined in order to perform a specific task. + +For example, adding a user requires the following permissions: + * Creating a new user entry + * Resetting a user password + * Adding the new user to the default IPA users group + +Combining these three low-level tasks into a higher level task in the +form of a privilege named "Add User" makes it easier to manage Roles. + +A privilege may not contain other privileges. + +See role and permission for additional information. 
+""") + +register = Registry() + + +@register() +class privilege(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'memberof_permission', + required=False, + label=_(u'Permissions'), + ), + parameters.Str( + 'member_role', + required=False, + label=_(u'Granting privilege to roles'), + ), + ) + + +@register() +class privilege_add(Method): + __doc__ = _("Add a new privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_add_member(Method): + __doc__ = _("Add members to a privilege.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class privilege_add_permission(Method): + __doc__ = _("Add permissions to a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions added'), + ), + ) + + +@register() +class privilege_del(Method): + __doc__ = _("Delete a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class privilege_find(Method): + __doc__ = _("Search for privileges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time 
Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class privilege_mod(Method): + __doc__ = _("Modify a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. 
Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the privilege object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_remove_member(Method): + __doc__ = _("Remove members from a privilege") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class privilege_remove_permission(Method): + __doc__ = _("Remove permissions from a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions removed'), + ), + ) + + +@register() +class privilege_show(Method): + __doc__ = _("Display information about a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_156/pwpolicy.py b/ipaclient/remote_plugins/2_156/pwpolicy.py new file mode 100644 index 000000000..6010579d3 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/pwpolicy.py 
@@ -0,0 +1,937 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Password policy + +A password policy sets limitations on IPA passwords, including maximum +lifetime, minimum lifetime, the number of passwords to save in +history, the number of character classes required (for stronger passwords) +and the minimum password length. + +By default there is a single, global policy for all users. You can also +create a password policy to apply to a group. Each user is only subject +to one password policy, either the group policy or the global policy. A +group policy stands alone; it is not a super-set of the global policy plus +custom settings. + +Each group password policy requires a unique priority setting. If a user +is in multiple groups that have password policies, this priority determines +which password policy is applied. A lower value indicates a higher priority +policy. + +Group password policies are automatically removed when the groups they +are associated with are removed. 
+ +EXAMPLES: + + Modify the global policy: + ipa pwpolicy-mod --minlength=10 + + Add a new group password policy: + ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins + + Display the global password policy: + ipa pwpolicy-show + + Display a group password policy: + ipa pwpolicy-show localadmins + + Display the policy that would be applied to a given user: + ipa pwpolicy-show --user=tuser1 + + Modify a group password policy: + ipa pwpolicy-mod --minclasses=2 localadmins +""") + +register = Registry() + + +@register() +class cosentry(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + ) + + +@register() +class pwpolicy(Object): + takes_params = ( + parameters.Str( + 'cn', + required=False, + primary_key=True, + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', 
+ required=False, + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + ) + + +@register() +class cosentry_add(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_del(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class cosentry_find(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("cn")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cosentry_mod(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_show(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_add(Method): + __doc__ = _("Add a new group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_del(Method): + __doc__ = _("Delete a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class pwpolicy_find(Method): + __doc__ = _("Search for group password policies.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + 
doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class pwpolicy_mod(Method): + __doc__ = _("Modify a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + 
label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_show(Method): + __doc__ = _("Display information about password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + label=_(u'User'), + doc=_(u'Display effective policy for a specific user'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/radiusproxy.py b/ipaclient/remote_plugins/2_156/radiusproxy.py new file mode 100644 index 000000000..9bc020b5d --- /dev/null +++ b/ipaclient/remote_plugins/2_156/radiusproxy.py 
@@ -0,0 +1,521 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +RADIUS Proxy Servers + +Manage RADIUS Proxy Servers. + +IPA supports the use of an external RADIUS proxy server for krb5 OTP +authentications. This permits a great deal of flexibility when +integrating with third-party authentication services. + +EXAMPLES: + + Add a new server: + ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812 + + Find all servers whose entries include the string "example.com": + ipa radiusproxy-find example.com + + Examine the configuration: + ipa radiusproxy-show MyRADIUS + + Change the secret: + ipa radiusproxy-mod MyRADIUS --secret + + Delete a configuration: + ipa radiusproxy-del MyRADIUS +""") + +register = Registry() + + +@register() +class radiusproxy(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 
'ipatokenusermapattribute', + required=False, + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + ) + + +@register() +class radiusproxy_add(Method): + __doc__ = _("Add a new RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_del(Method): + __doc__ = _("Delete a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class radiusproxy_find(Method): + __doc__ = _("Search for RADIUS proxy servers.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + 
label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class radiusproxy_mod(Method): + __doc__ = _("Modify a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + 
multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the RADIUS proxy server object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_show(Method): + __doc__ = _("Display information about a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/realmdomains.py b/ipaclient/remote_plugins/2_156/realmdomains.py new file mode 100644 index 000000000..f8f563a45 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/realmdomains.py 
@@ -0,0 +1,195 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Realm domains + +Manage the list of domains associated with IPA realm. + +EXAMPLES: + + Display the current list of realm domains: + ipa realmdomains-show + + Replace the list of realm domains: + ipa realmdomains-mod --domain=example.com + ipa realmdomains-mod --domain={example1.com,example2.com,example3.com} + + Add a domain to the list of realm domains: + ipa realmdomains-mod --add-domain=newdomain.com + + Delete a domain from the list of realm domains: + ipa realmdomains-mod --del-domain=olddomain.com +""") + +register = Registry() + + +@register() +class realmdomains(Object): + takes_params = ( + parameters.Str( + 'associateddomain', + multivalue=True, + label=_(u'Domain'), + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + ), + ) + + +@register() +class realmdomains_mod(Method): + __doc__ = _("Modify realm domains.") + + takes_options = ( + parameters.Str( + 'associateddomain', + required=False, + multivalue=True, + cli_name='domain', + label=_(u'Domain'), + no_convert=True, + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + no_convert=True, + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force adding domain even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class realmdomains_show(Method): + __doc__ = _("Display the list of realm domains.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/role.py b/ipaclient/remote_plugins/2_156/role.py new file mode 100644 index 000000000..122d4cdee --- /dev/null +++ b/ipaclient/remote_plugins/2_156/role.py 
@@ -0,0 +1,758 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group junioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'junioradmin' can + add users, reset passwords or add a user to the default IPA user group. 
+""") + +register = Registry() + + +@register() +class role(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_privilege', + required=False, + label=_(u'Privileges'), + ), + parameters.Str( + 'member_service', + required=False, + label=_(u'Member services'), + ), + ) + + +@register() +class role_add(Method): + __doc__ = _("Add a new role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_add_member(Method): + __doc__ = _("Add members to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + 
cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class role_add_privilege(Method): + __doc__ = _("Add privileges to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges added'), + ), + ) + + +@register() +class role_del(Method): + __doc__ = _("Delete a role.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), 
+ ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class role_find(Method): + __doc__ = _("Search for roles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class role_mod(Method): + __doc__ = _("Modify a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the role object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_remove_member(Method): + __doc__ = _("Remove members from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class role_remove_privilege(Method): + __doc__ = _("Remove privileges from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges removed'), + ), + ) + + +@register() +class role_show(Method): + __doc__ = _("Display information about a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_156/selfservice.py b/ipaclient/remote_plugins/2_156/selfservice.py new file mode 100644 index 000000000..5d7e36f30 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/selfservice.py 
@@ -0,0 +1,338 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Self-service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address (using Bash + brace expansion): + ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. + Add telephoneNumber to the list (using Bash brace expansion): + ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address" + + Display our updated rule: + ipa selfservice-show "Users manage their own address" + + Delete a rule: + ipa selfservice-del "Users manage their own address" +""") + +register = Registry() + + +@register() +class selfservice(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + ), + ) + + +@register() +class selfservice_add(Method): + __doc__ = _("Add a new self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_del(Method): + __doc__ = _("Delete a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_find(Method): + __doc__ = _("Search for a self-service permission.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selfservice_mod(Method): + __doc__ = _("Modify a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_show(Method): + __doc__ = _("Display information about a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/selinuxusermap.py b/ipaclient/remote_plugins/2_156/selinuxusermap.py new file mode 100644 index 000000000..cf572f9c7 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/selinuxusermap.py 
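Review bot: The header of selfservice.py (and likewise the selinuxusermap.py and server.py hunks in this chunk) gives no indication that the module is a frozen copy of the server-side plugin interface for API version 2.156 — the only hint is the directory name — so a later reader may "fix" a parameter here and silently diverge from what a server of that version exposes; these declarations presumably drive client-side argument validation and conversion, so such a local edit would change what the client accepts without the server changing. Suggest a comment after the copyright block: `# Bundled remote plugin definitions mirroring server API version 2.156 (for servers without API schema support). Keep identical to the server plugin of that version; do not hand-edit.` The `# pylint: disable=unused-import` block (DefaultFrom, DN, DNSName, api, Command are unused in this module) reads as a template header shared by all bundled modules; saying so in the same comment would spare reviewers from flagging the imports as dead code.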
@@ -0,0 +1,905 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +SELinux User Mapping + +Map IPA users to SELinux users by host. + +Hosts, hostgroups, users and groups can be either defined within +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. + +EXAMPLES: + + Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server": + ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 + ipa selinuxusermap-add-host --hosts=server.example.com test1 + + Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts: + ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2 + + Display the properties of a rule: + ipa selinuxusermap-show test2 + + Create a rule for a specific user. 
This sets the SELinux context for + user john to unconfined_u:s0-s0:c0.c1023 on any machine: + ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined + ipa selinuxusermap-add-user --users=john john_unconfined + + Disable a rule: + ipa selinuxusermap-disable test1 + + Enable a rule: + ipa selinuxusermap-enable test1 + + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + + Remove a rule: + ipa selinuxusermap-del john_unconfined + +SEEALSO: + + The list controlling the order in which the SELinux user map is applied + and the default SELinux user are available in the config-show command. +""") + +register = Registry() + + +@register() +class selinuxusermap(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + ) + + +@register() +class selinuxusermap_add(Method): + __doc__ = _("Create a new SELinux User Map.") + + takes_args = ( + parameters.Str( 
+ 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_add_user(Method): + __doc__ = _("Add users and groups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_del(Method): + __doc__ = _("Delete a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class selinuxusermap_disable(Method): + __doc__ = _("Disable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_enable(Method): + __doc__ = _("Enable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_find(Method): + __doc__ = _("Search for SELinux User Maps.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selinuxusermap_mod(Method): + __doc__ = _("Modify a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host 
category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_remove_user(Method): + __doc__ = _("Remove users and groups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_show(Method): + __doc__ = _("Display the properties of a SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/server.py b/ipaclient/remote_plugins/2_156/server.py new file mode 100644 index 000000000..0b24b53d9 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/server.py 
@@ -0,0 +1,246 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA servers + +Get information about installed IPA servers. + +EXAMPLES: + + Find all servers: + ipa server-find + + Show specific server: + ipa server-show ipa.example.com +""") + +register = Registry() + + +@register() +class server(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + parameters.Str( + 'iparepltopomanagedsuffix', + label=_(u'Managed suffix'), + ), + parameters.Int( + 'ipamindomainlevel', + label=_(u'Min domain level'), + doc=_(u'Minimum domain level'), + ), + parameters.Int( + 'ipamaxdomainlevel', + label=_(u'Max domain level'), + doc=_(u'Maximum domain level'), + ), + ) + + +@register() +class server_del(Method): + __doc__ = _("Delete IPA server.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class server_find(Method): + __doc__ = _("Search for IPA servers.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all 
relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + parameters.Str( + 'iparepltopomanagedsuffix', + required=False, + cli_name='suffix', + label=_(u'Managed suffix'), + ), + parameters.Int( + 'ipamindomainlevel', + required=False, + cli_name='minlevel', + label=_(u'Min domain level'), + doc=_(u'Minimum domain level'), + ), + parameters.Int( + 'ipamaxdomainlevel', + required=False, + cli_name='maxlevel', + label=_(u'Max domain level'), + doc=_(u'Maximum domain level'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class server_show(Method): + __doc__ = _("Show IPA server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/service.py b/ipaclient/remote_plugins/2_156/service.py new file mode 100644 index 000000000..0c7b9d803 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/service.py 
@@ -0,0 +1,1225 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Services + +A IPA service represents a service that runs on a host. The IPA service +record can store a Kerberos principal, an SSL certificate, or both. + +An IPA service can be managed directly from a machine, provided that +machine has been given the correct permission. This is true even for +machines other than the one the service is associated with. For example, +requesting an SSL certificate using the host service principal credentials +of the host. To manage a service using host credentials you need to +kinit as the host: + + # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM + +Adding an IPA service allows the associated service to request an SSL +certificate or keytab, but this is performed as a separate step; they +are not produced as a result of adding the service. + +Only the public aspect of a certificate is stored in a service record; +the private key is not stored. + +EXAMPLES: + + Add a new IPA service: + ipa service-add HTTP/web.example.com + + Allow a host to manage an IPA service certificate: + ipa service-add-host --hosts=web.example.com HTTP/web.example.com + ipa role-add-member --hosts=web.example.com certadmin + + Override a default list of supported PAC types for the service: + ipa service-mod HTTP/web.example.com --pac-type=MS-PAC + + A typical use case where overriding the PAC type is needed is NFS. + Currently the related code in the Linux kernel can only handle Kerberos + tickets up to a maximal size. 
Since the PAC data can become quite large it + is recommended to set --pac-type=NONE for NFS services. + + Delete an IPA service: + ipa service-del HTTP/web.example.com + + Find all IPA services associated with a host: + ipa service-find web.example.com + + Find all HTTP services: + ipa service-find HTTP + + Disable the service Kerberos key and SSL certificate: + ipa service-disable HTTP/web.example.com + + Request a certificate for an IPA service: + ipa cert-request --principal=HTTP/web.example.com example.csr + + Allow user to create a keytab: + ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1 + + Generate and retrieve a keytab for an IPA service: + ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab +""") + +register = Registry() + + +@register() +class service(Object): + takes_params = ( + parameters.Str( + 'krbprincipalname', + primary_key=True, + label=_(u'Principal'), + doc=_(u'Service principal'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class service_add(Method): + __doc__ = _("Add a new IPA new service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 
'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force principal name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_add_cert(Method): + __doc__ = _("Add new certificates to a service") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class service_add_host(Method): + __doc__ = _("Add hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_del(Method): + __doc__ = _("Delete an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + multivalue=True, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class service_disable(Method): + __doc__ = _("Disable the Kerberos key and SSL certificate of a service.") + + takes_args = ( + parameters.Str( 
+ 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_find(Method): + __doc__ = _("Search for IPA services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("principal")'), + default=False, + autofill=True, + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services without these managed by hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class service_mod(Method): + __doc__ = _("Modify an existing IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + 
doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_cert(Method): + __doc__ = _("Remove certificates from a service") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_host(Method): + __doc__ = _("Remove hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_show(Method): + __doc__ = _("Display information about an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/servicedelegation.py b/ipaclient/remote_plugins/2_156/servicedelegation.py new file mode 100644 index 000000000..d96462d91 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/servicedelegation.py 
@@ -0,0 +1,907 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Service Constrained Delegation + +Manage rules to allow constrained delegation of credentials so +that a service can impersonate a user when communicating with another +service without requiring the user to actually forward their TGT. +This makes for a much better method of delegating credentials as it +prevents exposure of the short term secret of the user. + +The naming convention is to append the word "target" or "targets" to +a matching rule name. This is not mandatory but helps conceptually +to associate rules and targets. + +A rule consists of two things: + - A list of targets the rule applies to + - A list of memberPrincipals that are allowed to delegate for + those targets + +A target consists of a list of principals that can be delegated. + +In English, a rule says that this principal can delegate as this +list of principals, as defined by these targets. 
+ +EXAMPLES: + + Add a new constrained delegation rule: + ipa servicedelegationrule-add ftp-delegation + + Add a new constrained delegation target: + ipa servicedelegationtarget-add ftp-delegation-target + + Add a principal to the rule: + ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation + + Add our target to the rule: + ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation + + Add a principal to the target: + ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target + + Display information about a named delegation rule and target: + ipa servicedelegationrule_show ftp-delegation + ipa servicedelegationtarget_show ftp-delegation-target + + Remove a constrained delegation: + ipa servicedelegationrule-del ftp-delegation-target + ipa servicedelegationtarget-del ftp-delegation + +In this example the ftp service can get a TGT for the ldap service on +the bound user's behalf. + +It is strongly discouraged to modify the delegations that ship with +IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and +ipa-ldap-delegation-targets. Incorrect changes can remove the ability +to delegate, causing the framework to stop functioning. 
+""") + +register = Registry() + + +@register() +class servicedelegationrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'ipaallowedtarget_servicedelegationtarget', + label=_(u'Allowed Target'), + ), + ) + + +@register() +class servicedelegationtarget(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + ) + + +@register() +class servicedelegationrule_add(Method): + __doc__ = _("Create a new service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationrule_add_member(Method): + __doc__ = _("Add member to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_add_target(Method): + __doc__ = _("Add target to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_del(Method): + __doc__ = _("Delete service delegation.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationrule_find(Method): + __doc__ = _("Search for service delegations rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum 
number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationrule_remove_member(Method): + __doc__ = _("Remove member from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_remove_target(Method): + __doc__ = _("Remove target from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_show(Method): + __doc__ = _("Display information about a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add(Method): + __doc__ = _("Create a new service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add_member(Method): + __doc__ = _("Add member to a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationtarget_del(Method): + __doc__ = _("Delete service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationtarget_find(Method): + __doc__ = _("Search for service delegation target.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationtarget_remove_member(Method): + __doc__ = _("Remove member from a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationtarget_show(Method): + __doc__ = _("Display information about a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/session.py b/ipaclient/remote_plugins/2_156/session.py new file mode 100644 index 000000000..7b30c92a0 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/session.py 
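Review bot: The "Remove a constrained delegation" example in the module docstring has the rule and target names swapped — `ipa servicedelegationrule-del ftp-delegation-target` and `ipa servicedelegationtarget-del ftp-delegation` name objects the preceding examples never create; it should read `ipa servicedelegationrule-del ftp-delegation` and `ipa servicedelegationtarget-del ftp-delegation-target`. The two `_show` examples just above also use underscores (`servicedelegationrule_show`) where every other example uses the hyphenated CLI form, which is worth normalising in the same pass. Since this file appears to be a bundled copy of the server plugin's interface (the commit message describes these as bundled definitions), the same text presumably lives in the server-side plugin docstring and should be corrected there before regenerating, otherwise the fix will be overwritten. These rules govern which service principals may obtain tickets on a user's behalf, so an operator following the example as written would at best hit a not-found error instead of removing the delegation they intended to.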
@@ -0,0 +1,34 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +register = Registry() + + +@register() +class session_logout(Command): + __doc__ = _("RPC command used to log the current user out of their session.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_156/stageuser.py b/ipaclient/remote_plugins/2_156/stageuser.py new file mode 100644 index 000000000..a660cc9ce --- /dev/null +++ b/ipaclient/remote_plugins/2_156/stageuser.py 
@@ -0,0 +1,1492 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Stageusers + +Manage stage user entries. + +Stage user entries are directly under the container: "cn=stage users, +cn=accounts, cn=provisioning, SUFFIX". +User can not authenticate with those entries (even if the entries +contain credentials) and are candidate to become Active entries. + +Active user entries are Posix users directly under the container: "cn=accounts, SUFFIX". +User can authenticate with Active entries, at the condition they have +credentials + +Delete user entries are Posix users directly under the container: "cn=deleted users, +cn=accounts, cn=provisioning, SUFFIX". +User can not authenticate with those entries (even if the entries contain credentials) + +The stage user container contains entries + - created by 'stageuser-add' commands that are Posix users + - created by external provisioning system + +A valid stage user entry MUST: + - entry RDN is 'uid' + - ipaUniqueID is 'autogenerate' + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. 
+ + +EXAMPLES: + + Add a new stageuser: + ipa stageuser-add --first=Tim --last=User --password tuser1 + + Add a stageuser from the Delete container + ipa stageuser-add --first=Tim --last=User --from-delete tuser1 +""") + +register = Registry() + + +@register() +class stageuser(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + 
required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + 
required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class stageuser_activate(Method): + __doc__ = _("Activate a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_add(Method): + __doc__ = _("Add a new stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + 
required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + autofill=True, + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Bool( + 'from_delete', + required=False, + deprecated=True, + doc=_(u'Create Stage user in from a delete user'), + exclude=('cli', 'webui'), + default=False, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_del(Method): + __doc__ = _("Delete a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class stageuser_find(Method): + __doc__ = _("Search for stage users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + 
label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 
'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + 
doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for stage users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for stage users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for stage users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for stage users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for stage users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for stage users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + 
cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for stage users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for stage users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for stage users with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for stage users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class stageuser_mod(Method): + __doc__ = _("Modify a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + 
label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + 
required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server 
certificate'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the stage user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_show(Method): + __doc__ = _("Display information about a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/sudocmd.py b/ipaclient/remote_plugins/2_156/sudocmd.py new file mode 100644 index 000000000..ccc78a77a --- /dev/null +++ b/ipaclient/remote_plugins/2_156/sudocmd.py 
@@ -0,0 +1,394 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Commands + +Commands used as building blocks for sudo + +EXAMPLES: + + Create a new command + ipa sudocmd-add --desc='For reading log files' /usr/bin/less + + Remove a command + ipa sudocmd-del /usr/bin/less +""") + +register = Registry() + + +@register() +class sudocmd(Object): + takes_params = ( + parameters.Str( + 'sudocmd', + primary_key=True, + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'memberof_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + ) + + +@register() +class sudocmd_add(Method): + __doc__ = _("Create new Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_del(Method): + __doc__ = _("Delete Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + multivalue=True, + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmd_find(Method): + __doc__ = _("Search for Sudo Commands.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'sudocmd', + required=False, + cli_name='command', + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("command")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmd_mod(Method): + __doc__ = _("Modify Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_show(Method): + __doc__ = _("Display Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/sudocmdgroup.py b/ipaclient/remote_plugins/2_156/sudocmdgroup.py new file mode 100644 index 000000000..747213d93 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/sudocmdgroup.py 
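Review bot: sudocmd.py carries no comment stating that it is a bundled snapshot of the 2.156 server API, and because the file is ordinary hand-editable Python a maintainer may later "fix" the copied text — for example the `output.PrimaryKey` doc in sudocmd_add and sudocmd_mod still reads `e.g. 'jdoe' for a user` — and make the client-side definition diverge from what that server version actually exposes. A header after the copyright block such as `# Snapshot of the sudocmd plugin interface of server API version 2.156; keep identical to the server, do not hand-edit.` would make the intent explicit. The same applies to the other bundled files in this commit, including sudocmdgroup.py, whose hunk continues past this chunk. The `# pylint: disable=unused-import` line also hides that `Command`, `api`, `DefaultFrom`, `DN` and `DNSName` are not referenced anywhere in this module; if those imports are kept for template uniformity across the bundled files, saying so in that comment would help the next reader.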
@@ -0,0 +1,540 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of Sudo Commands + +Manage groups of Sudo Commands. + +EXAMPLES: + + Add a new Sudo Command Group: + ipa sudocmdgroup-add --desc='administrators commands' admincmds + + Remove a Sudo Command Group: + ipa sudocmdgroup-del admincmds + + Manage Sudo Command Group membership, commands: + ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds + + Manage Sudo Command Group membership, commands: + ipa group-remove-member --sudocmds=/usr/bin/less admincmds + + Show a Sudo Command Group: + ipa group-show localadmins +""") + +register = Registry() + + +@register() +class sudocmdgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Sudo Command Group'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'membercmd_sudocmd', + required=False, + label=_(u'Commands'), + ), + parameters.Str( + 'membercmd_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + parameters.Str( + 'member_sudocmd', + required=False, + label=_(u'Member Sudo commands'), + ), + ) + + +@register() +class sudocmdgroup_add(Method): + __doc__ = _("Create new Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_add_member(Method): + __doc__ = _("Add members to Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudocmdgroup_del(Method): + __doc__ = _("Delete Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmdgroup_find(Method): + __doc__ = _("Search for Sudo Command Groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is 
unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmdgroup_mod(Method): + __doc__ = _("Modify Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. 
Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_remove_member(Method): + __doc__ = _("Remove members from Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudocmdgroup_show(Method): + __doc__ = _("Display Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_156/sudorule.py b/ipaclient/remote_plugins/2_156/sudorule.py new file mode 100644 index 000000000..5d185ed31 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/sudorule.py 
@@ -0,0 +1,1774 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Rules + +Sudo (su "do") allows a system administrator to delegate authority to +give certain users (or groups of users) the ability to run some (or all) +commands as root or another user while providing an audit trail of the +commands and their arguments. + +FreeIPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. + Deny Command: The specific command(s) prohibited to be run via Sudo. + RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. + RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. + Options: The various Sudoers Options that can modify Sudo's behavior. + +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. 
+ +FreeIPA provides a designated binddn to use with Sudo located at: +uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +To enable the binddn run the following command to set the password: +LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +EXAMPLES: + + Create a new rule: + ipa sudorule-add readfiles + + Add sudo command object and add it as allowed command in the rule: + ipa sudocmd-add /usr/bin/less + ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less + + Add a host to the rule: + ipa sudorule-add-host readfiles --hosts server.example.com + + Add a user to the rule: + ipa sudorule-add-user readfiles --users jsmith + + Add a special Sudo rule for default Sudo server configuration: + ipa sudorule-add defaults + + Set a default Sudo option: + ipa sudorule-add-option defaults --sudooption '!authenticate' +""") + +register = Registry() + + +@register() +class sudorule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies 
to'), + ), + parameters.Int( + 'sudoorder', + required=False, + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'hostmask', + multivalue=True, + label=_(u'Host Masks'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'memberallowcmd_sudocmd', + required=False, + label=_(u'Sudo Allow Commands'), + ), + parameters.Str( + 'memberdenycmd_sudocmd', + required=False, + label=_(u'Sudo Deny Commands'), + ), + parameters.Str( + 'memberallowcmd_sudocmdgroup', + required=False, + label=_(u'Sudo Allow Command Groups'), + ), + parameters.Str( + 'memberdenycmd_sudocmdgroup', + required=False, + label=_(u'Sudo Deny Command Groups'), + ), + parameters.Str( + 'ipasudorunas_user', + required=False, + label=_(u'RunAs Users'), + doc=_(u'Run as a user'), + ), + parameters.Str( + 'ipasudorunas_group', + required=False, + label=_(u'Groups of RunAs Users'), + doc=_(u'Run as any user within a specified group'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextusergroup', + required=False, + label=_(u'External Groups of RunAs Users'), + doc=_(u'External Groups of users that the command can run as'), + ), + parameters.Str( + 'ipasudorunasgroup_group', + required=False, + label=_(u'RunAs Groups'), + 
doc=_(u'Run with the gid of a specified POSIX group'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudoopt', + required=False, + label=_(u'Sudo Option'), + ), + ) + + +@register() +class sudorule_add(Method): + __doc__ = _("Create new Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the 
rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_allow_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_deny_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_host(Method): + __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_option(Method): + __doc__ = _("Add an option to the Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_runasgroup(Method): + __doc__ = _("Add group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_runasuser(Method): + __doc__ = _("Add users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_user(Method): + __doc__ = _("Add users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_del(Method): + __doc__ = _("Delete Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudorule_disable(Method): + __doc__ = _("Disable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_enable(Method): + __doc__ = _("Enable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class 
sudorule_find(Method): + __doc__ = _("Search for Sudo Rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudorule-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudorule_mod(Method): + __doc__ = _("Modify Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', 
+ required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as 
(sudorule-find only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_allow_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_deny_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_host(Method): + __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_option(Method): + __doc__ = _("Remove an option from Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_runasgroup(Method): + __doc__ = _("Remove group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_runasuser(Method): + __doc__ = _("Remove users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_user(Method): + __doc__ = _("Remove users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_show(Method): + __doc__ = _("Display Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/topology.py b/ipaclient/remote_plugins/2_156/topology.py new file mode 100644 index 000000000..ca0910687 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/topology.py 
@@ -0,0 +1,1026 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Topology + +Management of a replication topology. + +Requires minimum domain level 1. +""") + +register = Registry() + + +@register() +class topologysegment(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + ), + parameters.Str( + 'iparepltoposegmentleftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + ), + parameters.Str( + 'iparepltoposegmentrightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + ), + parameters.Str( + 'iparepltoposegmentdirection', + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. 
(objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + ), + ) + + +@register() +class topologysuffix(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Suffix name'), + ), + parameters.Str( + 'iparepltopoconfroot', + label=_(u'LDAP suffix to be managed'), + ), + ) + + +@register() +class topologysegment_add(Method): + __doc__ = _("Add a new segment.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'iparepltoposegmentleftnode', + cli_name='leftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentrightnode', + cli_name='rightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentdirection', + cli_name='direction', + cli_metavar="['both', 'left-right', 'right-left']", + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + exclude=('cli', 'webui'), 
+ default=u'both', + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_del(Method): + __doc__ = _("Delete a segment.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class topologysegment_find(Method): + __doc__ = _("Search for topology segments.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( 
+ 'cn', + required=False, + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentleftnode', + required=False, + cli_name='leftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentrightnode', + required=False, + cli_name='rightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentdirection', + required=False, + cli_name='direction', + cli_metavar="['both', 'left-right', 'right-left']", + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + exclude=('cli', 'webui'), + default=u'both', + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. 
(objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class topologysegment_mod(Method): + __doc__ = _("Modify a segment.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. 
E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_reinitialize(Method): + __doc__ = _("Request a full re-initialization of the node retrieving data from the other node.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'left', + required=False, + doc=_(u'Initialize left node'), + default=False, + autofill=True, + ), + parameters.Flag( + 'right', + required=False, + doc=_(u'Initialize right node'), + default=False, + autofill=True, + ), + parameters.Flag( + 'stop', + required=False, + doc=_(u'Stop already started refresh of chosen node(s)'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_show(Method): + __doc__ = _("Display a segment.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_add(Method): + __doc__ = _("Add a new topology suffix to be managed.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Str( + 'iparepltopoconfroot', + cli_name='suffix', + label=_(u'LDAP suffix to be managed'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_del(Method): + __doc__ = _("Delete a topology suffix.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class topologysuffix_find(Method): + __doc__ = _("Search for topology suffices.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Suffix name'), + ), + 
parameters.Str( + 'iparepltopoconfroot', + required=False, + cli_name='suffix', + label=_(u'LDAP suffix to be managed'), + no_convert=True, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class topologysuffix_mod(Method): + __doc__ = _("Modify a topology suffix.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Str( + 'iparepltopoconfroot', + required=False, + cli_name='suffix', + label=_(u'LDAP suffix to be managed'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_show(Method): + __doc__ = _("Show managed suffix.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_verify(Method): + __doc__ = _(""" +Verify replication topology for suffix. + +Checks done: + 1. check if a topology is not disconnected. In other words if there are + replication paths between all servers. + 2. check if servers don't have more than the recommended number of + replication agreements + """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_156/trust.py b/ipaclient/remote_plugins/2_156/trust.py new file mode 100644 index 000000000..369ffcd18 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/trust.py 
@@ -0,0 +1,1264 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad --admin --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show + +4. Delete existing trust relationship: + + ipa trust-del + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. 
Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external + + +GLOBAL TRUST CONFIGURATION + +When IPA AD trust subpackage is installed and ipa-adtrust-install is run, +a local domain configuration (SID, GUID, NetBIOS name) is generated. These +identifiers are then used when communicating with a trusted domain of the +particular type. + +1. Show global trust configuration for Active Directory type of trusts: + + ipa trustconfig-show --type ad + +2. Modify global configuration for all trusts of Active Directory type and set + a different fallback primary group (fallback primary group GID is used as + a primary user GID if user authenticating to IPA domain does not have any other + primary GID already set): + + ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group" + +3. 
Change primary fallback group back to default hidden group (any group with + posixGroup object class is allowed): + + ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group" +""") + +register = Registry() + + +@register() +class trust(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + label=_(u'SID blacklist outgoing'), + ), + ) + + +@register() +class trustconfig(Object): + takes_params = ( + parameters.Str( + 'cn', + label=_(u'Domain'), + ), + parameters.Str( + 'ipantsecurityidentifier', + label=_(u'Security Identifier'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'NetBIOS name'), + ), + parameters.Str( + 'ipantdomainguid', + label=_(u'Domain GUID'), + ), + parameters.Str( + 'ipantfallbackprimarygroup', + label=_(u'Fallback primary group'), + ), + ) + + +@register() +class trustdomain(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + ), + ) + + +@register() +class adtrust_is_enabled(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run on this system") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class compat_is_enabled(Command): + __doc__ = _("Determine 
whether Schema Compatibility plugin is configured to serve trusted domain users and groups") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sidgen_was_run(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class trust_add(Method): + __doc__ = _(""" +Add new trust to use. + +This command establishes trust relationship to another domain +which becomes 'trusted'. As result, users of the trusted domain +may access resources of this domain. + +Only trusts to Active Directory domains are supported right now. + +The command can be safely run multiple times against the same domain, +this will cause change to trust relationship credentials on both +sides. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Str( + 'realm_admin', + required=False, + cli_name='admin', + label=_(u'Active Directory domain administrator'), + ), + parameters.Password( + 'realm_passwd', + required=False, + cli_name='password', + label=_(u"Active Directory domain administrator's password"), + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Password( + 'trust_secret', + required=False, + label=_(u'Shared secret for the trust'), + ), + parameters.Int( + 'base_id', + required=False, + label=_(u'First Posix ID of the range reserved for the trusted domain'), + ), + parameters.Int( + 'range_size', + required=False, + label=_(u'Size of the ID range reserved for the trusted domain'), + ), + parameters.Str( + 'range_type', + required=False, + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']", + label=_(u'Range type'), + doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'), + ), + parameters.Bool( + 'bidirectional', + required=False, + cli_name='two_way', + label=_(u'Two-way trust'), + doc=_(u'Establish bi-directional trust. By default trust is inbound one-way only.'), + default=False, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_del(Method): + __doc__ = _("Delete a trust.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trust_fetch_domains(Method): + __doc__ = _("Refresh list of the domains associated with the trust") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_find(Method): + __doc__ = _("Search for trusts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='realm', + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("realm")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_mod(Method): + __doc__ = _(""" +Modify a trust (for future use). + + Currently only the default option to modify the LDAP attributes is + available. More specific options will be added in coming releases. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_resolve(Command): + __doc__ = _("Resolve security identifiers of users and groups in trusted domains") + + NO_CLI = True + + takes_options = ( + parameters.Str( + 'sids', + multivalue=True, + label=_(u'Security Identifiers (SIDs)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.ListOfEntries( + 'result', + ), + ) + + +@register() +class trust_show(Method): + __doc__ = _("Display information about a trust.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_mod(Method): + __doc__ = _("Modify global trust configuration.") + + takes_options = ( + parameters.Str( + 'ipantfallbackprimarygroup', + required=False, + cli_name='fallback_primary_group', + label=_(u'Fallback primary group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_show(Method): + __doc__ = _("Show global trust configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_add(Method): + __doc__ = _("Allow access from the trusted domain") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_del(Method): + __doc__ = _("Remove infromation about the domain associated with the trust.") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + multivalue=True, + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trustdomain_disable(Method): + __doc__ = _("Disable use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_enable(Method): + __doc__ = _("Allow use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_find(Method): + __doc__ = _("Search domains of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='domain', + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("domain")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trustdomain_mod(Method): + __doc__ = _("Modify trustdomain of the trust") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'trust_type',
+ cli_name='type',
+ cli_metavar="['ad']",
+ label=_(u'Trust type (ad for Active Directory, default)'),
+ default=u'ad',
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_156/user.py b/ipaclient/remote_plugins/2_156/user.py
new file mode 100644
index 000000000..e545ca179
--- /dev/null
+++ b/ipaclient/remote_plugins/2_156/user.py
@@ -0,0 +1,1869 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Users
+
+Manage user entries. All users are POSIX users.
+
+IPA supports a wide range of username formats, but you need to be aware of any
+restrictions that may apply to your particular environment. For example,
+usernames that start with a digit or usernames that exceed a certain length
+may cause problems for some UNIX systems.
+Use 'ipa config-mod' to change the username format allowed by IPA tools.
+
+Disabling a user account prevents that user from obtaining new Kerberos
+credentials. It does not invalidate any credentials that have already
+been issued.
+
+Password management is not a part of this module. For more information
+about this topic please see: ipa help passwd
+
+Account lockout on password failure happens per IPA master. The user-status
+command can be used to identify which master the user is locked out on.
+It is on that master the administrator must unlock the user.
+ +EXAMPLES: + + Add a new user: + ipa user-add --first=Tim --last=User --password tuser1 + + Find all users whose entries include the string "Tim": + ipa user-find Tim + + Find all users with "Tim" as the first name: + ipa user-find --first=Tim + + Disable a user account: + ipa user-disable tuser1 + + Enable a user account: + ipa user-enable tuser1 + + Delete a user: + ipa user-del tuser1 +""") + +register = Registry() + + +@register() +class user(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + 
required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + 
required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + ), + parameters.Bool( + 'preserved', + required=False, + label=_(u'Preserved user'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class user_add(Method): + __doc__ = _("Add a new user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 
'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 
'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'noprivate', + doc=_(u"Don't create user private group"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_add_cert(Method): + __doc__ = _("Add one or more certificates to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_del(Method): + __doc__ = _("Delete a user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Bool( + 'preserve', + required=False, + exclude=('cli',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class user_disable(Method): + __doc__ = _("Disable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, 
type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_enable(Method): + __doc__ = _("Enable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_find(Method): + __doc__ = _("Search for users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda 
givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + 
cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + 
parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'preserved', + required=False, + label=_(u'Preserved user'), + default=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'whoami', + label=_(u'Self'), + doc=_(u'Display user record for current Kerberos principal'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + 
required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_mod(Method): + __doc__ = _("Modify a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + 
label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + 
cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_remove_cert(Method): + __doc__ = _("Remove one or more certificates to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_show(Method): + __doc__ = _("Display information about a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_stage(Method): + __doc__ = _("Move deleted user into staged area") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class user_status(Method): + __doc__ = _(""" +Lockout status of a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. 
A locked account is a temporary condition and may be unlocked by + an administrator. + + This connects to each IPA master and displays the lockout status on + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. + For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_undel(Method): + __doc__ = _("Undelete a delete user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_unlock(Method): + __doc__ = _(""" +Unlock a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. A locked account is a temporary condition and may be unlocked by + an administrator. 
+ """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_156/vault.py b/ipaclient/remote_plugins/2_156/vault.py new file mode 100644 index 000000000..8da030cf3 --- /dev/null +++ b/ipaclient/remote_plugins/2_156/vault.py 
@@ -0,0 +1,1680 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Vaults + +Manage vaults. + +Vault is a secure place to store a secret. + +Based on the ownership there are three vault categories: +* user/private vault +* service vault +* shared vault + +User vaults are vaults owned used by a particular user. Private +vaults are vaults owned the current user. Service vaults are +vaults owned by a service. Shared vaults are owned by the admin +but they can be used by other users or services. + +Based on the security mechanism there are three types of +vaults: +* standard vault +* symmetric vault +* asymmetric vault + +Standard vault uses a secure mechanism to transport and +store the secret. The secret can only be retrieved by users +that have access to the vault. + +Symmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a password before transport. +The secret can only be retrieved using the same password. + +Asymmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a public key before transport. +The secret can only be retrieved using the private key. 
+ +EXAMPLES: + + List vaults: + ipa vault-find + [--user |--service |--shared] + + Add a standard vault: + ipa vault-add + [--user |--service |--shared] + --type standard + + Add a symmetric vault: + ipa vault-add + [--user |--service |--shared] + --type symmetric --password-file password.txt + + Add an asymmetric vault: + ipa vault-add + [--user |--service |--shared] + --type asymmetric --public-key-file public.pem + + Show a vault: + ipa vault-show + [--user |--service |--shared] + + Modify vault description: + ipa vault-mod + [--user |--service |--shared] + --desc + + Modify vault type: + ipa vault-mod + [--user |--service |--shared] + --type + [old password/private key] + [new password/public key] + + Modify symmetric vault password: + ipa vault-mod + [--user |--service |--shared] + --change-password + ipa vault-mod + [--user |--service |--shared] + --old-password + --new-password + ipa vault-mod + [--user |--service |--shared] + --old-password-file + --new-password-file + + Modify asymmetric vault keys: + ipa vault-mod + [--user |--service |--shared] + --private-key-file + --public-key-file + + Delete a vault: + ipa vault-del + [--user |--service |--shared] + + Display vault configuration: + ipa vaultconfig-show + + Archive data into standard vault: + ipa vault-archive + [--user |--service |--shared] + --in + + Archive data into symmetric vault: + ipa vault-archive + [--user |--service |--shared] + --in + --password-file password.txt + + Archive data into asymmetric vault: + ipa vault-archive + [--user |--service |--shared] + --in + + Retrieve data from standard vault: + ipa vault-retrieve + [--user |--service |--shared] + --out + + Retrieve data from symmetric vault: + ipa vault-retrieve + [--user |--service |--shared] + --out + --password-file password.txt + + Retrieve data from asymmetric vault: + ipa vault-retrieve + [--user |--service |--shared] + --out --private-key-file private.pem + + Add vault owners: + ipa vault-add-owner + [--user |--service 
|--shared] + [--users ] [--groups ] [--services ] + + Delete vault owners: + ipa vault-remove-owner + [--user |--service |--shared] + [--users ] [--groups ] [--services ] + + Add vault members: + ipa vault-add-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] + + Delete vault members: + ipa vault-remove-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] +""") + +register = Registry() + + +@register() +class vault(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Vault name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + label=_(u'Type'), + doc=_(u'Vault type'), + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'owner_user', + required=False, + label=_(u'Owner users'), + ), + parameters.Str( + 'owner_group', + required=False, + label=_(u'Owner groups'), + ), + parameters.Str( + 'owner_service', + required=False, + label=_(u'Owner services'), + ), + parameters.Str( + 'owner', + required=False, + label=_(u'Failed owners'), + ), + parameters.Str( + 'service', + required=False, + label=_(u'Vault service'), + ), + parameters.Flag( + 'shared', + required=False, + label=_(u'Shared vault'), + ), + parameters.Str( + 'username', + required=False, + label=_(u'Vault user'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_service', + required=False, + label=_(u'Member services'), + ), + ) + + +@register() +class vaultconfig(Object): + takes_params = ( + parameters.Bytes( + 'transport_cert', + 
label=_(u'Transport Certificate'), + ), + ) + + +@register() +class vaultcontainer(Object): + takes_params = ( + parameters.Str( + 'owner_user', + required=False, + label=_(u'Owner users'), + ), + parameters.Str( + 'owner_group', + required=False, + label=_(u'Owner groups'), + ), + parameters.Str( + 'owner_service', + required=False, + label=_(u'Owner services'), + ), + parameters.Str( + 'owner', + required=False, + label=_(u'Failed owners'), + ), + parameters.Str( + 'service', + required=False, + label=_(u'Vault service'), + ), + parameters.Flag( + 'shared', + required=False, + label=_(u'Shared vault'), + ), + parameters.Str( + 'username', + required=False, + label=_(u'Vault user'), + ), + ) + + +@register() +class kra_is_enabled(Command): + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_add_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + autofill=True, + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + cli_name='salt', + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + cli_name='public_key', + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_add_member(Method): + __doc__ = _("Add members to a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class vault_add_owner(Method): + __doc__ = _("Add owners to a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + 
takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners added'), + ), + ) + + +@register() +class vault_archive_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + 
parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Bytes( + 'session_key', + doc=_(u'Session key wrapped with transport certificate'), + ), + parameters.Bytes( + 'vault_data', + doc=_(u'Vault data encrypted with session key'), + ), + parameters.Bytes( + 'nonce', + doc=_(u'Nonce'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vault_del(Method): + __doc__ = _("Delete a vault.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class vault_find(Method): + 
__doc__ = _("Search for vaults.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Vault name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'services', + required=False, + doc=_(u'List all service vaults'), + default=False, + autofill=True, + ), + parameters.Flag( + 'users', + required=False, + doc=_(u'List all user vaults'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class vault_mod_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + cli_name='salt', + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + cli_name='public_key', + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_remove_member(Method): + __doc__ = _("Remove members from a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class vault_remove_owner(Method): + __doc__ = _("Remove owners from a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault 
name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners removed'), + ), + ) + + +@register() +class vault_retrieve_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + 
default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Bytes( + 'session_key', + doc=_(u'Session key wrapped with transport certificate'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vault_show(Method): + __doc__ = _("Display information about a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vaultconfig_show(Method): + __doc__ = _("Show vault configuration.") + + takes_options = ( + parameters.Str( + 'transport_out', + required=False, + doc=_(u'Output file to store the transport certificate'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vaultcontainer_add_owner(Method): + __doc__ = _("Add owners to a vault container.") + + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners added'), + ), + ) + + +@register() +class vaultcontainer_del(Method): + __doc__ = _("Delete a vault container.") + + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() 
+class vaultcontainer_remove_owner(Method): + __doc__ = _("Remove owners from a vault container.") + + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners removed'), + ), + ) + + +@register() +class vaultcontainer_show(Method): + __doc__ = _("Display information about a vault container.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'service',
+ required=False,
+ doc=_(u'Service name of the service vault'),
+ no_convert=True,
+ ),
+ parameters.Flag(
+ 'shared',
+ required=False,
+ doc=_(u'Shared vault'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'username',
+ required=False,
+ cli_name='user',
+ doc=_(u'Username of the user vault'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'no_members',
+ doc=_(u'Suppress processing of membership attributes.'),
+ exclude=('webui', 'cli'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.PrimaryKey(
+ 'value',
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/__init__.py b/ipaclient/remote_plugins/2_164/__init__.py
new file mode 100644
index 000000000..c17e26a61
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/__init__.py
@@ -0,0 +1,15 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from ..compat import CompatCommand, CompatMethod, CompatObject
+
+Object = CompatObject
+
+
+class Command(CompatCommand):
+ api_version = u'2.164'
+
+
+class Method(Command, CompatMethod):
+ pass
diff --git a/ipaclient/remote_plugins/2_164/aci.py b/ipaclient/remote_plugins/2_164/aci.py
new file mode 100644
index 000000000..316abeb46
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/aci.py
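Review bot: The new `ipaclient/remote_plugins/2_164/__init__.py` has no module docstring, so a reader finds nothing explaining what this package holds or when it is selected; the only hint is the `api_version = u'2.164'` literal on `Command`. I would add a short docstring after the license header, along the lines of `"""Bundled remote plugin definitions for IPA API version 2.164, used with servers that lack API schema support."""`, leaving the exact version-selection rule to the client code that picks the package, which is outside this hunk. The `Object = CompatObject` alias could also carry a one-line comment saying that only `Command` needs a per-version override, which appears to be why `Object` is aliased rather than subclassed — that reading is inferred from the hunk and worth confirming before writing it down.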
@@ -0,0 +1,812 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Directory Server Access Control Instructions (ACIs) + +ACIs are used to allow or deny access to information. This module is +currently designed to allow, not deny, access. + +The aci commands are designed to grant permissions that allow updating +existing entries or adding or deleting new ones. The goal of the ACIs +that ship with IPA is to provide a set of low-level permissions that +grant access to special groups called taskgroups. These low-level +permissions can be combined into roles that grant broader access. These +roles are another type of group, roles. + +For example, if you have taskgroups that allow adding and modifying users you +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. + +You can create ACIs that delegate permission so users in group A can write +attributes on group B. + +The type option is a map that applies to all entries in the users, groups or +host location. It is primarily designed to be used when granting add +permissions (to write new entries). + +An ACI consists of three parts: +1. target +2. permissions +3. bind rules + +The target is a set of rules that define which LDAP objects are being +targeted. This can include a list of attributes, an area of that LDAP +tree or an LDAP filter. + +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. 
This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant "add" permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the ACI is allowed to do, and are one or +more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +The bind rule defines who this ACI grants permissions to. The LDAP server +allows this to be any valid LDAP entry but we encourage the use of +taskgroups so that the rights can be easily shared through roles. + +For a more thorough description of access controls see +http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html + +EXAMPLES: + +NOTE: ACIs are now added via the permission plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). 
+ + Add an ACI so that the group "secretaries" can update the address on any user: + ipa group-add --desc="Office secretaries" secretaries + ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses" + + Show the new ACI: + ipa aci-show --prefix=none "Secretaries write addresses" + + Add an ACI that allows members of the "addusers" permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users" + + Add an ACI that allows members of the editors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins" + + Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street --attrs=postalcode --prefix=none "admins edit the address of editors" + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street --attrs=postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss" + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange + + +The show command shows the raw 389-ds ACI. + +IMPORTANT: When modifying the target attributes of an existing ACI you +must include all existing attributes as well. When doing an aci-mod the +targetattr REPLACES the current attributes, it does not add to them. 
+""") + +register = Registry() + + +@register() +class aci(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + ), + ) + + +@register() +class aci_add(Method): + __doc__ = _("Create new ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'test', + required=False, + doc=_(u"Test the ACI syntax but don't write anything"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_del(Method): + __doc__ = _("Delete ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_find(Method): + __doc__ = _(""" +Search for ACIs. + + Returns a list of ACIs + + EXAMPLES: + + To find all ACIs that apply directly to members of the group ipausers: + ipa aci-find --memberof=ipausers + + To find all ACIs that grant add access: + ipa aci-find --permissions=add + + Note that the find command only looks for the given text in the set of + ACIs, it does not evaluate the ACIs to see if something would apply. + For example, searching on memberof=ipausers will find all ACIs that + have ipausers as a memberof. There may be other ACIs that apply to + members of that group indirectly. 
+ """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Bool( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + ), + parameters.Str( + 'aciprefix', + required=False, + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class aci_mod(Method): + __doc__ = _("Modify ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_rename(Method): + __doc__ = _("Rename an ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes to which the permission applies'), + doc=_(u'Attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Str( + 'newname', + doc=_(u'New ACI name'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_show(Method): + __doc__ = _("Display a single ACI given an ACI name.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.DNParam( + 'location', + required=False, + label=_(u'Location of the ACI'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/automember.py b/ipaclient/remote_plugins/2_164/automember.py new file mode 100644 index 000000000..09b5a8d01 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/automember.py 
@@ -0,0 +1,827 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Auto Membership Rule. + +Bring clarity to the membership of hosts and users by configuring inclusive +or exclusive regex patterns, you can automatically assign a new entries into +a group or hostgroup based upon attribute information. + +A rule is directly associated with a group by name, so you cannot create +a rule without an accompanying group or hostgroup. + +A condition is a regular expression used by 389-ds to match a new incoming +entry with an automember rule. If it matches an inclusive rule then the +entry is added to the appropriate group or hostgroup. + +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. + +The automember-rebuild command can be used to retroactively run automember rules +against existing entries, thus rebuilding their membership. 
+ +EXAMPLES: + + Add the initial group or hostgroup: + ipa hostgroup-add --desc="Web Servers" webservers + ipa group-add --desc="Developers" devel + + Add the initial rule: + ipa automember-add --type=hostgroup webservers + ipa automember-add --type=group devel + + Add a condition to the rule: + ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel + + Add an exclusive condition to the rule to prevent auto assignment: + ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers + + Add a host: + ipa host-add web1.example.com + + Add a user: + ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott + + Verify automembership: + ipa hostgroup-show webservers + Host-group: webservers + Description: Web Servers + Member hosts: web1.example.com + + ipa group-show devel + Group name: devel + Description: Developers + GID: 1004200000 + Member users: tuser + + Remove a condition from the rule: + ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + + Modify the automember rule: + ipa automember-mod + + Set the default (fallback) target group: + ipa automember-default-group-set --default-group=webservers --type=hostgroup + ipa automember-default-group-set --default-group=ipausers --type=group + + Remove the default (fallback) target group: + ipa automember-default-group-remove --type=hostgroup + ipa automember-default-group-remove --type=group + + Show the default (fallback) target group: + ipa automember-default-group-show --type=hostgroup + ipa automember-default-group-show --type=group + + Find all of the automember rules: + ipa automember-find + + Display a automember rule: + ipa automember-show --type=hostgroup webservers + ipa automember-show --type=group devel + + Delete an automember rule: + ipa 
automember-del --type=hostgroup webservers + ipa automember-del --type=group devel + + Rebuild membership for all users: + ipa automember-rebuild --type=group + + Rebuild membership for all hosts: + ipa automember-rebuild --type=hostgroup + + Rebuild membership for specified users: + ipa automember-rebuild --users=tuser1 --users=tuser2 + + Rebuild membership for specified hosts: + ipa automember-rebuild --hosts=web1.example.com --hosts=web2.example.com +""") + +register = Registry() + + +@register() +class automember(Object): + takes_params = ( + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + required=False, + label=_(u'Default (fallback) Group'), + doc=_(u'Default group for entries to land'), + ), + ) + + +@register() +class automember_add(Method): + __doc__ = _("Add an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_add_condition(Method): + __doc__ = _("Add conditions to an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions added'), + ), + ) + + +@register() +class automember_default_group_remove(Method): + __doc__ = _("Remove default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_set(Method): + __doc__ = _("Set default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + cli_name='default_group', + label=_(u'Default (fallback) Group'), + doc=_(u'Default (fallback) group for entries to land'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_show(Method): + __doc__ = _("Display information about the default (fallback) automember groups.") + + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_del(Method): + __doc__ = _("Delete an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automember_find(Method): + __doc__ = _("Search for automember rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automember_mod(Method): + __doc__ = _("Modify an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_rebuild(Command): + __doc__ = _("Rebuild auto membership.") + + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['group', 'hostgroup']", + label=_(u'Rebuild membership for all members of a grouping'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Str( + 'users', + required=False, + multivalue=True, + label=_(u'Users'), + doc=_(u'Rebuild membership for specified users'), + ), + parameters.Str( + 'hosts', + required=False, + multivalue=True, + label=_(u'Hosts'), + doc=_(u'Rebuild membership for specified hosts'), + ), + parameters.Flag( + 'no_wait', + required=False, + label=_(u'No wait'), + doc=_(u"Don't wait for rebuilding membership"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_remove_condition(Method): + __doc__ = _("Remove conditions from an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions removed'), + ), + ) + + +@register() +class automember_show(Method): + __doc__ = _("Display information about an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/automount.py b/ipaclient/remote_plugins/2_164/automount.py new file mode 100644 index 000000000..334cec034 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/automount.py 
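Review bot: The module docstring at the top of this hunk (`__doc__ = _("""…"""`) embeds regex examples such as `--inclusive-regex=^web[1-9]+\.example\.com` and `--exclusive-regex=^web5\.example\.com` in a non-raw string, so `\.` is an invalid escape sequence that Python keeps literally but flags (DeprecationWarning since 3.6, SyntaxWarning since 3.12) and that pylint reports as anomalous-backslash-in-string — and this file explicitly targets PY3 via `six`. The smallest fix that leaves the gettext msgid unchanged is `__doc__ = _(r"""` for that docstring; since this bundle appears to be generated from the server plugin, the change presumably belongs in the source docstring/generator rather than a hand edit here. Separately, `type` is declared as a plain `parameters.Str('type', cli_metavar="['group', 'hostgroup']", ...)` in every command, so the bundled client performs no value validation and an unsupported grouping type is only rejected by the server; if that is intentional for pre-schema bundles, a one-line comment in the file header saying so would save the next reader from re-deriving it.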
@@ -0,0 +1,1228 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Automount + +Stores automount(8) configuration for autofs(8) in IPA. + +The base of an automount configuration is the configuration file auto.master. +This is also the base location in IPA. Multiple auto.master configurations +can be stored in separate locations. A location is implementation-specific +with the default being a location named 'default'. For example, you can have +locations by geographic region, by floor, by type, etc. + +Automount has three basic object types: locations, maps and keys. + +A location defines a set of maps anchored in auto.master. This allows you +to store multiple automount configurations. A location in itself isn't +very interesting, it is just a point to start a new automount map. + +A map is roughly equivalent to a discrete automount file and provides +storage for keys. + +A key is a mount point associated with a map. + +When a new location is created, two maps are automatically created for +it: auto.master and auto.direct. auto.master is the root map for all +automount maps for the location. auto.direct is the default map for +direct mounts and is mounted on /-. + +An automount map may contain a submount key. This key defines a mount +location within the map that references another map. This can be done +either using automountmap-add-indirect --parentmap or manually +with automountkey-add and setting info to "-type=autofs :". 
+ +EXAMPLES: + +Locations: + + Create a named location, "Baltimore": + ipa automountlocation-add baltimore + + Display the new location: + ipa automountlocation-show baltimore + + Find available locations: + ipa automountlocation-find + + Remove a named automount location: + ipa automountlocation-del baltimore + + Show what the automount maps would look like if they were in the filesystem: + ipa automountlocation-tofiles baltimore + + Import an existing configuration into a location: + ipa automountlocation-import baltimore /etc/auto.master + + The import will fail if any duplicate entries are found. For + continuous operation where errors are ignored, use the --continue + option. + +Maps: + + Create a new map, "auto.share": + ipa automountmap-add baltimore auto.share + + Display the new map: + ipa automountmap-show baltimore auto.share + + Find maps in the location baltimore: + ipa automountmap-find baltimore + + Create an indirect map with auto.share as a submount: + ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man + + This is equivalent to: + + ipa automountmap-add-indirect baltimore --mount=/man auto.man + ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share" + + Remove the auto.share map: + ipa automountmap-del baltimore auto.share + +Keys: + + Create a new key for the auto.share map in location baltimore. 
This ties + the map we previously created to auto.master: + ipa automountkey-add baltimore auto.master --key=/share --info=auto.share + + Create a new key for our auto.share map, an NFS mount for man pages: + ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" + + Find all keys for the auto.share map: + ipa automountkey-find baltimore auto.share + + Find all direct automount keys: + ipa automountkey-find baltimore --key=/- + + Remove the man key from the auto.share map: + ipa automountkey-del baltimore auto.share --key=man +""") + +register = Registry() + + +@register() +class automountkey(Object): + takes_params = ( + parameters.Str( + 'automountkey', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + label=_(u'Mount information'), + ), + parameters.Str( + 'description', + required=False, + primary_key=True, + label=_(u'description'), + exclude=('webui', 'cli'), + ), + ) + + +@register() +class automountlocation(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + + +@register() +class automountmap(Object): + takes_params = ( + parameters.Str( + 'automountmapname', + primary_key=True, + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class automountkey_add(Method): + __doc__ = _("Create a new automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + 
parameters.Str( + 'automountinformation', + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_del(Method): + __doc__ = _("Delete an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountkey_find(Method): + __doc__ = _("Search for an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in 
seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountkey_mod(Method): + __doc__ = _("Modify an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'newautomountinformation', + required=False, + cli_name='newinfo', + label=_(u'New mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the automount key object'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_show(Method): + __doc__ = _("Display an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_add(Method): + __doc__ = _("Create a new automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_del(Method): + __doc__ = _("Delete an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountlocation_find(Method): + __doc__ = _("Search for an automount location.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("location")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountlocation_show(Method): + __doc__ = _("Display an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_tofiles(Method): + __doc__ = _("Generate automount files for a specific location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class automountmap_add(Method): + __doc__ = _("Create a new automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_add_indirect(Method): + __doc__ = _("Create a new indirect mount point.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'key', + cli_name='mount', + label=_(u'Mount point'), + ), + parameters.Str( + 'parentmap', + required=False, + label=_(u'Parent map'), + doc=_(u'Name of parent automount map (default: auto.master).'), + default=u'auto.master', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_del(Method): + __doc__ = _("Delete an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + multivalue=True, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class automountmap_find(Method): + __doc__ = _("Search for an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountmapname', + required=False, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("map")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountmap_mod(Method): + __doc__ = _("Modify an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_show(Method): + __doc__ = _("Display an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py new file mode 100644 index 000000000..4a613b677 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/batch.py 
@@ -0,0 +1,71 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugin to make multiple ipa calls via one remote procedure call + +To run this code in the lite-server + +curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json + +where the contents of the file batch_request.json follow the below example + +{"method":"batch","params":[[ + {"method":"group_find","params":[[],{}]}, + {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, + {"method":"user_show","params":[["admin"],{"all":true}]} + ],{}],"id":1} + +The format of the response is nested the same way. At the top you will see + "error": null, + "id": 1, + "result": { + "count": 3, + "results": [ + + +And then a nested response for each IPA command method sent in the request +""") + +register = Registry() + + +@register() +class batch(Command): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'methods', + required=False, + multivalue=True, + doc=_(u'Nested Methods to execute'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'count', + int, + ), + output.Output( + 'results', + (list, tuple), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/caacl.py b/ipaclient/remote_plugins/2_164/caacl.py new file mode 100644 index 000000000..09cfc4b65 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/caacl.py 
@@ -0,0 +1,1155 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Manage CA ACL rules. + +This plugin is used to define rules governing which principals are +permitted to have certificates issued using a given certificate +profile. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Create a CA ACL "test" that grants all users access to the + "UserCert" profile: + ipa caacl-add test --usercat=all + ipa caacl-add-profile test --certprofiles UserCert + + Display the properties of a named CA ACL: + ipa caacl-show test + + Create a CA ACL to let user "alice" use the "DNP3" profile: + ipa caacl-add-profile alice_dnp3 --certprofiles DNP3 + ipa caacl-add-user alice_dnp3 --user=alice + + Disable a CA ACL: + ipa caacl-disable test + + Remove a CA ACL: + ipa caacl-del test +""") + +register = Registry() + + +@register() +class caacl(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + 
doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'ipamembercertprofile_certprofile', + required=False, + label=_(u'Profiles'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'memberservice_service', + required=False, + label=_(u'Services'), + ), + ) + + +@register() +class caacl_add(Method): + __doc__ = _("Create a new CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an 
attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_profile(Method): + __doc__ = _("Add profiles to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_service(Method): + __doc__ = _("Add services to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_add_user(Method): + __doc__ = _("Add users and groups to a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class caacl_del(Method): + __doc__ = _("Delete a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class caacl_disable(Method): + __doc__ = _("Disable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class caacl_enable(Method): + __doc__ = _("Enable a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_find(Method): + __doc__ = _("Search for CA ACLs.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'ACL name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in 
seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class caacl_mod(Method): + __doc__ = _("Modify a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipacertprofilecategory', + required=False, + cli_name='profilecat', + cli_metavar="['all']", + label=_(u'Profile category'), + doc=_(u'Profile category the ACL applies to'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User 
category the ACL applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the ACL applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the ACL applies to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class caacl_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_profile(Method): + __doc__ = _("Remove profiles from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'certprofile', + required=False, + multivalue=True, + cli_name='certprofiles', + label=_(u'member Certificate Profile'), + doc=_(u'Certificate Profiles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_service(Method): + __doc__ = _("Remove services from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_remove_user(Method): + __doc__ = _("Remove users and groups from a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class caacl_show(Method): + __doc__ = _("Display the properties of a CA ACL.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ACL name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/cert.py b/ipaclient/remote_plugins/2_164/cert.py new file mode 100644 index 000000000..de760fdcb --- /dev/null +++ b/ipaclient/remote_plugins/2_164/cert.py 
@@ -0,0 +1,382 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +The dogtag CA uses just the CN value of the CSR and forces the rest of the +subject to values configured in the server. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +SEARCHING: + +Certificates may be searched on by certificate subject, serial number, +revocation reason, validity dates and the issued date. + +When searching on dates the _from date does a >= search and the _to date +does a <= search. When combined these are done as an AND. + +Dates are treated as GMT to match the dates in the certificates. + +The date format is YYYY-mm-dd. 
+ +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + + Search for certificates by hostname: + ipa cert-find --subject=ipaserver.example.com + + Search for revoked certificates by reason: + ipa cert-find --revocation-reason=5 + + Search for certificates based on issuance date + ipa cert-find --issuedon-from=2013-02-01 --issuedon-to=2013-02-07 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. + +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class ca_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the CA service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cert_find(Command): + __doc__ = _("Search for existing certificates.") + + takes_options = ( + parameters.Str( + 'subject', + required=False, + label=_(u'Subject'), + ), + parameters.Int( + 'revocation_reason', + required=False, + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + ), + parameters.Int( + 'min_serial_number', + required=False, + doc=_(u'minimum serial number'), + ), + parameters.Int( + 'max_serial_number', + required=False, + doc=_(u'maximum serial number'), + ), + parameters.Flag( + 'exactly', + required=False, + doc=_(u'match the common name exactly'), + default=False, + autofill=True, + ), + parameters.Str( + 'validnotafter_from', + required=False, + doc=_(u'Valid not after from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotafter_to', + required=False, + doc=_(u'Valid not after to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_from', + required=False, + doc=_(u'Valid not before from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'validnotbefore_to', + required=False, + doc=_(u'Valid not before to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_from', + required=False, + doc=_(u'Issued on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'issuedon_to', + required=False, + doc=_(u'Issued on to this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_from', + required=False, + doc=_(u'Revoked on from this date (YYYY-mm-dd)'), + ), + parameters.Str( + 'revokedon_to', + required=False, + doc=_(u'Revoked on to this date (YYYY-mm-dd)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of certs returned'), + default=100, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Principal for this certificate (e.g. 
HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + parameters.Str( + 'profile_id', + required=False, + label=_(u'Profile ID'), + doc=_(u'Certificate Profile to use'), + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_164/certprofile.py b/ipaclient/remote_plugins/2_164/certprofile.py new file mode 100644 index 000000000..b612342a1 --- /dev/null 
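Review bot: `cert_request` declares `'csr'` as a plain `parameters.Str` with `cli_name='csr_file'` and `no_convert=True`, so unless the client frontend maps this back onto a file-reading parameter type, the CLI would send the path string itself rather than the PEM request it names; worth confirming against the frontend code that loads these stubs. The same question applies to the `'file'` options of `certprofile_import` and `certprofile_mod` in the certprofile.py hunk, both declared as `parameters.Str` with only a "Filename ..." label. Whatever the answer, the parameter should carry a `doc=` that says which is expected, e.g. `doc=_(u'File containing the PEM-encoded certificate signing request')`, so a CLI user is not left to guess from the `csr_file` name alone.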
+++ b/ipaclient/remote_plugins/2_164/certprofile.py 
@@ -0,0 +1,431 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Manage Certificate Profiles + +Certificate Profiles are used by Certificate Authority (CA) in the signing of +certificates to determine if a Certificate Signing Request (CSR) is acceptable, +and if so what features and extensions will be present on the certificate. + +The Certificate Profile format is the property-list format understood by the +Dogtag or Red Hat Certificate System CA. + +PROFILE ID SYNTAX: + +A Profile ID is a string without spaces or punctuation starting with a letter +and followed by a sequence of letters, digits or underscore ("_"). + +EXAMPLES: + + Import a profile that will not store issued certificates: + ipa certprofile-import ShortLivedUserCert \ + --file UserCert.profile --desc "User Certificates" \ + --store=false + + Delete a certificate profile: + ipa certprofile-del ShortLivedUserCert + + Show information about a profile: + ipa certprofile-show ShortLivedUserCert + + Save profile configuration to a file: + ipa certprofile-show caIPAserviceCert --out caIPAserviceCert.cfg + + Search for profiles that do not store certificates: + ipa certprofile-find --store=false + +PROFILE CONFIGURATION FORMAT: + +The profile configuration format is the raw property-list format +used by Dogtag Certificate System. The XML format is not supported. + +The following restrictions apply to profiles managed by FreeIPA: + +- When importing a profile the "profileId" field, if present, must + match the ID given on the command line. 
+ +- The "classId" field must be set to "caEnrollImpl" + +- The "auth.instance_id" field must be set to "raCertAuth" + +- The "certReqInputImpl" input class and "certOutputImpl" output + class must be used. +""") + +register = Registry() + + +@register() +class certprofile(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + parameters.Str( + 'description', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + ), + ) + + +@register() +class certprofile_del(Method): + __doc__ = _("Delete a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class certprofile_find(Method): + __doc__ = _("Search for Certificate Profiles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 
'ipacertprofilestoreissued', + required=False, + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("id")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class certprofile_import(Method): + __doc__ = _("Import a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + 
parameters.Str( + 'file', + label=_(u'Filename of a raw profile. The XML format is not supported.'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class certprofile_mod(Method): + __doc__ = _("Modify Certificate Profile configuration.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Profile description'), + doc=_(u'Brief description of this profile'), + ), + parameters.Bool( + 'ipacertprofilestoreissued', + required=False, + cli_name='store', + label=_(u'Store issued certificates'), + doc=_(u'Whether to store certs issued using this profile'), + default=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'file', + required=False, + label=_(u'File containing profile configuration'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class certprofile_show(Method): + __doc__ = _("Display the properties of a Certificate Profile.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='id', + label=_(u'Profile ID'), + doc=_(u'Profile ID for referring to this profile'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'Write profile configuration to file'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/config.py b/ipaclient/remote_plugins/2_164/config.py new file mode 100644 index 000000000..4997d0324 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/config.py 
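Review bot: `certprofile_show`'s `'out'` option is declared without `exclude=('webui',)` and without a `label=`, unlike the equivalent `'out'` option on `cert_show` in the cert.py hunk, which carries `exclude=('webui',)`; an option that writes a file on the client has no meaning in the web UI, so the two definitions should agree unless the 2.164 server really exposed it there. Suggest `parameters.Str('out', required=False, label=_(u'Output filename'), doc=_(u'Write profile configuration to file'), exclude=('webui',))`. If these stubs are meant to mirror the server definitions verbatim, a short comment on the option saying so would stop the next reader from "fixing" the inconsistency here.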
@@ -0,0 +1,408 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Server configuration + +Manage the default values that IPA uses and some of its tuning parameters. + +NOTES: + +The password notification value (--pwdexpnotify) is stored here so it will +be replicated. It is not currently used to notify users in advance of an +expiring password. + +Some attributes are read-only, provided only for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plug-in features: currently defines additional hashes that the + password will generate (there may be other conditions). + +When setting the order list for mapping SELinux users you may need to +quote the value so it isn't interpreted by the shell. 
+ +EXAMPLES: + + Show basic server configuration: + ipa config-show + + Show all configuration options: + ipa config-show --all + + Change maximum username length to 99 characters: + ipa config-mod --maxusername=99 + + Increase default time and size limits for maximum IPA server search: + ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000 + + Set default user e-mail domain: + ipa config-mod --emaildomain=example.com + + Enable migration mode to make "ipa migrate-ds" command operational: + ipa config-mod --enable-migration=TRUE + + Define SELinux user map order: + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' +""") + +register = Registry() + + +@register() +class config(Object): + takes_params = ( + parameters.Int( + 'ipamaxusernamelength', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when 
searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + label=_(u'Enable migration mode'), + ), + parameters.DNParam( + 'ipacertificatesubjectbase', + label=_(u'Certificate Subject base'), + doc=_(u'Base for certificate subjects (OU=Test,O=Example)'), + ), + parameters.Str( + 'ipagroupobjectclasses', + multivalue=True, + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + multivalue=True, + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + ) + + +@register() +class config_mod(Method): + __doc__ = _("Modify configuration options.") + + takes_options = ( + parameters.Int( + 'ipamaxusernamelength', + required=False, + cli_name='maxusername', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + required=False, + 
cli_name='homedirectory', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + required=False, + cli_name='defaultshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + required=False, + cli_name='defaultgroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + cli_name='emaildomain', + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + required=False, + cli_name='searchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (-1 or 0 is unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + required=False, + cli_name='searchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 or 0 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + required=False, + cli_name='usersearch', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + required=False, + cli_name='groupsearch', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + required=False, + cli_name='enable_migration', + label=_(u'Enable migration mode'), + ), + parameters.Str( + 'ipagroupobjectclasses', + required=False, + multivalue=True, + cli_name='groupobjectclasses', + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + required=False, + multivalue=True, + cli_name='userobjectclasses', + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated 
list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + required=False, + cli_name='pwdexpnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + cli_metavar="['AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs']", + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + required=False, + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'nfs:NONE']", + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp', 'disabled']", + label=_(u'Default user authentication types'), + doc=_(u'Default types of supported user authentication'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class config_show(Method): + __doc__ = _("Show the current configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/delegation.py b/ipaclient/remote_plugins/2_164/delegation.py
new file mode 100644
index 000000000..87496117f
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/delegation.py
@@ -0,0 +1,383 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +Group to Group Delegations grants the members of one group to update a set +of attributes of members of another group. + +EXAMPLES: + + Add a delegation rule to allow managers to edit employee's addresses: + ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add postalCode to the list: + ipa delegation-mod --attrs=street --attrs=postalCode --group=managers --membergroup=employees "managers edit employees' street" + + Display our updated rule: + ipa delegation-show "managers edit employees' street" + + Delete a rule: + ipa delegation-del "managers edit employees' street" +""") + +register = Registry() + + +@register() +class delegation(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + ), + parameters.Str( + 'memberof', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + ) + + +@register() +class delegation_add(Method): + __doc__ = _("Add a new delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_del(Method): + __doc__ = _("Delete a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_find(Method): + __doc__ = _("Search for delegations.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class delegation_mod(Method): + __doc__ = _("Modify a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the delegation applies'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_show(Method): + __doc__ = _("Display information about a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + )
diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
new file mode 100644
index 000000000..b07a94f19
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/dns.py
@@ -0,0 +1,5167 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Domain Name System (DNS) + +Manage DNS zone and resource records. + +SUPPORTED ZONE TYPES + + * Master zone (dnszone-*), contains authoritative data. + * Forward zone (dnsforwardzone-*), forwards queries to configured forwarders + (a set of DNS servers). + +USING STRUCTURED PER-TYPE OPTIONS + +There are many structured DNS RR types where DNS data stored in LDAP server +is not just a scalar value, for example an IP address or a domain name, but +a data structure which may be often complex. A good example is a LOC record +[RFC1876] which consists of many mandatory and optional parts (degrees, +minutes, seconds of latitude and longitude, altitude or precision). + +It may be difficult to manipulate such DNS records without making a mistake +and entering an invalid value. DNS module provides an abstraction over these +raw records and allows to manipulate each RR type with specific options. For +each supported RR type, DNS module provides a standard option to manipulate +a raw records with format ---rec, e.g. --mx-rec, and special options +for every part of the RR structure with format ---, e.g. +--mx-preference and --mx-exchanger. + +When adding a record, either RR specific options or standard option for a raw +value can be used, they just should not be combined in one add operation. When +modifying an existing entry, new RR specific options can be used to change +one part of a DNS record, where the standard option for raw value is used +to specify the modified value. 
The following example demonstrates +a modification of MX record preference from 0 to 1 in a record without +modifying the exchanger: +ipa dnsrecord-mod --mx-rec="0 mx.example.com." --mx-preference=1 + + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --admin-email=admin@example.com + + Add system permission that can be used for per-zone privilege delegation: + ipa dnszone-add-permission example.com + + Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: + ipa dnszone-mod example.com --dynamic-update=TRUE + + This is the equivalent of: + ipa dnszone-mod example.com --dynamic-update=TRUE \ + --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;" + + Modify the zone to allow zone transfers for local network only: + ipa dnszone-mod example.com --allow-transfer=192.0.2.0/24 + + Add new reverse zone specified by network IP address: + ipa dnszone-add --name-from-ip=192.0.2.0/24 + + Add second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com + + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec="10 mail1" + + Add another record using MX record specific options: + ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2 + + Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, + or dnsrecord-del are executed with no options): + ipa dnsrecord-add example.com @ + Please choose a type of DNS resource record to be added + The most common types for this type of zone are: NS, MX, LOC + + DNS resource record type: MX + MX Preference: 30 + MX Exchanger: mail3 + Record name: example.com + MX record: 10 mail1, 20 mail2, 30 mail3 + NS record: nameserver.example.com., nameserver2.example.com. + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com. 
+ + Add LOC record for example.com: + ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m" + + Add new A record for www.example.com. Create a reverse record in appropriate + reverse zone as well. In this case a PTR record "2" pointing to www.example.com + will be created in zone 2.0.192.in-addr.arpa. + ipa dnsrecord-add example.com www --a-rec=192.0.2.2 --a-create-reverse + + Add new PTR record for www.example.com + ipa dnsrecord-add 2.0.192.in-addr.arpa. 2 --ptr-rec=www.example.com. + + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + + The interactive mode can be used for easy modification: + ipa dnsrecord-mod example.com _ldap._tcp + No option to modify specific record provided. + Current DNS record contents: + + SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com + + Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No): + Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y + SRV Priority [0]: (keep the default value) + SRV Weight [1]: 2 (modified value) + SRV Port [389]: (keep the default value) + SRV Target [slow.example.com]: (keep the default value) + 1 SRV record skipped. Only one value per DNS record type can be modified at one time. + Record name: _ldap._tcp + SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com + + After this modification, three fifths of the requests should go to + fast.example.com and two fifths to slow.example.com. 
+ + An example of the interactive mode for dnsrecord-del command: + ipa dnsrecord-del example.com www + No option to delete specific record provided. + Delete all? Yes/No (default No): (do not delete all records) + Current DNS record contents: + + A record: 192.0.2.2, 192.0.2.3 + + Delete A record '192.0.2.2'? Yes/No (default No): + Delete A record '192.0.2.3'? Yes/No (default No): y + Record name: www + A record: 192.0.2.2 (A record 192.0.2.3 has been deleted) + + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in its domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 192.0.2.2 in zone example.com + ipa dnsrecord-find example.com --a-rec=192.0.2.2 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delegate zone sub.example to another nameserver: + ipa dnsrecord-add example.com ns.sub --a-rec=203.0.113.1 + ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com. + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + If a global forwarder is configured, all queries for which this server is not + authoritative (e.g. sub.example.com) will be routed to the global forwarder. + Global forwarding configuration can be overridden per-zone. + + Semantics of forwarding in IPA matches BIND semantics and depends on the type + of zone: + * Master zone: local BIND replies authoritatively to queries for data in + the given zone (including authoritative NXDOMAIN answers) and forwarding + affects only queries for names below zone cuts (NS records) of locally + served zones. + + * Forward zone: forward zone contains no authoritative data. BIND forwards + queries, which cannot be answered from its local cache, to configured + forwarders. + + Semantics of the --forwarder-policy option: + * none - disable forwarding for the given zone. 
+ * first - forward all queries to configured forwarders. If they fail, + do resolution using DNS root servers. + * only - forward all queries to configured forwarders and if they fail, + return failure. + + Disable global forwarding for given sub-tree: + ipa dnszone-mod example.com --forward-policy=none + + This configuration forwards all queries for names outside the example.com + sub-tree to global forwarders. Normal recursive resolution process is used + for names inside the example.com sub-tree (i.e. NS records are followed etc.). + + Forward all requests for the zone external.example.com to another forwarder + using a "first" policy (it will send the queries to the selected forwarder + and if not answered it will use global root servers): + ipa dnsforwardzone-add external.example.com --forward-policy=first \ + --forwarder=203.0.113.1 + + Change forward-policy for external.example.com: + ipa dnsforwardzone-mod external.example.com --forward-policy=only + + Show forward zone external.example.com: + ipa dnsforwardzone-show external.example.com + + List all forward zones: + ipa dnsforwardzone-find + + Delete forward zone external.example.com: + ipa dnsforwardzone-del external.example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + +GLOBAL DNS CONFIGURATION + +DNS configuration passed to command line install script is stored in a local +configuration file on each IPA server where DNS service is configured. 
These +local settings can be overridden with a common configuration stored in LDAP +server: + + Show global DNS configuration: + ipa dnsconfig-show + + Modify global DNS configuration and set a list of global forwarders: + ipa dnsconfig-mod --forwarder=203.0.113.113 +""") + +register = Registry() + + +@register() +class dnsconfig(Object): + takes_params = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + label=_(u'Zone refresh interval'), + ), + ) + + +@register() +class dnsforwardzone(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + ) + + +@register() +class dnsrecord(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'dnsrecords', + required=False, + label=_(u'Records'), + ), + parameters.Str( + 'dnstype', + required=False, + label=_(u'Record type'), + ), + parameters.Str( + 'dnsdata', + required=False, + label=_(u'Record data'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + label=_(u'AFSDB 
Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + label=_(u'APL record'), + doc=_(u'Raw APL records'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 
'dname_part_target', + required=False, + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + ), + parameters.Decimal( + 'loc_part_size', + required=False, + label=_(u'LOC Size'), + doc=_(u'Size'), + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + label=_(u'MX record'), + doc=_(u'Raw 
MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + ), + parameters.Str( + 'naptr_part_service', + required=False, + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG 
records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + label=_(u'RP record'), + doc=_(u'Raw RP records'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 
'tlsa_part_matching_type', + required=False, + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + label=_(u'TLSA Certificate Association Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + ) + + +@register() +class dnszone(Object): + takes_params = ( + parameters.DNSNameParam( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + label=_(u'Administrator e-mail address'), + ), + parameters.Int( + 'idnssoaserial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + ), + parameters.Int( + 'idnssoarefresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + ), + parameters.Int( + 'idnssoaretry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + ), + parameters.Int( + 'idnssoaexpire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + ), + parameters.Int( + 'idnssoaminimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + label=_(u'BIND update policy'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + ), + parameters.Str( + 'idnsallowquery', + required=False, + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC 
signing of records in the zone'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + ) + + +@register() +class dns_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the DNS service enabled.") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dns_resolve(Command): + __doc__ = _("Resolve a host name in DNS. (Deprecated)") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'hostname', + label=_(u'Hostname (FQDN)'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_mod(Method): + __doc__ = _("Modify global DNS configuration.") + + takes_options = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Global forwarders'), + doc=_(u'Global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. 
Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + deprecated=True, + cli_name='zone_refresh', + label=_(u'Zone refresh interval'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_show(Method): + __doc__ = _("Show the current global DNS configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add(Method): + __doc__ = _("Create new DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'skip_overlap_check', + doc=_(u'Force DNS zone creation even if it will overlap with an existing zone.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_add_permission(Method): + __doc__ = _("Add a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_del(Method): + __doc__ = _("Delete DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsforwardzone_disable(Method): + __doc__ = _("Disable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: 
_reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_enable(Method): + __doc__ = _("Enable DNS Forward Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_find(Method): + __doc__ = _("Search for DNS forward zones.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsforwardzone_mod(Method): + __doc__ = _("Modify DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsforwardzone_remove_permission(Method): + __doc__ = _("Remove a permission for per-forward zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnsforwardzone_show(Method): + __doc__ = _("Display information about a DNS forward zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_add(Method): + __doc__ = _("Add new DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + cli_name='a_create_reverse', + option_group=u'A Record', + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + 
cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + cli_name='aaaa_create_reverse', + option_group=u'AAAA Record', + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key 
Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + cli_name='dlv_key_tag', + option_group=u'DLV Record', + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + cli_name='dlv_algorithm', + option_group=u'DLV Record', + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + cli_name='dlv_digest_type', + option_group=u'DLV Record', + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + cli_name='dlv_digest', + option_group=u'DLV Record', + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + 
multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + 
parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + 
), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + 
option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV 
Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + option_group=u'TLSA Record', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + cli_name='tlsa_cert_usage', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + cli_name='tlsa_selector', + option_group=u'TLSA Record', + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + cli_name='tlsa_matching_type', + option_group=u'TLSA Record', + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + cli_name='tlsa_cert_association_data', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Association 
Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force NS record creation even if its hostname is not in DNS'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_del(Method): + __doc__ = _("Delete DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + 
label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + 
doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Flag( + 'del_all', + label=_(u'Delete all associated records'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + 
output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsrecord_delentry(Method): + __doc__ = _("Delete DNS record entry.") + + NO_CLI = True + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnsrecord_find(Method): + __doc__ = _("Search for DNS resources.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + 
cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + 
multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsrecord_mod(Method): + __doc__ = _("Modify a DNS resource record.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + 
required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.DNSNameParam( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 
'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Raw CNAME records'), + ), + parameters.DNSNameParam( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Raw DLV records'), + ), + parameters.Int( + 'dlv_part_key_tag', + required=False, + cli_name='dlv_key_tag', + option_group=u'DLV Record', + label=_(u'DLV Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'dlv_part_algorithm', + required=False, + cli_name='dlv_algorithm', + option_group=u'DLV Record', + label=_(u'DLV Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'dlv_part_digest_type', + required=False, + cli_name='dlv_digest_type', + option_group=u'DLV Record', + label=_(u'DLV Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'dlv_part_digest', + required=False, + cli_name='dlv_digest', + option_group=u'DLV Record', + label=_(u'DLV Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Raw DNAME records'), + ), + parameters.DNSNameParam( + 'dname_part_target', + required=False, + cli_name='dname_target', + 
option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Raw KEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + 
doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.DNSNameParam( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Raw NS records'), + ), + parameters.DNSNameParam( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + 
option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Raw NSEC records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Raw PTR records'), + ), + parameters.DNSNameParam( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Raw RRSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Raw SIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV 
Port'), + doc=_(u'Port'), + ), + parameters.DNSNameParam( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tlsarecord', + required=False, + multivalue=True, + cli_name='tlsa_rec', + option_group=u'TLSA Record', + label=_(u'TLSA record'), + doc=_(u'Raw TLSA records'), + ), + parameters.Int( + 'tlsa_part_cert_usage', + required=False, + cli_name='tlsa_cert_usage', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Usage'), + doc=_(u'Certificate Usage'), + ), + parameters.Int( + 'tlsa_part_selector', + required=False, + cli_name='tlsa_selector', + option_group=u'TLSA Record', + label=_(u'TLSA Selector'), + doc=_(u'Selector'), + ), + parameters.Int( + 'tlsa_part_matching_type', + required=False, + cli_name='tlsa_matching_type', + option_group=u'TLSA Record', + label=_(u'TLSA Matching Type'), + doc=_(u'Matching Type'), + ), + parameters.Str( + 'tlsa_part_cert_association_data', + required=False, + cli_name='tlsa_cert_association_data', + option_group=u'TLSA Record', + label=_(u'TLSA Certificate Association 
Data'), + doc=_(u'Certificate Association Data'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.DNSNameParam( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the DNS resource record object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_show(Method): + __doc__ = _("Display DNS resource.") + + takes_args = ( + parameters.DNSNameParam( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add(Method): + __doc__ = _("Create new DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + autofill=True, + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. 
+ # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + autofill=True, + ), + parameters.Int( + 'idnssoarefresh', + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + autofill=True, + ), + parameters.Int( + 'idnssoaretry', + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + autofill=True, + ), + parameters.Int( + 'idnssoaexpire', + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + autofill=True, + ), + parameters.Int( + 'idnssoaminimum', + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + autofill=True, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + autofill=True, + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + autofill=True, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + 
required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + autofill=True, + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'skip_overlap_check', + doc=_(u'Force DNS zone creation even if it will overlap with an existing zone.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + doc=_(u'Force DNS zone creation even if nameserver is not resolvable. (Deprecated)'), + default=False, + autofill=True, + ), + parameters.Flag( + 'skip_nameserver_check', + doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add_permission(Method): + __doc__ = _("Add a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_del(Method): + __doc__ = _("Delete DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + 
output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class dnszone_disable(Method): + __doc__ = _("Disable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_enable(Method): + __doc__ = _("Enable DNS Zone.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_find(Method): + __doc__ = _("Search for DNS zones (SOA records).") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.DNSNameParam( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. 
In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'forward_only', + label=_(u'Forward zones only'), + doc=_(u'Search for forward zones only'), + 
default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnszone_mod(Method): + __doc__ = _("Modify DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'Per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. 
Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.DNSNameParam( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.DNSNameParam( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default=DNSName(u'hostmaster'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. 
+ # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + doc=_(u'Time to live for records at zone apex'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + exclude=('cli', 'webui'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Bool( + 'idnsallowsyncptr', + 
required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Bool( + 'idnssecinlinesigning', + required=False, + cli_name='dnssec', + label=_(u'Allow in-line DNSSEC signing'), + doc=_(u'Allow inline DNSSEC signing of records in the zone'), + default=False, + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force nameserver change even if nameserver not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_remove_permission(Method): + __doc__ = _("Remove a permission for per-zone access delegation.") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u'Permission value'), + ), + ) + + +@register() +class dnszone_show(Method): + __doc__ = _("Display information about a DNS zone (SOA record).") + + takes_args = ( + parameters.DNSNameParam( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/domainlevel.py b/ipaclient/remote_plugins/2_164/domainlevel.py new file mode 100644 index 000000000..bca5262ba --- /dev/null +++ b/ipaclient/remote_plugins/2_164/domainlevel.py @@ -0,0 +1,60 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Raise the IPA Domain Level. +""") + +register = Registry() + + +@register() +class domainlevel_get(Command): + __doc__ = _("Query current Domain Level.") + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + int, + doc=_(u'Current domain level:'), + ), + ) + + +@register() +class domainlevel_set(Command): + __doc__ = _("Change current Domain Level.") + + takes_args = ( + parameters.Int( + 'ipadomainlevel', + cli_name='level', + label=_(u'Domain Level'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + int, + doc=_(u'Current domain level:'), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/group.py b/ipaclient/remote_plugins/2_164/group.py new file mode 100644 index 000000000..ed57c4caa --- /dev/null 
+++ b/ipaclient/remote_plugins/2_164/group.py 
@@ -0,0 +1,912 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of users + +Manage groups of users. By default, new groups are POSIX groups. You +can add the --nonposix option to the group-add command to mark a new group +as non-POSIX. You can use the --posix argument with the group-mod command +to convert a non-POSIX group into a POSIX group. POSIX groups cannot be +converted to non-POSIX groups. + +Every group must have a description. + +POSIX groups must have a Group ID (GID) number. Changing a GID is +supported but can have an impact on your file permissions. It is not necessary +to supply a GID when creating a group. IPA will generate one automatically +if it is not provided. 
+ +EXAMPLES: + + Add a new group: + ipa group-add --desc='local administrators' localadmins + + Add a new non-POSIX group: + ipa group-add --nonposix --desc='remote administrators' remoteadmins + + Convert a non-POSIX group to posix: + ipa group-mod --posix remoteadmins + + Add a new POSIX group with a specific Group ID number: + ipa group-add --gid=500 --desc='unix admins' unixadmins + + Add a new POSIX group and let IPA assign a Group ID number: + ipa group-add --desc='printer admins' printeradmins + + Remove a group: + ipa group-del unixadmins + + To add the "remoteadmins" group to the "localadmins" group: + ipa group-add-member --groups=remoteadmins localadmins + + Add multiple users to the "localadmins" group: + ipa group-add-member --users=test1 --users=test2 localadmins + + Remove a user from the "localadmins" group: + ipa group-remove-member --users=test2 localadmins + + Display information about a named group. + ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. 
Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external +""") + +register = Registry() + + +@register() +class group(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Group name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_user', + required=False, + label=_(u'Indirect Member users'), + ), + parameters.Str( + 'memberindirect_group', + required=False, + label=_(u'Indirect Member groups'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + 
parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class group_add(Method): + __doc__ = _("Create a new group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'nonposix', + doc=_(u'Create as a non-POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'Allow adding external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_add_member(Method): + __doc__ = _("Add members to a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class group_del(Method): + __doc__ = _("Delete group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class group_detach(Method): + __doc__ = _("Detach a managed group from a user.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_find(Method): + __doc__ = _("Search for groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'private', + doc=_(u'search for private groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'search for POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'search for groups with support of external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'nonposix', + doc=_(u'search for non-POSIX groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for groups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for groups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for groups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member groups.'), + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for groups with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + 
label=_(u'role'), + doc=_(u'Search for groups with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for groups without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class group_mod(Method): + __doc__ = _("Modify a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'change to a POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'change to support external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the group object'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_remove_member(Method): + __doc__ = _("Remove members from a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'Members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class group_show(Method): + __doc__ = _("Display information about a named group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/hbacrule.py b/ipaclient/remote_plugins/2_164/hbacrule.py new file mode 100644 index 000000000..567a1bb02 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/hbacrule.py 
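Review bot: The module docstring in this hunk contains `DOM\name` inside a non-raw triple-quoted string, so `\n` is a newline escape and the rendered help reads "DOM" followed by a line break and "ame" — compare the parameter doc on the same page, which correctly writes `DOM\\name`. The example `'AD\Domain Admins'` in the same docstring is an invalid escape (`\D`) that newer Python 3 versions flag with a warning. Assuming the page did not drop a backslash, the fix is `specify them in either SID, or DOM\\name, or name@domain format.` and `ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'`, or making the whole docstring a raw string. If this file is regenerated from the server plugin, the correction belongs in the server-side docstring so it is not lost on the next regeneration.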
@@ -0,0 +1,1305 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Host-based access control + +Control who can access what services on what hosts. You +can use HBAC to control which users or groups can +access a service, or group of services, on a target host. + +You can also specify a category of users and target hosts. +This is currently limited to "all", but might be expanded in the +future. + +Target hosts in HBAC rules must be hosts managed by IPA. + +The available services and groups of services are controlled by the +hbacsvc and hbacsvcgroup plug-ins respectively. + +EXAMPLES: + + Create a rule, "test1", that grants all users access to the host "server" from + anywhere: + ipa hbacrule-add --usercat=all test1 + ipa hbacrule-add-host --hosts=server.example.com test1 + + Display the properties of a named HBAC rule: + ipa hbacrule-show test1 + + Create a rule for a specific service. This lets the user john access + the sshd service on any machine from any machine: + ipa hbacrule-add --hostcat=all john_sshd + ipa hbacrule-add-user --users=john john_sshd + ipa hbacrule-add-service --hbacsvcs=sshd john_sshd + + Create a rule for a new service group. 
This lets the user john access + the FTP service on any machine from any machine: + ipa hbacsvcgroup-add ftpers + ipa hbacsvc-add sftp + ipa hbacsvcgroup-add-member --hbacsvcs=ftp --hbacsvcs=sftp ftpers + ipa hbacrule-add --hostcat=all john_ftp + ipa hbacrule-add-user --users=john john_ftp + ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp + + Disable a named HBAC rule: + ipa hbacrule-disable test1 + + Remove a named HBAC rule: + ipa hbacrule-del allow_server +""") + +register = Registry() + + +@register() +class hbacrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + ), + parameters.Str( + 'memberservice_hbacsvc', + required=False, + label=_(u'Services'), + ), + 
parameters.Str( + 'memberservice_hbacsvcgroup', + required=False, + label=_(u'Service Groups'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class hbacrule_add(Method): + __doc__ = _("Create a new HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + autofill=True, + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_service(Method): + __doc__ = _("Add services to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to add'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'HBAC service groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_sourcehost(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_user(Method): + __doc__ = _("Add users and groups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_del(Method): + __doc__ = _("Delete an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacrule_disable(Method): + __doc__ = _("Disable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_enable(Method): + __doc__ = _("Enable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_find(Method): + __doc__ = _("Search for HBAC rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), 
+ exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacrule_mod(Method): + __doc__ = _("Modify an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + 
required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sourcehost_hostgroup', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_service(Method): + __doc__ = _("Remove service and service groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to remove'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'HBAC service groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_sourcehost(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_user(Method): + __doc__ = _("Remove users and groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_show(Method): + __doc__ = _("Display the properties of an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/hbacsvc.py b/ipaclient/remote_plugins/2_164/hbacsvc.py new file mode 100644 index 000000000..0de241935 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/hbacsvc.py 
@@ -0,0 +1,413 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Services + +The PAM services that HBAC can control access to. The name used here +must match the service name that PAM is evaluating. + +EXAMPLES: + + Add a new HBAC service: + ipa hbacsvc-add tftp + + Modify an existing HBAC service: + ipa hbacsvc-mod --desc="TFTP service" tftp + + Search for HBAC services. This example will return two results, the FTP + service and the newly-added tftp service: + ipa hbacsvc-find ftp + + Delete an HBAC service: + ipa hbacsvc-del tftp +""") + +register = Registry() + + +@register() +class hbacsvc(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service name'), + doc=_(u'HBAC service'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'memberof_hbacsvcgroup', + required=False, + label=_(u'Member of HBAC service groups'), + ), + ) + + +@register() +class hbacsvc_add(Method): + __doc__ = _("Add a new HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_del(Method): + __doc__ = _("Delete an existing HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacsvc_find(Method): + __doc__ = _("Search for HBAC services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("service")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvc_mod(Method): + __doc__ = _("Modify an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_show(Method): + __doc__ = _("Display information about an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/hbacsvcgroup.py b/ipaclient/remote_plugins/2_164/hbacsvcgroup.py new file mode 100644 index 000000000..f713b2fe8 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/hbacsvcgroup.py 
@@ -0,0 +1,528 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Service Groups + +HBAC service groups can contain any number of individual services, +or "members". Every group must have a description. + +EXAMPLES: + + Add a new HBAC service group: + ipa hbacsvcgroup-add --desc="login services" login + + Add members to an HBAC service group: + ipa hbacsvcgroup-add-member --hbacsvcs=sshd --hbacsvcs=login login + + Display information about a named group: + ipa hbacsvcgroup-show login + + Delete an HBAC service group: + ipa hbacsvcgroup-del login +""") + +register = Registry() + + +@register() +class hbacsvcgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service group name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'member_hbacsvc', + required=False, + label=_(u'Member HBAC service'), + ), + ) + + +@register() +class hbacsvcgroup_add(Method): + __doc__ = _("Add a new HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_add_member(Method): + __doc__ = _("Add members to an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacsvcgroup_del(Method): + __doc__ = _("Delete an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hbacsvcgroup_find(Method): + __doc__ = _("Search for an HBAC service group.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), 
+ parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvcgroup_mod(Method): + __doc__ = _("Modify an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_remove_member(Method): + __doc__ = _("Remove members from an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'HBAC services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacsvcgroup_show(Method): + __doc__ = _("Display information about an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/hbactest.py b/ipaclient/remote_plugins/2_164/hbactest.py new file mode 100644 index 000000000..b0c49b71b --- /dev/null +++ b/ipaclient/remote_plugins/2_164/hbactest.py 
@@ -0,0 +1,284 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + +EXAMPLES: + + 1. 
Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --enabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Matched rules: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --rules=myrule --rules=my-second-rule --disabled + --------------------- + Access granted: False + --------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + + 7. 
Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd \ + --enabled --disabled + -------------------- + Access granted: True + -------------------- + Not matched rules: my-second-rule + Not matched rules: my-third-rule + Not matched rules: myrule + Not matched rules: new-rule + Matched rules: allow_all + + +HBACTEST AND TRUSTED DOMAINS + +When an external trusted domain is configured in IPA, HBAC rules are also applied +on users accessing IPA resources from the trusted domain. Trusted domain users and +groups (and their SIDs) can be then assigned to external groups which can be +members of POSIX groups in IPA which can be used in HBAC rules and thus allowing +access to resources protected by the HBAC system. + +hbactest plugin is capable of testing access for both local IPA users and users +from the trusted domains, either by a fully qualified user name or by user SID. +Such user names need to have a trusted domain specified as a short name +(DOMAIN\Administrator) or with a user principal name (UPN), Administrator@ad.test. + +Please note that hbactest executed with a trusted domain user as --user parameter +can be only run by members of "trust admins" group. + +EXAMPLES: + + 1. Test if a user from a trusted domain specified by its shortname matches any + rule: + + $ ipa hbactest --user 'DOMAIN\Administrator' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 2. Test if a user from a trusted domain specified by its domain name matches + any rule: + + $ ipa hbactest --user 'Administrator@domain.com' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 3. 
Test if a user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-500 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Matched rules: can_login + + 4. Test if other user from a trusted domain specified by its SID matches any rule: + + $ ipa hbactest --user S-1-5-21-3035198329-144811719-1378114514-1203 \ + --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login + + 5. Test if other user from a trusted domain specified by its shortname matches + any rule: + + $ ipa hbactest --user 'DOMAIN\Otheruser' --host `hostname` --service sshd + -------------------- + Access granted: True + -------------------- + Matched rules: allow_all + Not matched rules: can_login +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. 
If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + (list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/host.py b/ipaclient/remote_plugins/2_164/host.py new file mode 100644 index 000000000..72b6ef881 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/host.py 
@@ -0,0 +1,1680 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Hosts/Machines + +A host represents a machine. It can be used in a number of contexts: +- service entries are associated with a host +- a host stores the host/ service principal +- a host can be used in Host-based Access Control (HBAC) rules +- every enrolled client generates a host entry + +ENROLLMENT: + +There are three enrollment scenarios when enrolling a new client: + +1. You are enrolling as a full administrator. The host entry may exist + or not. A full administrator is a member of the hostadmin role + or the admins group. +2. You are enrolling as a limited administrator. The host must already + exist. A limited administrator is a member a role with the + Host Enrollment privilege. +3. The host has been created with a one-time password. + +RE-ENROLLMENT: + +Host that has been enrolled at some point, and lost its configuration (e.g. VM +destroyed) can be re-enrolled. + +For more information, consult the manual pages for ipa-client-install. + +A host can optionally store information such as where it is located, +the OS that it runs, etc. 
+ +EXAMPLES: + + Add a new host: + ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com + + Delete a host: + ipa host-del test.example.com + + Add a new host with a one-time password: + ipa host-add --os='Fedora 12' --password=Secret123 test.example.com + + Add a new host with a random one-time password: + ipa host-add --os='Fedora 12' --random test.example.com + + Modify information about a host: + ipa host-mod --os='Fedora 12' test.example.com + + Remove SSH public keys of a host and update DNS to reflect this change: + ipa host-mod --sshpubkey= --updatedns test.example.com + + Disable the host Kerberos key, SSL certificate and all of its services: + ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test + + Allow user to create a keytab: + ipa host-allow-create-keytab test2 --users=tuser1 +""") + +register = Registry() + + +@register() +class host(Object): + takes_params = ( + parameters.Str( + 'fqdn', + primary_key=True, + label=_(u'Host name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Principal name'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + 
required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'managing_host', + label=_(u'Managing'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class host_add(Method): + __doc__ = _("Add a new host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + 
required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + 
label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force host name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_reverse', + doc=_(u'skip reverse DNS detection'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + label=_(u'IP Address'), + doc=_(u'Add the host to DNS with this IP address'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class host_add_cert(Method): + __doc__ = _("Add certificates to host entry") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_add_managedby(Method): + __doc__ = _("Add hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_del(Method): + __doc__ = _("Delete a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + multivalue=True, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Remove entries from DNS'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class host_disable(Method): + __doc__ = _("Disable the Kerberos key, 
SSL certificate and all services of a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_find(Method): + __doc__ = _("Search for hosts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'fqdn', + required=False, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. 
"Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostname")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for hosts with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for hosts without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts without these member of HBAC rules.'), + ), 
+ parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts without these member of sudo rules.'), + ), + parameters.Str( + 'enroll_by_user', + required=False, + multivalue=True, + cli_name='enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts with these enrolled by users.'), + ), + parameters.Str( + 'not_enroll_by_user', + required=False, + multivalue=True, + cli_name='not_enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts without these enrolled by users.'), + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managed by hosts.'), + ), + parameters.Str( + 'man_host', + required=False, + multivalue=True, + cli_name='man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managing hosts.'), + ), + parameters.Str( + 'not_man_host', + required=False, + multivalue=True, + cli_name='not_man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managing hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class host_mod(Method): + __doc__ = _("Modify information about a host.") + + takes_args = ( + 
parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'Host category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipaassignedidview', + required=False, + 
label=_(u'Assigned ID View'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principalname', + label=_(u'Principal name'), + doc=_(u'Kerberos principal name for this host'), + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Update DNS entries'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_cert(Method): + __doc__ = _("Remove certificates from host entry") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_managedby(Method): + __doc__ = _("Remove hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_show(Method): + __doc__ = _("Display information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/hostgroup.py b/ipaclient/remote_plugins/2_164/hostgroup.py new file mode 100644 index 000000000..afda19d78 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/hostgroup.py 
@@ -0,0 +1,709 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of hosts. + +Manage groups of hosts. This is useful for applying access control to a +number of hosts by using Host-based Access Control. + +EXAMPLES: + + Add a new host group: + ipa hostgroup-add --desc="Baltimore hosts" baltimore + + Add another new host group: + ipa hostgroup-add --desc="Maryland hosts" maryland + + Add members to the hostgroup (using Bash brace expansion): + ipa hostgroup-add-member --hosts={box1,box2,box3} baltimore + + Add a hostgroup as a member of another hostgroup: + ipa hostgroup-add-member --hostgroups=baltimore maryland + + Remove a host from the hostgroup: + ipa hostgroup-remove-member --hosts=box2 baltimore + + Display a host group: + ipa hostgroup-show baltimore + + Delete a hostgroup: + ipa hostgroup-del baltimore +""") + +register = Registry() + + +@register() +class hostgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + 
label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_host', + required=False, + label=_(u'Indirect Member hosts'), + ), + parameters.Str( + 'memberindirect_hostgroup', + required=False, + label=_(u'Indirect Member host-groups'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class hostgroup_add(Method): + __doc__ = _("Add a new hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_add_member(Method): + __doc__ = _("Add members to a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hostgroup_del(Method): + __doc__ = _("Delete a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class hostgroup_find(Method): + __doc__ = _("Search for hostgroups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + 
label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for host groups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for host groups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member host groups.'), + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these 
member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups without these member of netgroups.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hostgroup_mod(Method): + __doc__ = _("Modify a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + 
label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_remove_member(Method): + __doc__ = _("Remove members from a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hostgroup_show(Method): + __doc__ = _("Display information about a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/idrange.py b/ipaclient/remote_plugins/2_164/idrange.py new file mode 100644 index 000000000..e4f4728ac --- /dev/null +++ b/ipaclient/remote_plugins/2_164/idrange.py 
@@ -0,0 +1,639 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID ranges + +Manage ID ranges used to map Posix IDs to SIDs and back. + +There are two type of ID ranges which are both handled by this utility: + + - the ID ranges of the local domain + - the ID ranges of trusted remote domains + +Both types have the following attributes in common: + + - base-id: the first ID of the Posix ID range + - range-size: the size of the range + +With those two attributes a range object can reserve the Posix IDs starting +with base-id up to but not including base-id+range-size exclusively. + +Additionally an ID range of the local domain may set + - rid-base: the first RID(*) of the corresponding RID range + - secondary-rid-base: first RID of the secondary RID range + +and an ID range of a trusted domain must set + - rid-base: the first RID of the corresponding RID range + - sid: domain SID of the trusted domain + + + +EXAMPLE: Add a new ID range for a trusted domain + +Since there might be more than one trusted domain the domain SID must be given +while creating the ID range. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \ + --dom-sid=S-1-5-21-123-456-789 trusted_dom_range + +This ID range is then used by the IPA server and the SSSD IPA provider to +assign Posix UIDs to users from the trusted domain. + +If e.g a range for a trusted domain is configured with the following values: + base-id = 1200000 + range-size = 200000 + rid-base = 0 +the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. 
So +RID 1000 <-> Posix ID 1201000 + + + +EXAMPLE: Add a new ID range for the local domain + +To create an ID range for the local domain it is not necessary to specify a +domain SID. But since it is possible that a user and a group can have the same +value as Posix ID a second RID interval is needed to handle conflicts. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \ + --secondary-rid-base=1000000 local_range + +The data from the ID ranges of the local domain are used by the IPA server +internally to assign SIDs to IPA users and groups. The SID will then be stored +in the user or group objects. + +If e.g. the ID range for the local domain is configured with the values from +the example above then a new user with the UID 1200007 will get the RID 1007. +If this RID is already used by a group the RID will be 1000007. This can only +happen if a user or a group object was created with a fixed ID because the +automatic assignment will not assign the same ID twice. Since there are only +users and groups sharing the same ID namespace it is sufficient to have only +one fallback range to handle conflicts. + +To find the Posix ID for a given RID from the local domain it has to be +checked first if the RID falls in the primary or secondary RID range and +the rid-base or the secondary-rid-base has to be subtracted, respectively, +and the base-id has to be added to get the Posix ID. + +Typically the creation of ID ranges happens behind the scenes and this CLI +must not be used at all. The ID range for the local domain will be created +during installation or upgrade from an older version. The ID range for a +trusted domain will be created together with the trust by 'ipa trust-add ...'. + +USE CASES: + + Add an ID range from a transitively trusted domain + + If the trusted domain (A) trusts another domain (B) as well and this trust + is transitive 'ipa trust-add domain-A' will only create a range for + domain A. 
The ID range for domain B must be added manually. + + Add an additional ID range for the local domain + + If the ID range of the local domain is exhausted, i.e. no new IDs can be + assigned to Posix users or groups by the DNA plugin, a new range has to be + created to allow new users and groups to be added. (Currently there is no + connection between this range CLI and the DNA plugin, but a future version + might be able to modify the configuration of the DNS plugin as well) + +In general it is not necessary to modify or delete ID ranges. If there is no +other way to achieve a certain configuration than to modify or delete an ID +range it should be done with great care. Because UIDs are stored in the file +system and are used for access control it might be possible that users are +allowed to access files of other users if an ID range got deleted and reused +for a different domain. + +(*) The RID is typically the last integer of a user or group SID which follows +the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from +this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the +user. RIDs are unique in a domain, 32bit values and are used for users and +groups. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+======= +""") + +register = Registry() + + +@register() +class idrange(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + label=_(u'Name of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + ) + + +@register() +class idrange_add(Method): + __doc__ = _(""" +Add new ID range. + + To add a new ID range you always have to specify + + --base-id + --range-size + + Additionally + + --rid-base + --secondary-rid-base + + may be given for a new ID range for the local domain while + + --rid-base + --dom-sid + + must be given to add a new range for a trusted AD domain. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+======= + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + cli_name='dom_name', + label=_(u'Name of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + cli_name='type', + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']", + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_del(Method): + __doc__ = _("Delete an ID range.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idrange_find(Method): + __doc__ = _("Search for ranges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted 
domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + cli_name='type', + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust', 'ipa-local']", + label=_(u'Range type'), + doc=_(u'ID range type, one of ipa-ad-trust-posix, ipa-ad-trust, ipa-local'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idrange_mod(Method): + __doc__ = _(""" +Modify ID range. + +======= +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. 
Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. +======= + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipanttrusteddomainname', + required=False, + deprecated=True, + exclude=('cli', 'webui'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_show(Method): + __doc__ = _("Display information about a range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
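Review bot: The worked example in the module docstring is arithmetically wrong: with base-id 1200000 and range-size 200000, RIDs 0 to 199999 map to Posix IDs 1200000 to 1399999, not `13999999` as the text says, and the footnote's `then 1010 id the RID of the user` should read `is the RID`. Both strings are user-visible through `ipa help idrange`, so a reader checking an ID-range mapping by hand gets a wrong upper bound. The same docstring says `modify the configuration of the DNS plugin` in a sentence that is otherwise about the DNA plugin, presumably a typo. If this file is a bundled copy of the server plugin's docstring, the corrections belong there and should be regenerated into this bundle rather than patched here.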
diff --git a/ipaclient/remote_plugins/2_164/idviews.py b/ipaclient/remote_plugins/2_164/idviews.py new file mode 100644 index 000000000..2b34cba46 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/idviews.py 
@@ -0,0 +1,1491 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID Views +Manage ID Views +IPA allows to override certain properties of users and groups per each host. +This functionality is primarily used to allow migration from older systems or +other Identity Management solutions. +""") + +register = Registry() + + +@register() +class idoverridegroup(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Group name'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + ) + + +@register() +class idoverrideuser(Object): + takes_params = ( + parameters.Str( + 'ipaanchoruuid', + primary_key=True, + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + label=_(u'User login'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + 
), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + ) + + +@register() +class idview(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class idoverridegroup_add(Method): + __doc__ = _("Add a new Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_del(Method): + __doc__ = _("Delete an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverridegroup_find(Method): + __doc__ = _("Search for an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverridegroup_mod(Method): + __doc__ = _("Modify an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the Group ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverridegroup_show(Method): + __doc__ = _("Display information about an Group ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_add(Method): + __doc__ = _("Add a new User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_del(Method): + __doc__ = _("Delete an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + multivalue=True, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. 
For two-way trusts only.'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idoverrideuser_find(Method): + __doc__ = _("Search for an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaanchoruuid', + required=False, + cli_name='anchor', + label=_(u'Anchor to override'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback 
to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("anchor")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idoverrideuser_mod(Method): + __doc__ = _("Modify an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + no_convert=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home 
directory'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'ipaoriginaluid', + required=False, + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the User ID override object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idoverrideuser_show(Method): + __doc__ = _("Display information about an User ID override.") + + takes_args = ( + parameters.Str( + 'idviewcn', + cli_name='idview', + label=_(u'ID View Name'), + ), + parameters.Str( + 'ipaanchoruuid', + cli_name='anchor', + label=_(u'Anchor to override'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'fallback_to_ldap', + required=False, + label=_(u'Fallback to AD DC LDAP'), + doc=_(u'Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idview_add(Method): + __doc__ = _("Add a new ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_apply(Method): + __doc__ = _("Applies ID View to specified hosts or current members of specified hostgroups. 
If any other ID View is applied to the host, it is overridden.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to apply the ID View to'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups to whose hosts apply the ID View to. Please note that view is not applied automatically to any hosts added to the hostgroup after running the idview-apply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that this ID View was applied to.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that this ID View could not be applied to.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts the ID View was applied to:'), + ), + ) + + +@register() +class idview_del(Method): + __doc__ = _("Delete an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class idview_find(Method): + __doc__ = _("Search for an ID View.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 
'cn', + required=False, + cli_name='name', + label=_(u'ID View Name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idview_mod(Method): + __doc__ = _("Modify an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the ID View object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_show(Method): + __doc__ = _("Display information about an ID View.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'ID View Name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'show_hosts', + required=False, + doc=_(u'Enumerate all the hosts the view applies to.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idview_unapply(Method): + __doc__ = _("Clears ID View from specified hosts or current members of specified hostgroups.") + + takes_options = ( + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'hosts'), + doc=_(u'Hosts to clear (any) ID View from.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'hostgroups'), + doc=_(u'Hostgroups whose hosts should have ID Views cleared. Note that view is not cleared automatically from any host added to the hostgroup after running idview-unapply command.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'succeeded', + dict, + doc=_(u'Hosts that ID View was cleared from.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Hosts or hostgroups that ID View could not be cleared from.'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of hosts that had a ID View was unset:'), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/internal.py b/ipaclient/remote_plugins/2_164/internal.py new file mode 100644 index 000000000..7fec8d26f --- /dev/null +++ b/ipaclient/remote_plugins/2_164/internal.py @@ -0,0 +1,92 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugins not accessible directly through the CLI, commands used internally +""") + +register = Registry() + + +@register() +class i18n_messages(Command): + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'texts', + dict, + doc=_(u'Dict of I18N messages'), + ), + ) + + +@register() +class json_metadata(Command): + __doc__ = _("Export plugin meta-data for the webUI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'objname', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'methodname', + required=False, + doc=_(u'Name of method to export'), + ), + ) + takes_options = ( + parameters.Str( + 'object', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'method', + required=False, + doc=_(u'Name of method to export'), + ), + parameters.Str( + 'command', + required=False, + doc=_(u'Name of command to export'), + ), + ) + has_output = ( + output.Output( + 'objects', + dict, + doc=_(u'Dict of JSON encoded IPA Objects'), + ), + output.Output( + 'methods', + dict, + doc=_(u'Dict of JSON encoded IPA Methods'), + ), + output.Output( + 'commands', + dict, + doc=_(u'Dict of JSON encoded IPA Commands'), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/join.py b/ipaclient/remote_plugins/2_164/join.py new file mode 100644 index 000000000..07403510b --- /dev/null +++ b/ipaclient/remote_plugins/2_164/join.py @@ -0,0 +1,62 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Joining an IPA domain +""") + +register = Registry() + + +@register() +class join(Command): + __doc__ = _("Join an IPA domain") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostname', + doc=_(u'The hostname to register as'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: unicode(installutils.get_fqdn()) + autofill=True, + ), + ) + takes_options = ( + parameters.Str( + 'realm', + doc=_(u'The IPA realm'), + default_from=DefaultFrom(lambda: api.env.realm), + autofill=True, + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + doc=_(u'Operating System and version of the host (e.g. Fedora 9)'), + ), + ) + has_output = ( + ) diff --git a/ipaclient/remote_plugins/2_164/krbtpolicy.py b/ipaclient/remote_plugins/2_164/krbtpolicy.py new file mode 100644 index 000000000..42a4b2bc7 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/krbtpolicy.py 
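Review bot: The `cn` argument of `join` is declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, so the hostname is never derived on the client even though the FIXME below it records that the original default was `lambda: unicode(installutils.get_fqdn())`; the comment should say why that expression was dropped from the bundled definition rather than just quoting it, e.g. `# FIXME: upstream default derives the FQDN via installutils.get_fqdn(); not reproduced in the bundled client schema — TODO confirm where the caller supplies the hostname`. Without that reason the `None` default reads as an oversight to the next maintainer instead of a deliberate gap. As a style point, `lambda : None` carries a stray space before the colon (PEP 8); `lambda: None` would match the `realm` default written as `DefaultFrom(lambda: api.env.realm)` two entries below.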
@@ -0,0 +1,266 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos ticket policy + +There is a single Kerberos ticket policy. This policy defines the +maximum ticket lifetime and the maximum renewal age, the period during +which the ticket is renewable. + +You can also create a per-user ticket policy by specifying the user login. + +For changes to the global policy to take effect, restarting the KDC service +is required, which can be achieved using: + +service krb5kdc restart + +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). + +EXAMPLES: + + Display the current Kerberos ticket policy: + ipa krbtpolicy-show + + Reset the policy to the default: + ipa krbtpolicy-reset + + Modify the policy to 8 hours max life, 1-day max renewal: + ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400 + + Display effective Kerberos ticket policy for user 'admin': + ipa krbtpolicy-show admin + + Reset per-user policy for user 'admin': + ipa krbtpolicy-reset admin + + Modify per-user policy for user 'admin': + ipa krbtpolicy-mod admin --maxlife=3600 +""") + +register = Registry() + + +@register() +class krbtpolicy(Object): + takes_params = ( + parameters.Str( + 'uid', + required=False, + primary_key=True, + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + parameters.Int( + 'krbmaxticketlife', + required=False, + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + label=_(u'Max renew'), + doc=_(u'Maximum renewable age 
(seconds)'), + ), + ) + + +@register() +class krbtpolicy_mod(Method): + __doc__ = _("Modify Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxticketlife', + required=False, + cli_name='maxlife', + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + cli_name='maxrenew', + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_reset(Method): + __doc__ = _("Reset Kerberos ticket policy to the default values.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_show(Method): + __doc__ = _("Display the current Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/migration.py b/ipaclient/remote_plugins/2_164/migration.py new file mode 100644 index 000000000..89049f257 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/migration.py 
@@ -0,0 +1,319 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Migration to IPA + +Migrate users and groups from an LDAP server to IPA. + +This performs an LDAP query against the remote server searching for +users and groups in a container. In order to migrate passwords you need +to bind as a user that can read the userPassword attribute on the remote +server. This is generally restricted to high-level admins such as +cn=Directory Manager in 389-ds (this is the default bind user). + +The default user container is ou=People. + +The default group container is ou=Groups. + +Users and groups that already exist on the IPA server are skipped. + +Two LDAP schemas define how group members are stored: RFC2307 and +RFC2307bis. RFC2307bis uses member and uniquemember to specify group +members, RFC2307 uses memberUid. The default schema is RFC2307bis. + +The schema compat feature allows IPA to reformat data for systems that +do not support RFC2307bis. It is recommended that this feature is disabled +during migration to reduce system overhead. It can be re-enabled after +migration. To migrate with it enabled use the "--with-compat" option. + +Migrated users do not have Kerberos credentials, they have only their +LDAP password. To complete the migration process, users need to go +to http://ipa.example.com/ipa/migration and authenticate using their +LDAP password in order to generate their Kerberos credentials. + +Migration is disabled by default. 
Use the command ipa config-mod to +enable it: + + ipa config-mod --enable-migration=TRUE + +If a base DN is not provided with --basedn then IPA will use either +the value of defaultNamingContext if it is set or the first value +in namingContexts set in the root of the remote LDAP server. + +Users are added as members to the default user group. This can be a +time-intensive task so during migration this is done in a batch +mode for every 100 users. As a result there will be a window in which +users will be added to IPA but will not be members of the default +user group. + +EXAMPLES: + + The simplest migration, accepting all defaults: + ipa migrate-ds ldap://ds.example.com:389 + + Specify the user and group container. This can be used to migrate user + and group data from an IPA v1 server: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Since IPA v2 server already contain predefined groups that may collide with + groups in migrated (IPA v1) server (for example admins, ipausers), users + having colliding group as their primary group may happen to belong to + an unknown group on new IPA v2 server. + Use --group-overwrite-gid option to overwrite GID of already existing groups + to prevent this issue: + ipa migrate-ds --group-overwrite-gid \ + --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Migrated users or groups may have object class and accompanied attributes + unknown to the IPA v2 server. These object classes and attributes may be + left out of the migration process: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + --user-ignore-objectclass=radiusprofile \ + --user-ignore-attribute=radiusgroupname \ + ldap://ds.example.com:389 + +LOGGING + +Migration will log warnings and errors to the Apache error log. 
This +file should be evaluated post-migration to correct or investigate any +issues that were discovered. + +For every 100 users migrated an info-level message will be displayed to +give the current progress and duration to make it possible to track +the progress of migration. + +If the log level is debug, either by setting debug = True in +/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed +for each user added plus a summary when the default user group is +updated. +""") + +register = Registry() + + +@register() +class migrate_ds(Command): + __doc__ = _("Migrate users and groups from DS to IPA.") + + takes_args = ( + parameters.Str( + 'ldapuri', + cli_name='ldap_uri', + label=_(u'LDAP URI'), + doc=_(u'LDAP URI of DS server to migrate from'), + ), + parameters.Password( + 'bindpw', + cli_name='password', + label=_(u'Password'), + doc=_(u'bind password'), + ), + ) + takes_options = ( + parameters.DNParam( + 'binddn', + required=False, + cli_name='bind_dn', + label=_(u'Bind DN'), + default=DN(u'cn=directory manager'), + autofill=True, + ), + parameters.DNParam( + 'usercontainer', + cli_name='user_container', + label=_(u'User container'), + doc=_(u'DN of container for users in DS relative to base DN'), + default=DN(u'ou=people'), + autofill=True, + ), + parameters.DNParam( + 'groupcontainer', + cli_name='group_container', + label=_(u'Group container'), + doc=_(u'DN of container for groups in DS relative to base DN'), + default=DN(u'ou=groups'), + autofill=True, + ), + parameters.Str( + 'userobjectclass', + multivalue=True, + cli_name='user_objectclass', + label=_(u'User object class'), + doc=_(u'Objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + parameters.Str( + 'groupobjectclass', + multivalue=True, + cli_name='group_objectclass', + label=_(u'Group object class'), + doc=_(u'Objectclasses used to search for group entries in DS'), + default=(u'groupOfUniqueNames', u'groupOfNames'), + 
autofill=True, + ), + parameters.Str( + 'userignoreobjectclass', + required=False, + multivalue=True, + cli_name='user_ignore_objectclass', + label=_(u'Ignore user object class'), + doc=_(u'Objectclasses to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'userignoreattribute', + required=False, + multivalue=True, + cli_name='user_ignore_attribute', + label=_(u'Ignore user attribute'), + doc=_(u'Attributes to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreobjectclass', + required=False, + multivalue=True, + cli_name='group_ignore_objectclass', + label=_(u'Ignore group object class'), + doc=_(u'Objectclasses to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreattribute', + required=False, + multivalue=True, + cli_name='group_ignore_attribute', + label=_(u'Ignore group attribute'), + doc=_(u'Attributes to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Flag( + 'groupoverwritegid', + cli_name='group_overwrite_gid', + label=_(u'Overwrite GID'), + doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'), + default=False, + autofill=True, + ), + parameters.Str( + 'schema', + required=False, + cli_metavar="['RFC2307bis', 'RFC2307']", + label=_(u'LDAP schema'), + doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + default=u'RFC2307bis', + autofill=True, + ), + parameters.Flag( + 'continue', + required=False, + label=_(u'Continue'), + doc=_(u'Continuous operation mode. 
Errors are reported but the process continues'), + default=False, + autofill=True, + ), + parameters.DNParam( + 'basedn', + required=False, + cli_name='base_dn', + label=_(u'Base DN'), + doc=_(u'Base DN on remote LDAP server'), + ), + parameters.Flag( + 'compat', + required=False, + cli_name='with_compat', + label=_(u'Ignore compat plugin'), + doc=_(u'Allows migration despite the usage of compat plugin'), + default=False, + autofill=True, + ), + parameters.Str( + 'cacertfile', + required=False, + cli_name='ca_cert_file', + label=_(u'CA certificate'), + doc=_(u'Load CA certificate of LDAP server from FILE'), + ), + parameters.Bool( + 'use_def_group', + required=False, + cli_name='use_default_group', + label=_(u'Add to default group'), + doc=_(u'Add migrated users without a group to a default group (default: true)'), + default=True, + autofill=True, + ), + parameters.Str( + 'scope', + cli_metavar="['base', 'subtree', 'onelevel']", + label=_(u'Search scope'), + doc=_(u'LDAP search scope for users and groups: base, onelevel, or subtree. Defaults to onelevel'), + default=u'onelevel', + autofill=True, + ), + parameters.Str( + 'exclude_groups', + required=False, + multivalue=True, + doc=_(u'groups to exclude from migration'), + default=(), + autofill=True, + ), + parameters.Str( + 'exclude_users', + required=False, + multivalue=True, + doc=_(u'users to exclude from migration'), + default=(), + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Lists of objects migrated; categorized by type.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Lists of objects that could not be migrated; categorized by type.'), + ), + output.Output( + 'enabled', + bool, + doc=_(u'False if migration mode was disabled.'), + ), + output.Output( + 'compat', + bool, + doc=_(u'False if migration fails because the compatibility plug-in is enabled.'), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/misc.py b/ipaclient/remote_plugins/2_164/misc.py new file mode 100644 index 000000000..4889e666b --- /dev/null +++ b/ipaclient/remote_plugins/2_164/misc.py 
@@ -0,0 +1,113 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Misc plug-ins +""") + +register = Registry() + + +@register() +class env(Command): + __doc__ = _("Show environment variables.") + + takes_args = ( + parameters.Str( + 'variables', + required=False, + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + output.Output( + 'total', + int, + doc=_(u'Total number of variables env (>= count)'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of variables returned (<= total)'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) + + +@register() +class plugins(Command): + __doc__ = _("Show all loaded plugins.") + + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping plugin names to bases'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of plugins loaded'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/netgroup.py b/ipaclient/remote_plugins/2_164/netgroup.py new file mode 100644 index 000000000..a04d99276 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/netgroup.py 
@@ -0,0 +1,865 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Netgroups + +A netgroup is a group used for permission checking. It can contain both +user and host values. + +EXAMPLES: + + Add a new netgroup: + ipa netgroup-add --desc="NFS admins" admins + + Add members to the netgroup: + ipa netgroup-add-member --users=tuser1 --users=tuser2 admins + + Remove a member from the netgroup: + ipa netgroup-remove-member --users=tuser2 admins + + Display information about a netgroup: + ipa netgroup-show admins + + Delete a netgroup: + ipa netgroup-del admins +""") + +register = Registry() + + +@register() +class netgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Netgroup name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'member_netgroup', + required=False, + label=_(u'Member netgroups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of 
netgroups'), + ), + parameters.Str( + 'memberindirect_netgroup', + required=False, + label=_(u'Indirect Member netgroups'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Member User'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'Member Group'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Member Host'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Member Hostgroup'), + ), + ) + + +@register() +class netgroup_add(Method): + __doc__ = _("Add a new netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_add_member(Method): + __doc__ = _("Add members to a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class netgroup_del(Method): + __doc__ = _("Delete a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class 
netgroup_find(Method): + __doc__ = _("Search for a netgroup.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + cli_name='uuid', + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'private', + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'managed', + doc=_(u'search for managed groups'), + default=False, + default_from=DefaultFrom(lambda private: private), + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member netgroups.'), + ), + parameters.Str( + 'no_netgroup', + required=False, + multivalue=True, + cli_name='no_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member netgroups.'), + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for netgroups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for netgroups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for netgroups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for netgroups without these member groups.'), + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for netgroups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for 
netgroups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups without these member host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member of netgroups.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class netgroup_mod(Method): + __doc__ = _("Modify a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host 
category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_remove_member(Method): + __doc__ = _("Remove members from a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'netgroups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class netgroup_show(Method): + __doc__ = _("Display information about a netgroup.") + + takes_args = ( + 
parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/otpconfig.py b/ipaclient/remote_plugins/2_164/otpconfig.py new file mode 100644 index 000000000..1aceb903e --- /dev/null +++ b/ipaclient/remote_plugins/2_164/otpconfig.py 
@@ -0,0 +1,206 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +OTP configuration + +Manage the default values that IPA uses for OTP tokens. + +EXAMPLES: + + Show basic OTP configuration: + ipa otpconfig-show + + Show all OTP configuration options: + ipa otpconfig-show --all + + Change maximum TOTP authentication window to 10 minutes: + ipa otpconfig-mod --totp-auth-window=600 + + Change maximum TOTP synchronization window to 12 hours: + ipa otpconfig-mod --totp-sync-window=43200 + + Change maximum HOTP authentication window to 5: + ipa hotpconfig-mod --hotp-auth-window=5 + + Change maximum HOTP synchronization window to 50: + ipa hotpconfig-mod --hotp-sync-window=50 +""") + +register = Registry() + + +@register() +class otpconfig(Object): + takes_params = ( + parameters.Int( + 'ipatokentotpauthwindow', + label=_(u'TOTP authentication Window'), + doc=_(u'TOTP authentication time variance (seconds)'), + ), + parameters.Int( + 'ipatokentotpsyncwindow', + label=_(u'TOTP Synchronization Window'), + doc=_(u'TOTP synchronization time variance (seconds)'), + ), + parameters.Int( + 'ipatokenhotpauthwindow', + label=_(u'HOTP Authentication Window'), + doc=_(u'HOTP authentication skip-ahead'), + ), + parameters.Int( + 'ipatokenhotpsyncwindow', + label=_(u'HOTP Synchronization Window'), + doc=_(u'HOTP synchronization skip-ahead'), + ), + ) + + +@register() +class otpconfig_mod(Method): + __doc__ = _("Modify OTP configuration options.") + + takes_options = ( + parameters.Int( + 'ipatokentotpauthwindow', + required=False, + cli_name='totp_auth_window', + label=_(u'TOTP authentication Window'), + 
doc=_(u'TOTP authentication time variance (seconds)'), + ), + parameters.Int( + 'ipatokentotpsyncwindow', + required=False, + cli_name='totp_sync_window', + label=_(u'TOTP Synchronization Window'), + doc=_(u'TOTP synchronization time variance (seconds)'), + ), + parameters.Int( + 'ipatokenhotpauthwindow', + required=False, + cli_name='hotp_auth_window', + label=_(u'HOTP Authentication Window'), + doc=_(u'HOTP authentication skip-ahead'), + ), + parameters.Int( + 'ipatokenhotpsyncwindow', + required=False, + cli_name='hotp_sync_window', + label=_(u'HOTP Synchronization Window'), + doc=_(u'HOTP synchronization skip-ahead'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class otpconfig_show(Method): + __doc__ = _("Show the current OTP configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/otptoken.py b/ipaclient/remote_plugins/2_164/otptoken.py new file mode 100644 index 000000000..0b2b54c6e --- /dev/null +++ b/ipaclient/remote_plugins/2_164/otptoken.py 
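Review bot: The module docstring's HOTP examples invoke a command that this module does not register: `ipa hotpconfig-mod --hotp-auth-window=5` and `ipa hotpconfig-mod --hotp-sync-window=50` should read `ipa otpconfig-mod --hotp-auth-window=5` and `ipa otpconfig-mod --hotp-sync-window=50`, since the only modifier defined here is `otpconfig_mod`, which carries both `hotp_auth_window` and `hotp_sync_window` options. This file looks like a bundled copy of the server's 2.164 plugin definition, so the same wording is presumably in the server-side plugin and should be corrected there as well so the two stay in sync. It would also help operators to have a short caveat beside the window options, which the docs describe only as "time variance" and "skip-ahead", e.g. `# NOTE: larger auth/sync windows widen the set of codes accepted at any moment; keep them as small as clock drift permits.`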
@@ -0,0 +1,893 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +OTP Tokens + +Manage OTP tokens. + +IPA supports the use of OTP tokens for multi-factor authentication. This +code enables the management of OTP tokens. + +EXAMPLES: + + Add a new token: + ipa otptoken-add --type=totp --owner=jdoe --desc="My soft token" + + Examine the token: + ipa otptoken-show a93db710-a31a-4639-8647-f15b2c70b78a + + Change the vendor: + ipa otptoken-mod a93db710-a31a-4639-8647-f15b2c70b78a --vendor="Red Hat" + + Delete a token: + ipa otptoken-del a93db710-a31a-4639-8647-f15b2c70b78a +""") + +register = Registry() + + +@register() +class otptoken(Object): + takes_params = ( + parameters.Str( + 'ipatokenuniqueid', + primary_key=True, + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of the token'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Str( + 'managedby_user', + required=False, + label=_(u'Manager'), + doc=_(u'Assigned manager of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', 
+ required=False, + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + ), + ) + + +@register() +class otptoken_add(Method): + __doc__ = _("Add a new OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + autofill=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + 
label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Bytes( + 'ipatokenotpkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Token secret (Base32; default: random)'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: os.urandom(KEY_LENGTH) + autofill=True, + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + autofill=True, + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code will have'), + default=6, + autofill=True, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + autofill=True, + ), + parameters.Int( + 
'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + autofill=True, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + autofill=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'qrcode', + required=False, + label=_(u'(deprecated)'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_qrcode', + label=_(u'Do not display QR code'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_add_managedby(Method): + __doc__ = _("Add users that can manage this token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class otptoken_del(Method): + __doc__ = _("Delete an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + multivalue=True, + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class otptoken_find(Method): + __doc__ = _("Search for OTP token.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant 
object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'ipatokenuniqueid', + required=False, + cli_name='id', + label=_(u'Unique ID'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['totp', 'hotp', 'TOTP', 'HOTP']", + label=_(u'Type'), + doc=_(u'Type of the token'), + default=u'totp', + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + ), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'ipatokenotpalgorithm', + required=False, + cli_name='algo', + cli_metavar="['sha1', 'sha256', 'sha384', 'sha512']", + label=_(u'Algorithm'), + doc=_(u'Token hash algorithm'), + default=u'sha1', + ), + parameters.Int( + 'ipatokenotpdigits', + required=False, + cli_name='digits', + cli_metavar="['6', '8']", + label=_(u'Digits'), + doc=_(u'Number of digits each token code 
will have'), + default=6, + ), + parameters.Int( + 'ipatokentotpclockoffset', + required=False, + cli_name='offset', + label=_(u'Clock offset'), + doc=_(u'TOTP token / FreeIPA server time difference'), + default=0, + ), + parameters.Int( + 'ipatokentotptimestep', + required=False, + cli_name='interval', + label=_(u'Clock interval'), + doc=_(u'Length of TOTP token code validity'), + default=30, + ), + parameters.Int( + 'ipatokenhotpcounter', + required=False, + cli_name='counter', + label=_(u'Counter'), + doc=_(u'Initial counter for the HOTP token'), + default=0, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("id")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class otptoken_mod(Method): + __doc__ = _("Modify a OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Token description (informational only)'), + ), + parameters.Str( + 'ipatokenowner', + required=False, + cli_name='owner', + label=_(u'Owner'), + doc=_(u'Assigned user of the token (default: self)'), + ), + parameters.Bool( + 'ipatokendisabled', + required=False, + cli_name='disabled', + label=_(u'Disabled'), + doc=_(u'Mark the token as disabled (default: false)'), + ), + parameters.DateTime( + 'ipatokennotbefore', + required=False, + cli_name='not_before', + label=_(u'Validity start'), + doc=_(u'First date/time the token can be used'), + ), + parameters.DateTime( + 'ipatokennotafter', + required=False, + cli_name='not_after', + label=_(u'Validity end'), + doc=_(u'Last date/time the token can be used'), + ), + parameters.Str( + 'ipatokenvendor', + required=False, + cli_name='vendor', + label=_(u'Vendor'), + doc=_(u'Token vendor name (informational only)'), + 
), + parameters.Str( + 'ipatokenmodel', + required=False, + cli_name='model', + label=_(u'Model'), + doc=_(u'Token model (informational only)'), + ), + parameters.Str( + 'ipatokenserial', + required=False, + cli_name='serial', + label=_(u'Serial'), + doc=_(u'Token serial (informational only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the OTP token object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class otptoken_remove_managedby(Method): + __doc__ = _("Remove users that can manage this token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class otptoken_show(Method): + __doc__ = _("Display information about an OTP token.") + + takes_args = ( + parameters.Str( + 'ipatokenuniqueid', + cli_name='id', + label=_(u'Unique ID'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
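Review bot: In `otptoken_add`, `ipatokenotpkey` now gets `default_from=DefaultFrom(lambda : None)` with `autofill=True`, replacing the `os.urandom(KEY_LENGTH)` default named in the adjacent FIXME, so the client no longer generates the token secret and sends no key unless the caller passes `--key`. Whether a token created without a key then receives a random secret depends entirely on the server, and that should be confirmed for each bundled API version (2.49 through 2.164) before this ships, since a server that accepted a missing key without generating one would yield a token whose secret is not random. The FIXME is better replaced by a comment stating the intended contract once verified, e.g. `# Secret generation is deferred to the server, which must supply a random key when none is sent.` Minor: `otptoken_mod`'s docstring reads "Modify a OTP token." and should be "Modify an OTP token."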
diff --git a/ipaclient/remote_plugins/2_164/otptoken_yubikey.py b/ipaclient/remote_plugins/2_164/otptoken_yubikey.py new file mode 100644 index 000000000..61fe1b484 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/otptoken_yubikey.py @@ -0,0 +1,33 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +YubiKey Tokens + +Manage YubiKey tokens. + +This code is an extension to the otptoken plugin and provides support for +reading/writing YubiKey tokens directly. + +EXAMPLES: + + Add a new token: + ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey" +""") + +register = Registry() diff --git a/ipaclient/remote_plugins/2_164/passwd.py b/ipaclient/remote_plugins/2_164/passwd.py new file mode 100644 index 000000000..4476cf1ec --- /dev/null +++ b/ipaclient/remote_plugins/2_164/passwd.py 
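Review bot: The module docstring advertises `ipa otptoken-add-yubikey --owner=jdoe --desc="My YubiKey"`, but the hunk registers no command at all; `register = Registry()` is its last line and nothing is decorated with it. If the command is implemented client-side elsewhere (the diffstat lists `ipaclient/frontend.py`, which this chunk does not show), a one-line comment such as `# No server-side commands here; otptoken-add-yubikey is implemented on the client.` would stop readers of this bundle from looking for it in this file. If it is not implemented elsewhere, the docstring is misleading for the pre-schema servers this bundle targets.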
@@ -0,0 +1,93 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Set a user's password + +If someone other than a user changes that user's password (e.g., Helpdesk +resets it) then the password will need to be changed the first time it +is used. This is so the end-user is the only one who knows the password. + +The IPA password policy controls how often a password may be changed, +what strength requirements exist, and the length of the password history. + +EXAMPLES: + + To reset your own password: + ipa passwd + + To change another user's password: + ipa passwd tuser1 +""") + +register = Registry() + + +@register() +class passwd(Command): + __doc__ = _("Set a user's password.") + + takes_args = ( + parameters.Str( + 'principal', + cli_name='user', + label=_(u'User name'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: krb_utils.get_principal() + autofill=True, + no_convert=True, + ), + parameters.Password( + 'password', + label=_(u'New Password'), + confirm=True, + ), + parameters.Password( + 'current_password', + label=_(u'Current Password'), + default_from=DefaultFrom(lambda principal: None, 'principal'), + # FIXME: + # lambda principal: get_current_password(principal) + autofill=True, + ), + ) + takes_options = ( + parameters.Password( + 'otp', + required=False, + label=_(u'OTP'), + doc=_(u'One Time Password'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( 
+ 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/permission.py b/ipaclient/remote_plugins/2_164/permission.py new file mode 100644 index 000000000..94cd1bbaa --- /dev/null +++ b/ipaclient/remote_plugins/2_164/permission.py 
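Review bot: `current_password` defaults to `DefaultFrom(lambda principal: None, 'principal')` with `autofill=True`, while the FIXME says the original default is `get_current_password(principal)`; because the stub ignores `principal`, the case described in the module docstring where someone other than the user resets that user's password presumably behaves differently from the original plugin, and this should be checked against the four bundled API versions. Likewise `principal` defaults to `None` in place of `krb_utils.get_principal()`, so a bare `ipa passwd` no longer resolves the caller's own principal in this definition unless something outside this file fills it in. Either wire the two stubs to the real helpers or replace the FIXMEs with a comment stating where the values are actually supplied, e.g. `# Both defaults return None here; the client front end is expected to resolve the caller's principal and current password before dispatch.`, only if that is in fact the case.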
@@ -0,0 +1,1099 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable wrapper around a 389-ds Access Control Rule, +or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add, delete, read, search, + or compare. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. search - search on one or more attributes +4. compare - compare one or more attributes +5. add - add a new entry to the tree +6. delete - delete an existing entry +7. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. subtree: a DN; the permission applies to the subtree under this DN +2. target filter: an LDAP filter +3. 
target: DN with possible wildcards, specifies entries permission applies to + +Additionally, there are the following convenience options. +Setting one of these options will set the corresponding attribute(s). +1. type: a type of object (user, group, etc); sets subtree and target filter. +2. memberof: apply to members of a group; sets target filter +3. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership); sets target. + +Managed permissions + +Permissions that come with IPA by default can be so-called "managed" +permissions. These have a default set of attributes they apply to, +but the administrator can add/remove individual attributes to/from the set. + +Deleting or renaming a managed permission, as well as changing its target, +is not allowed. + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the 
permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + label=_(u'Bind rule type'), + ), + parameters.Str( + 'ipapermlocation', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + ), + parameters.Str( + 'subtree', + 
required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + alwaysask=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermbindruletype', + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + autofill=True, + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, 
but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + alwaysask=True, + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI (internal command)") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermissiontype', + multivalue=True, + label=_(u'Permission flags'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + 
doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermdefaultattr', + required=False, + multivalue=True, + cli_name='defaultattrs', + label=_(u'Default attributes'), + doc=_(u'Attributes to which the permission applies by default'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets 
target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipapermright', + required=False, + multivalue=True, + cli_name='right', + cli_metavar="['read', 'search', 'compare', 'write', 'add', 'delete', 'all']", + label=_(u'Granted rights'), + doc=_(u'Rights to grant (read, search, compare, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Effective attributes'), + doc=_(u'All attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermincludedattr', + required=False, + multivalue=True, + cli_name='includedattrs', + label=_(u'Included attributes'), + doc=_(u'User-specified attributes to which the permission applies'), + ), + parameters.Str( + 'ipapermexcludedattr', + required=False, + multivalue=True, + cli_name='excludedattrs', + label=_(u'Excluded attributes'), + doc=_(u'User-specified attributes to which the permission explicitly does not apply'), + ), + parameters.Str( + 'ipapermbindruletype', + required=False, + 
cli_name='bindtype', + cli_metavar="['permission', 'all', 'anonymous']", + label=_(u'Bind rule type'), + default=u'permission', + ), + parameters.Str( + 'ipapermlocation', + required=False, + cli_name='subtree', + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'extratargetfilter', + required=False, + multivalue=True, + cli_name='filter', + label=_(u'Extra target filter'), + ), + parameters.Str( + 'ipapermtargetfilter', + required=False, + multivalue=True, + cli_name='rawfilter', + label=_(u'Raw target filter'), + doc=_(u'All target filters, including those implied by type and memberof'), + ), + parameters.DNParam( + 'ipapermtarget', + required=False, + cli_name='target', + label=_(u'Target DN'), + doc=_(u'Optional DN to apply the permission to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetto', + required=False, + cli_name='targetto', + label=_(u'Target DN subtree'), + doc=_(u'Optional DN subtree where an entry can be moved to (must be in the subtree, but may not yet exist)'), + ), + parameters.DNParam( + 'ipapermtargetfrom', + required=False, + cli_name='targetfrom', + label=_(u'Origin DN subtree'), + doc=_(u'Optional DN subtree from where an entry can be moved (must be in the subtree, but may not yet exist)'), + ), + parameters.Str( + 'memberof', + required=False, + multivalue=True, + label=_(u'Member of group'), + doc=_(u'Target members of a group (sets memberOf targetfilter)'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to (sets target)'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (sets subtree and objectClass targetfilter)'), + ), + parameters.Str( + 'filter', + required=False, + multivalue=True, + doc=_(u'Deprecated; use extratargetfilter'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'subtree', + required=False, + 
multivalue=True, + doc=_(u'Deprecated; use ipapermlocation'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + doc=_(u'Deprecated; use ipapermright'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/ping.py b/ipaclient/remote_plugins/2_164/ping.py new file mode 100644 index 000000000..e9344127c --- /dev/null +++ b/ipaclient/remote_plugins/2_164/ping.py 
@@ -0,0 +1,62 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Ping the remote IPA server to ensure it is running. + +The ping command sends an echo request to an IPA server. The server +returns its version information. This is used by an IPA client +to confirm that the server is available and accepting requests. + +The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first. +If it does not respond then the client will contact any servers defined +by ldap SRV records in DNS. + +EXAMPLES: + + Ping an IPA server: + ipa ping + ------------------------------------------ + IPA server version 2.1.9. API version 2.20 + ------------------------------------------ + + Ping an IPA server verbosely: + ipa -v ping + ipa: INFO: trying https://ipa.example.com/ipa/xml + ipa: INFO: Forwarding 'ping' to server 'https://ipa.example.com/ipa/xml' + ----------------------------------------------------- + IPA server version 2.1.9. API version 2.20 + ----------------------------------------------------- +""") + +register = Registry() + + +@register() +class ping(Command): + __doc__ = _("Ping a remote server.") + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/pkinit.py b/ipaclient/remote_plugins/2_164/pkinit.py new file mode 100644 index 000000000..fcb4c6b6b --- /dev/null +++ b/ipaclient/remote_plugins/2_164/pkinit.py 
@@ -0,0 +1,63 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos pkinit options + +Enable or disable anonymous pkinit using the principal +WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with +pkinit support. + +EXAMPLES: + + Enable anonymous pkinit: + ipa pkinit-anonymous enable + + Disable anonymous pkinit: + ipa pkinit-anonymous disable + +For more information on anonymous pkinit see: + +http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +""") + +register = Registry() + + +@register() +class pkinit(Object): + takes_params = ( + ) + + +@register() +class pkinit_anonymous(Command): + __doc__ = _("Enable or Disable Anonymous PKINIT.") + + takes_args = ( + parameters.Str( + 'action', + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_164/privilege.py b/ipaclient/remote_plugins/2_164/privilege.py new file mode 100644 index 000000000..9fb436a92 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/privilege.py 
@@ -0,0 +1,656 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Privileges + +A privilege combines permissions into a logical task. A permission provides +the rights to do a single task. There are some IPA operations that require +multiple permissions to succeed. A privilege is where permissions are +combined in order to perform a specific task. + +For example, adding a user requires the following permissions: + * Creating a new user entry + * Resetting a user password + * Adding the new user to the default IPA users group + +Combining these three low-level tasks into a higher level task in the +form of a privilege named "Add User" makes it easier to manage Roles. + +A privilege may not contain other privileges. + +See role and permission for additional information. 
+""") + +register = Registry() + + +@register() +class privilege(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'memberof_permission', + required=False, + label=_(u'Permissions'), + ), + parameters.Str( + 'member_role', + required=False, + label=_(u'Granting privilege to roles'), + ), + ) + + +@register() +class privilege_add(Method): + __doc__ = _("Add a new privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_add_member(Method): + __doc__ = _("Add members to a privilege.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class privilege_add_permission(Method): + __doc__ = _("Add permissions to a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions added'), + ), + ) + + +@register() +class privilege_del(Method): + __doc__ = _("Delete a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class privilege_find(Method): + __doc__ = _("Search for privileges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time 
Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class privilege_mod(Method): + __doc__ = _("Modify a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. 
Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the privilege object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_remove_member(Method): + __doc__ = _("Remove members from a privilege") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'roles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class privilege_remove_permission(Method): + __doc__ = _("Remove permissions from a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions removed'), + ), + ) + + +@register() +class privilege_show(Method): + __doc__ = _("Display information about a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
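Review bot: The `failed` output of `privilege_remove_permission` is documented as `doc=_(u'Members that could not be added')`, which looks copy-pasted from `privilege_add_permission`; the sibling `privilege_remove_member` in the same hunk correctly says `Members that could not be removed`. The line should read `doc=_(u'Members that could not be removed')` so that the API documentation for removing permissions from a privilege is not misleading about which operation failed. If this module is produced from a dump of the server API, the same wording presumably exists in the server-side plugin and should be corrected there as well so the bundled copy stays in sync.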
diff --git a/ipaclient/remote_plugins/2_164/pwpolicy.py b/ipaclient/remote_plugins/2_164/pwpolicy.py new file mode 100644 index 000000000..6010579d3 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/pwpolicy.py 
@@ -0,0 +1,937 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Password policy + +A password policy sets limitations on IPA passwords, including maximum +lifetime, minimum lifetime, the number of passwords to save in +history, the number of character classes required (for stronger passwords) +and the minimum password length. + +By default there is a single, global policy for all users. You can also +create a password policy to apply to a group. Each user is only subject +to one password policy, either the group policy or the global policy. A +group policy stands alone; it is not a super-set of the global policy plus +custom settings. + +Each group password policy requires a unique priority setting. If a user +is in multiple groups that have password policies, this priority determines +which password policy is applied. A lower value indicates a higher priority +policy. + +Group password policies are automatically removed when the groups they +are associated with are removed. 
+ +EXAMPLES: + + Modify the global policy: + ipa pwpolicy-mod --minlength=10 + + Add a new group password policy: + ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins + + Display the global password policy: + ipa pwpolicy-show + + Display a group password policy: + ipa pwpolicy-show localadmins + + Display the policy that would be applied to a given user: + ipa pwpolicy-show --user=tuser1 + + Modify a group password policy: + ipa pwpolicy-mod --minclasses=2 localadmins +""") + +register = Registry() + + +@register() +class cosentry(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + ) + + +@register() +class pwpolicy(Object): + takes_params = ( + parameters.Str( + 'cn', + required=False, + primary_key=True, + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', 
+ required=False, + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + ) + + +@register() +class cosentry_add(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_del(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class cosentry_find(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("cn")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cosentry_mod(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_show(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_add(Method): + __doc__ = _("Add a new group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_del(Method): + __doc__ = _("Delete a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class pwpolicy_find(Method): + __doc__ = _("Search for group password policies.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + 
doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class pwpolicy_mod(Method): + __doc__ = _("Modify a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + 
label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_show(Method): + __doc__ = _("Display information about password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + label=_(u'User'), + doc=_(u'Display effective policy for a specific user'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/radiusproxy.py b/ipaclient/remote_plugins/2_164/radiusproxy.py new file mode 100644 index 000000000..9bc020b5d --- /dev/null +++ b/ipaclient/remote_plugins/2_164/radiusproxy.py 
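Review bot: The help text for `cospriority` — `doc=_(u'Priority of the policy (higher number means lower priority')` — is missing its closing parenthesis, and the same string appears four times in this hunk (`pwpolicy`, `pwpolicy_add`, `pwpolicy_find`, `pwpolicy_mod`), so it is shown unbalanced in every `ipa pwpolicy-* --help`. Each occurrence should read `doc=_(u'Priority of the policy (higher number means lower priority)')`. Because the priority is what selects which lockout and lifetime rules apply to a user who is in several groups with policies, the help text that explains its direction is worth keeping unambiguous; if the file is generated from server output, the fix belongs in the server plugin too.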
@@ -0,0 +1,521 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +RADIUS Proxy Servers + +Manage RADIUS Proxy Servers. + +IPA supports the use of an external RADIUS proxy server for krb5 OTP +authentications. This permits a great deal of flexibility when +integrating with third-party authentication services. + +EXAMPLES: + + Add a new server: + ipa radiusproxy-add MyRADIUS --server=radius.example.com:1812 + + Find all servers whose entries include the string "example.com": + ipa radiusproxy-find example.com + + Examine the configuration: + ipa radiusproxy-show MyRADIUS + + Change the secret: + ipa radiusproxy-mod MyRADIUS --secret + + Delete a configuration: + ipa radiusproxy-del MyRADIUS +""") + +register = Registry() + + +@register() +class radiusproxy(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 
'ipatokenusermapattribute', + required=False, + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + ) + + +@register() +class radiusproxy_add(Method): + __doc__ = _("Add a new RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_del(Method): + __doc__ = _("Delete a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class radiusproxy_find(Method): + __doc__ = _("Search for RADIUS proxy servers.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + 
label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class radiusproxy_mod(Method): + __doc__ = _("Modify a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this RADIUS proxy server'), + ), + parameters.Str( + 'ipatokenradiusserver', + required=False, + multivalue=True, + cli_name='server', + label=_(u'Server'), + doc=_(u'The hostname or IP (with or without port)'), + ), + parameters.Password( + 'ipatokenradiussecret', + required=False, + cli_name='secret', + label=_(u'Secret'), + doc=_(u'The secret used to encrypt data'), + exclude=('cli', 'webui'), + confirm=True, + ), + parameters.Int( + 'ipatokenradiustimeout', + required=False, + cli_name='timeout', + label=_(u'Timeout'), + doc=_(u'The total timeout across all retries (in seconds)'), + ), + parameters.Int( + 'ipatokenradiusretries', + required=False, + cli_name='retries', + label=_(u'Retries'), + doc=_(u'The number of times to retry authentication'), + ), + parameters.Str( + 'ipatokenusermapattribute', + required=False, + cli_name='userattr', + label=_(u'User attribute'), + doc=_(u'The username attribute on the user object'), + ), + parameters.Str( + 'setattr', + required=False, + 
multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the RADIUS proxy server object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class radiusproxy_show(Method): + __doc__ = _("Display information about a RADIUS proxy server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'RADIUS proxy server name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/realmdomains.py b/ipaclient/remote_plugins/2_164/realmdomains.py new file mode 100644 index 000000000..f8f563a45 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/realmdomains.py 
@@ -0,0 +1,195 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Realm domains + +Manage the list of domains associated with IPA realm. + +EXAMPLES: + + Display the current list of realm domains: + ipa realmdomains-show + + Replace the list of realm domains: + ipa realmdomains-mod --domain=example.com + ipa realmdomains-mod --domain={example1.com,example2.com,example3.com} + + Add a domain to the list of realm domains: + ipa realmdomains-mod --add-domain=newdomain.com + + Delete a domain from the list of realm domains: + ipa realmdomains-mod --del-domain=olddomain.com +""") + +register = Registry() + + +@register() +class realmdomains(Object): + takes_params = ( + parameters.Str( + 'associateddomain', + multivalue=True, + label=_(u'Domain'), + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + ), + ) + + +@register() +class realmdomains_mod(Method): + __doc__ = _("Modify realm domains.") + + takes_options = ( + parameters.Str( + 'associateddomain', + required=False, + multivalue=True, + cli_name='domain', + label=_(u'Domain'), + no_convert=True, + ), + parameters.Str( + 'add_domain', + required=False, + label=_(u'Add domain'), + no_convert=True, + ), + parameters.Str( + 'del_domain', + required=False, + label=_(u'Delete domain'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force adding domain even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class realmdomains_show(Method): + __doc__ = _("Display the list of realm domains.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/role.py b/ipaclient/remote_plugins/2_164/role.py new file mode 100644 index 000000000..122d4cdee --- /dev/null +++ b/ipaclient/remote_plugins/2_164/role.py 
@@ -0,0 +1,758 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group junioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'junioradmin' can + add users, reset passwords or add a user to the default IPA user group. 
+""") + +register = Registry() + + +@register() +class role(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_privilege', + required=False, + label=_(u'Privileges'), + ), + parameters.Str( + 'member_service', + required=False, + label=_(u'Member services'), + ), + ) + + +@register() +class role_add(Method): + __doc__ = _("Add a new role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_add_member(Method): + __doc__ = _("Add members to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + 
cli_name='services', + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class role_add_privilege(Method): + __doc__ = _("Add privileges to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges added'), + ), + ) + + +@register() +class role_del(Method): + __doc__ = _("Delete a role.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), 
+ ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class role_find(Method): + __doc__ = _("Search for roles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class role_mod(Method): + __doc__ = _("Modify a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the role object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_remove_member(Method): + __doc__ = _("Remove members from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'service', + required=False, + multivalue=True, + cli_name='services', + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class role_remove_privilege(Method): + __doc__ = _("Remove privileges from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges removed'), + ), + ) + + +@register() +class role_show(Method): + __doc__ = _("Display information about a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/selfservice.py b/ipaclient/remote_plugins/2_164/selfservice.py new file mode 100644 index 000000000..5d7e36f30 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/selfservice.py 
@@ -0,0 +1,338 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Self-service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address (using Bash + brace expansion): + ipa selfservice-add --permissions=write --attrs={street,postalCode,l,c,st} "Users manage their own address" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. + Add telephoneNumber to the list (using Bash brace expansion): + ipa selfservice-mod --attrs={street,postalCode,l,c,st,telephoneNumber} "Users manage their own address" + + Display our updated rule: + ipa selfservice-show "Users manage their own address" + + Delete a rule: + ipa selfservice-del "Users manage their own address" +""") + +register = Registry() + + +@register() +class selfservice(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + ), + ) + + +@register() +class selfservice_add(Method): + __doc__ = _("Add a new self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_del(Method): + __doc__ = _("Delete a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_find(Method): + __doc__ = _("Search for a self-service permission.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selfservice_mod(Method): + __doc__ = _("Modify a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Attributes to which the permission applies.'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_show(Method): + __doc__ = _("Display information about a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/selinuxusermap.py b/ipaclient/remote_plugins/2_164/selinuxusermap.py new file mode 100644 index 000000000..cf572f9c7 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/selinuxusermap.py 
@@ -0,0 +1,905 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +SELinux User Mapping + +Map IPA users to SELinux users by host. + +Hosts, hostgroups, users and groups can be either defined within +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. + +EXAMPLES: + + Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server": + ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 + ipa selinuxusermap-add-host --hosts=server.example.com test1 + + Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts: + ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2 + + Display the properties of a rule: + ipa selinuxusermap-show test2 + + Create a rule for a specific user. 
This sets the SELinux context for + user john to unconfined_u:s0-s0:c0.c1023 on any machine: + ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined + ipa selinuxusermap-add-user --users=john john_unconfined + + Disable a rule: + ipa selinuxusermap-disable test1 + + Enable a rule: + ipa selinuxusermap-enable test1 + + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + + Remove a rule: + ipa selinuxusermap-del john_unconfined + +SEEALSO: + + The list controlling the order in which the SELinux user map is applied + and the default SELinux user are available in the config-show command. +""") + +register = Registry() + + +@register() +class selinuxusermap(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + ) + + +@register() +class selinuxusermap_add(Method): + __doc__ = _("Create a new SELinux User Map.") + + takes_args = ( + parameters.Str( 
+ 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_add_user(Method): + __doc__ = _("Add users and groups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_del(Method): + __doc__ = _("Delete a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class selinuxusermap_disable(Method): + __doc__ = _("Disable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_enable(Method): + __doc__ = _("Enable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_find(Method): + __doc__ = _("Search for SELinux User Maps.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selinuxusermap_mod(Method): + __doc__ = _("Modify a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host 
category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_remove_user(Method): + __doc__ = _("Remove users and groups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_show(Method): + __doc__ = _("Display the properties of a SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/server.py b/ipaclient/remote_plugins/2_164/server.py new file mode 100644 index 000000000..249b6a476 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/server.py 
@@ -0,0 +1,317 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA servers + +Get information about installed IPA servers. + +EXAMPLES: + + Find all servers: + ipa server-find + + Show specific server: + ipa server-show ipa.example.com +""") + +register = Registry() + + +@register() +class server(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + parameters.Str( + 'iparepltopomanagedsuffix', + required=False, + multivalue=True, + ), + parameters.Str( + 'iparepltopomanagedsuffix_topologysuffix', + required=False, + multivalue=True, + label=_(u'Managed suffixes'), + ), + parameters.Int( + 'ipamindomainlevel', + label=_(u'Min domain level'), + doc=_(u'Minimum domain level'), + ), + parameters.Int( + 'ipamaxdomainlevel', + label=_(u'Max domain level'), + doc=_(u'Maximum domain level'), + ), + ) + + +@register() +class server_conncheck(Method): + __doc__ = _("Check connection to remote IPA server.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + parameters.Str( + 'remote_cn', + cli_name='remote_name', + label=_(u'Remote server name'), + doc=_(u'Remote IPA server hostname'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the 
entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class server_del(Method): + __doc__ = _("Delete IPA server.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class server_find(Method): + __doc__ = _("Search for IPA servers.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + parameters.Int( + 'ipamindomainlevel', + required=False, + cli_name='minlevel', + label=_(u'Min domain level'), + doc=_(u'Minimum domain level'), + ), + parameters.Int( + 'ipamaxdomainlevel', + required=False, + cli_name='maxlevel', + label=_(u'Max domain level'), + doc=_(u'Maximum domain level'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'topologysuffix', + required=False, + multivalue=True, + cli_name='topologysuffixes', + label=_(u'suffix'), + doc=_(u'Search for servers with these managed suffixes.'), + ), + parameters.Str( + 'no_topologysuffix', + required=False, + multivalue=True, + cli_name='no_topologysuffixes', + label=_(u'suffix'), + doc=_(u'Search for servers without these managed suffixes.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class server_show(Method): + __doc__ = _("Show IPA server.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Server name'), + doc=_(u'IPA server hostname'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/service.py b/ipaclient/remote_plugins/2_164/service.py new file mode 100644 index 000000000..0c7b9d803 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/service.py 
@@ -0,0 +1,1225 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Services + +A IPA service represents a service that runs on a host. The IPA service +record can store a Kerberos principal, an SSL certificate, or both. + +An IPA service can be managed directly from a machine, provided that +machine has been given the correct permission. This is true even for +machines other than the one the service is associated with. For example, +requesting an SSL certificate using the host service principal credentials +of the host. To manage a service using host credentials you need to +kinit as the host: + + # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM + +Adding an IPA service allows the associated service to request an SSL +certificate or keytab, but this is performed as a separate step; they +are not produced as a result of adding the service. + +Only the public aspect of a certificate is stored in a service record; +the private key is not stored. + +EXAMPLES: + + Add a new IPA service: + ipa service-add HTTP/web.example.com + + Allow a host to manage an IPA service certificate: + ipa service-add-host --hosts=web.example.com HTTP/web.example.com + ipa role-add-member --hosts=web.example.com certadmin + + Override a default list of supported PAC types for the service: + ipa service-mod HTTP/web.example.com --pac-type=MS-PAC + + A typical use case where overriding the PAC type is needed is NFS. + Currently the related code in the Linux kernel can only handle Kerberos + tickets up to a maximal size. 
Since the PAC data can become quite large it + is recommended to set --pac-type=NONE for NFS services. + + Delete an IPA service: + ipa service-del HTTP/web.example.com + + Find all IPA services associated with a host: + ipa service-find web.example.com + + Find all HTTP services: + ipa service-find HTTP + + Disable the service Kerberos key and SSL certificate: + ipa service-disable HTTP/web.example.com + + Request a certificate for an IPA service: + ipa cert-request --principal=HTTP/web.example.com example.csr + + Allow user to create a keytab: + ipa service-allow-create-keytab HTTP/web.example.com --users=tuser1 + + Generate and retrieve a keytab for an IPA service: + ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab +""") + +register = Registry() + + +@register() +class service(Object): + takes_params = ( + parameters.Str( + 'krbprincipalname', + primary_key=True, + label=_(u'Principal'), + doc=_(u'Service principal'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_user', + label=_(u'Users allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_group', + label=_(u'Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_host', + label=_(u'Hosts allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_read_keys_hostgroup', + label=_(u'Host Groups allowed to retrieve keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_user', + label=_(u'Users allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_group', + label=_(u'Groups allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_host', + label=_(u'Hosts allowed to create keytab'), + ), + parameters.Str( + 'ipaallowedtoperform_write_keys_hostgroup', + label=_(u'Host Groups allowed to create keytab'), + ), + ) + + +@register() +class service_add(Method): + __doc__ = _("Add a new IPA new service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 
'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force principal name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_add_cert(Method): + __doc__ = _("Add new certificates to a service") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class service_add_host(Method): + __doc__ = _("Add hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_create_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_allow_retrieve_keytab(Method): + __doc__ = _("Allow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_del(Method): + __doc__ = _("Delete an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + multivalue=True, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class service_disable(Method): + __doc__ = _("Disable the Kerberos key and SSL certificate of a service.") + + takes_args = ( + parameters.Str( 
+ 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_disallow_create_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to create a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_disallow_retrieve_keytab(Method): + __doc__ = _("Disallow users, groups, hosts or host groups to retrieve a keytab of this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_find(Method): + __doc__ = _("Search for IPA services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. 
this might be necessary for NFS services."), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("principal")'), + default=False, + autofill=True, + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services without these managed by hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class service_mod(Method): + __doc__ = _("Modify an existing IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + 
doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service, e.g. this might be necessary for NFS services."), + ), + parameters.Bool( + 'ipakrbrequirespreauth', + required=False, + cli_name='requires_pre_auth', + label=_(u'Requires pre-authentication'), + doc=_(u'Pre-authentication is required for the service'), + ), + parameters.Bool( + 'ipakrbokasdelegate', + required=False, + cli_name='ok_as_delegate', + label=_(u'Trusted for delegation'), + doc=_(u'Client credentials may be delegated to the service'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_cert(Method): + __doc__ = _("Remove certificates from a service") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_host(Method): + __doc__ = _("Remove hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_show(Method): + __doc__ = _("Display information about an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/servicedelegation.py b/ipaclient/remote_plugins/2_164/servicedelegation.py new file mode 100644 index 000000000..d96462d91 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/servicedelegation.py 
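Review bot: The new ipaclient/remote_plugins/2_164/service.py carries no header saying how it was produced or that it is a frozen snapshot of the 2.164 server API, so a later hand edit to one of the parameters.Str/Flag definitions (for example the `cli_metavar` list on 'pac_type' or a `doc` string) would silently make the client advertise options the 2.164 server does not accept. The uniform structure and the blanket `# pylint: disable=unused-import` suggest the file was emitted by a tool, but the commit does not say so. A comment directly under the copyright line, such as `# Snapshot of the remote plugin interface for API version 2.164 -- do not edit, regenerate from the server instead.`, would make the contract clear; the same applies to the servicedelegation.py hunk that follows, whose end is outside this view.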
@@ -0,0 +1,907 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Service Constrained Delegation + +Manage rules to allow constrained delegation of credentials so +that a service can impersonate a user when communicating with another +service without requiring the user to actually forward their TGT. +This makes for a much better method of delegating credentials as it +prevents exposure of the short term secret of the user. + +The naming convention is to append the word "target" or "targets" to +a matching rule name. This is not mandatory but helps conceptually +to associate rules and targets. + +A rule consists of two things: + - A list of targets the rule applies to + - A list of memberPrincipals that are allowed to delegate for + those targets + +A target consists of a list of principals that can be delegated. + +In English, a rule says that this principal can delegate as this +list of principals, as defined by these targets. 
+ +EXAMPLES: + + Add a new constrained delegation rule: + ipa servicedelegationrule-add ftp-delegation + + Add a new constrained delegation target: + ipa servicedelegationtarget-add ftp-delegation-target + + Add a principal to the rule: + ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation + + Add our target to the rule: + ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation + + Add a principal to the target: + ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target + + Display information about a named delegation rule and target: + ipa servicedelegationrule_show ftp-delegation + ipa servicedelegationtarget_show ftp-delegation-target + + Remove a constrained delegation: + ipa servicedelegationrule-del ftp-delegation-target + ipa servicedelegationtarget-del ftp-delegation + +In this example the ftp service can get a TGT for the ldap service on +the bound user's behalf. + +It is strongly discouraged to modify the delegations that ship with +IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and +ipa-ldap-delegation-targets. Incorrect changes can remove the ability +to delegate, causing the framework to stop functioning. 
+""") + +register = Registry() + + +@register() +class servicedelegationrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'ipaallowedtarget_servicedelegationtarget', + label=_(u'Allowed Target'), + ), + ) + + +@register() +class servicedelegationtarget(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Delegation name'), + ), + ) + + +@register() +class servicedelegationrule_add(Method): + __doc__ = _("Create a new service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationrule_add_member(Method): + __doc__ = _("Add member to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_add_target(Method): + __doc__ = _("Add target to a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationrule_del(Method): + __doc__ = _("Delete service delegation.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationrule_find(Method): + __doc__ = _("Search for service delegations rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum 
number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationrule_remove_member(Method): + __doc__ = _("Remove member from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_remove_target(Method): + __doc__ = _("Remove target from a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'servicedelegationtarget', + required=False, + multivalue=True, + cli_name='servicedelegationtargets', + label=_(u'member service delegation target'), + doc=_(u'service delegation targets to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationrule_show(Method): + __doc__ = _("Display information about a named service delegation rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add(Method): + __doc__ = _("Create a new service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class servicedelegationtarget_add_member(Method): + __doc__ = _("Add member to a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class servicedelegationtarget_del(Method): + __doc__ = _("Delete service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class servicedelegationtarget_find(Method): + __doc__ = _("Search for service delegation target.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("delegation-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class servicedelegationtarget_remove_member(Method): + __doc__ = _("Remove member from a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'principal', + required=False, + multivalue=True, + cli_name='principals', + label=_(u'member principal'), + doc=_(u'principal to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class servicedelegationtarget_show(Method): + __doc__ = _("Display information about a named service delegation target.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='delegation_name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/session.py b/ipaclient/remote_plugins/2_164/session.py new file mode 100644 index 000000000..7b30c92a0 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/session.py 
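Review bot: The EXAMPLES block in the module docstring swaps the rule and target names in the removal step: `ipa servicedelegationrule-del ftp-delegation-target` and `ipa servicedelegationtarget-del ftp-delegation` each name the object created as the other type earlier in the same examples, so a reader copying them would presumably not remove what was created. The two lines should read `ipa servicedelegationrule-del ftp-delegation` and `ipa servicedelegationtarget-del ftp-delegation-target`, matching the add examples above them. Since this module appears to be a bundled copy of the server-side plugin definition for API 2.164, the correction presumably belongs in the server plugin and should be regenerated here rather than hand-edited; a header comment such as `# Bundled copy of the server API definition; regenerate, do not edit by hand.` would make that explicit for every module in this directory. The docstring's warning against modifying ipa-http-delegation and its targets is worth keeping prominent, as it is the only place the bundled definitions tell an operator which delegations the framework itself depends on.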
@@ -0,0 +1,34 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+    unicode = str
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+    __doc__ = _("RPC command used to log the current user out of their session.")
+
+    NO_CLI = True
+
+    takes_options = (
+    )
+    has_output = (
+        output.Output(
+            'result',
+        ),
+    )
diff --git a/ipaclient/remote_plugins/2_164/stageuser.py b/ipaclient/remote_plugins/2_164/stageuser.py
new file mode 100644
index 000000000..37ccb28c9
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/stageuser.py
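Review bot: `takes_options` in session_logout is an empty tuple spread over two lines; `takes_options = ()` on one line reads as a deliberate no-arguments command rather than a list that lost its entries. The single `output.Output('result')` entry carries neither a type nor a `doc`, unlike the `summary`/`failed`/`completed` outputs in the neighbouring bundled modules, so the client has nothing to validate or describe for a logout result. If the 2.164 server definition is indeed untyped here, a one-line comment such as `# server declares an untyped, undocumented result for logout` would stop the next reader from treating it as an omission in the bundling.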
@@ -0,0 +1,1616 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Stageusers + +Manage stage user entries. + +Stage user entries are directly under the container: "cn=stage users, +cn=accounts, cn=provisioning, SUFFIX". +User can not authenticate with those entries (even if the entries +contain credentials) and are candidate to become Active entries. + +Active user entries are Posix users directly under the container: "cn=accounts, SUFFIX". +User can authenticate with Active entries, at the condition they have +credentials + +Delete user entries are Posix users directly under the container: "cn=deleted users, +cn=accounts, cn=provisioning, SUFFIX". +User can not authenticate with those entries (even if the entries contain credentials) + +The stage user container contains entries + - created by 'stageuser-add' commands that are Posix users + - created by external provisioning system + +A valid stage user entry MUST: + - entry RDN is 'uid' + - ipaUniqueID is 'autogenerate' + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. 
+ + +EXAMPLES: + + Add a new stageuser: + ipa stageuser-add --first=Tim --last=User --password tuser1 + + Add a stageuser from the Delete container + ipa stageuser-add --first=Tim --last=User --from-delete tuser1 +""") + +register = Registry() + + +@register() +class stageuser(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + 
required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + 
required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class stageuser_activate(Method): + __doc__ = _("Activate a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_add(Method): + __doc__ = _("Add a new stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + 
required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + autofill=True, + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Bool( + 'from_delete', + required=False, + deprecated=True, + doc=_(u'Create Stage user in from a delete user'), + exclude=('cli', 'webui'), + default=False, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_add_manager(Method): + __doc__ = _("Add a manager to the stage user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class stageuser_del(Method): + __doc__ = _("Delete a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class stageuser_find(Method): + __doc__ = _("Search for stage users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last 
name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + 
cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + 
parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for stage users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for stage users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for stage users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + 
multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for stage users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for stage users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for stage users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for stage users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for stage users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for stage users with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for stage users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class stageuser_mod(Method): + __doc__ = _("Modify a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = 
( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + 
required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS 
proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the stage user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class stageuser_remove_manager(Method): + __doc__ = _("Remove a manager to the stage user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class stageuser_show(Method): + __doc__ = _("Display information about a stage user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_164/sudocmd.py b/ipaclient/remote_plugins/2_164/sudocmd.py new file mode 100644 index 000000000..ccc78a77a --- /dev/null +++ b/ipaclient/remote_plugins/2_164/sudocmd.py 
@@ -0,0 +1,394 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Commands + +Commands used as building blocks for sudo + +EXAMPLES: + + Create a new command + ipa sudocmd-add --desc='For reading log files' /usr/bin/less + + Remove a command + ipa sudocmd-del /usr/bin/less +""") + +register = Registry() + + +@register() +class sudocmd(Object): + takes_params = ( + parameters.Str( + 'sudocmd', + primary_key=True, + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'memberof_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + ) + + +@register() +class sudocmd_add(Method): + __doc__ = _("Create new Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_del(Method): + __doc__ = _("Delete Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + multivalue=True, + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmd_find(Method): + __doc__ = _("Search for Sudo Commands.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'sudocmd', + required=False, + cli_name='command', + label=_(u'Sudo Command'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("command")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmd_mod(Method): + __doc__ = _("Modify Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this command'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmd_show(Method): + __doc__ = _("Display Sudo Command.") + + takes_args = ( + parameters.Str( + 'sudocmd', + cli_name='command', + label=_(u'Sudo Command'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/sudocmdgroup.py b/ipaclient/remote_plugins/2_164/sudocmdgroup.py new file mode 100644 index 000000000..747213d93 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/sudocmdgroup.py 
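Review bot: The new module `ipaclient/remote_plugins/2_164/sudocmd.py` carries no comment saying what it is or where its definitions come from; only the commit message explains that these files are bundled interface definitions for servers without API schema support, keyed to API version 2.164. A reader opening the file sees a copy of server-side `sudocmd` plugin declarations under a blanket `# pylint: disable=unused-import` with nothing indicating that the file must mirror the server and not be edited independently. Suggest adding, directly after the copyright header, `# Remote plugin interface definitions for API version 2.164 (servers without API schema support); keep in sync with the server-side sudocmd plugin rather than editing by hand.` The same applies to the `sudocmdgroup.py` module that begins at the end of this diff. Since these classes only declare parameters and outputs, any validation of `sudocmd` values presumably remains with the server, which the comment could also state.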
@@ -0,0 +1,540 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of Sudo Commands + +Manage groups of Sudo Commands. + +EXAMPLES: + + Add a new Sudo Command Group: + ipa sudocmdgroup-add --desc='administrators commands' admincmds + + Remove a Sudo Command Group: + ipa sudocmdgroup-del admincmds + + Manage Sudo Command Group membership, commands: + ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less --sudocmds=/usr/bin/vim admincmds + + Manage Sudo Command Group membership, commands: + ipa group-remove-member --sudocmds=/usr/bin/less admincmds + + Show a Sudo Command Group: + ipa group-show localadmins +""") + +register = Registry() + + +@register() +class sudocmdgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Sudo Command Group'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'membercmd_sudocmd', + required=False, + label=_(u'Commands'), + ), + parameters.Str( + 'membercmd_sudocmdgroup', + required=False, + label=_(u'Sudo Command Groups'), + ), + parameters.Str( + 'member_sudocmd', + required=False, + label=_(u'Member Sudo commands'), + ), + ) + + +@register() +class sudocmdgroup_add(Method): + __doc__ = _("Create new Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_add_member(Method): + __doc__ = _("Add members to Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudocmdgroup_del(Method): + __doc__ = _("Delete Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudocmdgroup_find(Method): + __doc__ = _("Search for Sudo Command Groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is 
unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudocmdgroup_mod(Method): + __doc__ = _("Modify Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. 
Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudocmdgroup_remove_member(Method): + __doc__ = _("Remove members from Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudocmdgroup_show(Method): + __doc__ = _("Display Sudo Command Group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudocmdgroup_name', + label=_(u'Sudo Command Group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
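Review bot: The module docstring of sudocmdgroup.py (the `__doc__ = _("""…""")` block near the top of the hunk) gives misleading command names in its examples: both membership examples carry the title "Manage Sudo Command Group membership, commands:", the second runs `ipa group-remove-member --sudocmds=/usr/bin/less admincmds`, and the show example runs `ipa group-show localadmins`, while the commands this file actually defines are `sudocmdgroup_remove_member` and `sudocmdgroup_show`. A user copying the examples would operate on a user group rather than the sudo command group, which matters because this object controls what may be run through sudo. Since these files appear to be snapshots of the 2.164 server API text, I would not hand-edit them here; the wording should be corrected in the server-side plugin and the bundled copy refreshed so it stays identical to what a server of that version returns.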
diff --git a/ipaclient/remote_plugins/2_164/sudorule.py b/ipaclient/remote_plugins/2_164/sudorule.py new file mode 100644 index 000000000..5d185ed31 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/sudorule.py 
@@ -0,0 +1,1774 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Rules + +Sudo (su "do") allows a system administrator to delegate authority to +give certain users (or groups of users) the ability to run some (or all) +commands as root or another user while providing an audit trail of the +commands and their arguments. + +FreeIPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. + Deny Command: The specific command(s) prohibited to be run via Sudo. + RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. + RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. + Options: The various Sudoers Options that can modify Sudo's behavior. + +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. 
+ +FreeIPA provides a designated binddn to use with Sudo located at: +uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +To enable the binddn run the following command to set the password: +LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +EXAMPLES: + + Create a new rule: + ipa sudorule-add readfiles + + Add sudo command object and add it as allowed command in the rule: + ipa sudocmd-add /usr/bin/less + ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less + + Add a host to the rule: + ipa sudorule-add-host readfiles --hosts server.example.com + + Add a user to the rule: + ipa sudorule-add-user readfiles --users jsmith + + Add a special Sudo rule for default Sudo server configuration: + ipa sudorule-add defaults + + Set a default Sudo option: + ipa sudorule-add-option defaults --sudooption '!authenticate' +""") + +register = Registry() + + +@register() +class sudorule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies 
to'), + ), + parameters.Int( + 'sudoorder', + required=False, + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'hostmask', + multivalue=True, + label=_(u'Host Masks'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'memberallowcmd_sudocmd', + required=False, + label=_(u'Sudo Allow Commands'), + ), + parameters.Str( + 'memberdenycmd_sudocmd', + required=False, + label=_(u'Sudo Deny Commands'), + ), + parameters.Str( + 'memberallowcmd_sudocmdgroup', + required=False, + label=_(u'Sudo Allow Command Groups'), + ), + parameters.Str( + 'memberdenycmd_sudocmdgroup', + required=False, + label=_(u'Sudo Deny Command Groups'), + ), + parameters.Str( + 'ipasudorunas_user', + required=False, + label=_(u'RunAs Users'), + doc=_(u'Run as a user'), + ), + parameters.Str( + 'ipasudorunas_group', + required=False, + label=_(u'Groups of RunAs Users'), + doc=_(u'Run as any user within a specified group'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextusergroup', + required=False, + label=_(u'External Groups of RunAs Users'), + doc=_(u'External Groups of users that the command can run as'), + ), + parameters.Str( + 'ipasudorunasgroup_group', + required=False, + label=_(u'RunAs Groups'), + 
doc=_(u'Run with the gid of a specified POSIX group'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudoopt', + required=False, + label=_(u'Sudo Option'), + ), + ) + + +@register() +class sudorule_add(Method): + __doc__ = _("Create new Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the 
rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_allow_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_deny_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_host(Method): + __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_option(Method): + __doc__ = _("Add an option to the Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_runasgroup(Method): + __doc__ = _("Add group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_runasuser(Method): + __doc__ = _("Add users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_user(Method): + __doc__ = _("Add users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_del(Method): + __doc__ = _("Delete Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class sudorule_disable(Method): + __doc__ = _("Disable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_enable(Method): + __doc__ = _("Enable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class 
sudorule_find(Method): + __doc__ = _("Search for Sudo Rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudorule-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudorule_mod(Method): + __doc__ = _("Modify Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', 
+ required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as 
(sudorule-find only)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_allow_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_deny_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_host(Method): + __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostmask', + required=False, + multivalue=True, + label=_(u'host masks of allowed hosts'), + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_option(Method): + __doc__ = _("Remove an option from Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_runasgroup(Method): + __doc__ = _("Remove group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_runasuser(Method): + __doc__ = _("Remove users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_user(Method): + __doc__ = _("Remove users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_show(Method): + __doc__ = _("Display Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_164/topology.py b/ipaclient/remote_plugins/2_164/topology.py
new file mode 100644
index 000000000..6347fb9ea
--- /dev/null
+++ b/ipaclient/remote_plugins/2_164/topology.py
@@ -0,0 +1,1055 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Topology + +Management of a replication topology at domain level 1. + +IPA server's data is stored in LDAP server in two suffixes: +* domain suffix, e.g., 'dc=example,dc=com', contains all domain related data +* ca suffix, 'o=ipaca', is present only on server with CA installed. It + contains data for Certificate Server component + +Data stored on IPA servers is replicated to other IPA servers. The way it is +replicated is defined by replication agreements. Replication agreements needs +to be set for both suffixes separately. On domain level 0 they are managed +using ipa-replica-manage and ipa-csreplica-manage tools. With domain level 1 +they are managed centrally using `ipa topology*` commands. + +Agreements are represented by topology segments. By default topology segment +represents 2 replication agreements - one for each direction, e.g., A to B and +B to A. Creation of unidirectional segments is not allowed. 
+ +To verify that no server is disconnected in the topology of the given suffix, +use: + ipa topologysuffix-verify $suffix + + +Examples: + Find all IPA servers: + ipa server-find + + Find all suffixes: + ipa topologysuffix-find + + Add topology segment to 'domain' suffix: + ipa topologysegment-add domain --left IPA_SERVER_A --right IPA_SERVER_B + + Add topology segment to 'ca' suffix: + ipa topologysegment-add ca --left IPA_SERVER_A --right IPA_SERVER_B + + List all topology segments in 'domain' suffix: + ipa topologysegment-find domain + + List all topology segments in 'ca' suffix: + ipa topologysegment-find ca + + Delete topology segment in 'domain' suffix: + ipa topologysegment-del domain segment_name + + Delete topology segment in 'ca' suffix: + ipa topologysegment-del ca segment_name + + Verify topology of 'domain' suffix: + ipa topologysuffix-verify domain + + Verify topology of 'ca' suffix: + ipa topologysuffix-verify ca +""") + +register = Registry() + + +@register() +class topologysegment(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + ), + parameters.Str( + 'iparepltoposegmentleftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + ), + parameters.Str( + 'iparepltoposegmentrightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + ), + parameters.Str( + 'iparepltoposegmentdirection', + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional 
update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + ), + ) + + +@register() +class topologysuffix(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Suffix name'), + ), + parameters.DNParam( + 'iparepltopoconfroot', + label=_(u'Managed LDAP suffix DN'), + ), + ) + + +@register() +class topologysegment_add(Method): + __doc__ = _("Add a new segment.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'iparepltoposegmentleftnode', + cli_name='leftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentrightnode', + cli_name='rightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + no_convert=True, 
+ ), + parameters.Str( + 'iparepltoposegmentdirection', + cli_name='direction', + cli_metavar="['both', 'left-right', 'right-left']", + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + exclude=('cli', 'webui'), + default=u'both', + autofill=True, + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_del(Method): + __doc__ = _("Delete a segment.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + 
) + + +@register() +class topologysegment_find(Method): + __doc__ = _("Search for topology segments.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentleftnode', + required=False, + cli_name='leftnode', + label=_(u'Left node'), + doc=_(u'Left replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentrightnode', + required=False, + cli_name='rightnode', + label=_(u'Right node'), + doc=_(u'Right replication node - an IPA server'), + no_convert=True, + ), + parameters.Str( + 'iparepltoposegmentdirection', + required=False, + cli_name='direction', + cli_metavar="['both', 'left-right', 'right-left']", + label=_(u'Connectivity'), + doc=_(u'Direction of replication between left and right replication node'), + exclude=('cli', 'webui'), + default=u'both', + ), + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. 
E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class topologysegment_mod(Method): + __doc__ = _("Modify a segment.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'nsds5replicastripattrs', + required=False, + cli_name='stripattrs', + label=_(u'Attributes to strip'), + doc=_(u'A space separated list of attributes which are removed from replication updates.'), + no_convert=True, + ), + parameters.Str( + 'nsds5replicatedattributelist', + required=False, + cli_name='replattrs', + label=_(u'Attributes to replicate'), + doc=_(u'Attributes that are not replicated to a consumer server during a fractional update. 
E.g., `(objectclass=*) $ EXCLUDE accountlockout memberof'), + ), + parameters.Str( + 'nsds5replicatedattributelisttotal', + required=False, + cli_name='replattrstotal', + label=_(u'Attributes for total update'), + doc=_(u'Attributes that are not replicated to a consumer server during a total update. E.g. (objectclass=*) $ EXCLUDE accountlockout'), + ), + parameters.Int( + 'nsds5replicatimeout', + required=False, + cli_name='timeout', + label=_(u'Session timeout'), + doc=_(u'Number of seconds outbound LDAP operations waits for a response from the remote replica before timing out and failing'), + ), + parameters.Str( + 'nsds5replicaenabled', + required=False, + cli_name='enabled', + cli_metavar="['on', 'off']", + label=_(u'Replication agreement enabled'), + doc=_(u'Whether a replication agreement is active, meaning whether replication is occurring per that agreement'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_reinitialize(Method): + __doc__ = _("Request a full re-initialization of the node retrieving data from the other node.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'left', + required=False, + doc=_(u'Initialize left node'), + default=False, + autofill=True, + ), + parameters.Flag( + 'right', + required=False, + doc=_(u'Initialize right node'), + default=False, + autofill=True, + ), + parameters.Flag( + 'stop', + required=False, + doc=_(u'Stop already started refresh of chosen node(s)'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class topologysegment_show(Method): + __doc__ = _("Display a segment.") + + takes_args = ( + parameters.Str( + 'topologysuffixcn', + cli_name='topologysuffix', + label=_(u'Suffix name'), + ), + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Segment name'), + doc=_(u'Arbitrary string identifying the segment'), + default_from=DefaultFrom(lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: None, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + # FIXME: + # lambda iparepltoposegmentleftnode, iparepltoposegmentrightnode: + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_add(Method): + __doc__ = _("Add a new topology suffix to be managed.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.DNParam( + 'iparepltopoconfroot', + cli_name='suffix_dn', + label=_(u'Managed LDAP suffix DN'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_del(Method): + __doc__ = _("Delete a topology suffix.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class topologysuffix_find(Method): + __doc__ = _("Search for topology suffixes.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Suffix name'), + ), + parameters.DNParam( + 
'iparepltopoconfroot', + required=False, + cli_name='suffix_dn', + label=_(u'Managed LDAP suffix DN'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class topologysuffix_mod(Method): + __doc__ = _("Modify a topology suffix.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.DNParam( + 'iparepltopoconfroot', + required=False, + cli_name='suffix_dn', + label=_(u'Managed LDAP suffix DN'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_show(Method): + __doc__ = _("Show managed suffix.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class topologysuffix_verify(Method): + __doc__ = _(""" +Verify replication topology for suffix. + +Checks done: + 1. check if a topology is not disconnected. In other words if there are + replication paths between all servers. + 2. check if servers don't have more than the recommended number of + replication agreements + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Suffix name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_164/trust.py b/ipaclient/remote_plugins/2_164/trust.py new file mode 100644 index 000000000..369ffcd18 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/trust.py 
@@ -0,0 +1,1264 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad --admin --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show + +4. Delete existing trust relationship: + + ipa trust-del + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. 
Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external + + +GLOBAL TRUST CONFIGURATION + +When IPA AD trust subpackage is installed and ipa-adtrust-install is run, +a local domain configuration (SID, GUID, NetBIOS name) is generated. These +identifiers are then used when communicating with a trusted domain of the +particular type. + +1. Show global trust configuration for Active Directory type of trusts: + + ipa trustconfig-show --type ad + +2. Modify global configuration for all trusts of Active Directory type and set + a different fallback primary group (fallback primary group GID is used as + a primary user GID if user authenticating to IPA domain does not have any other + primary GID already set): + + ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group" + +3. 
Change primary fallback group back to default hidden group (any group with + posixGroup object class is allowed): + + ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group" +""") + +register = Registry() + + +@register() +class trust(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + label=_(u'SID blacklist outgoing'), + ), + ) + + +@register() +class trustconfig(Object): + takes_params = ( + parameters.Str( + 'cn', + label=_(u'Domain'), + ), + parameters.Str( + 'ipantsecurityidentifier', + label=_(u'Security Identifier'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'NetBIOS name'), + ), + parameters.Str( + 'ipantdomainguid', + label=_(u'Domain GUID'), + ), + parameters.Str( + 'ipantfallbackprimarygroup', + label=_(u'Fallback primary group'), + ), + ) + + +@register() +class trustdomain(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + ), + ) + + +@register() +class adtrust_is_enabled(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run on this system") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class compat_is_enabled(Command): + __doc__ = _("Determine 
whether Schema Compatibility plugin is configured to serve trusted domain users and groups") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sidgen_was_run(Command): + __doc__ = _("Determine whether ipa-adtrust-install has been run with sidgen task") + + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class trust_add(Method): + __doc__ = _(""" +Add new trust to use. + +This command establishes trust relationship to another domain +which becomes 'trusted'. As result, users of the trusted domain +may access resources of this domain. + +Only trusts to Active Directory domains are supported right now. + +The command can be safely run multiple times against the same domain, +this will cause change to trust relationship credentials on both +sides. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Str( + 'realm_admin', + required=False, + cli_name='admin', + label=_(u'Active Directory domain administrator'), + ), + parameters.Password( + 'realm_passwd', + required=False, + cli_name='password', + label=_(u"Active Directory domain administrator's password"), + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Password( + 'trust_secret', + required=False, + label=_(u'Shared secret for the trust'), + ), + parameters.Int( + 'base_id', + required=False, + label=_(u'First Posix ID of the range reserved for the trusted domain'), + ), + parameters.Int( + 'range_size', + required=False, + label=_(u'Size of the ID range reserved for the trusted domain'), + ), + parameters.Str( + 'range_type', + required=False, + cli_metavar="['ipa-ad-trust-posix', 'ipa-ad-trust']", + label=_(u'Range type'), + doc=_(u'Type of trusted domain ID range, one of ipa-ad-trust-posix, ipa-ad-trust'), + ), + parameters.Bool( + 'bidirectional', + required=False, + cli_name='two_way', + label=_(u'Two-way trust'), + doc=_(u'Establish bi-directional trust. By default trust is inbound one-way only.'), + default=False, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_del(Method): + __doc__ = _("Delete a trust.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trust_fetch_domains(Method): + __doc__ = _("Refresh list of the domains associated with the trust") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_find(Method): + __doc__ = _("Search for trusts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='realm', + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("realm")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_mod(Method): + __doc__ = _(""" +Modify a trust (for future use). + + Currently only the default option to modify the LDAP attributes is + available. More specific options will be added in coming releases. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. 
The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_resolve(Command): + __doc__ = _("Resolve security identifiers of users and groups in trusted domains") + + NO_CLI = True + + takes_options = ( + parameters.Str( + 'sids', + multivalue=True, + label=_(u'Security Identifiers (SIDs)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.ListOfEntries( + 'result', + ), + ) + + +@register() +class trust_show(Method): + __doc__ = _("Display information about a trust.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_mod(Method): + __doc__ = _("Modify global trust configuration.") + + takes_options = ( + parameters.Str( + 'ipantfallbackprimarygroup', + required=False, + cli_name='fallback_primary_group', + label=_(u'Fallback primary group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_show(Method): + __doc__ = _("Show global trust configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_add(Method): + __doc__ = _("Allow access from the trusted domain") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_del(Method): + __doc__ = _("Remove infromation about the domain associated with the trust.") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + multivalue=True, + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class trustdomain_disable(Method): + __doc__ = _("Disable use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_enable(Method): + __doc__ = _("Allow use of IPA resources by the domain of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustdomain_find(Method): + __doc__ = _("Search domains of the trust") + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='domain', + label=_(u'Domain name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("domain")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trustdomain_mod(Method): + __doc__ = _("Modify trustdomain of the trust") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'trustcn', + cli_name='trust', + label=_(u'Realm name'), + ), + parameters.Str( + 'cn', + cli_name='domain', + label=_(u'Domain name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipanttrustpartner', + required=False, + label=_(u'Trusted domain partner'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/user.py b/ipaclient/remote_plugins/2_164/user.py new file mode 100644 index 000000000..8b8b850c0 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/user.py 
@@ -0,0 +1,1993 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Users + +Manage user entries. All users are POSIX users. + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + +Disabling a user account prevents that user from obtaining new Kerberos +credentials. It does not invalidate any credentials that have already +been issued. + +Password management is not a part of this module. For more information +about this topic please see: ipa help passwd + +Account lockout on password failure happens per IPA master. The user-status +command can be used to identify which master the user is locked out on. +It is on that master the administrator must unlock the user. 
+ +EXAMPLES: + + Add a new user: + ipa user-add --first=Tim --last=User --password tuser1 + + Find all users whose entries include the string "Tim": + ipa user-find Tim + + Find all users with "Tim" as the first name: + ipa user-find --first=Tim + + Disable a user account: + ipa user-disable tuser1 + + Enable a user account: + ipa user-enable tuser1 + + Delete a user: + ipa user-del tuser1 +""") + +register = Registry() + + +@register() +class user(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + required=False, + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + 
required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + 
required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + ), + parameters.Bool( + 'preserved', + required=False, + label=_(u'Preserved user'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class user_add(Method): + __doc__ = _("Add a new user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 
'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + autofill=True, + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 
'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'noprivate', + doc=_(u"Don't create user private group"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_add_cert(Method): + __doc__ = _("Add one or more certificates to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_add_manager(Method): + __doc__ = _("Add a manager to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class user_del(Method): + __doc__ = _("Delete a user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Bool( + 'preserve', + required=False, + exclude=('cli',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class user_disable(Method): + __doc__ = _("Disable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 
'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_enable(Method): + __doc__ = _("Enable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_find(Method): + __doc__ = _("Search for users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 
'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 
'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred 
Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Bool( + 'preserved', + required=False, + label=_(u'Preserved user'), + default=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Flag( + 'whoami', + label=_(u'Self'), + doc=_(u'Display user record for current Kerberos principal'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + 
required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_mod(Method): + __doc__ = _("Modify a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + 
label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.DateTime( + 'krbprincipalexpiration', + required=False, + cli_name='principal_expiration', + label=_(u'Kerberos principal expiration'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + 
cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + multivalue=True, + label=_(u'Car License'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'ipauserauthtype', + required=False, + multivalue=True, + cli_name='user_auth_type', + cli_metavar="['password', 'radius', 'otp']", + label=_(u'User authentication types'), + doc=_(u'Types of supported user authentication'), + ), + parameters.Str( + 'userclass', + required=False, + multivalue=True, + cli_name='class', + label=_(u'Class'), + doc=_(u'User category (semantics placed on this attribute are for local interpretation)'), + ), + parameters.Str( + 'ipatokenradiusconfiglink', + required=False, + cli_name='radius', + label=_(u'RADIUS proxy configuration'), + ), + parameters.Str( + 'ipatokenradiususername', + required=False, + cli_name='radius_username', + label=_(u'RADIUS proxy username'), + ), + parameters.Str( + 'departmentnumber', + required=False, + multivalue=True, + label=_(u'Department Number'), + ), + parameters.Str( + 'employeenumber', + required=False, + label=_(u'Employee Number'), + ), + parameters.Str( + 'employeetype', + required=False, + label=_(u'Employee Type'), + ), + parameters.Str( + 'preferredlanguage', + required=False, + label=_(u'Preferred Language'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 
'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_remove_cert(Method): + __doc__ = _("Remove one or more certificates to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + alwaysask=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_remove_manager(Method): + __doc__ = _("Remove a manager to the user entry") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class user_show(Method): + __doc__ = _("Display information about a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_stage(Method): + __doc__ = _("Move deleted user into staged area") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class user_status(Method): + __doc__ = _(""" +Lockout status of a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. A locked account is a temporary condition and may be unlocked by + an administrator. + + This connects to each IPA master and displays the lockout status on + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. 
+ For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_undel(Method): + __doc__ = _("Undelete a delete user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + 
(unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_unlock(Method): + __doc__ = _(""" +Unlock a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. A locked account is a temporary condition and may be unlocked by + an administrator. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'iparepltoposegmentleftnode', 'iparepltoposegmentrightnode'), + no_convert=True, + ), + ) + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_164/vault.py b/ipaclient/remote_plugins/2_164/vault.py new file mode 100644 index 000000000..8da030cf3 --- /dev/null +++ b/ipaclient/remote_plugins/2_164/vault.py 
@@ -0,0 +1,1680 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Vaults + +Manage vaults. + +Vault is a secure place to store a secret. + +Based on the ownership there are three vault categories: +* user/private vault +* service vault +* shared vault + +User vaults are vaults owned used by a particular user. Private +vaults are vaults owned the current user. Service vaults are +vaults owned by a service. Shared vaults are owned by the admin +but they can be used by other users or services. + +Based on the security mechanism there are three types of +vaults: +* standard vault +* symmetric vault +* asymmetric vault + +Standard vault uses a secure mechanism to transport and +store the secret. The secret can only be retrieved by users +that have access to the vault. + +Symmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a password before transport. +The secret can only be retrieved using the same password. + +Asymmetric vault is similar to the standard vault, but it +pre-encrypts the secret using a public key before transport. +The secret can only be retrieved using the private key. 
+ +EXAMPLES: + + List vaults: + ipa vault-find + [--user |--service |--shared] + + Add a standard vault: + ipa vault-add + [--user |--service |--shared] + --type standard + + Add a symmetric vault: + ipa vault-add + [--user |--service |--shared] + --type symmetric --password-file password.txt + + Add an asymmetric vault: + ipa vault-add + [--user |--service |--shared] + --type asymmetric --public-key-file public.pem + + Show a vault: + ipa vault-show + [--user |--service |--shared] + + Modify vault description: + ipa vault-mod + [--user |--service |--shared] + --desc + + Modify vault type: + ipa vault-mod + [--user |--service |--shared] + --type + [old password/private key] + [new password/public key] + + Modify symmetric vault password: + ipa vault-mod + [--user |--service |--shared] + --change-password + ipa vault-mod + [--user |--service |--shared] + --old-password + --new-password + ipa vault-mod + [--user |--service |--shared] + --old-password-file + --new-password-file + + Modify asymmetric vault keys: + ipa vault-mod + [--user |--service |--shared] + --private-key-file + --public-key-file + + Delete a vault: + ipa vault-del + [--user |--service |--shared] + + Display vault configuration: + ipa vaultconfig-show + + Archive data into standard vault: + ipa vault-archive + [--user |--service |--shared] + --in + + Archive data into symmetric vault: + ipa vault-archive + [--user |--service |--shared] + --in + --password-file password.txt + + Archive data into asymmetric vault: + ipa vault-archive + [--user |--service |--shared] + --in + + Retrieve data from standard vault: + ipa vault-retrieve + [--user |--service |--shared] + --out + + Retrieve data from symmetric vault: + ipa vault-retrieve + [--user |--service |--shared] + --out + --password-file password.txt + + Retrieve data from asymmetric vault: + ipa vault-retrieve + [--user |--service |--shared] + --out --private-key-file private.pem + + Add vault owners: + ipa vault-add-owner + [--user |--service 
|--shared] + [--users ] [--groups ] [--services ] + + Delete vault owners: + ipa vault-remove-owner + [--user |--service |--shared] + [--users ] [--groups ] [--services ] + + Add vault members: + ipa vault-add-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] + + Delete vault members: + ipa vault-remove-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] +""") + +register = Registry() + + +@register() +class vault(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Vault name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + label=_(u'Type'), + doc=_(u'Vault type'), + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'owner_user', + required=False, + label=_(u'Owner users'), + ), + parameters.Str( + 'owner_group', + required=False, + label=_(u'Owner groups'), + ), + parameters.Str( + 'owner_service', + required=False, + label=_(u'Owner services'), + ), + parameters.Str( + 'owner', + required=False, + label=_(u'Failed owners'), + ), + parameters.Str( + 'service', + required=False, + label=_(u'Vault service'), + ), + parameters.Flag( + 'shared', + required=False, + label=_(u'Shared vault'), + ), + parameters.Str( + 'username', + required=False, + label=_(u'Vault user'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_service', + required=False, + label=_(u'Member services'), + ), + ) + + +@register() +class vaultconfig(Object): + takes_params = ( + parameters.Bytes( + 'transport_cert', + 
label=_(u'Transport Certificate'), + ), + ) + + +@register() +class vaultcontainer(Object): + takes_params = ( + parameters.Str( + 'owner_user', + required=False, + label=_(u'Owner users'), + ), + parameters.Str( + 'owner_group', + required=False, + label=_(u'Owner groups'), + ), + parameters.Str( + 'owner_service', + required=False, + label=_(u'Owner services'), + ), + parameters.Str( + 'owner', + required=False, + label=_(u'Failed owners'), + ), + parameters.Str( + 'service', + required=False, + label=_(u'Vault service'), + ), + parameters.Flag( + 'shared', + required=False, + label=_(u'Shared vault'), + ), + parameters.Str( + 'username', + required=False, + label=_(u'Vault user'), + ), + ) + + +@register() +class kra_is_enabled(Command): + NO_CLI = True + + takes_options = ( + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_add_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + autofill=True, + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + cli_name='salt', + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + cli_name='public_key', + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_add_member(Method): + __doc__ = _("Add members to a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'member service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class vault_add_owner(Method): + __doc__ = _("Add owners to a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + 
takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners added'), + ), + ) + + +@register() +class vault_archive_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + 
parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Bytes( + 'session_key', + doc=_(u'Session key wrapped with transport certificate'), + ), + parameters.Bytes( + 'vault_data', + doc=_(u'Vault data encrypted with session key'), + ), + parameters.Bytes( + 'nonce', + doc=_(u'Nonce'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vault_del(Method): + __doc__ = _("Delete a vault.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() +class vault_find(Method): + 
__doc__ = _("Search for vaults.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Vault name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds (0 is unlimited)'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned (0 is unlimited)'), + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'services', + required=False, + doc=_(u'List all service vaults'), + default=False, + autofill=True, + ), + parameters.Flag( + 'users', + required=False, + doc=_(u'List all user vaults'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class vault_mod_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Vault description'), + ), + parameters.Str( + 'ipavaulttype', + required=False, + cli_name='type', + cli_metavar="['standard', 'symmetric', 'asymmetric']", + label=_(u'Type'), + doc=_(u'Vault type'), + default=u'symmetric', + ), + parameters.Bytes( + 'ipavaultsalt', + required=False, + cli_name='salt', + label=_(u'Salt'), + doc=_(u'Vault salt'), + ), + parameters.Bytes( + 'ipavaultpublickey', + required=False, + cli_name='public_key', + label=_(u'Public key'), + doc=_(u'Vault public key'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class vault_remove_member(Method): + __doc__ = _("Remove members from a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'member service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class vault_remove_owner(Method): + __doc__ = _("Remove owners from a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault 
name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners removed'), + ), + ) + + +@register() +class vault_retrieve_internal(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + 
default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Bytes( + 'session_key', + doc=_(u'Session key wrapped with transport certificate'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vault_show(Method): + __doc__ = _("Display information about a vault.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Vault name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vaultconfig_show(Method): + __doc__ = _("Show vault configuration.") + + takes_options = ( + parameters.Str( + 'transport_out', + required=False, + doc=_(u'Output file to store the transport certificate'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class vaultcontainer_add_owner(Method): + __doc__ = _("Add owners to a vault container.") + + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to add'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners added'), + ), + ) + + +@register() +class vaultcontainer_del(Method): + __doc__ = _("Delete a vault container.") + + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.ListOfPrimaryKeys( + 'value', + ), + ) + + +@register() 
+class vaultcontainer_remove_owner(Method): + __doc__ = _("Remove owners from a vault container.") + + takes_options = ( + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'owner user'), + doc=_(u'users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'owner group'), + doc=_(u'groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'services', + required=False, + multivalue=True, + label=_(u'owner service'), + doc=_(u'services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Owners that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of owners removed'), + ), + ) + + +@register() +class vaultcontainer_show(Method): + __doc__ = _("Display information about a vault container.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'service', + required=False, + doc=_(u'Service name of the service vault'), + no_convert=True, + ), + parameters.Flag( + 'shared', + required=False, + doc=_(u'Shared vault'), + default=False, + autofill=True, + ), + parameters.Str( + 'username', + required=False, + cli_name='user', + doc=_(u'Username of the user vault'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_members', + doc=_(u'Suppress processing of membership attributes.'), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.PrimaryKey( + 'value', + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/__init__.py b/ipaclient/remote_plugins/2_49/__init__.py new file mode 100644 index 000000000..4ef04a772 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/__init__.py @@ -0,0 +1,15 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +from ..compat import CompatCommand, CompatMethod, CompatObject + +Object = CompatObject + + +class Command(CompatCommand): + api_version = u'2.49' + + +class Method(Command, CompatMethod): + pass diff --git a/ipaclient/remote_plugins/2_49/aci.py b/ipaclient/remote_plugins/2_49/aci.py new file mode 100644 index 000000000..b2d6d88a7 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/aci.py 
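Review bot: The new `ipaclient/remote_plugins/2_49/__init__.py` has no module docstring, so a reader who lands on `api_version = u'2.49'` cannot tell which servers these bundled definitions target or why this particular version exists alongside 2_114. I would add, above the `from ..compat import` line, `"""Bundled remote plugin definitions for server API version 2.49 (IPA 3.1.0 on RHEL/CentOS 6.5+), used when the server lacks API schema support."""` and annotate the constant with `# Lowest bundled API version; per the commit description the closest lower bundled version is selected for servers reporting other versions.` The version-to-platform mapping and the "closest lower version" rule come from the commit message rather than from this code, so they should be checked against the selection logic in ipaclient/frontend.py before being recorded here. If that reading is right, a server reporting an API version below 2.49 has no bundled match at all, and the docstring should say what happens in that case.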
@@ -0,0 +1,811 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Directory Server Access Control Instructions (ACIs) + +ACIs are used to allow or deny access to information. This module is +currently designed to allow, not deny, access. + +The aci commands are designed to grant permissions that allow updating +existing entries or adding or deleting new ones. The goal of the ACIs +that ship with IPA is to provide a set of low-level permissions that +grant access to special groups called taskgroups. These low-level +permissions can be combined into roles that grant broader access. These +roles are another type of group, roles. + +For example, if you have taskgroups that allow adding and modifying users you +could create a role, useradmin. You would assign users to the useradmin +role to allow them to do the operations defined by the taskgroups. + +You can create ACIs that delegate permission so users in group A can write +attributes on group B. + +The type option is a map that applies to all entries in the users, groups or +host location. It is primarily designed to be used when granting add +permissions (to write new entries). + +An ACI consists of three parts: +1. target +2. permissions +3. bind rules + +The target is a set of rules that define which LDAP objects are being +targeted. This can include a list of attributes, an area of that LDAP +tree or an LDAP filter. + +The targets include: +- attrs: list of attributes affected +- type: an object type (user, group, host, service, etc) +- memberof: members of a group +- targetgroup: grant access to modify a specific group. 
This is primarily + designed to enable users to add or remove members of a specific group. +- filter: A legal LDAP filter used to narrow the scope of the target. +- subtree: Used to apply a rule across an entire set of objects. For example, + to allow adding users you need to grant "add" permission to the subtree + ldap://uid=*,cn=users,cn=accounts,dc=example,dc=com. The subtree option + is a fail-safe for objects that may not be covered by the type option. + +The permissions define what the ACI is allowed to do, and are one or +more of: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +The bind rule defines who this ACI grants permissions to. The LDAP server +allows this to be any valid LDAP entry but we encourage the use of +taskgroups so that the rights can be easily shared through roles. + +For a more thorough description of access controls see +http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control.html + +EXAMPLES: + +NOTE: ACIs are now added via the permission plugin. These examples are to +demonstrate how the various options work but this is done via the permission +command-line now (see last example). 
+ + Add an ACI so that the group "secretaries" can update the address on any user: + ipa group-add --desc="Office secretaries" secretaries + ipa aci-add --attrs=streetAddress --memberof=ipausers --group=secretaries --permissions=write --prefix=none "Secretaries write addresses" + + Show the new ACI: + ipa aci-show --prefix=none "Secretaries write addresses" + + Add an ACI that allows members of the "addusers" permission to add new users: + ipa aci-add --type=user --permission=addusers --permissions=add --prefix=none "Add new users" + + Add an ACI that allows members of the editors manage members of the admins group: + ipa aci-add --permissions=write --attrs=member --targetgroup=admins --group=editors --prefix=none "Editors manage admins" + + Add an ACI that allows members of the admins group to manage the street and zip code of those in the editors group: + ipa aci-add --permissions=write --memberof=editors --group=admins --attrs=street,postalcode --prefix=none "admins edit the address of editors" + + Add an ACI that allows the admins group manage the street and zipcode of those who work for the boss: + ipa aci-add --permissions=write --group=admins --attrs=street,postalcode --filter="(manager=uid=boss,cn=users,cn=accounts,dc=example,dc=com)" --prefix=none "Edit the address of those who work for the boss" + + Add an entirely new kind of record to IPA that isn't covered by any of the --type options, creating a permission: + ipa permission-add --permissions=add --subtree="cn=*,cn=orange,cn=accounts,dc=example,dc=com" --desc="Add Orange Entries" add_orange + + +The show command shows the raw 389-ds ACI. + +IMPORTANT: When modifying the target attributes of an existing ACI you +must include all existing attributes as well. When doing an aci-mod the +targetattr REPLACES the current attributes, it does not add to them. 
+""") + +register = Registry() + + +@register() +class aci(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + ), + ) + + +@register() +class aci_add(Method): + __doc__ = _("Create new ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'test', + required=False, + doc=_(u"Test the ACI syntax but don't write anything"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_del(Method): + __doc__ = _("Delete ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_find(Method): + __doc__ = _(""" +Search for ACIs. + + Returns a list of ACIs + + EXAMPLES: + + To find all ACIs that apply directly to members of the group ipausers: + ipa aci-find --memberof=ipausers + + To find all ACIs that grant add access: + ipa aci-find --permissions=add + + Note that the find command only looks for the given text in the set of + ACIs, it does not evaluate the ACIs to see if something would apply. + For example, searching on memberof=ipausers will find all ACIs that + have ipausers as a memberof. There may be other ACIs that apply to + members of that group indirectly. 
+ """) + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'ACI name'), + ), + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Bool( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + ), + parameters.Str( + 'aciprefix', + required=False, + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class aci_mod(Method): + __doc__ = _("Modify ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class aci_rename(Method): + __doc__ = _("Rename an ACI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'permission', + required=False, + label=_(u'Permission'), + doc=_(u'Permission ACI grants access to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'comma-separated list of permissions to grant(read, write, add, delete, all)'), + no_convert=True, + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'type of IPA object (user, group, host, hostgroup, service, netgroup)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of'), + doc=_(u'Member of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply ACI to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'Group to apply ACI to'), + ), + parameters.Flag( + 'selfaci', + required=False, + cli_name='self', + label=_(u'Target your own entry (self)'), + doc=_(u'Apply ACI to your own entry (self)'), + default=False, + autofill=True, + ), + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Str( + 'newname', + doc=_(u'New ACI name'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class aci_show(Method): + __doc__ = _("Display a single ACI given an ACI name.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'ACI name'), + ), + ) + takes_options = ( + parameters.Str( + 'aciprefix', + cli_name='prefix', + cli_metavar="['permission', 'delegation', 'selfservice', 'none']", + label=_(u'ACI prefix'), + doc=_(u'Prefix used to distinguish ACI types (permission, delegation, selfservice, none)'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/automember.py b/ipaclient/remote_plugins/2_49/automember.py new file mode 100644 index 000000000..39cdac0b4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/automember.py 
@@ -0,0 +1,758 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Auto Membership Rule. + +Bring clarity to the membership of hosts and users by configuring inclusive +or exclusive regex patterns, you can automatically assign a new entries into +a group or hostgroup based upon attribute information. + +A rule is directly associated with a group by name, so you cannot create +a rule without an accompanying group or hostgroup. + +A condition is a regular expression used by 389-ds to match a new incoming +entry with an automember rule. If it matches an inclusive rule then the +entry is added to the appropriate group or hostgroup. + +A default group or hostgroup could be specified for entries that do not +match any rule. In case of user entries this group will be a fallback group +because all users are by default members of group specified in IPA config. 
+ + +EXAMPLES: + + Add the initial group or hostgroup: + ipa hostgroup-add --desc="Web Servers" webservers + ipa group-add --desc="Developers" devel + + Add the initial rule: + ipa automember-add --type=hostgroup webservers + ipa automember-add --type=group devel + + Add a condition to the rule: + ipa automember-add-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + ipa automember-add-condition --key=manager --type=group --inclusive-regex=^uid=mscott devel + + Add an exclusive condition to the rule to prevent auto assignment: + ipa automember-add-condition --key=fqdn --type=hostgroup --exclusive-regex=^web5\.example\.com webservers + + Add a host: + ipa host-add web1.example.com + + Add a user: + ipa user-add --first=Tim --last=User --password tuser1 --manager=mscott + + Verify automembership: + ipa hostgroup-show webservers + Host-group: webservers + Description: Web Servers + Member hosts: web1.example.com + + ipa group-show devel + Group name: devel + Description: Developers + GID: 1004200000 + Member users: tuser + + Remove a condition from the rule: + ipa automember-remove-condition --key=fqdn --type=hostgroup --inclusive-regex=^web[1-9]+\.example\.com webservers + + Modify the automember rule: + ipa automember-mod + + Set the default (fallback) target group: + ipa automember-default-group-set --default-group=webservers --type=hostgroup + ipa automember-default-group-set --default-group=ipausers --type=group + + Remove the default (fallback) target group: + ipa automember-default-group-remove --type=hostgroup + ipa automember-default-group-remove --type=group + + Show the default (fallback) target group: + ipa automember-default-group-show --type=hostgroup + ipa automember-default-group-show --type=group + + Find all of the automember rules: + ipa automember-find + + Display a automember rule: + ipa automember-show --type=hostgroup webservers + ipa automember-show --type=group devel + + Delete an automember rule: + 
ipa automember-del --type=hostgroup webservers + ipa automember-del --type=group devel +""") + +register = Registry() + + +@register() +class automember(Object): + takes_params = ( + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + required=False, + label=_(u'Default (fallback) Group'), + doc=_(u'Default group for entries to land'), + ), + ) + + +@register() +class automember_add(Method): + __doc__ = _("Add an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_add_condition(Method): + __doc__ = _("Add conditions to an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions added'), + ), + ) + + +@register() +class automember_default_group_remove(Method): + __doc__ = _("Remove default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_set(Method): + __doc__ = _("Set default (fallback) group for all unmatched entries.") + + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberdefaultgroup', + cli_name='default_group', + label=_(u'Default (fallback) Group'), + doc=_(u'Default (fallback) group for entries to land'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_default_group_show(Method): + __doc__ = _("Display information about the default (fallback) automember groups.") + + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_del(Method): + __doc__ = _("Delete an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_find(Method): + __doc__ = _("Search for automember rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automember_mod(Method): + __doc__ = _("Modify an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automember_remove_condition(Method): + __doc__ = _("Remove conditions from an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this auto member rule'), + ), + parameters.Str( + 'automemberinclusiveregex', + required=False, + multivalue=True, + cli_name='inclusive_regex', + label=_(u'Inclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'automemberexclusiveregex', + required=False, + multivalue=True, + cli_name='exclusive_regex', + label=_(u'Exclusive Regex'), + alwaysask=True, + ), + parameters.Str( + 'key', + label=_(u'Attribute Key'), + doc=_(u'Attribute to filter via regex. For example fqdn for a host, or manager for a user'), + ), + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + output.Output( + 'failed', + dict, + doc=_(u'Conditions that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of conditions removed'), + ), + ) + + +@register() +class automember_show(Method): + __doc__ = _("Display information about an automember rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='automember_rule', + label=_(u'Automember Rule'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'type', + cli_metavar="['group', 'hostgroup']", + label=_(u'Grouping Type'), + doc=_(u'Grouping to which the rule applies'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/automount.py b/ipaclient/remote_plugins/2_49/automount.py new file mode 100644 index 000000000..4c7a2c65d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/automount.py 
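Review bot: The module docstring at the top of this hunk embeds regex examples such as `^web[1-9]+\.example\.com` and `^web5\.example\.com` inside a non-raw triple-quoted string, so `\.` is an invalid escape sequence — Python currently keeps the backslash, but this has been a DeprecationWarning since 3.6 and becomes a SyntaxWarning in 3.12+, which matters for a file that is meant to stay importable on client installs for years. Make the docstring a raw string, `__doc__ = _(r"""`, or double the backslashes in the two example lines. If these bundled definitions are produced by a generator from the server schema, as their uniform shape suggests, the fix belongs in the generator so every bundled API version picks it up. The rest of the hunk only declares parameters and outputs and carries no runtime logic to review.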
@@ -0,0 +1,1225 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Automount + +Stores automount(8) configuration for autofs(8) in IPA. + +The base of an automount configuration is the configuration file auto.master. +This is also the base location in IPA. Multiple auto.master configurations +can be stored in separate locations. A location is implementation-specific +with the default being a location named 'default'. For example, you can have +locations by geographic region, by floor, by type, etc. + +Automount has three basic object types: locations, maps and keys. + +A location defines a set of maps anchored in auto.master. This allows you +to store multiple automount configurations. A location in itself isn't +very interesting, it is just a point to start a new automount map. + +A map is roughly equivalent to a discrete automount file and provides +storage for keys. + +A key is a mount point associated with a map. + +When a new location is created, two maps are automatically created for +it: auto.master and auto.direct. auto.master is the root map for all +automount maps for the location. auto.direct is the default map for +direct mounts and is mounted on /-. + +An automount map may contain a submount key. This key defines a mount +location within the map that references another map. This can be done +either using automountmap-add-indirect --parentmap or manually +with automountkey-add and setting info to "-type=autofs :". 
+ +EXAMPLES: + +Locations: + + Create a named location, "Baltimore": + ipa automountlocation-add baltimore + + Display the new location: + ipa automountlocation-show baltimore + + Find available locations: + ipa automountlocation-find + + Remove a named automount location: + ipa automountlocation-del baltimore + + Show what the automount maps would look like if they were in the filesystem: + ipa automountlocation-tofiles baltimore + + Import an existing configuration into a location: + ipa automountlocation-import baltimore /etc/auto.master + + The import will fail if any duplicate entries are found. For + continuous operation where errors are ignored, use the --continue + option. + +Maps: + + Create a new map, "auto.share": + ipa automountmap-add baltimore auto.share + + Display the new map: + ipa automountmap-show baltimore auto.share + + Find maps in the location baltimore: + ipa automountmap-find baltimore + + Create an indirect map with auto.share as a submount: + ipa automountmap-add-indirect baltimore --parentmap=auto.share --mount=sub auto.man + + This is equivalent to: + + ipa automountmap-add-indirect baltimore --mount=/man auto.man + ipa automountkey-add baltimore auto.man --key=sub --info="-fstype=autofs ldap:auto.share" + + Remove the auto.share map: + ipa automountmap-del baltimore auto.share + +Keys: + + Create a new key for the auto.share map in location baltimore. 
This ties + the map we previously created to auto.master: + ipa automountkey-add baltimore auto.master --key=/share --info=auto.share + + Create a new key for our auto.share map, an NFS mount for man pages: + ipa automountkey-add baltimore auto.share --key=man --info="-ro,soft,rsize=8192,wsize=8192 ipa.example.com:/shared/man" + + Find all keys for the auto.share map: + ipa automountkey-find baltimore auto.share + + Find all direct automount keys: + ipa automountkey-find baltimore --key=/- + + Remove the man key from the auto.share map: + ipa automountkey-del baltimore auto.share --key=man +""") + +register = Registry() + + +@register() +class automountkey(Object): + takes_params = ( + parameters.Str( + 'automountkey', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + label=_(u'Mount information'), + ), + parameters.Str( + 'description', + required=False, + primary_key=True, + label=_(u'description'), + exclude=('webui', 'cli'), + ), + ) + + +@register() +class automountlocation(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + + +@register() +class automountmap(Object): + takes_params = ( + parameters.Str( + 'automountmapname', + primary_key=True, + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + ) + + +@register() +class automountkey_add(Method): + __doc__ = _("Create a new automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + cli_name='info', + label=_(u'Mount 
information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_del(Method): + __doc__ = _("Delete an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_find(Method): + __doc__ = _("Search for an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + required=False, + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountkey_mod(Method): + __doc__ = _("Modify an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'newautomountinformation', + required=False, + cli_name='newinfo', + label=_(u'New mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the automount key object'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountkey_show(Method): + __doc__ = _("Display an automount key.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapautomountmapname', + cli_name='automountmap', + label=_(u'Map'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'automountkey', + cli_name='key', + label=_(u'Key'), + doc=_(u'Automount key name.'), + ), + parameters.Str( + 'automountinformation', + required=False, + cli_name='info', + label=_(u'Mount information'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_add(Method): + __doc__ = _("Create a new automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_del(Method): + __doc__ = _("Delete an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_find(Method): + __doc__ = _("Search for an automount location.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("location")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountlocation_show(Method): + __doc__ = _("Display an automount location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountlocation_tofiles(Method): + __doc__ = _("Generate automount files for a specific location.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='location', + label=_(u'Location'), + doc=_(u'Automount location name.'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class automountmap_add(Method): + __doc__ = _("Create a new automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_add_indirect(Method): + __doc__ = _("Create a new indirect mount point.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'key', + cli_name='mount', + label=_(u'Mount point'), + ), + parameters.Str( + 'parentmap', + required=False, + label=_(u'Parent map'), + doc=_(u'Name of parent automount map (default: auto.master).'), + default=u'auto.master', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_del(Method): + __doc__ = _("Delete an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + multivalue=True, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_find(Method): + __doc__ = _("Search for an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'automountmapname', + required=False, + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("map")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class automountmap_mod(Method): + __doc__ = _("Modify an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class automountmap_show(Method): + __doc__ = _("Display an automount map.") + + takes_args = ( + parameters.Str( + 'automountlocationcn', + cli_name='automountlocation', + label=_(u'Location'), + ), + parameters.Str( + 'automountmapname', + cli_name='map', + label=_(u'Map'), + doc=_(u'Automount map name.'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py new file mode 100644 index 000000000..a1f351d33 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/batch.py @@ -0,0 +1,69 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugin to make multiple ipa calls via one remote procedure call + +To run this code in the lite-server + +curl -H "Content-Type:application/json" -H "Accept:application/json" -H "Accept-Language:en" --negotiate -u : --cacert /etc/ipa/ca.crt -d @batch_request.json -X POST http://localhost:8888/ipa/json + +where the contents of the file batch_request.json follow the below example + +{"method":"batch","params":[[ + {"method":"group_find","params":[[],{}]}, + {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, + {"method":"user_show","params":[["admin"],{"all":true}]} + ],{}],"id":1} + +The format of the response is nested the same way. At the top you will see + "error": null, + "id": 1, + "result": { + "count": 3, + "results": [ + + +And then a nested response for each IPA command method sent in the request +""") + +register = Registry() + + +@register() +class batch(Command): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'methods', + required=False, + multivalue=True, + doc=_(u'Nested Methods to execute'), + ), + ) + has_output = ( + output.Output( + 'count', + int, + ), + output.Output( + 'results', + (list, tuple), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/cert.py b/ipaclient/remote_plugins/2_49/cert.py new file mode 100644 index 000000000..0e029ff19 --- /dev/null 
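Review bot: `methods` in `batch` is declared as `parameters.Str(..., multivalue=True)`, yet the module docstring's example passes each element as a nested `{"method": ..., "params": ...}` object; if the client applies Str conversion to this argument before forwarding, those elements would be rejected rather than passed through, so the declared type is worth checking against what the 2.49 server plugin actually accepts. If pass-through is intended the declaration would read `parameters.Any('methods', required=False, multivalue=True, doc=_(u'Nested Methods to execute'))`, assuming `Any` is importable from `ipalib.parameters` in this tree. A one-line class comment such as `# Nested calls are not validated client-side; the server evaluates each one.` would also make the intent of this bundled definition clear to readers who cannot see the server plugin.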
+++ b/ipaclient/remote_plugins/2_49/cert.py 
@@ -0,0 +1,209 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +IPA certificate operations + +Implements a set of commands for managing server SSL certificates. + +Certificate requests exist in the form of a Certificate Signing Request (CSR) +in PEM format. + +If using the selfsign back end then the subject in the CSR needs to match +the subject configured in the server. The dogtag CA uses just the CN +value of the CSR and forces the rest of the subject. + +A certificate is stored with a service principal and a service principal +needs a host. + +In order to request a certificate: + +* The host must exist +* The service must exist (or you use the --add option to automatically add it) + +EXAMPLES: + + Request a new certificate and add the principal: + ipa cert-request --add --principal=HTTP/lion.example.com example.csr + + Retrieve an existing certificate: + ipa cert-show 1032 + + Revoke a certificate (see RFC 5280 for reason details): + ipa cert-revoke --revocation-reason=6 1032 + + Remove a certificate from revocation hold status: + ipa cert-remove-hold 1032 + + Check the status of a signing request: + ipa cert-status 10 + +IPA currently immediately issues (or declines) all certificate requests so +the status of a request is not normally useful. This is for future use +or the case where a CA does not immediately issue a certificate. 
+ +The following revocation reasons are supported: + + * 0 - unspecified + * 1 - keyCompromise + * 2 - cACompromise + * 3 - affiliationChanged + * 4 - superseded + * 5 - cessationOfOperation + * 6 - certificateHold + * 8 - removeFromCRL + * 9 - privilegeWithdrawn + * 10 - aACompromise + +Note that reason code 7 is not used. See RFC 5280 for more details: + +http://www.ietf.org/rfc/rfc5280.txt +""") + +register = Registry() + + +@register() +class cert_remove_hold(Command): + __doc__ = _("Take a revoked certificate off hold.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_request(Command): + __doc__ = _("Submit a certificate signing request.") + + takes_args = ( + parameters.Str( + 'csr', + cli_name='csr_file', + label=_(u'CSR'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'principal', + label=_(u'Principal'), + doc=_(u'Service principal for this certificate (e.g. 
HTTP/test.example.com)'), + ), + parameters.Str( + 'request_type', + default=u'pkcs10', + autofill=True, + ), + parameters.Flag( + 'add', + doc=_(u"automatically add the principal if it doesn't exist"), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class cert_revoke(Command): + __doc__ = _("Revoke a certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Int( + 'revocation_reason', + label=_(u'Reason'), + doc=_(u'Reason for revoking the certificate (0-10)'), + default=0, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_show(Command): + __doc__ = _("Retrieve an existing certificate.") + + takes_args = ( + parameters.Str( + 'serial_number', + label=_(u'Serial number'), + doc=_(u'Serial number in decimal or if prefixed with 0x in hexadecimal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'out', + required=False, + label=_(u'Output filename'), + doc=_(u'File to store the certificate in.'), + exclude=('webui',), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class cert_status(Command): + __doc__ = _("Check the status of a certificate signing request.") + + takes_args = ( + parameters.Str( + 'request_id', + label=_(u'Request id'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_49/config.py b/ipaclient/remote_plugins/2_49/config.py new file mode 100644 index 000000000..41abee8fe --- /dev/null +++ b/ipaclient/remote_plugins/2_49/config.py 
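Review bot: `revocation_reason` in `cert_revoke` is an unbounded `parameters.Int` although its doc string promises a 0-10 range and the module docstring notes that code 7 is unused, so an out-of-range value is only rejected once it reaches the server; adding `minvalue=0, maxvalue=10,` to that parameter keeps the client-side check in step with its own documentation. The same gap appears in the config.py hunk of this commit, where `ipasearchtimelimit` (documented as '> 0, or -1 for unlimited'), `ipasearchrecordslimit` and `ipapwdexpadvnotify` carry no `minvalue`. If these definitions are produced mechanically from the server schema, the fix presumably belongs in the generator or the server-side declarations rather than in this file.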
@@ -0,0 +1,394 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Server configuration + +Manage the default values that IPA uses and some of its tuning parameters. + +NOTES: + +The password notification value (--pwdexpnotify) is stored here so it will +be replicated. It is not currently used to notify users in advance of an +expiring password. + +Some attributes are read-only, provided only for information purposes. These +include: + +Certificate Subject base: the configured certificate subject base, + e.g. O=EXAMPLE.COM. This is configurable only at install time. +Password plug-in features: currently defines additional hashes that the + password will generate (there may be other conditions). + +When setting the order list for mapping SELinux users you may need to +quote the value so it isn't interpreted by the shell. 
+ +EXAMPLES: + + Show basic server configuration: + ipa config-show + + Show all configuration options: + ipa config-show --all + + Change maximum username length to 99 characters: + ipa config-mod --maxusername=99 + + Increase default time and size limits for maximum IPA server search: + ipa config-mod --searchtimelimit=10 --searchrecordslimit=2000 + + Set default user e-mail domain: + ipa config-mod --emaildomain=example.com + + Enable migration mode to make "ipa migrate-ds" command operational: + ipa config-mod --enable-migration=TRUE + + Define SELinux user map order: + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' +""") + +register = Registry() + + +@register() +class config(Object): + takes_params = ( + parameters.Int( + 'ipamaxusernamelength', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when 
searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + label=_(u'Enable migration mode'), + ), + parameters.DNParam( + 'ipacertificatesubjectbase', + label=_(u'Certificate Subject base'), + doc=_(u'Base for certificate subjects (OU=Test,O=Example)'), + ), + parameters.Str( + 'ipagroupobjectclasses', + multivalue=True, + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + multivalue=True, + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + ) + + +@register() +class config_mod(Method): + __doc__ = _("Modify configuration options.") + + takes_options = ( + parameters.Int( + 'ipamaxusernamelength', + required=False, + cli_name='maxusername', + label=_(u'Maximum username length'), + ), + parameters.Str( + 'ipahomesrootdir', + required=False, + cli_name='homedirectory', + label=_(u'Home directory base'), + doc=_(u'Default location of home directories'), + ), + parameters.Str( + 'ipadefaultloginshell', + required=False, + 
cli_name='defaultshell', + label=_(u'Default shell'), + doc=_(u'Default shell for new users'), + ), + parameters.Str( + 'ipadefaultprimarygroup', + required=False, + cli_name='defaultgroup', + label=_(u'Default users group'), + doc=_(u'Default group for new users'), + ), + parameters.Str( + 'ipadefaultemaildomain', + required=False, + cli_name='emaildomain', + label=_(u'Default e-mail domain'), + ), + parameters.Int( + 'ipasearchtimelimit', + required=False, + cli_name='searchtimelimit', + label=_(u'Search time limit'), + doc=_(u'Maximum amount of time (seconds) for a search (> 0, or -1 for unlimited)'), + ), + parameters.Int( + 'ipasearchrecordslimit', + required=False, + cli_name='searchrecordslimit', + label=_(u'Search size limit'), + doc=_(u'Maximum number of records to search (-1 is unlimited)'), + ), + parameters.Str( + 'ipausersearchfields', + required=False, + cli_name='usersearch', + label=_(u'User search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for users'), + ), + parameters.Str( + 'ipagroupsearchfields', + required=False, + cli_name='groupsearch', + label=_(u'Group search fields'), + doc=_(u'A comma-separated list of fields to search in when searching for groups'), + ), + parameters.Bool( + 'ipamigrationenabled', + required=False, + cli_name='enable_migration', + label=_(u'Enable migration mode'), + ), + parameters.Str( + 'ipagroupobjectclasses', + required=False, + multivalue=True, + cli_name='groupobjectclasses', + label=_(u'Default group objectclasses'), + doc=_(u'Default group objectclasses (comma-separated list)'), + ), + parameters.Str( + 'ipauserobjectclasses', + required=False, + multivalue=True, + cli_name='userobjectclasses', + label=_(u'Default user objectclasses'), + doc=_(u'Default user objectclasses (comma-separated list)'), + ), + parameters.Int( + 'ipapwdexpadvnotify', + required=False, + cli_name='pwdexpnotify', + label=_(u'Password Expiration Notification (days)'), + doc=_(u"Number of days's 
notice of impending password expiration"), + ), + parameters.Str( + 'ipaconfigstring', + required=False, + multivalue=True, + cli_metavar="['AllowLMhash', 'AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout']", + label=_(u'Password plugin features'), + doc=_(u'Extra hashes to generate in password plug-in'), + ), + parameters.Str( + 'ipaselinuxusermaporder', + required=False, + label=_(u'SELinux user map order'), + doc=_(u'Order in increasing priority of SELinux users, delimited by $'), + ), + parameters.Str( + 'ipaselinuxusermapdefault', + required=False, + label=_(u'Default SELinux user'), + doc=_(u'Default SELinux user when no match is found in SELinux map rule'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD']", + label=_(u'Default PAC types'), + doc=_(u'Default types of PAC supported for services'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class config_show(Method): + __doc__ = _("Show the current configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/delegation.py b/ipaclient/remote_plugins/2_49/delegation.py new file mode 100644 index 000000000..352f6350e --- /dev/null +++ b/ipaclient/remote_plugins/2_49/delegation.py 
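Review bot: The `ipaconfigstring` option in `config_mod` advertises `'AllowLMhash'` and `'AllowNThash'` in its `cli_metavar` without any hint of what they imply; enabling LM hash generation stores an obsolete, easily recoverable hash alongside each password, a downgrade an administrator should see before setting it. Extending the option text to `doc=_(u'Extra hashes to generate in password plug-in (AllowLMhash stores a weak legacy hash; avoid unless required)')` would surface that at the point of use. Separately, the doc string for `ipapwdexpadvnotify` reads "Number of days's notice" and should read "Number of days' notice"; both strings are repeated in the `config` Object declaration earlier in this hunk, so any change should be applied in both places.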
@@ -0,0 +1,384 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Group to Group Delegation + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +Group to Group Delegations grants the members of one group to update a set +of attributes of members of another group. + +EXAMPLES: + + Add a delegation rule to allow managers to edit employee's addresses: + ipa delegation-add --attrs=street --group=managers --membergroup=employees "managers edit employees' street" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add postalCode to the list: + ipa delegation-mod --attrs=street,postalCode --group=managers --membergroup=employees "managers edit employees' street" + + Display our updated rule: + ipa delegation-show "managers edit employees' street" + + Delete a rule: + ipa delegation-del "managers edit employees' street" +""") + +register = Registry() + + +@register() +class delegation(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'memberof', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + ) + + +@register() +class delegation_add(Method): + __doc__ = _("Add a new delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_del(Method): + __doc__ = _("Delete a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class delegation_find(Method): + __doc__ = _("Search for delegations.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Delegation name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class delegation_mod(Method): + __doc__ = _("Modify a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'memberof', + required=False, + cli_name='membergroup', + label=_(u'Member user group'), + doc=_(u'User group to apply delegation to'), + ), + parameters.Str( + 'group', + required=False, + label=_(u'User group'), + doc=_(u'User group ACI grants access to'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class delegation_show(Method): + __doc__ = _("Display information about a delegation.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Delegation name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py new file mode 100644 index 000000000..07cef75c2 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/dns.py 
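Review bot: Nothing in ipaclient/remote_plugins/2_49/delegation.py marks it as a frozen copy of the 2.49 server interface rather than hand-maintained code, although the uniform import block with `# pylint: disable=unused-import` and the per-version directory suggest the module is machine-generated. A header line directly under the license block, e.g. `# Bundled plugin definitions for server API version 2.49; regenerated from the server schema, do not edit by hand`, would stop later maintainers from hand-patching parameter names, `cli_name` values or `no_convert` flags that presumably must stay identical to what a server of that version advertises. The same note applies to 2_49/dns.py and the other per-version modules added in this commit.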
@@ -0,0 +1,5063 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Domain Name System (DNS) + +Manage DNS zone and resource records. + + +USING STRUCTURED PER-TYPE OPTIONS + +There are many structured DNS RR types where DNS data stored in LDAP server +is not just a scalar value, for example an IP address or a domain name, but +a data structure which may be often complex. A good example is a LOC record +[RFC1876] which consists of many mandatory and optional parts (degrees, +minutes, seconds of latitude and longitude, altitude or precision). + +It may be difficult to manipulate such DNS records without making a mistake +and entering an invalid value. DNS module provides an abstraction over these +raw records and allows to manipulate each RR type with specific options. For +each supported RR type, DNS module provides a standard option to manipulate +a raw records with format ---rec, e.g. --mx-rec, and special options +for every part of the RR structure with format ---, e.g. +--mx-preference and --mx-exchanger. + +When adding a record, either RR specific options or standard option for a raw +value can be used, they just should not be combined in one add operation. When +modifying an existing entry, new RR specific options can be used to change +one part of a DNS record, where the standard option for raw value is used +to specify the modified value. The following example demonstrates +a modification of MX record preference from 0 to 1 in a record without +modifying the exchanger: +ipa dnsrecord-mod --mx-rec="0 mx.example.com." 
--mx-preference=1 + + +EXAMPLES: + + Add new zone: + ipa dnszone-add example.com --name-server=ns \ + --admin-email=admin@example.com \ + --ip-address=10.0.0.1 + + Add system permission that can be used for per-zone privilege delegation: + ipa dnszone-add-permission example.com + + Modify the zone to allow dynamic updates for hosts own records in realm EXAMPLE.COM: + ipa dnszone-mod example.com --dynamic-update=TRUE + + This is the equivalent of: + ipa dnszone-mod example.com --dynamic-update=TRUE \ + --update-policy="grant EXAMPLE.COM krb5-self * A; grant EXAMPLE.COM krb5-self * AAAA; grant EXAMPLE.COM krb5-self * SSHFP;" + + Modify the zone to allow zone transfers for local network only: + ipa dnszone-mod example.com --allow-transfer=10.0.0.0/8 + + Add new reverse zone specified by network IP address: + ipa dnszone-add --name-from-ip=80.142.15.0/24 \ + --name-server=ns.example.com. + + Add second nameserver for example.com: + ipa dnsrecord-add example.com @ --ns-rec=nameserver2.example.com + + Add a mail server for example.com: + ipa dnsrecord-add example.com @ --mx-rec="10 mail1" + + Add another record using MX record specific options: + ipa dnsrecord-add example.com @ --mx-preference=20 --mx-exchanger=mail2 + + Add another record using interactive mode (started when dnsrecord-add, dnsrecord-mod, + or dnsrecord-del are executed with no options): + ipa dnsrecord-add example.com @ + Please choose a type of DNS resource record to be added + The most common types for this type of zone are: NS, MX, LOC + + DNS resource record type: MX + MX Preference: 30 + MX Exchanger: mail3 + Record name: example.com + MX record: 10 mail1, 20 mail2, 30 mail3 + NS record: nameserver.example.com., nameserver2.example.com. + + Delete previously added nameserver from example.com: + ipa dnsrecord-del example.com @ --ns-rec=nameserver2.example.com. 
+ + Add LOC record for example.com: + ipa dnsrecord-add example.com @ --loc-rec="49 11 42.4 N 16 36 29.6 E 227.64m" + + Add new A record for www.example.com. Create a reverse record in appropriate + reverse zone as well. In this case a PTR record "2" pointing to www.example.com + will be created in zone 15.142.80.in-addr.arpa. + ipa dnsrecord-add example.com www --a-rec=80.142.15.2 --a-create-reverse + + Add new PTR record for www.example.com + ipa dnsrecord-add 15.142.80.in-addr.arpa. 2 --ptr-rec=www.example.com. + + Add new SRV records for LDAP servers. Three quarters of the requests + should go to fast.example.com, one quarter to slow.example.com. If neither + is available, switch to backup.example.com. + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 3 389 fast.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="0 1 389 slow.example.com" + ipa dnsrecord-add example.com _ldap._tcp --srv-rec="1 1 389 backup.example.com" + + The interactive mode can be used for easy modification: + ipa dnsrecord-mod example.com _ldap._tcp + No option to modify specific record provided. + Current DNS record contents: + + SRV record: 0 3 389 fast.example.com, 0 1 389 slow.example.com, 1 1 389 backup.example.com + + Modify SRV record '0 3 389 fast.example.com'? Yes/No (default No): + Modify SRV record '0 1 389 slow.example.com'? Yes/No (default No): y + SRV Priority [0]: (keep the default value) + SRV Weight [1]: 2 (modified value) + SRV Port [389]: (keep the default value) + SRV Target [slow.example.com]: (keep the default value) + 1 SRV record skipped. Only one value per DNS record type can be modified at one time. + Record name: _ldap._tcp + SRV record: 0 3 389 fast.example.com, 1 1 389 backup.example.com, 0 2 389 slow.example.com + + After this modification, three fifths of the requests should go to + fast.example.com and two fifths to slow.example.com. 
+ + An example of the interactive mode for dnsrecord-del command: + ipa dnsrecord-del example.com www + No option to delete specific record provided. + Delete all? Yes/No (default No): (do not delete all records) + Current DNS record contents: + + A record: 1.2.3.4, 11.22.33.44 + + Delete A record '1.2.3.4'? Yes/No (default No): + Delete A record '11.22.33.44'? Yes/No (default No): y + Record name: www + A record: 1.2.3.4 (A record 11.22.33.44 has been deleted) + + Show zone example.com: + ipa dnszone-show example.com + + Find zone with "example" in its domain name: + ipa dnszone-find example + + Find records for resources with "www" in their name in zone example.com: + ipa dnsrecord-find example.com www + + Find A records with value 10.10.0.1 in zone example.com + ipa dnsrecord-find example.com --a-rec=10.10.0.1 + + Show records for resource www in zone example.com + ipa dnsrecord-show example.com www + + Delegate zone sub.example to another nameserver: + ipa dnsrecord-add example.com ns.sub --a-rec=10.0.100.5 + ipa dnsrecord-add example.com sub --ns-rec=ns.sub.example.com. + + If global forwarder is configured, all requests to sub.example.com will be + routed through the global forwarder. 
To change the behavior for example.com + zone only and forward the request directly to ns.sub.example.com., global + forwarding may be disabled per-zone: + ipa dnszone-mod example.com --forward-policy=none + + Forward all requests for the zone external.com to another nameserver using + a "first" policy (it will send the queries to the selected forwarder and if + not answered it will use global resolvers): + ipa dnszone-add external.com + ipa dnszone-mod external.com --forwarder=10.20.0.1 \ + --forward-policy=first + + Delete zone example.com with all resource records: + ipa dnszone-del example.com + + Resolve a host name to see if it exists (will add default IPA domain + if one is not included): + ipa dns-resolve www.example.com + ipa dns-resolve www + + +GLOBAL DNS CONFIGURATION + +DNS configuration passed to command line install script is stored in a local +configuration file on each IPA server where DNS service is configured. These +local settings can be overridden with a common configuration stored in LDAP +server: + + Show global DNS configuration: + ipa dnsconfig-show + + Modify global DNS configuration and set a list of global forwarders: + ipa dnsconfig-mod --forwarder=10.0.0.1 +""") + +register = Registry() + + +@register() +class dnsconfig(Object): + takes_params = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Global forwarders'), + doc=_(u'A list of global forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. 
Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + label=_(u'Zone refresh interval'), + doc=_(u'An interval between regular polls of the name server for new DNS zones'), + ), + ) + + +@register() +class dnsrecord(Object): + takes_params = ( + parameters.Str( + 'idnsname', + primary_key=True, + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'dnsrecords', + required=False, + label=_(u'Records'), + ), + parameters.Str( + 'dnstype', + required=False, + label=_(u'Record type'), + ), + parameters.Str( + 'dnsdata', + required=False, + label=_(u'Record data'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 
records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + ), + parameters.Str( + 'dnamerecord', 
+ required=False, + multivalue=True, + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dname_part_target', + required=False, + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Int( + 'key_part_flags', + required=False, + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + 
multivalue=True, + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + ), + parameters.Decimal( + 'loc_part_size', + required=False, + label=_(u'LOC Size'), + doc=_(u'Size'), + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + ), 
+ parameters.Decimal( + 'loc_part_v_precision', + required=False, + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + ), + parameters.Str( + 'naptr_part_service', + required=False, + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + label=_(u'NSEC Next Domain 
Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rrsig_part_type_covered', + required=False, + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + label=_(u"RRSIG Signer's Name"), + 
doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + label=_(u'RRSIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + label=_(u'SRV Priority'), + 
doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + ) + + +@register() +class dnszone(Object): + takes_params = ( + parameters.Str( + 'idnsname', + primary_key=True, + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to 
create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + ), + parameters.Str( + 'idnssoarname', + label=_(u'Administrator e-mail address'), + ), + parameters.Int( + 'idnssoaserial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + ), + parameters.Int( + 'idnssoarefresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + ), + parameters.Int( + 'idnssoaretry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + ), + parameters.Int( + 'idnssoaexpire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + ), + parameters.Int( + 'idnssoaminimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + ), + parameters.Int( + 'dnsttl', + required=False, + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + label=_(u'BIND update policy'), + ), + parameters.Bool( + 'idnszoneactive', + required=False, + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + ), + parameters.Str( + 'idnsallowquery', + required=False, + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + ) + + +@register() +class dns_is_enabled(Command): + __doc__ = _("Checks if any of the servers has the DNS service enabled.") + + NO_CLI = True + + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dns_resolve(Command): + __doc__ = _("Resolve a host name in DNS.") + + takes_args = ( + parameters.Str( + 'hostname', + label=_(u'Hostname'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_mod(Method): + __doc__ = _("Modify global DNS configuration.") + + takes_options = ( + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Global forwarders'), + doc=_(u'A list of global forwarders. 
A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Global forwarding policy. Set to "none" to disable any configured global forwarders.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records'), + ), + parameters.Int( + 'idnszonerefresh', + required=False, + cli_name='zone_refresh', + label=_(u'Zone refresh interval'), + doc=_(u'An interval between regular polls of the name server for new DNS zones'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsconfig_show(Method): + __doc__ = _("Show the current global DNS configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_add(Method): + __doc__ = _("Add new DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'a_extra_create_reverse', + required=False, + cli_name='a_create_reverse', + option_group=u'A Record', + label=_(u'A Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Flag( + 'aaaa_extra_create_reverse', + required=False, + cli_name='aaaa_create_reverse', + option_group=u'AAAA Record', + label=_(u'AAAA Create reverse'), + doc=_(u'Create reverse record for this IP Address'), + default=False, + autofill=True, + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + 
label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + 
), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + option_group=u'DNSKEY Record', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', 
+ option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Int( + 'key_part_flags', + required=False, + cli_name='key_flags', + option_group=u'KEY Record', + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + cli_name='key_protocol', + option_group=u'KEY Record', + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + cli_name='key_algorithm', + option_group=u'KEY Record', + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + cli_name='key_public_key', + option_group=u'KEY Record', + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX 
records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds 
Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, 
+ cli_name='nsec_rec', + option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + cli_name='nsec_next', + option_group=u'NSEC Record', + label=_(u'NSEC Next Domain Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + cli_name='nsec_types', + option_group=u'NSEC Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + option_group=u'NSEC3 Record', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + option_group=u'NSEC3PARAM Record', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + no_convert=True, + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 
'rrsig_part_type_covered', + required=False, + cli_name='rrsig_type_covered', + option_group=u'RRSIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + cli_name='rrsig_algorithm', + option_group=u'RRSIG Record', + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + cli_name='rrsig_labels', + option_group=u'RRSIG Record', + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + cli_name='rrsig_original_ttl', + option_group=u'RRSIG Record', + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + cli_name='rrsig_signature_expiration', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + cli_name='rrsig_signature_inception', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + cli_name='rrsig_key_tag', + option_group=u'RRSIG Record', + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + cli_name='rrsig_signers_name', + option_group=u'RRSIG Record', + label=_(u"RRSIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + cli_name='rrsig_signature', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature'), + 
doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + cli_name='sig_type_covered', + option_group=u'SIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + cli_name='sig_algorithm', + option_group=u'SIG Record', + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + cli_name='sig_labels', + option_group=u'SIG Record', + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + cli_name='sig_original_ttl', + option_group=u'SIG Record', + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + cli_name='sig_signature_expiration', + option_group=u'SIG Record', + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + cli_name='sig_signature_inception', + option_group=u'SIG Record', + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + cli_name='sig_key_tag', + option_group=u'SIG 
Record', + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + cli_name='sig_signers_name', + option_group=u'SIG Record', + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + cli_name='sig_signature', + option_group=u'SIG Record', + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' 
if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + option_group=u'TA Record', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + option_group=u'TKEY Record', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + option_group=u'TSIG Record', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force NS record creation even if its hostname is not in DNS'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_del(Method): + __doc__ = _("Delete DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + 
doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + 
parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + 
cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Flag( + 'del_all', + label=_(u'Delete all associated records'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_delentry(Method): + __doc__ = _("Delete DNS record entry.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_find(Method): + __doc__ = _("Search for DNS resources.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Record name'), + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + required=False, + multivalue=True, + cli_name='a_rec', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + 
label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + 
exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, + cli_name='nsec_rec', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + 
multivalue=True, + cli_name='ptr_rec', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + label=_(u'TXT record'), + 
doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnsrecord_mod(Method): + __doc__ = _("Modify a DNS resource record.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'Time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'Class'), + doc=_(u'DNS class'), + ), + parameters.Str( + 'arecord', + 
required=False, + multivalue=True, + cli_name='a_rec', + option_group=u'A Record', + label=_(u'A record'), + doc=_(u'Comma-separated list of raw A records'), + ), + parameters.Str( + 'a_part_ip_address', + required=False, + cli_name='a_ip_address', + option_group=u'A Record', + label=_(u'A IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'aaaarecord', + required=False, + multivalue=True, + cli_name='aaaa_rec', + option_group=u'AAAA Record', + label=_(u'AAAA record'), + doc=_(u'Comma-separated list of raw AAAA records'), + ), + parameters.Str( + 'aaaa_part_ip_address', + required=False, + cli_name='aaaa_ip_address', + option_group=u'AAAA Record', + label=_(u'AAAA IP Address'), + doc=_(u'IP Address'), + ), + parameters.Str( + 'a6record', + required=False, + multivalue=True, + cli_name='a6_rec', + option_group=u'A6 Record', + label=_(u'A6 record'), + doc=_(u'Comma-separated list of raw A6 records'), + ), + parameters.Str( + 'a6_part_data', + required=False, + cli_name='a6_data', + option_group=u'A6 Record', + label=_(u'A6 Record data'), + doc=_(u'Record data'), + ), + parameters.Str( + 'afsdbrecord', + required=False, + multivalue=True, + cli_name='afsdb_rec', + option_group=u'AFSDB Record', + label=_(u'AFSDB record'), + doc=_(u'Comma-separated list of raw AFSDB records'), + ), + parameters.Int( + 'afsdb_part_subtype', + required=False, + cli_name='afsdb_subtype', + option_group=u'AFSDB Record', + label=_(u'AFSDB Subtype'), + doc=_(u'Subtype'), + ), + parameters.Str( + 'afsdb_part_hostname', + required=False, + cli_name='afsdb_hostname', + option_group=u'AFSDB Record', + label=_(u'AFSDB Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'aplrecord', + required=False, + multivalue=True, + cli_name='apl_rec', + option_group=u'APL Record', + label=_(u'APL record'), + doc=_(u'Comma-separated list of raw APL records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'certrecord', + required=False, + multivalue=True, + cli_name='cert_rec', + 
option_group=u'CERT Record', + label=_(u'CERT record'), + doc=_(u'Comma-separated list of raw CERT records'), + ), + parameters.Int( + 'cert_part_type', + required=False, + cli_name='cert_type', + option_group=u'CERT Record', + label=_(u'CERT Certificate Type'), + doc=_(u'Certificate Type'), + ), + parameters.Int( + 'cert_part_key_tag', + required=False, + cli_name='cert_key_tag', + option_group=u'CERT Record', + label=_(u'CERT Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'cert_part_algorithm', + required=False, + cli_name='cert_algorithm', + option_group=u'CERT Record', + label=_(u'CERT Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'cert_part_certificate_or_crl', + required=False, + cli_name='cert_certificate_or_crl', + option_group=u'CERT Record', + label=_(u'CERT Certificate/CRL'), + doc=_(u'Certificate/CRL'), + ), + parameters.Str( + 'cnamerecord', + required=False, + multivalue=True, + cli_name='cname_rec', + option_group=u'CNAME Record', + label=_(u'CNAME record'), + doc=_(u'Comma-separated list of raw CNAME records'), + ), + parameters.Str( + 'cname_part_hostname', + required=False, + cli_name='cname_hostname', + option_group=u'CNAME Record', + label=_(u'CNAME Hostname'), + doc=_(u'A hostname which this alias hostname points to'), + ), + parameters.Str( + 'dhcidrecord', + required=False, + multivalue=True, + cli_name='dhcid_rec', + option_group=u'DHCID Record', + label=_(u'DHCID record'), + doc=_(u'Comma-separated list of raw DHCID records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dlvrecord', + required=False, + multivalue=True, + cli_name='dlv_rec', + option_group=u'DLV Record', + label=_(u'DLV record'), + doc=_(u'Comma-separated list of raw DLV records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dnamerecord', + required=False, + multivalue=True, + cli_name='dname_rec', + option_group=u'DNAME Record', + label=_(u'DNAME record'), + doc=_(u'Comma-separated list of raw DNAME records'), + ), + 
parameters.Str( + 'dname_part_target', + required=False, + cli_name='dname_target', + option_group=u'DNAME Record', + label=_(u'DNAME Target'), + doc=_(u'Target'), + ), + parameters.Str( + 'dnskeyrecord', + required=False, + multivalue=True, + cli_name='dnskey_rec', + option_group=u'DNSKEY Record', + label=_(u'DNSKEY record'), + doc=_(u'Comma-separated list of raw DNSKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'dsrecord', + required=False, + multivalue=True, + cli_name='ds_rec', + option_group=u'DS Record', + label=_(u'DS record'), + doc=_(u'Comma-separated list of raw DS records'), + ), + parameters.Int( + 'ds_part_key_tag', + required=False, + cli_name='ds_key_tag', + option_group=u'DS Record', + label=_(u'DS Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Int( + 'ds_part_algorithm', + required=False, + cli_name='ds_algorithm', + option_group=u'DS Record', + label=_(u'DS Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'ds_part_digest_type', + required=False, + cli_name='ds_digest_type', + option_group=u'DS Record', + label=_(u'DS Digest Type'), + doc=_(u'Digest Type'), + ), + parameters.Str( + 'ds_part_digest', + required=False, + cli_name='ds_digest', + option_group=u'DS Record', + label=_(u'DS Digest'), + doc=_(u'Digest'), + ), + parameters.Str( + 'hiprecord', + required=False, + multivalue=True, + cli_name='hip_rec', + option_group=u'HIP Record', + label=_(u'HIP record'), + doc=_(u'Comma-separated list of raw HIP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipseckeyrecord', + required=False, + multivalue=True, + cli_name='ipseckey_rec', + option_group=u'IPSECKEY Record', + label=_(u'IPSECKEY record'), + doc=_(u'Comma-separated list of raw IPSECKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'keyrecord', + required=False, + multivalue=True, + cli_name='key_rec', + option_group=u'KEY Record', + label=_(u'KEY record'), + doc=_(u'Comma-separated list of raw KEY records'), + ), + 
parameters.Int( + 'key_part_flags', + required=False, + cli_name='key_flags', + option_group=u'KEY Record', + label=_(u'KEY Flags'), + doc=_(u'Flags'), + ), + parameters.Int( + 'key_part_protocol', + required=False, + cli_name='key_protocol', + option_group=u'KEY Record', + label=_(u'KEY Protocol'), + doc=_(u'Protocol'), + ), + parameters.Int( + 'key_part_algorithm', + required=False, + cli_name='key_algorithm', + option_group=u'KEY Record', + label=_(u'KEY Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Str( + 'key_part_public_key', + required=False, + cli_name='key_public_key', + option_group=u'KEY Record', + label=_(u'KEY Public Key'), + doc=_(u'Public Key'), + ), + parameters.Str( + 'kxrecord', + required=False, + multivalue=True, + cli_name='kx_rec', + option_group=u'KX Record', + label=_(u'KX record'), + doc=_(u'Comma-separated list of raw KX records'), + ), + parameters.Int( + 'kx_part_preference', + required=False, + cli_name='kx_preference', + option_group=u'KX Record', + label=_(u'KX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'kx_part_exchanger', + required=False, + cli_name='kx_exchanger', + option_group=u'KX Record', + label=_(u'KX Exchanger'), + doc=_(u'A host willing to act as a key exchanger'), + ), + parameters.Str( + 'locrecord', + required=False, + multivalue=True, + cli_name='loc_rec', + option_group=u'LOC Record', + label=_(u'LOC record'), + doc=_(u'Comma-separated list of raw LOC records'), + ), + parameters.Int( + 'loc_part_lat_deg', + required=False, + cli_name='loc_lat_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Latitude'), + doc=_(u'Degrees Latitude'), + ), + parameters.Int( + 'loc_part_lat_min', + required=False, + cli_name='loc_lat_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Latitude'), + doc=_(u'Minutes Latitude'), + ), + parameters.Decimal( + 'loc_part_lat_sec', + required=False, + cli_name='loc_lat_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Latitude'), + doc=_(u'Seconds Latitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lat_dir', + required=False, + cli_name='loc_lat_dir', + option_group=u'LOC Record', + cli_metavar="['N', 'S']", + label=_(u'LOC Direction Latitude'), + doc=_(u'Direction Latitude'), + ), + parameters.Int( + 'loc_part_lon_deg', + required=False, + cli_name='loc_lon_deg', + option_group=u'LOC Record', + label=_(u'LOC Degrees Longitude'), + doc=_(u'Degrees Longitude'), + ), + parameters.Int( + 'loc_part_lon_min', + required=False, + cli_name='loc_lon_min', + option_group=u'LOC Record', + label=_(u'LOC Minutes Longitude'), + doc=_(u'Minutes Longitude'), + ), + parameters.Decimal( + 'loc_part_lon_sec', + required=False, + cli_name='loc_lon_sec', + option_group=u'LOC Record', + label=_(u'LOC Seconds Longitude'), + doc=_(u'Seconds Longitude'), + no_convert=True, + ), + parameters.Str( + 'loc_part_lon_dir', + required=False, + cli_name='loc_lon_dir', + option_group=u'LOC Record', + cli_metavar="['E', 'W']", + label=_(u'LOC Direction 
Longitude'), + doc=_(u'Direction Longitude'), + ), + parameters.Decimal( + 'loc_part_altitude', + required=False, + cli_name='loc_altitude', + option_group=u'LOC Record', + label=_(u'LOC Altitude'), + doc=_(u'Altitude'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_size', + required=False, + cli_name='loc_size', + option_group=u'LOC Record', + label=_(u'LOC Size'), + doc=_(u'Size'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_h_precision', + required=False, + cli_name='loc_h_precision', + option_group=u'LOC Record', + label=_(u'LOC Horizontal Precision'), + doc=_(u'Horizontal Precision'), + no_convert=True, + ), + parameters.Decimal( + 'loc_part_v_precision', + required=False, + cli_name='loc_v_precision', + option_group=u'LOC Record', + label=_(u'LOC Vertical Precision'), + doc=_(u'Vertical Precision'), + no_convert=True, + ), + parameters.Str( + 'mxrecord', + required=False, + multivalue=True, + cli_name='mx_rec', + option_group=u'MX Record', + label=_(u'MX record'), + doc=_(u'Comma-separated list of raw MX records'), + ), + parameters.Int( + 'mx_part_preference', + required=False, + cli_name='mx_preference', + option_group=u'MX Record', + label=_(u'MX Preference'), + doc=_(u'Preference given to this exchanger. 
Lower values are more preferred'), + ), + parameters.Str( + 'mx_part_exchanger', + required=False, + cli_name='mx_exchanger', + option_group=u'MX Record', + label=_(u'MX Exchanger'), + doc=_(u'A host willing to act as a mail exchanger'), + ), + parameters.Str( + 'naptrrecord', + required=False, + multivalue=True, + cli_name='naptr_rec', + option_group=u'NAPTR Record', + label=_(u'NAPTR record'), + doc=_(u'Comma-separated list of raw NAPTR records'), + ), + parameters.Int( + 'naptr_part_order', + required=False, + cli_name='naptr_order', + option_group=u'NAPTR Record', + label=_(u'NAPTR Order'), + doc=_(u'Order'), + ), + parameters.Int( + 'naptr_part_preference', + required=False, + cli_name='naptr_preference', + option_group=u'NAPTR Record', + label=_(u'NAPTR Preference'), + doc=_(u'Preference'), + ), + parameters.Str( + 'naptr_part_flags', + required=False, + cli_name='naptr_flags', + option_group=u'NAPTR Record', + label=_(u'NAPTR Flags'), + doc=_(u'Flags'), + no_convert=True, + ), + parameters.Str( + 'naptr_part_service', + required=False, + cli_name='naptr_service', + option_group=u'NAPTR Record', + label=_(u'NAPTR Service'), + doc=_(u'Service'), + ), + parameters.Str( + 'naptr_part_regexp', + required=False, + cli_name='naptr_regexp', + option_group=u'NAPTR Record', + label=_(u'NAPTR Regular Expression'), + doc=_(u'Regular Expression'), + ), + parameters.Str( + 'naptr_part_replacement', + required=False, + cli_name='naptr_replacement', + option_group=u'NAPTR Record', + label=_(u'NAPTR Replacement'), + doc=_(u'Replacement'), + ), + parameters.Str( + 'nsrecord', + required=False, + multivalue=True, + cli_name='ns_rec', + option_group=u'NS Record', + label=_(u'NS record'), + doc=_(u'Comma-separated list of raw NS records'), + ), + parameters.Str( + 'ns_part_hostname', + required=False, + cli_name='ns_hostname', + option_group=u'NS Record', + label=_(u'NS Hostname'), + doc=_(u'Hostname'), + ), + parameters.Str( + 'nsecrecord', + required=False, + multivalue=True, 
+ cli_name='nsec_rec', + option_group=u'NSEC Record', + label=_(u'NSEC record'), + doc=_(u'Comma-separated list of raw NSEC records'), + ), + parameters.Str( + 'nsec_part_next', + required=False, + cli_name='nsec_next', + option_group=u'NSEC Record', + label=_(u'NSEC Next Domain Name'), + doc=_(u'Next Domain Name'), + ), + parameters.Str( + 'nsec_part_types', + required=False, + multivalue=True, + cli_name='nsec_types', + option_group=u'NSEC Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SIG', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'NSEC Type Map'), + doc=_(u'Type Map'), + ), + parameters.Str( + 'nsec3record', + required=False, + multivalue=True, + cli_name='nsec3_rec', + option_group=u'NSEC3 Record', + label=_(u'NSEC3 record'), + doc=_(u'Comma-separated list of raw NSEC3 records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'nsec3paramrecord', + required=False, + multivalue=True, + cli_name='nsec3param_rec', + option_group=u'NSEC3PARAM Record', + label=_(u'NSEC3PARAM record'), + doc=_(u'Comma-separated list of raw NSEC3PARAM records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ptrrecord', + required=False, + multivalue=True, + cli_name='ptr_rec', + option_group=u'PTR Record', + label=_(u'PTR record'), + doc=_(u'Comma-separated list of raw PTR records'), + ), + parameters.Str( + 'ptr_part_hostname', + required=False, + cli_name='ptr_hostname', + option_group=u'PTR Record', + label=_(u'PTR Hostname'), + doc=_(u'The hostname this reverse record points to'), + no_convert=True, + ), + parameters.Str( + 'rrsigrecord', + required=False, + multivalue=True, + cli_name='rrsig_rec', + option_group=u'RRSIG Record', + label=_(u'RRSIG record'), + doc=_(u'Comma-separated list of raw RRSIG records'), + ), + parameters.Str( + 
'rrsig_part_type_covered', + required=False, + cli_name='rrsig_type_covered', + option_group=u'RRSIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'RRSIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'rrsig_part_algorithm', + required=False, + cli_name='rrsig_algorithm', + option_group=u'RRSIG Record', + label=_(u'RRSIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'rrsig_part_labels', + required=False, + cli_name='rrsig_labels', + option_group=u'RRSIG Record', + label=_(u'RRSIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'rrsig_part_original_ttl', + required=False, + cli_name='rrsig_original_ttl', + option_group=u'RRSIG Record', + label=_(u'RRSIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'rrsig_part_signature_expiration', + required=False, + cli_name='rrsig_signature_expiration', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'rrsig_part_signature_inception', + required=False, + cli_name='rrsig_signature_inception', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'rrsig_part_key_tag', + required=False, + cli_name='rrsig_key_tag', + option_group=u'RRSIG Record', + label=_(u'RRSIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'rrsig_part_signers_name', + required=False, + cli_name='rrsig_signers_name', + option_group=u'RRSIG Record', + label=_(u"RRSIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'rrsig_part_signature', + required=False, + cli_name='rrsig_signature', + option_group=u'RRSIG Record', + label=_(u'RRSIG Signature'), + 
doc=_(u'Signature'), + ), + parameters.Str( + 'rprecord', + required=False, + multivalue=True, + cli_name='rp_rec', + option_group=u'RP Record', + label=_(u'RP record'), + doc=_(u'Comma-separated list of raw RP records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'sigrecord', + required=False, + multivalue=True, + cli_name='sig_rec', + option_group=u'SIG Record', + label=_(u'SIG record'), + doc=_(u'Comma-separated list of raw SIG records'), + ), + parameters.Str( + 'sig_part_type_covered', + required=False, + cli_name='sig_type_covered', + option_group=u'SIG Record', + cli_metavar="['SOA', 'A', 'AAAA', 'A6', 'AFSDB', 'APL', 'CERT', 'CNAME', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'HIP', 'IPSECKEY', 'KEY', 'KX', 'LOC', 'MX', 'NAPTR', 'NS', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'PTR', 'RRSIG', 'RP', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TSIG', 'TXT']", + label=_(u'SIG Type Covered'), + doc=_(u'Type Covered'), + ), + parameters.Int( + 'sig_part_algorithm', + required=False, + cli_name='sig_algorithm', + option_group=u'SIG Record', + label=_(u'SIG Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sig_part_labels', + required=False, + cli_name='sig_labels', + option_group=u'SIG Record', + label=_(u'SIG Labels'), + doc=_(u'Labels'), + ), + parameters.Int( + 'sig_part_original_ttl', + required=False, + cli_name='sig_original_ttl', + option_group=u'SIG Record', + label=_(u'SIG Original TTL'), + doc=_(u'Original TTL'), + ), + parameters.Str( + 'sig_part_signature_expiration', + required=False, + cli_name='sig_signature_expiration', + option_group=u'SIG Record', + label=_(u'SIG Signature Expiration'), + doc=_(u'Signature Expiration'), + ), + parameters.Str( + 'sig_part_signature_inception', + required=False, + cli_name='sig_signature_inception', + option_group=u'SIG Record', + label=_(u'SIG Signature Inception'), + doc=_(u'Signature Inception'), + ), + parameters.Int( + 'sig_part_key_tag', + required=False, + cli_name='sig_key_tag', + option_group=u'SIG 
Record', + label=_(u'SIG Key Tag'), + doc=_(u'Key Tag'), + ), + parameters.Str( + 'sig_part_signers_name', + required=False, + cli_name='sig_signers_name', + option_group=u'SIG Record', + label=_(u"SIG Signer's Name"), + doc=_(u"Signer's Name"), + ), + parameters.Str( + 'sig_part_signature', + required=False, + cli_name='sig_signature', + option_group=u'SIG Record', + label=_(u'SIG Signature'), + doc=_(u'Signature'), + ), + parameters.Str( + 'spfrecord', + required=False, + multivalue=True, + cli_name='spf_rec', + option_group=u'SPF Record', + label=_(u'SPF record'), + doc=_(u'Comma-separated list of raw SPF records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'srvrecord', + required=False, + multivalue=True, + cli_name='srv_rec', + option_group=u'SRV Record', + label=_(u'SRV record'), + doc=_(u'Comma-separated list of raw SRV records'), + ), + parameters.Int( + 'srv_part_priority', + required=False, + cli_name='srv_priority', + option_group=u'SRV Record', + label=_(u'SRV Priority'), + doc=_(u'Priority'), + ), + parameters.Int( + 'srv_part_weight', + required=False, + cli_name='srv_weight', + option_group=u'SRV Record', + label=_(u'SRV Weight'), + doc=_(u'Weight'), + ), + parameters.Int( + 'srv_part_port', + required=False, + cli_name='srv_port', + option_group=u'SRV Record', + label=_(u'SRV Port'), + doc=_(u'Port'), + ), + parameters.Str( + 'srv_part_target', + required=False, + cli_name='srv_target', + option_group=u'SRV Record', + label=_(u'SRV Target'), + doc=_(u"The domain name of the target host or '.' 
if the service is decidedly not available at this domain"), + ), + parameters.Str( + 'sshfprecord', + required=False, + multivalue=True, + cli_name='sshfp_rec', + option_group=u'SSHFP Record', + label=_(u'SSHFP record'), + doc=_(u'Comma-separated list of raw SSHFP records'), + ), + parameters.Int( + 'sshfp_part_algorithm', + required=False, + cli_name='sshfp_algorithm', + option_group=u'SSHFP Record', + label=_(u'SSHFP Algorithm'), + doc=_(u'Algorithm'), + ), + parameters.Int( + 'sshfp_part_fp_type', + required=False, + cli_name='sshfp_fp_type', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint Type'), + doc=_(u'Fingerprint Type'), + ), + parameters.Str( + 'sshfp_part_fingerprint', + required=False, + cli_name='sshfp_fingerprint', + option_group=u'SSHFP Record', + label=_(u'SSHFP Fingerprint'), + doc=_(u'Fingerprint'), + ), + parameters.Str( + 'tarecord', + required=False, + multivalue=True, + cli_name='ta_rec', + option_group=u'TA Record', + label=_(u'TA record'), + doc=_(u'Comma-separated list of raw TA records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tkeyrecord', + required=False, + multivalue=True, + cli_name='tkey_rec', + option_group=u'TKEY Record', + label=_(u'TKEY record'), + doc=_(u'Comma-separated list of raw TKEY records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'tsigrecord', + required=False, + multivalue=True, + cli_name='tsig_rec', + option_group=u'TSIG Record', + label=_(u'TSIG record'), + doc=_(u'Comma-separated list of raw TSIG records'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'txtrecord', + required=False, + multivalue=True, + cli_name='txt_rec', + option_group=u'TXT Record', + label=_(u'TXT record'), + doc=_(u'Comma-separated list of raw TXT records'), + ), + parameters.Str( + 'txt_part_data', + required=False, + cli_name='txt_data', + option_group=u'TXT Record', + label=_(u'TXT Text Data'), + doc=_(u'Text Data'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + 
doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the DNS resource record object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnsrecord_show(Method): + __doc__ = _("Display DNS resource.") + + takes_args = ( + parameters.Str( + 'dnszoneidnsname', + cli_name='dnszone', + label=_(u'Zone name'), + ), + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Record name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'structured', + label=_(u'Structured'), + doc=_(u'Parse all raw DNS records and return them in a structured way'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add(Method): + __doc__ = _("Create new DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. 
+ # """ + # return int(time.time()) + autofill=True, + ), + parameters.Int( + 'idnssoarefresh', + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + autofill=True, + ), + parameters.Int( + 'idnssoaretry', + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + autofill=True, + ), + parameters.Int( + 'idnssoaexpire', + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + autofill=True, + ), + parameters.Int( + 'idnssoaminimum', + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + autofill=True, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + autofill=True, + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + autofill=True, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + 
default=u'none;', + autofill=True, + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force DNS zone creation even if nameserver is not resolvable.'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + doc=_(u'Add forward record for nameserver located in the created zone'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_add_permission(Method): + __doc__ = _("Add a permission for per-zone access delegation.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_del(Method): + __doc__ = _("Delete DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + multivalue=True, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_disable(Method): + __doc__ = _("Disable DNS Zone.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_enable(Method): + __doc__ = _("Enable DNS Zone.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_find(Method): + __doc__ = _("Search for DNS zones (SOA records).") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'idnsname', + required=False, + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + 
doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnszoneactive', + required=False, + cli_name='zone_active', + label=_(u'Active zone'), + doc=_(u'Is zone active?'), + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic 
updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'forward_only', + label=_(u'Forward zones only'), + doc=_(u'Search for forward zones only'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class dnszone_mod(Method): + __doc__ = _("Modify DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'name_from_ip', + required=False, + label=_(u'Reverse zone IP network'), + doc=_(u'IP network to create reverse zone name from'), + ), + parameters.Str( + 'idnssoamname', + required=False, + cli_name='name_server', + label=_(u'Authoritative nameserver'), + doc=_(u'Authoritative nameserver domain name'), + no_convert=True, + ), + parameters.Str( + 'idnssoarname', + required=False, + cli_name='admin_email', + label=_(u'Administrator e-mail address'), + default_from=DefaultFrom(lambda idnsname: 'hostmaster.%s' % idnsname, 'name_from_ip'), + no_convert=True, + ), + parameters.Int( + 'idnssoaserial', + required=False, + cli_name='serial', + label=_(u'SOA serial'), + doc=_(u'SOA record serial number'), + default_from=DefaultFrom(lambda : None), + # FIXME: + 
# def _create_zone_serial(): + # """ + # Generate serial number for zones. bind-dyndb-ldap expects unix time in + # to be used for SOA serial. + # + # SOA serial in a date format would also work, but it may be set to far + # future when many DNS updates are done per day (more than 100). Unix + # timestamp is more resilient to this issue. + # """ + # return int(time.time()) + ), + parameters.Int( + 'idnssoarefresh', + required=False, + cli_name='refresh', + label=_(u'SOA refresh'), + doc=_(u'SOA record refresh time'), + default=3600, + ), + parameters.Int( + 'idnssoaretry', + required=False, + cli_name='retry', + label=_(u'SOA retry'), + doc=_(u'SOA record retry time'), + default=900, + ), + parameters.Int( + 'idnssoaexpire', + required=False, + cli_name='expire', + label=_(u'SOA expire'), + doc=_(u'SOA record expire time'), + default=1209600, + ), + parameters.Int( + 'idnssoaminimum', + required=False, + cli_name='minimum', + label=_(u'SOA minimum'), + doc=_(u'How long should negative responses be cached'), + default=3600, + ), + parameters.Int( + 'dnsttl', + required=False, + cli_name='ttl', + label=_(u'SOA time to live'), + doc=_(u'SOA record time to live'), + ), + parameters.Str( + 'dnsclass', + required=False, + cli_name='class', + cli_metavar="['IN', 'CS', 'CH', 'HS']", + label=_(u'SOA class'), + doc=_(u'SOA record class'), + ), + parameters.Str( + 'idnsupdatepolicy', + required=False, + cli_name='update_policy', + label=_(u'BIND update policy'), + default_from=DefaultFrom(lambda idnsname: None, 'idnsname'), + # FIXME: + # lambda idnsname: default_zone_update_policy(idnsname) + ), + parameters.Bool( + 'idnsallowdynupdate', + required=False, + cli_name='dynamic_update', + label=_(u'Dynamic update'), + doc=_(u'Allow dynamic updates.'), + default=False, + ), + parameters.Str( + 'idnsallowquery', + required=False, + cli_name='allow_query', + label=_(u'Allow query'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to issue 
queries'), + default=u'any;', + no_convert=True, + ), + parameters.Str( + 'idnsallowtransfer', + required=False, + cli_name='allow_transfer', + label=_(u'Allow transfer'), + doc=_(u'Semicolon separated list of IP addresses or networks which are allowed to transfer the zone'), + default=u'none;', + no_convert=True, + ), + parameters.Str( + 'idnsforwarders', + required=False, + multivalue=True, + cli_name='forwarder', + label=_(u'Zone forwarders'), + doc=_(u'A list of per-zone forwarders. A custom port can be specified for each forwarder using a standard format "IP_ADDRESS port PORT"'), + ), + parameters.Str( + 'idnsforwardpolicy', + required=False, + cli_name='forward_policy', + cli_metavar="['only', 'first', 'none']", + label=_(u'Forward policy'), + doc=_(u'Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded.'), + ), + parameters.Bool( + 'idnsallowsyncptr', + required=False, + cli_name='allow_sync_ptr', + label=_(u'Allow PTR sync'), + doc=_(u'Allow synchronization of forward (A, AAAA) and reverse (PTR) records in the zone'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'Force nameserver change even if nameserver not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_remove_permission(Method): + __doc__ = _("Remove a permission for per-zone access delegation.") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class dnszone_show(Method): + __doc__ = _("Display information about a DNS zone (SOA record).") + + takes_args = ( + parameters.Str( + 'idnsname', + cli_name='name', + label=_(u'Zone name'), + doc=_(u'Zone name (FQDN)'), + default_from=DefaultFrom(lambda name_from_ip: None, 'name_from_ip'), + # FIXME: + # lambda name_from_ip: _reverse_zone_name(name_from_ip) + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/entitle.py b/ipaclient/remote_plugins/2_49/entitle.py new file mode 100644 index 000000000..f527939bf --- /dev/null +++ b/ipaclient/remote_plugins/2_49/entitle.py 
@@ -0,0 +1,383 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Entitlements + +Manage entitlements for client machines + +Entitlements can be managed either by registering with an entitlement +server with a username and password or by manually importing entitlement +certificates. An entitlement certificate contains embedded information +such as the product being entitled, the quantity and the validity dates. + +An entitlement server manages the number of client entitlements available. +To mark these entitlements as used by the IPA server you provide a quantity +and they are marked as consumed on the entitlement server. + + Register with an entitlement server: + ipa entitle-register consumer + + Import an entitlement certificate: + ipa entitle-import /home/user/ipaclient.pem + + Display current entitlements: + ipa entitle-status + + Retrieve details on entitlement certificates: + ipa entitle-get + + Consume some entitlements from the entitlement server: + ipa entitle-consume 50 + +The registration ID is a Unique Identifier (UUID). This ID will be +IMPORTED if you have used entitle-import. + +Changes to /etc/rhsm/rhsm.conf require a restart of the httpd service. 
+""") + +register = Registry() + + +@register() +class entitle(Object): + takes_params = ( + ) + + +@register() +class entitle_consume(Method): + __doc__ = _("Consume an entitlement.") + + takes_args = ( + parameters.Int( + 'quantity', + label=_(u'Quantity'), + ), + ) + takes_options = ( + parameters.Int( + 'hidden', + label=_(u'Quantity'), + exclude=('cli', 'webui'), + default=1, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class entitle_find(Method): + __doc__ = _("Search for entitlement accounts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class entitle_get(Command): + __doc__ = _("Retrieve the entitlement certs.") + + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class entitle_import(Method): + __doc__ = _("Import an entitlement certificate.") + + takes_args = ( + parameters.Str( + 'usercertificate', + required=False, + multivalue=True, + cli_name='certificate_file', + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'uuid', + required=False, + label=_(u'UUID'), + doc=_(u'Enrollment UUID'), + default=u'IMPORTED', + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class entitle_register(Method): + __doc__ = _("Register to the entitlement system.") + + takes_args = ( + parameters.Str( + 'username', + label=_(u'Username'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'ipaentitlementid', + required=False, + label=_(u'UUID'), + doc=_(u'Enrollment UUID (not implemented)'), + ), + parameters.Password( + 'password', + label=_(u'Password'), + doc=_(u'Registration password'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class entitle_status(Command): + __doc__ = _("Display current entitlements.") + + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + ) + + +@register() +class entitle_sync(Method): + __doc__ = _("Re-sync the local entitlement cache with the entitlement server.") + + takes_options = ( + parameters.Int( + 'hidden', + label=_(u'Quantity'), + exclude=('cli', 'webui'), + default=1, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/group.py b/ipaclient/remote_plugins/2_49/group.py new file mode 100644 index 000000000..940a113df --- /dev/null +++ b/ipaclient/remote_plugins/2_49/group.py 
@@ -0,0 +1,854 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of users + +Manage groups of users. By default, new groups are POSIX groups. You +can add the --nonposix option to the group-add command to mark a new group +as non-POSIX. You can use the --posix argument with the group-mod command +to convert a non-POSIX group into a POSIX group. POSIX groups cannot be +converted to non-POSIX groups. + +Every group must have a description. + +POSIX groups must have a Group ID (GID) number. Changing a GID is +supported but can have an impact on your file permissions. It is not necessary +to supply a GID when creating a group. IPA will generate one automatically +if it is not provided. 
+ +EXAMPLES: + + Add a new group: + ipa group-add --desc='local administrators' localadmins + + Add a new non-POSIX group: + ipa group-add --nonposix --desc='remote administrators' remoteadmins + + Convert a non-POSIX group to posix: + ipa group-mod --posix remoteadmins + + Add a new POSIX group with a specific Group ID number: + ipa group-add --gid=500 --desc='unix admins' unixadmins + + Add a new POSIX group and let IPA assign a Group ID number: + ipa group-add --desc='printer admins' printeradmins + + Remove a group: + ipa group-del unixadmins + + To add the "remoteadmins" group to the "localadmins" group: + ipa group-add-member --groups=remoteadmins localadmins + + Add a list of users to the "localadmins" group: + ipa group-add-member --users=test1,test2 localadmins + + Remove a user from the "localadmins" group: + ipa group-remove-member --users=test2 localadmins + + Display information about a named group. + ipa group-show localadmins + +External group membership is designed to allow users from trusted domains +to be mapped to local POSIX groups in order to actually use IPA resources. +External members should be added to groups that specifically created as +external and non-POSIX. Such group later should be included into one of POSIX +groups. + +An external group member is currently a Security Identifier (SID) as defined by +the trusted domain. When adding external group members, it is possible to +specify them in either SID, or DOM\name, or name@domain format. IPA will attempt +to resolve passed name to SID with the use of Global Catalog of the trusted domain. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. 
Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external +""") + +register = Registry() + + +@register() +class group(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Group name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_user', + required=False, + label=_(u'Indirect Member users'), + ), + parameters.Str( + 'memberindirect_group', + required=False, + label=_(u'Indirect Member groups'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 
'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class group_add(Method): + __doc__ = _("Create a new group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'nonposix', + doc=_(u'Create as a non-POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'Allow adding external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_add_member(Method): + __doc__ = _("Add members to a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class group_del(Method): + __doc__ = _("Delete group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List 
of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_detach(Method): + __doc__ = _("Detach a managed group from a user.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class group_find(Method): + __doc__ = _("Search for groups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + doc=_(u'search for private groups'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for groups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for groups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for groups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member groups.'), + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for groups with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for groups without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for groups without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for groups with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + 
cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for groups without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class group_mod(Method): + __doc__ = _("Modify a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Group description'), + ), + parameters.Int( + 'gidnumber', + required=False, + cli_name='gid', + label=_(u'GID'), + doc=_(u'GID (use this option to set it manually)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'posix', + doc=_(u'change to a POSIX group'), + default=False, + autofill=True, + ), + parameters.Flag( + 'external', + doc=_(u'change to support external non-IPA members from trusted domains'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the group object'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class group_remove_member(Method): + __doc__ = _("Remove members from a group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'ipaexternalmember', + required=False, + multivalue=True, + cli_name='external', + label=_(u'External member'), + doc=_(u'comma-separated list of members of a trusted domain in DOM\\name or name@domain form'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class group_show(Method): + __doc__ = _("Display information about a named group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group_name', + label=_(u'Group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacrule.py b/ipaclient/remote_plugins/2_49/hbacrule.py new file mode 100644 index 000000000..64e195797 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacrule.py 
@@ -0,0 +1,1198 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Host-based access control + +Control who can access what services on what hosts and from where. You +can use HBAC to control which users or groups on a source host can +access a service, or group of services, on a target host. + +You can also specify a category of users, target hosts, and source +hosts. This is currently limited to "all", but might be expanded in the +future. + +Target hosts and source hosts in HBAC rules must be hosts managed by IPA. + +The available services and groups of services are controlled by the +hbacsvc and hbacsvcgroup plug-ins respectively. + +EXAMPLES: + + Create a rule, "test1", that grants all users access to the host "server" from + anywhere: + ipa hbacrule-add --usercat=all --srchostcat=all test1 + ipa hbacrule-add-host --hosts=server.example.com test1 + + Display the properties of a named HBAC rule: + ipa hbacrule-show test1 + + Create a rule for a specific service. This lets the user john access + the sshd service on any machine from any machine: + ipa hbacrule-add --hostcat=all --srchostcat=all john_sshd + ipa hbacrule-add-user --users=john john_sshd + ipa hbacrule-add-service --hbacsvcs=sshd john_sshd + + Create a rule for a new service group. 
This lets the user john access + the FTP service on any machine from any machine: + ipa hbacsvcgroup-add ftpers + ipa hbacsvc-add sftp + ipa hbacsvcgroup-add-member --hbacsvcs=ftp,sftp ftpers + ipa hbacrule-add --hostcat=all --srchostcat=all john_ftp + ipa hbacrule-add-user --users=john john_ftp + ipa hbacrule-add-service --hbacsvcgroups=ftpers john_ftp + + Disable a named HBAC rule: + ipa hbacrule-disable test1 + + Remove a named HBAC rule: + ipa hbacrule-del allow_server +""") + +register = Registry() + + +@register() +class hbacrule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'sourcehost_host', + required=False, + label=_(u'Source Hosts'), + ), + parameters.Str( + 'sourcehost_hostgroup', + 
required=False, + label=_(u'Source Host Groups'), + ), + parameters.Str( + 'memberservice_hbacsvc', + required=False, + label=_(u'Services'), + ), + parameters.Str( + 'memberservice_hbacsvcgroup', + required=False, + label=_(u'Service Groups'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class hbacrule_add(Method): + __doc__ = _("Create a new HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + autofill=True, + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a 
name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_service(Method): + __doc__ = _("Add services to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to add'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'comma-separated list of HBAC service groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_sourcehost(Method): + __doc__ = _("Add source hosts and hostgroups from a HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_add_user(Method): + __doc__ = _("Add users and groups to an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacrule_del(Method): + __doc__ = _("Delete an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_disable(Method): + __doc__ = _("Disable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_enable(Method): + __doc__ = _("Enable an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_find(Method): + __doc__ = _("Search for HBAC rules.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + 
parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacrule_mod(Method): + __doc__ = _("Modify an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'accessruletype', + required=False, + cli_name='type', + cli_metavar="['allow', 'deny']", + label=_(u'Rule type'), + doc=_(u'Rule type (allow)'), + exclude=('webui', 'cli'), + default=u'allow', + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies 
to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'sourcehostcategory', + required=False, + cli_name='srchostcat', + cli_metavar="['all']", + label=_(u'Source host category'), + doc=_(u'Source host category the rule applies to'), + ), + parameters.Str( + 'servicecategory', + required=False, + cli_name='servicecat', + cli_metavar="['all']", + label=_(u'Service category'), + doc=_(u'Service category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacrule_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_service(Method): + __doc__ = _("Remove service and service groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to remove'), + alwaysask=True, + ), + parameters.Str( + 'hbacsvcgroup', + required=False, + multivalue=True, + cli_name='hbacsvcgroups', + label=_(u'member HBAC service group'), + doc=_(u'comma-separated list of HBAC service groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_sourcehost(Method): + __doc__ = _("Remove source hosts and hostgroups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_remove_user(Method): + __doc__ = _("Remove users and groups from an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacrule_show(Method): + __doc__ = _("Display the properties of an HBAC rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacsvc.py b/ipaclient/remote_plugins/2_49/hbacsvc.py new file mode 100644 index 000000000..89d57b512 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacsvc.py 
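Review bot: The new module carries no header saying that it is a bundled snapshot of the server's 2.49 hbacrule API and must not be edited by hand; its uniform shape and the `# pylint: disable=unused-import` over imports the file never uses (`api`, `DefaultFrom`, `DN`, `DNSName`) suggest it was produced mechanically, but nothing on the page states it. A two-line comment under the copyright block, `# Bundled remote plugin definitions for server API version 2.49.` / `# Regenerate from the source this file was derived from rather than editing by hand.`, would tell a maintainer where a fix belongs. The same applies to hbacsvc.py and to hbacsvcgroup.py, whose hunk runs past this chunk. One mirrored detail worth recording in that header: `accessruletype` in `hbacrule_add`, `hbacrule_find` and `hbacrule_mod` advertises `cli_metavar="['allow', 'deny']"` while its doc reads `Rule type (allow)`; the option is excluded from cli and webui, so it is not reachable from the command line, but the inconsistency should be corrected at the origin the file was derived from, not in this copy.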
@@ -0,0 +1,390 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Services + +The PAM services that HBAC can control access to. The name used here +must match the service name that PAM is evaluating. + +EXAMPLES: + + Add a new HBAC service: + ipa hbacsvc-add tftp + + Modify an existing HBAC service: + ipa hbacsvc-mod --desc="TFTP service" tftp + + Search for HBAC services. This example will return two results, the FTP + service and the newly-added tftp service: + ipa hbacsvc-find ftp + + Delete an HBAC service: + ipa hbacsvc-del tftp +""") + +register = Registry() + + +@register() +class hbacsvc(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service name'), + doc=_(u'HBAC service'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'memberof_hbacsvcgroup', + required=False, + label=_(u'Member of HBAC service groups'), + ), + ) + + +@register() +class hbacsvc_add(Method): + __doc__ = _("Add a new HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_del(Method): + __doc__ = _("Delete an existing HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_find(Method): + __doc__ = _("Search for HBAC services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("service")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvc_mod(Method): + __doc__ = _("Modify an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvc_show(Method): + __doc__ = _("Display information about an HBAC service.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='service', + label=_(u'Service name'), + doc=_(u'HBAC service'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbacsvcgroup.py b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py new file mode 100644 index 000000000..4949ddc4c --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbacsvcgroup.py 
@@ -0,0 +1,493 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +HBAC Service Groups + +HBAC service groups can contain any number of individual services, +or "members". Every group must have a description. + +EXAMPLES: + + Add a new HBAC service group: + ipa hbacsvcgroup-add --desc="login services" login + + Add members to an HBAC service group: + ipa hbacsvcgroup-add-member --hbacsvcs=sshd,login login + + Display information about a named group: + ipa hbacsvcgroup-show login + + Add a new group to the "login" group: + ipa hbacsvcgroup-add --desc="switch users" login + ipa hbacsvcgroup-add-member --hbacsvcs=su,su-l login + + Delete an HBAC service group: + ipa hbacsvcgroup-del login +""") + +register = Registry() + + +@register() +class hbacsvcgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Service group name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'member_hbacsvc', + required=False, + label=_(u'Member HBAC service'), + ), + ) + + +@register() +class hbacsvcgroup_add(Method): + __doc__ = _("Add a new HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_add_member(Method): + __doc__ = _("Add members to an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hbacsvcgroup_del(Method): + __doc__ = _("Delete an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_find(Method): + __doc__ = _("Search for an HBAC service group.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hbacsvcgroup_mod(Method): + __doc__ = _("Modify an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'HBAC service group description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hbacsvcgroup_remove_member(Method): + __doc__ = _("Remove members from an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'hbacsvc', + required=False, + multivalue=True, + cli_name='hbacsvcs', + label=_(u'member HBAC service'), + doc=_(u'comma-separated list of HBAC services to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hbacsvcgroup_show(Method): + __doc__ = _("Display information about an HBAC service group.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Service group name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hbactest.py b/ipaclient/remote_plugins/2_49/hbactest.py new file mode 100644 index 000000000..e13093df0 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hbactest.py 
@@ -0,0 +1,213 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts and from where. +You can use HBAC to control which users or groups can access a service, +or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + + Test user coming to a service on a named host against + existing enabled rules. + + ipa hbactest --user= --host= --service= + [--rules=rules-list] [--nodetail] [--enabled] [--disabled] + [--srchost= ] [--sizelimit= ] + + --user, --host, and --service are mandatory, others are optional. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --nodetail is specified, do not return information about rules matched/not matched. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. + + If --srchost is specified, it will be ignored. It is left because of compatibility reasons only. + +EXAMPLES: + + 1. 
Use all enabled HBAC rules in IPA database to simulate: + $ ipa hbactest --user=a1a --host=bar --service=sshd + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 2. Disable detailed summary of how rules were applied: + $ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail + -------------------- + Access granted: True + -------------------- + + 3. Test explicitly specified HBAC rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: myrule + + 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + matched: allow_all + + 5. Test all disabled HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --disabled + --------------------- + Access granted: False + --------------------- + notmatched: new-rule + + 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: + $ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled + --------------------- + Access granted: False + --------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + + 7. 
Test all (enabled and disabled) HBAC rules in IPA database: + $ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled + -------------------- + Access granted: True + -------------------- + notmatched: my-second-rule + notmatched: my-third-rule + notmatched: myrule + notmatched: new-rule + matched: allow_all +""") + +register = Registry() + + +@register() +class hbactest(Command): + __doc__ = _("Simulate use of Host-based access controls") + + takes_options = ( + parameters.Str( + 'user', + label=_(u'User name'), + ), + parameters.Str( + 'sourcehost', + required=False, + cli_name='srchost', + label=_(u'Source host'), + ), + parameters.Str( + 'targethost', + cli_name='host', + label=_(u'Target host'), + ), + parameters.Str( + 'service', + label=_(u'Service'), + ), + parameters.Str( + 'rules', + required=False, + multivalue=True, + label=_(u'Rules to test. If not specified, --enabled is assumed'), + ), + parameters.Flag( + 'nodetail', + required=False, + label=_(u'Hide details which rules are matched, not matched, or invalid'), + default=False, + autofill=True, + ), + parameters.Flag( + 'enabled', + required=False, + label=_(u'Include all enabled IPA rules into test [default]'), + default=False, + autofill=True, + ), + parameters.Flag( + 'disabled', + required=False, + label=_(u'Include all disabled IPA rules into test'), + default=False, + autofill=True, + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of rules to process when no --rules is specified'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'warning', + (list, tuple, type(None)), + doc=_(u'Warning'), + ), + output.Output( + 'matched', + (list, tuple, type(None)), + doc=_(u'Matched rules'), + ), + output.Output( + 'notmatched', + (list, tuple, type(None)), + doc=_(u'Not matched rules'), + ), + output.Output( + 'error', + 
(list, tuple, type(None)), + doc=_(u'Non-existent or invalid rules'), + ), + output.Output( + 'value', + bool, + doc=_(u'Result of simulation'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/host.py b/ipaclient/remote_plugins/2_49/host.py new file mode 100644 index 000000000..988a83b2d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/host.py 
@@ -0,0 +1,1030 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Hosts/Machines + +A host represents a machine. It can be used in a number of contexts: +- service entries are associated with a host +- a host stores the host/ service principal +- a host can be used in Host-based Access Control (HBAC) rules +- every enrolled client generates a host entry + +ENROLLMENT: + +There are three enrollment scenarios when enrolling a new client: + +1. You are enrolling as a full administrator. The host entry may exist + or not. A full administrator is a member of the hostadmin role + or the admins group. +2. You are enrolling as a limited administrator. The host must already + exist. A limited administrator is a member a role with the + Host Enrollment privilege. +3. The host has been created with a one-time password. + +A host can only be enrolled once. If a client has enrolled and needs to +be re-enrolled, the host entry must be removed and re-created. Note that +re-creating the host entry will result in all services for the host being +removed, and all SSL certificates associated with those services being +revoked. + +A host can optionally store information such as where it is located, +the OS that it runs, etc. 
+ +EXAMPLES: + + Add a new host: + ipa host-add --location="3rd floor lab" --locality=Dallas test.example.com + + Delete a host: + ipa host-del test.example.com + + Add a new host with a one-time password: + ipa host-add --os='Fedora 12' --password=Secret123 test.example.com + + Add a new host with a random one-time password: + ipa host-add --os='Fedora 12' --random test.example.com + + Modify information about a host: + ipa host-mod --os='Fedora 12' test.example.com + + Remove SSH public keys of a host and update DNS to reflect this change: + ipa host-mod --sshpubkey= --updatedns test.example.com + + Disable the host Kerberos key, SSL certificate and all of its services: + ipa host-disable test.example.com + + Add a host that can manage this host's keytab and certificate: + ipa host-add-managedby --hosts=test2 test +""") + +register = Registry() + + +@register() +class host(Object): + takes_params = ( + parameters.Str( + 'fqdn', + primary_key=True, + label=_(u'Host name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Principal name'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + 
parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + parameters.Str( + 'managing_host', + label=_(u'Managing'), + ), + ) + + +@register() +class host_add(Method): + __doc__ = _("Add a new host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force host name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'no_reverse', + doc=_(u'skip reverse DNS detection'), + default=False, + autofill=True, + ), + parameters.Str( + 'ip_address', + required=False, + label=_(u'IP Address'), + doc=_(u'Add the host to DNS with this IP address'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_add_managedby(Method): + __doc__ = _("Add hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class host_del(Method): + __doc__ = _("Delete a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + multivalue=True, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Remove entries from DNS'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 
'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_disable(Method): + __doc__ = _("Disable the Kerberos key, SSL certificate and all services of a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_find(Method): + __doc__ = _("Search for hosts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'fqdn', + required=False, + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. 
"Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostname")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for hosts without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for hosts without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for hosts with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for hosts without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for hosts without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts with 
these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for hosts without these member of sudo rules.'), + ), + parameters.Str( + 'enroll_by_user', + required=False, + multivalue=True, + cli_name='enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts with these enrolled by users.'), + ), + parameters.Str( + 'not_enroll_by_user', + required=False, + multivalue=True, + cli_name='not_enroll_by_users', + label=_(u'user'), + doc=_(u'Search for hosts without these enrolled by users.'), + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managed by hosts.'), + ), + parameters.Str( + 'man_host', + required=False, + multivalue=True, + cli_name='man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts with these managing hosts.'), + ), + parameters.Str( + 'not_man_host', + required=False, + multivalue=True, + cli_name='not_man_hosts', + label=_(u'host'), + doc=_(u'Search for hosts without these managing hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class host_mod(Method): + __doc__ = _("Modify information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', 
+ required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host'), + ), + parameters.Str( + 'l', + required=False, + cli_name='locality', + label=_(u'Locality'), + doc=_(u'Host locality (e.g. "Baltimore, MD")'), + ), + parameters.Str( + 'nshostlocation', + required=False, + cli_name='location', + label=_(u'Location'), + doc=_(u'Host location (e.g. "Lab 2")'), + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + label=_(u'Platform'), + doc=_(u'Host hardware platform (e.g. "Lenovo T61")'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + label=_(u'Operating system'), + doc=_(u'Host operating system and version (e.g. "Fedora 9")'), + ), + parameters.Str( + 'userpassword', + required=False, + cli_name='password', + label=_(u'User password'), + doc=_(u'Password used in bulk enrollment'), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random password to be used in bulk enrollment'), + default=False, + autofill=True, + ), + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'macaddress', + required=False, + multivalue=True, + label=_(u'MAC address'), + doc=_(u'Hardware MAC address(es) on this host'), + no_convert=True, + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principalname', + label=_(u'Principal name'), + doc=_(u'Kerberos principal name for this host'), + ), + parameters.Flag( + 'updatedns', + required=False, + doc=_(u'Update DNS entries'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class host_remove_managedby(Method): + __doc__ = _("Remove hosts that can manage this host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class host_show(Method): + __doc__ = _("Display information about a host.") + + takes_args = ( + parameters.Str( + 'fqdn', + cli_name='hostname', + label=_(u'Host name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/hostgroup.py b/ipaclient/remote_plugins/2_49/hostgroup.py new file mode 100644 index 000000000..2ff646db5 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/hostgroup.py 
@@ -0,0 +1,670 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Groups of hosts. + +Manage groups of hosts. This is useful for applying access control to a +number of hosts by using Host-based Access Control. + +EXAMPLES: + + Add a new host group: + ipa hostgroup-add --desc="Baltimore hosts" baltimore + + Add another new host group: + ipa hostgroup-add --desc="Maryland hosts" maryland + + Add members to the hostgroup: + ipa hostgroup-add-member --hosts=box1,box2,box3 baltimore + + Add a hostgroup as a member of another hostgroup: + ipa hostgroup-add-member --hostgroups=baltimore maryland + + Remove a host from the hostgroup: + ipa hostgroup-remove-member --hosts=box2 baltimore + + Display a host group: + ipa hostgroup-show baltimore + + Delete a hostgroup: + ipa hostgroup-del baltimore +""") + +register = Registry() + + +@register() +class hostgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_hostgroup', + required=False, + label=_(u'Member of host-groups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( 
+ 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberindirect_host', + required=False, + label=_(u'Indirect Member hosts'), + ), + parameters.Str( + 'memberindirect_hostgroup', + required=False, + label=_(u'Indirect Member host-groups'), + ), + parameters.Str( + 'memberofindirect_hostgroup', + required=False, + label=_(u'Indirect Member of host-group'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + ) + + +@register() +class hostgroup_add(Method): + __doc__ = _("Add a new hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_add_member(Method): + __doc__ = _("Add members to a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class hostgroup_del(Method): + __doc__ = _("Delete a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + 
default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_find(Method): + __doc__ = _("Search for hostgroups.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("hostgroup-name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for host groups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for host groups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member host groups.'), + ), + parameters.Str( + 'in_hostgroup', + required=False, + multivalue=True, + cli_name='in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups with these member of host groups.'), + ), + parameters.Str( + 'not_in_hostgroup', + required=False, + multivalue=True, + cli_name='not_in_hostgroups', + label=_(u'host group'), + doc=_(u'Search for host groups without these member of host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for host groups without these member of netgroups.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + 
doc=_(u'Search for host groups with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for host groups without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups with these member of sudo rules.'), + ), + parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for host groups without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class hostgroup_mod(Method): + __doc__ = _("Modify a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this host-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class hostgroup_remove_member(Method): + __doc__ = _("Remove members from a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class hostgroup_show(Method): + __doc__ = _("Display information about a hostgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostgroup_name', + label=_(u'Host-group'), + doc=_(u'Name of host-group'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/idrange.py b/ipaclient/remote_plugins/2_49/idrange.py new file mode 100644 index 000000000..5b2c1096d --- /dev/null 
+++ b/ipaclient/remote_plugins/2_49/idrange.py 
@@ -0,0 +1,609 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +ID ranges + +Manage ID ranges used to map Posix IDs to SIDs and back. + +There are two type of ID ranges which are both handled by this utility: + + - the ID ranges of the local domain + - the ID ranges of trusted remote domains + +Both types have the following attributes in common: + + - base-id: the first ID of the Posix ID range + - range-size: the size of the range + +With those two attributes a range object can reserve the Posix IDs starting +with base-id up to but not including base-id+range-size exclusively. + +Additionally an ID range of the local domain may set + - rid-base: the first RID(*) of the corresponding RID range + - secondary-rid-base: first RID of the secondary RID range + +and an ID range of a trusted domain must set + - rid-base: the first RID of the corresponding RID range + - dom_sid: domain SID of the trusted domain + + + +EXAMPLE: Add a new ID range for a trusted domain + +Since there might be more than one trusted domain the domain SID must be given +while creating the ID range. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=0 \ + --dom-sid=S-1-5-21-123-456-789 trusted_dom_range + +This ID range is then used by the IPA server and the SSSD IPA provider to +assign Posix UIDs to users from the trusted domain. + +If e.g a range for a trusted domain is configured with the following values: + base-id = 1200000 + range-size = 200000 + rid-base = 0 +the RIDs 0 to 199999 are mapped to the Posix ID from 1200000 to 13999999. 
So +RID 1000 <-> Posix ID 1201000 + + + +EXAMPLE: Add a new ID range for the local domain + +To create an ID range for the local domain it is not necessary to specify a +domain SID. But since it is possible that a user and a group can have the same +value as Posix ID a second RID interval is needed to handle conflicts. + + ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000 \ + --secondary-rid-base=1000000 local_range + +The data from the ID ranges of the local domain are used by the IPA server +internally to assign SIDs to IPA users and groups. The SID will then be stored +in the user or group objects. + +If e.g. the ID range for the local domain is configured with the values from +the example above then a new user with the UID 1200007 will get the RID 1007. +If this RID is already used by a group the RID will be 1000007. This can only +happen if a user or a group object was created with a fixed ID because the +automatic assignment will not assign the same ID twice. Since there are only +users and groups sharing the same ID namespace it is sufficient to have only +one fallback range to handle conflicts. + +To find the Posix ID for a given RID from the local domain it has to be +checked first if the RID falls in the primary or secondary RID range and +the rid-base or the secondary-rid-base has to be subtracted, respectively, +and the base-id has to be added to get the Posix ID. + +Typically the creation of ID ranges happens behind the scenes and this CLI +must not be used at all. The ID range for the local domain will be created +during installation or upgrade from an older version. The ID range for a +trusted domain will be created together with the trust by 'ipa trust-add ...'. + +USE CASES: + + Add an ID range from a transitively trusted domain + + If the trusted domain (A) trusts another domain (B) as well and this trust + is transitive 'ipa trust-add domain-A' will only create a range for + domain A. 
The ID range for domain B must be added manually. + + Add an additional ID range for the local domain + + If the ID range of the local domain is exhausted, i.e. no new IDs can be + assigned to Posix users or groups by the DNA plugin, a new range has to be + created to allow new users and groups to be added. (Currently there is no + connection between this range CLI and the DNA plugin, but a future version + might be able to modify the configuration of the DNS plugin as well) + +In general it is not necessary to modify or delete ID ranges. If there is no +other way to achieve a certain configuration than to modify or delete an ID +range it should be done with great care. Because UIDs are stored in the file +system and are used for access control it might be possible that users are +allowed to access files of other users if an ID range got deleted and reused +for a different domain. + +(*) The RID is typically the last integer of a user or group SID which follows +the domain SID. E.g. if the domain SID is S-1-5-21-123-456-789 and a user from +this domain has the SID S-1-5-21-123-456-789-1010 then 1010 id the RID of the +user. RIDs are unique in a domain, 32bit values and are used for users and +groups. + +WARNING: + +DNA plugin in 389-ds will allocate IDs based on the ranges configured for the +local domain. Currently the DNA plugin *cannot* be reconfigured itself based +on the local ranges set via this family of commands. + +Manual configuration change has to be done in the DNA plugin configuration for +the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix +IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be +modified to match the new range. 
+""") + +register = Registry() + + +@register() +class idrange(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + ), + ) + + +@register() +class idrange_add(Method): + __doc__ = _(""" +Add new ID range. + + To add a new ID range you always have to specify + + --base-id + --range-size + + Additionally + + --rid-base + --secondary-rid-base + + may be given for a new ID range for the local domain while + + --rid-bas + --dom-sid + + must be given to add a new range for a trusted AD domain. + + WARNING: + + DNA plugin in 389-ds will allocate IDs based on the ranges configured for the + local domain. Currently the DNA plugin *cannot* be reconfigured itself based + on the local ranges set via this family of commands. + + Manual configuration change has to be done in the DNA plugin configuration for + the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix + IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be + modified to match the new range. 
+ """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class idrange_del(Method): + __doc__ = _("Delete an ID range.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_find(Method): + __doc__ = _("Search for ranges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Range name'), + ), + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 
'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class idrange_mod(Method): + __doc__ = _("Modify ID range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Int( + 'ipabaseid', + required=False, + cli_name='base_id', + label=_(u'First Posix ID of the range'), + ), + parameters.Int( + 'ipaidrangesize', + required=False, + cli_name='range_size', + label=_(u'Number of IDs in the range'), + ), + parameters.Int( + 'ipabaserid', + required=False, + cli_name='rid_base', + label=_(u'First RID of the corresponding RID range'), + ), + parameters.Int( + 'ipasecondarybaserid', + required=False, + cli_name='secondary_rid_base', + label=_(u'First RID of the secondary RID range'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='dom_sid', + label=_(u'Domain SID of the trusted domain'), + ), + parameters.Str( + 'iparangetype', + required=False, + label=_(u'Range type'), + exclude=('cli', 'webui'), + ), + 
parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class idrange_show(Method): + __doc__ = _("Display information about a range.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Range name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/internal.py b/ipaclient/remote_plugins/2_49/internal.py new file mode 100644 index 000000000..63a4adca1 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/internal.py 
@@ -0,0 +1,90 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Plugins not accessible directly through the CLI, commands used internally +""") + +register = Registry() + + +@register() +class i18n_messages(Command): + NO_CLI = True + + has_output = ( + output.Output( + 'messages', + dict, + doc=_(u'Dict of I18N messages'), + ), + ) + + +@register() +class json_metadata(Command): + __doc__ = _("Export plugin meta-data for the webUI.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'objname', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'methodname', + required=False, + doc=_(u'Name of method to export'), + ), + ) + takes_options = ( + parameters.Str( + 'object', + required=False, + doc=_(u'Name of object to export'), + ), + parameters.Str( + 'method', + required=False, + doc=_(u'Name of method to export'), + ), + parameters.Str( + 'command', + required=False, + doc=_(u'Name of command to export'), + ), + ) + has_output = ( + output.Output( + 'objects', + dict, + doc=_(u'Dict of JSON encoded IPA Objects'), + ), + output.Output( + 'methods', + dict, + doc=_(u'Dict of JSON encoded IPA Methods'), + ), + output.Output( + 'commands', + dict, + doc=_(u'Dict of JSON encoded IPA Commands'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/join.py b/ipaclient/remote_plugins/2_49/join.py new file mode 100644 index 000000000..dc0904dc4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/join.py 
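Review bot: The new module carries no comment saying which server API version it mirrors, or whether it is generated or maintained by hand; only the copyright header and the `# pylint: disable=unused-import` line precede the imports. The directory name `2_49` and the commit message carry that information, but a reader of the file alone cannot tell that these parameter and output definitions must match the 2.49 server interface rather than be adjusted to taste. A header such as `# Remote plugin definitions for the IPA 2.49 server API (servers without API schema support); keep in step with the server-side plugin rather than editing here.` would fix that, and the same applies to the join.py, krbtpolicy.py, migration.py and misc.py hunks below. `i18n_messages` is also the only command in this hunk without a `__doc__`; if that mirrors the server it is fine, otherwise a one-line summary would help.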
@@ -0,0 +1,64 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Joining an IPA domain +""") + +register = Registry() + + +@register() +class join(Command): + __doc__ = _("Join an IPA domain") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='hostname', + doc=_(u'The hostname to register as'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: unicode(installutils.get_fqdn()) + autofill=True, + ), + ) + takes_options = ( + parameters.Str( + 'realm', + doc=_(u'The IPA realm'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: get_realm() + autofill=True, + ), + parameters.Str( + 'nshardwareplatform', + required=False, + cli_name='platform', + doc=_(u'Hardware platform of the host (e.g. Lenovo T61)'), + ), + parameters.Str( + 'nsosversion', + required=False, + cli_name='os', + doc=_(u'Operating System and version of the host (e.g. Fedora 9)'), + ), + ) + has_output = ( + ) diff --git a/ipaclient/remote_plugins/2_49/krbtpolicy.py b/ipaclient/remote_plugins/2_49/krbtpolicy.py new file mode 100644 index 000000000..9765c4cd8 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/krbtpolicy.py 
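Review bot: The `cn` and `realm` parameters are declared with `default_from=DefaultFrom(lambda : None)` and `autofill=True`, while the `# FIXME:` comments beneath each show the intended defaults (the local FQDN and the realm); as written the client fills in None rather than a value, so omitting `--hostname` or `--realm` presumably either fails validation or sends a null to the server — confirm which. If the client-side defaults are meant to be supplied elsewhere, the FIXME should say so instead of leaving a dangling commented-out lambda; if not, the gap should be tracked rather than shipped silently. Minor style point: `lambda : None` should be written `lambda: None` (no space before the colon) in both places.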
@@ -0,0 +1,269 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos ticket policy + +There is a single Kerberos ticket policy. This policy defines the +maximum ticket lifetime and the maximum renewal age, the period during +which the ticket is renewable. + +You can also create a per-user ticket policy by specifying the user login. + +For changes to the global policy to take effect, restarting the KDC service +is required, which can be achieved using: + +service krb5kdc restart + +Changes to per-user policies take effect immediately for newly requested +tickets (e.g. when the user next runs kinit). + +EXAMPLES: + + Display the current Kerberos ticket policy: + ipa krbtpolicy-show + + Reset the policy to the default: + ipa krbtpolicy-reset + + Modify the policy to 8 hours max life, 1-day max renewal: + ipa krbtpolicy-mod --maxlife=28800 --maxrenew=86400 + + Display effective Kerberos ticket policy for user 'admin': + ipa krbtpolicy-show admin + + Reset per-user policy for user 'admin': + ipa krbtpolicy-reset admin + + Modify per-user policy for user 'admin': + ipa krbtpolicy-mod admin --maxlife=3600 +""") + +register = Registry() + + +@register() +class krbtpolicy(Object): + takes_params = ( + parameters.Str( + 'uid', + required=False, + primary_key=True, + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + parameters.Int( + 'krbmaxticketlife', + required=False, + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + label=_(u'Max renew'), + doc=_(u'Maximum renewable age 
(seconds)'), + ), + ) + + +@register() +class krbtpolicy_mod(Method): + __doc__ = _("Modify Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxticketlife', + required=False, + cli_name='maxlife', + label=_(u'Max life'), + doc=_(u'Maximum ticket life (seconds)'), + ), + parameters.Int( + 'krbmaxrenewableage', + required=False, + cli_name='maxrenew', + label=_(u'Max renew'), + doc=_(u'Maximum renewable age (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_reset(Method): + __doc__ = _("Reset Kerberos ticket policy to the default values.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class krbtpolicy_show(Method): + __doc__ = _("Display the current Kerberos ticket policy.") + + takes_args = ( + parameters.Str( + 'uid', + required=False, + cli_name='user', + label=_(u'User name'), + doc=_(u'Manage ticket policy for specific user'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/migration.py b/ipaclient/remote_plugins/2_49/migration.py new file mode 100644 index 000000000..753f23a16 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/migration.py 
@@ -0,0 +1,295 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Migration to IPA + +Migrate users and groups from an LDAP server to IPA. + +This performs an LDAP query against the remote server searching for +users and groups in a container. In order to migrate passwords you need +to bind as a user that can read the userPassword attribute on the remote +server. This is generally restricted to high-level admins such as +cn=Directory Manager in 389-ds (this is the default bind user). + +The default user container is ou=People. + +The default group container is ou=Groups. + +Users and groups that already exist on the IPA server are skipped. + +Two LDAP schemas define how group members are stored: RFC2307 and +RFC2307bis. RFC2307bis uses member and uniquemember to specify group +members, RFC2307 uses memberUid. The default schema is RFC2307bis. + +The schema compat feature allows IPA to reformat data for systems that +do not support RFC2307bis. It is recommended that this feature is disabled +during migration to reduce system overhead. It can be re-enabled after +migration. To migrate with it enabled use the "--with-compat" option. + +Migrated users do not have Kerberos credentials, they have only their +LDAP password. To complete the migration process, users need to go +to http://ipa.example.com/ipa/migration and authenticate using their +LDAP password in order to generate their Kerberos credentials. + +Migration is disabled by default. 
Use the command ipa config-mod to +enable it: + + ipa config-mod --enable-migration=TRUE + +If a base DN is not provided with --basedn then IPA will use either +the value of defaultNamingContext if it is set or the first value +in namingContexts set in the root of the remote LDAP server. + +Users are added as members to the default user group. This can be a +time-intensive task so during migration this is done in a batch +mode for every 100 users. As a result there will be a window in which +users will be added to IPA but will not be members of the default +user group. + +EXAMPLES: + + The simplest migration, accepting all defaults: + ipa migrate-ds ldap://ds.example.com:389 + + Specify the user and group container. This can be used to migrate user + and group data from an IPA v1 server: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Since IPA v2 server already contain predefined groups that may collide with + groups in migrated (IPA v1) server (for example admins, ipausers), users + having colliding group as their primary group may happen to belong to + an unknown group on new IPA v2 server. + Use --group-overwrite-gid option to overwrite GID of already existing groups + to prevent this issue: + ipa migrate-ds --group-overwrite-gid \ + --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + ldap://ds.example.com:389 + + Migrated users or groups may have object class and accompanied attributes + unknown to the IPA v2 server. These object classes and attributes may be + left out of the migration process: + ipa migrate-ds --user-container='cn=users,cn=accounts' \ + --group-container='cn=groups,cn=accounts' \ + --user-ignore-objectclass=radiusprofile \ + --user-ignore-attribute=radiusgroupname \ + ldap://ds.example.com:389 + +LOGGING + +Migration will log warnings and errors to the Apache error log. 
This +file should be evaluated post-migration to correct or investigate any +issues that were discovered. + +For every 100 users migrated an info-level message will be displayed to +give the current progress and duration to make it possible to track +the progress of migration. + +If the log level is debug, either by setting debug = True in +/etc/ipa/default.conf or /etc/ipa/server.conf, then an entry will be printed +for each user added plus a summary when the default user group is +updated. +""") + +register = Registry() + + +@register() +class migrate_ds(Command): + __doc__ = _("Migrate users and groups from DS to IPA.") + + takes_args = ( + parameters.Str( + 'ldapuri', + cli_name='ldap_uri', + label=_(u'LDAP URI'), + doc=_(u'LDAP URI of DS server to migrate from'), + ), + parameters.Password( + 'bindpw', + cli_name='password', + label=_(u'Password'), + doc=_(u'bind password'), + ), + ) + takes_options = ( + parameters.DNParam( + 'binddn', + required=False, + cli_name='bind_dn', + label=_(u'Bind DN'), + default=DN(u'cn=directory manager'), + autofill=True, + ), + parameters.DNParam( + 'usercontainer', + cli_name='user_container', + label=_(u'User container'), + doc=_(u'DN of container for users in DS relative to base DN'), + default=DN(u'ou=people'), + autofill=True, + ), + parameters.DNParam( + 'groupcontainer', + cli_name='group_container', + label=_(u'Group container'), + doc=_(u'DN of container for groups in DS relative to base DN'), + default=DN(u'ou=groups'), + autofill=True, + ), + parameters.Str( + 'userobjectclass', + multivalue=True, + cli_name='user_objectclass', + label=_(u'User object class'), + doc=_(u'Comma-separated list of objectclasses used to search for user entries in DS'), + default=(u'person',), + autofill=True, + ), + parameters.Str( + 'groupobjectclass', + multivalue=True, + cli_name='group_objectclass', + label=_(u'Group object class'), + doc=_(u'Comma-separated list of objectclasses used to search for group entries in DS'), + 
default=(u'groupOfUniqueNames', u'groupOfNames'), + autofill=True, + ), + parameters.Str( + 'userignoreobjectclass', + required=False, + multivalue=True, + cli_name='user_ignore_objectclass', + label=_(u'Ignore user object class'), + doc=_(u'Comma-separated list of objectclasses to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'userignoreattribute', + required=False, + multivalue=True, + cli_name='user_ignore_attribute', + label=_(u'Ignore user attribute'), + doc=_(u'Comma-separated list of attributes to be ignored for user entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreobjectclass', + required=False, + multivalue=True, + cli_name='group_ignore_objectclass', + label=_(u'Ignore group object class'), + doc=_(u'Comma-separated list of objectclasses to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Str( + 'groupignoreattribute', + required=False, + multivalue=True, + cli_name='group_ignore_attribute', + label=_(u'Ignore group attribute'), + doc=_(u'Comma-separated list of attributes to be ignored for group entries in DS'), + default=(), + autofill=True, + ), + parameters.Flag( + 'groupoverwritegid', + cli_name='group_overwrite_gid', + label=_(u'Overwrite GID'), + doc=_(u'When migrating a group already existing in IPA domain overwrite the group GID and report as success'), + default=False, + autofill=True, + ), + parameters.Str( + 'schema', + required=False, + cli_metavar="['RFC2307bis', 'RFC2307']", + label=_(u'LDAP schema'), + doc=_(u'The schema used on the LDAP server. Supported values are RFC2307 and RFC2307bis. The default is RFC2307bis'), + default=u'RFC2307bis', + autofill=True, + ), + parameters.Flag( + 'continue', + required=False, + label=_(u'Continue'), + doc=_(u'Continuous operation mode. 
Errors are reported but the process continues'), + default=False, + autofill=True, + ), + parameters.DNParam( + 'basedn', + required=False, + cli_name='base_dn', + label=_(u'Base DN'), + doc=_(u'Base DN on remote LDAP server'), + ), + parameters.Flag( + 'compat', + required=False, + cli_name='with_compat', + label=_(u'Ignore compat plugin'), + doc=_(u'Allows migration despite the usage of compat plugin'), + default=False, + autofill=True, + ), + parameters.Str( + 'exclude_groups', + required=False, + multivalue=True, + doc=_(u'comma-separated list of groups to exclude from migration'), + default=(), + autofill=True, + ), + parameters.Str( + 'exclude_users', + required=False, + multivalue=True, + doc=_(u'comma-separated list of users to exclude from migration'), + default=(), + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Lists of objects migrated; categorized by type.'), + ), + output.Output( + 'failed', + dict, + doc=_(u'Lists of objects that could not be migrated; categorized by type.'), + ), + output.Output( + 'enabled', + bool, + doc=_(u'False if migration mode was disabled.'), + ), + output.Output( + 'compat', + bool, + doc=_(u'False if migration fails because the compatibility plug-in is enabled.'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/misc.py b/ipaclient/remote_plugins/2_49/misc.py new file mode 100644 index 000000000..4889e666b --- /dev/null +++ b/ipaclient/remote_plugins/2_49/misc.py 
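Review bot: The `schema` option is a plain `parameters.Str` whose `cli_metavar="['RFC2307bis', 'RFC2307']"` advertises a closed set of values, but nothing on the client side constrains the value, so a misspelled schema name travels to the server and can only be rejected there (whether the server validates it is not visible here). If the definition has to mirror the 2.49 server interface, a one-line comment above the option, `# free-form on purpose: the value set is enforced by the server, the metavar is CLI help only`, would stop a later reader from tightening it locally. The same Str-plus-metavar shape is used for `usercategory` and `hostcategory` in the netgroup.py hunk further down.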
@@ -0,0 +1,113 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Misc plug-ins +""") + +register = Registry() + + +@register() +class env(Command): + __doc__ = _("Show environment variables.") + + takes_args = ( + parameters.Str( + 'variables', + required=False, + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping variable name to value'), + ), + output.Output( + 'total', + int, + doc=_(u'Total number of variables env (>= count)'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of variables returned (<= total)'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) + + +@register() +class plugins(Command): + __doc__ = _("Show all loaded plugins.") + + takes_options = ( + parameters.Flag( + 'server', + required=False, + doc=_(u'Forward to server instead of running locally'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=True, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'result', + dict, + doc=_(u'Dictionary mapping plugin names to bases'), + ), + output.Output( + 'count', + int, + doc=_(u'Number of plugins loaded'), + ), + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/netgroup.py b/ipaclient/remote_plugins/2_49/netgroup.py new file mode 100644 index 000000000..ea2936270 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/netgroup.py 
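Review bot: The positional `variables` argument of `env` is the only parameter in this hunk with neither a `label` nor a `doc`, so the CLI help for `ipa env` will show a bare name; if the definition must match the 2.49 server it cannot be changed, but a comment such as `# no label/doc on purpose: mirrors the server definition; names of environment variables to show` records why. Separately, `all` defaults to True in both `env` and `plugins`, unlike the False default used for `all` in every other command in this series — that looks intentional for these two commands, but is worth confirming against the server side.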
@@ -0,0 +1,826 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Netgroups + +A netgroup is a group used for permission checking. It can contain both +user and host values. + +EXAMPLES: + + Add a new netgroup: + ipa netgroup-add --desc="NFS admins" admins + + Add members to the netgroup: + ipa netgroup-add-member --users=tuser1,tuser2 admins + + Remove a member from the netgroup: + ipa netgroup-remove-member --users=tuser2 admins + + Display information about a netgroup: + ipa netgroup-show admins + + Delete a netgroup: + ipa netgroup-del admins +""") + +register = Registry() + + +@register() +class netgroup(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Netgroup name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + parameters.Str( + 'member_netgroup', + required=False, + label=_(u'Member netgroups'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + 
parameters.Str( + 'memberindirect_netgroup', + required=False, + label=_(u'Indirect Member netgroups'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Member User'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'Member Group'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Member Host'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Member Hostgroup'), + ), + ) + + +@register() +class netgroup_add(Method): + __doc__ = _("Add a new netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_add_member(Method): + __doc__ = _("Add members to a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'comma-separated list of netgroups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class netgroup_del(Method): + __doc__ = _("Delete a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_find(Method): + __doc__ = _("Search for a netgroup.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'ipauniqueid', + required=False, + cli_name='uuid', + label=_(u'IPA unique ID'), + doc=_(u'IPA unique ID'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'private', + exclude=('webui', 'cli'), + default=False, + autofill=True, + ), + parameters.Flag( + 'managed', + doc=_(u'search for managed groups'), + default=False, + default_from=DefaultFrom(lambda private: private), + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member netgroups.'), + ), + parameters.Str( + 'no_netgroup', + required=False, + multivalue=True, + cli_name='no_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member netgroups.'), + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'user'), + doc=_(u'Search for netgroups with these member users.'), + ), + parameters.Str( + 'no_user', + required=False, + multivalue=True, + cli_name='no_users', + label=_(u'user'), + doc=_(u'Search for netgroups without these member users.'), + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'group'), + doc=_(u'Search for netgroups with these member groups.'), + ), + parameters.Str( + 'no_group', + required=False, + multivalue=True, + cli_name='no_groups', + label=_(u'group'), + doc=_(u'Search for netgroups without these member groups.'), + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'host'), + doc=_(u'Search for netgroups with these member hosts.'), + ), + parameters.Str( + 'no_host', + required=False, + multivalue=True, + cli_name='no_hosts', + label=_(u'host'), + doc=_(u'Search for netgroups without these member hosts.'), + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'host 
group'), + doc=_(u'Search for netgroups with these member host groups.'), + ), + parameters.Str( + 'no_hostgroup', + required=False, + multivalue=True, + cli_name='no_hostgroups', + label=_(u'host group'), + doc=_(u'Search for netgroups without these member host groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for netgroups without these member of netgroups.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class netgroup_mod(Method): + __doc__ = _("Modify a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Netgroup description'), + ), + parameters.Str( + 'nisdomainname', + required=False, + cli_name='nisdomain', + label=_(u'NIS domain name'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 
'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class netgroup_remove_member(Method): + __doc__ = _("Remove members from a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'netgroup', + required=False, + multivalue=True, + cli_name='netgroups', + label=_(u'member netgroup'), + doc=_(u'comma-separated list of netgroups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class netgroup_show(Method): + __doc__ = _("Display information about a netgroup.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Netgroup name'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/passwd.py b/ipaclient/remote_plugins/2_49/passwd.py new file mode 100644 index 000000000..34385df6d --- /dev/null +++ b/ipaclient/remote_plugins/2_49/passwd.py 
@@ -0,0 +1,86 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Set a user's password + +If someone other than a user changes that user's password (e.g., Helpdesk +resets it) then the password will need to be changed the first time it +is used. This is so the end-user is the only one who knows the password. + +The IPA password policy controls how often a password may be changed, +what strength requirements exist, and the length of the password history. + +EXAMPLES: + + To reset your own password: + ipa passwd + + To change another user's password: + ipa passwd tuser1 +""") + +register = Registry() + + +@register() +class passwd(Command): + __doc__ = _("Set a user's password.") + + takes_args = ( + parameters.Str( + 'principal', + cli_name='user', + label=_(u'User name'), + default_from=DefaultFrom(lambda : None), + # FIXME: + # lambda: util.get_current_principal() + autofill=True, + no_convert=True, + ), + parameters.Password( + 'password', + label=_(u'New Password'), + confirm=True, + ), + parameters.Password( + 'current_password', + label=_(u'Current Password'), + default_from=DefaultFrom(lambda principal: None, 'principal'), + # FIXME: + # lambda principal: get_current_password(principal) + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
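Review bot: In `passwd.takes_args` the `principal` and `current_password` defaults are stubbed to `DefaultFrom(lambda : None)` and `DefaultFrom(lambda principal: None, 'principal')`, with `# FIXME` comments pointing at the original `util.get_current_principal()` / `get_current_password(principal)` callbacks, so the module docstring's self-service example `ipa passwd` now depends on the 2.49 server (not the client) deriving the principal and deciding whether a current password is asked for. The FIXME should state that consequence rather than only the missing call, e.g. `# FIXME: principal is not derived from the client's Kerberos credentials here; the server-side default applies`. It is also worth recording what the client does for `current_password` when a user changes their own password, since requiring the current password there is what separates a self-service change from an administrative reset. Whether the server prompts in this case is not visible from the hunk and would need confirming against a 2.49 server.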
diff --git a/ipaclient/remote_plugins/2_49/permission.py b/ipaclient/remote_plugins/2_49/permission.py new file mode 100644 index 000000000..bce582fdd --- /dev/null +++ b/ipaclient/remote_plugins/2_49/permission.py 
@@ -0,0 +1,751 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Permissions + +A permission enables fine-grained delegation of rights. A permission is +a human-readable form of a 389-ds Access Control Rule, or instruction (ACI). +A permission grants the right to perform a specific task such as adding a +user, modifying a group, etc. + +A permission may not contain other permissions. + +* A permission grants access to read, write, add or delete. +* A privilege combines similar permissions (for example all the permissions + needed to add a user). +* A role grants a set of privileges to users, groups, hosts or hostgroups. + +A permission is made up of a number of different parts: + +1. The name of the permission. +2. The target of the permission. +3. The rights granted by the permission. + +Rights define what operations are allowed, and may be one or more +of the following: +1. write - write one or more attributes +2. read - read one or more attributes +3. add - add a new entry to the tree +4. delete - delete an existing entry +5. all - all permissions are granted + +Read permission is granted for most attributes by default so the read +permission is not expected to be used very often. + +Note the distinction between attributes and entries. The permissions are +independent, so being able to add a user does not mean that the user will +be editable. + +There are a number of allowed targets: +1. type: a type of object (user, group, etc). +2. memberof: a member of a group or hostgroup +3. filter: an LDAP filter +4. subtree: an LDAP filter specifying part of the LDAP DIT. 
This is a + super-set of the "type" target. +5. targetgroup: grant access to modify a specific group (such as granting + the rights to manage group membership) + +EXAMPLES: + + Add a permission that grants the creation of users: + ipa permission-add --type=user --permissions=add "Add Users" + + Add a permission that grants the ability to manage group membership: + ipa permission-add --attrs=member --permissions=write --type=group "Manage Group Members" +""") + +register = Registry() + + +@register() +class permission(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Permission name'), + ), + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + parameters.Str( + 'type', + required=False, + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Str( + 'member_privilege', + required=False, + label=_(u'Granted to Privilege'), + ), + parameters.Str( + 'memberindirect_role', + required=False, + label=_(u'Indirect Member of roles'), + ), + ) + + +@register() +class permission_add(Method): + __doc__ = _("Add a new permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + alwaysask=True, + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + alwaysask=True, + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + alwaysask=True, + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. 
ou=Engineering)'), + alwaysask=True, + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + alwaysask=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_add_member(Method): + __doc__ = _("Add members to a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'comma-separated list of privileges to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class permission_add_noaci(Method): + __doc__ = _("Add a system permission without an ACI") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissiontype', + required=False, + cli_metavar="['SYSTEM']", + label=_(u'Permission type'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class permission_del(Method): + __doc__ = _("Delete a permission.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force delete of SYSTEM permissions'), + exclude=('cli', 'webui'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_find(Method): + __doc__ = _("Search for permissions.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Permission name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 
'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class permission_mod(Method): + __doc__ = _("Modify a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write, add, delete, all)'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + 
label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Str( + 'type', + required=False, + cli_metavar="['user', 'group', 'host', 'service', 'hostgroup', 'netgroup', 'dnsrecord']", + label=_(u'Type'), + doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dns)'), + ), + parameters.Str( + 'memberof', + required=False, + label=_(u'Member of group'), + doc=_(u'Target members of a group'), + ), + parameters.Str( + 'filter', + required=False, + label=_(u'Filter'), + doc=_(u'Legal LDAP filter (e.g. ou=Engineering)'), + ), + parameters.Str( + 'subtree', + required=False, + label=_(u'Subtree'), + doc=_(u'Subtree to apply permissions to'), + ), + parameters.Str( + 'targetgroup', + required=False, + label=_(u'Target group'), + doc=_(u'User group to apply permissions to'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the permission object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class permission_remove_member(Method): + __doc__ = _("Remove members from a permission.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'member privilege'), + doc=_(u'comma-separated list of privileges to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class permission_show(Method): + __doc__ = _("Display information about a permission.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Permission name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/ping.py b/ipaclient/remote_plugins/2_49/ping.py new file mode 100644 index 000000000..83917fbb7 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/ping.py 
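Review bot: The `type` option in `permission_add` lists `'dnsrecord'` in `cli_metavar` while its `doc` names the object as `dns`, so the help text and the value the client advertises as accepted disagree; the same mismatch is repeated in `permission_find` and `permission_mod` in this hunk. Since these definitions are bundled to mirror the 2.49 server API, the metavar value is presumably what the server expects and should stay; if the doc string is client-owned, align it as `doc=_(u'Type of IPA object (user, group, host, hostgroup, service, netgroup, dnsrecord)')`, otherwise a one-line comment noting that the text is reproduced verbatim from the server would spare the next reader the same question. All three classes lie entirely within this hunk.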
@@ -0,0 +1,60 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Ping the remote IPA server to ensure it is running. + +The ping command sends an echo request to an IPA server. The server +returns its version information. This is used by an IPA client +to confirm that the server is available and accepting requests. + +The server from xmlrpc_uri in /etc/ipa/default.conf is contacted first. +If it does not respond then the client will contact any servers defined +by ldap SRV records in DNS. + +EXAMPLES: + + Ping an IPA server: + ipa ping + ------------------------------------------ + IPA server version 2.1.9. API version 2.20 + ------------------------------------------ + + Ping an IPA server verbosely: + ipa -v ping + ipa: INFO: trying https://ipa.example.com/ipa/xml + ipa: INFO: Forwarding 'ping' to server u'https://ipa.example.com/ipa/xml' + ----------------------------------------------------- + IPA server version 2.1.9. API version 2.20 + ----------------------------------------------------- +""") + +register = Registry() + + +@register() +class ping(Command): + __doc__ = _("Ping a remote server.") + + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/pkinit.py b/ipaclient/remote_plugins/2_49/pkinit.py new file mode 100644 index 000000000..9b06c2ef0 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/pkinit.py 
@@ -0,0 +1,61 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Kerberos pkinit options + +Enable or disable anonymous pkinit using the principal +WELLKNOWN/ANONYMOUS@REALM. The server must have been installed with +pkinit support. + +EXAMPLES: + + Enable anonymous pkinit: + ipa pkinit-anonymous enable + + Disable anonymous pkinit: + ipa pkinit-anonymous disable + +For more information on anonymous pkinit see: + +http://k5wiki.kerberos.org/wiki/Projects/Anonymous_pkinit +""") + +register = Registry() + + +@register() +class pkinit(Object): + takes_params = ( + ) + + +@register() +class pkinit_anonymous(Command): + __doc__ = _("Enable or Disable Anonymous PKINIT.") + + takes_args = ( + parameters.Str( + 'action', + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) diff --git a/ipaclient/remote_plugins/2_49/privilege.py b/ipaclient/remote_plugins/2_49/privilege.py new file mode 100644 index 000000000..f450c20f1 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/privilege.py 
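Review bot: `pkinit_anonymous.takes_args` declares `action` as a bare `parameters.Str('action')` with no `doc` or `cli_metavar`, even though the module docstring restricts it to `enable` / `disable`, and `has_output` declares `output.Output('result')` with no type, so the command help gives no hint of the accepted values and the result presumably goes unchecked on the client. If the definition is deliberately a faithful copy of the 2.49 server's plugin, a comment saying so would prevent someone "fixing" it; otherwise add `doc=_(u"'enable' or 'disable'")` to the argument. The class lies entirely within this hunk.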
@@ -0,0 +1,603 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Privileges + +A privilege combines permissions into a logical task. A permission provides +the rights to do a single task. There are some IPA operations that require +multiple permissions to succeed. A privilege is where permissions are +combined in order to perform a specific task. + +For example, adding a user requires the following permissions: + * Creating a new user entry + * Resetting a user password + * Adding the new user to the default IPA users group + +Combining these three low-level tasks into a higher level task in the +form of a privilege named "Add User" makes it easier to manage Roles. + +A privilege may not contain other privileges. + +See role and permission for additional information. 
+""") + +register = Registry() + + +@register() +class privilege(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'memberof_permission', + required=False, + label=_(u'Permissions'), + ), + parameters.Str( + 'member_role', + required=False, + label=_(u'Granting privilege to roles'), + ), + ) + + +@register() +class privilege_add(Method): + __doc__ = _("Add a new privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class privilege_add_member(Method): + __doc__ = _("Add members to a privilege.") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'comma-separated list of roles to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class privilege_add_permission(Method): + __doc__ = _("Add permissions to a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'comma-separated list of permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions added'), + ), + ) + + +@register() +class privilege_del(Method): + __doc__ = _("Delete a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class privilege_find(Method): + __doc__ = _("Search for privileges.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Privilege name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class privilege_mod(Method): + __doc__ = _("Modify a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'Privilege description'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the privilege object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class privilege_remove_member(Method): + __doc__ = _("Remove members from a privilege") + + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'role', + required=False, + multivalue=True, + cli_name='roles', + label=_(u'member role'), + doc=_(u'comma-separated list of roles to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class privilege_remove_permission(Method): + __doc__ = _("Remove permissions from a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'permission', + required=False, + multivalue=True, + cli_name='permissions', + label=_(u'permission'), + doc=_(u'comma-separated list of permissions'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of permissions removed'), + ), + ) + + +@register() +class privilege_show(Method): + __doc__ = _("Display information about a privilege.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Privilege name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). 
See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/pwpolicy.py b/ipaclient/remote_plugins/2_49/pwpolicy.py new file mode 100644 index 000000000..99e494548 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/pwpolicy.py 
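Review bot: In `privilege_remove_permission` the `failed` output is documented as `doc=_(u'Members that could not be added')`, which contradicts the neighbouring `completed` output (`Number of permissions removed`) and the class docstring; `privilege_remove_member` in the same hunk gets it right with `'Members that could not be removed'`. If these definitions must mirror the 2.49 server verbatim, the string presumably has to stay as the server emitted it, in which case a comment on that line noting the inherited wording would stop the next reader from "fixing" it. Otherwise the line should read `doc=_(u'Members that could not be removed'),`.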
@@ -0,0 +1,947 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Password policy + +A password policy sets limitations on IPA passwords, including maximum +lifetime, minimum lifetime, the number of passwords to save in +history, the number of character classes required (for stronger passwords) +and the minimum password length. + +By default there is a single, global policy for all users. You can also +create a password policy to apply to a group. Each user is only subject +to one password policy, either the group policy or the global policy. A +group policy stands alone; it is not a super-set of the global policy plus +custom settings. + +Each group password policy requires a unique priority setting. If a user +is in multiple groups that have password policies, this priority determines +which password policy is applied. A lower value indicates a higher priority +policy. + +Group password policies are automatically removed when the groups they +are associated with are removed. 
+ +EXAMPLES: + + Modify the global policy: + ipa pwpolicy-mod --minlength=10 + + Add a new group password policy: + ipa pwpolicy-add --maxlife=90 --minlife=1 --history=10 --minclasses=3 --minlength=8 --priority=10 localadmins + + Display the global password policy: + ipa pwpolicy-show + + Display a group password policy: + ipa pwpolicy-show localadmins + + Display the policy that would be applied to a given user: + ipa pwpolicy-show --user=tuser1 + + Modify a group password policy: + ipa pwpolicy-mod --minclasses=2 localadmins +""") + +register = Registry() + + +@register() +class cosentry(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + ) + + +@register() +class pwpolicy(Object): + takes_params = ( + parameters.Str( + 'cn', + required=False, + primary_key=True, + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', 
+ required=False, + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + ) + + +@register() +class cosentry_add(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + ), + parameters.Int( + 'cospriority', + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_del(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_find(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + ), + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("cn")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class cosentry_mod(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.DNParam( + 'krbpwdpolicyreference', + required=False, + ), + parameters.Int( + 'cospriority', + required=False, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class cosentry_show(Method): + NO_CLI = True + + takes_args = ( + parameters.Str( + 'cn', + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_add(Method): + __doc__ = _("Add a new group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_del(Method): + __doc__ = _("Delete a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_find(Method): + __doc__ = _("Search for group password policies.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Int( + 
'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("group")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class pwpolicy_mod(Method): + __doc__ = _("Modify a group password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Int( + 'krbmaxpwdlife', + required=False, + cli_name='maxlife', + label=_(u'Max lifetime (days)'), + doc=_(u'Maximum password lifetime (in days)'), + ), + parameters.Int( + 'krbminpwdlife', + required=False, + cli_name='minlife', + label=_(u'Min lifetime (hours)'), + doc=_(u'Minimum password lifetime (in hours)'), + ), + parameters.Int( + 'krbpwdhistorylength', + required=False, + cli_name='history', + label=_(u'History size'), + doc=_(u'Password history size'), + ), + parameters.Int( + 'krbpwdmindiffchars', + required=False, + cli_name='minclasses', + 
label=_(u'Character classes'), + doc=_(u'Minimum number of character classes'), + ), + parameters.Int( + 'krbpwdminlength', + required=False, + cli_name='minlength', + label=_(u'Min length'), + doc=_(u'Minimum length of password'), + ), + parameters.Int( + 'cospriority', + required=False, + cli_name='priority', + label=_(u'Priority'), + doc=_(u'Priority of the policy (higher number means lower priority'), + ), + parameters.Int( + 'krbpwdmaxfailure', + required=False, + cli_name='maxfail', + label=_(u'Max failures'), + doc=_(u'Consecutive failures before lockout'), + ), + parameters.Int( + 'krbpwdfailurecountinterval', + required=False, + cli_name='failinterval', + label=_(u'Failure reset interval'), + doc=_(u'Period after which failure count will be reset (seconds)'), + ), + parameters.Int( + 'krbpwdlockoutduration', + required=False, + cli_name='lockouttime', + label=_(u'Lockout duration'), + doc=_(u'Period for which lockout is enforced (seconds)'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class pwpolicy_show(Method): + __doc__ = _("Display information about password policy.") + + takes_args = ( + parameters.Str( + 'cn', + required=False, + cli_name='group', + label=_(u'Group'), + doc=_(u'Manage password policy for specific group'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + label=_(u'User'), + doc=_(u'Display effective policy for a specific user'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/role.py b/ipaclient/remote_plugins/2_49/role.py new file mode 100644 index 000000000..e7ac59b7f --- /dev/null 
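Review bot: The `cospriority` doc string `_(u'Priority of the policy (higher number means lower priority')` is missing its closing parenthesis, and the same unbalanced string is repeated in `pwpolicy`, `pwpolicy_add`, `pwpolicy_find` and `pwpolicy_mod` within this hunk. This text is rendered as CLI help, so the defect is user-visible; if the bundled definition must match the 2.49 server byte for byte, a comment marking it as inherited wording is the alternative to changing it to `doc=_(u'Priority of the policy (higher number means lower priority)'),`. Separately, the module docstring lists only lifetime, history, character-class and length settings, while the definitions also expose `krbpwdmaxfailure`, `krbpwdfailurecountinterval` and `krbpwdlockoutduration`; one sentence in the docstring stating that a policy also sets the lockout behaviour (consecutive failures, failure-count reset interval and lockout duration) would make the help self-consistent.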
+++ b/ipaclient/remote_plugins/2_49/role.py 
@@ -0,0 +1,682 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Roles + +A role is used for fine-grained delegation. A permission grants the ability +to perform given low-level tasks (add a user, modify a group, etc.). A +privilege combines one or more permissions into a higher-level abstraction +such as useradmin. A useradmin would be able to add, delete and modify users. + +Privileges are assigned to Roles. + +Users, groups, hosts and hostgroups may be members of a Role. + +Roles can not contain other roles. + +EXAMPLES: + + Add a new role: + ipa role-add --desc="Junior-level admin" junioradmin + + Add some privileges to this role: + ipa role-add-privilege --privileges=addusers junioradmin + ipa role-add-privilege --privileges=change_password junioradmin + ipa role-add-privilege --privileges=add_user_to_default_group junioradmin + + Add a group of users to this role: + ipa group-add --desc="User admins" useradmins + ipa role-add-member --groups=useradmins junioradmin + + Display information about a role: + ipa role-show junioradmin + + The result of this is that any users in the group 'junioradmin' can + add users, reset passwords or add a user to the default IPA user group. 
+""") + +register = Registry() + + +@register() +class role(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Role name'), + ), + parameters.Str( + 'description', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'member_user', + required=False, + label=_(u'Member users'), + ), + parameters.Str( + 'member_group', + required=False, + label=_(u'Member groups'), + ), + parameters.Str( + 'member_host', + required=False, + label=_(u'Member hosts'), + ), + parameters.Str( + 'member_hostgroup', + required=False, + label=_(u'Member host-groups'), + ), + parameters.Str( + 'memberof_privilege', + required=False, + label=_(u'Privileges'), + ), + ) + + +@register() +class role_add(Method): + __doc__ = _("Add a new role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_add_member(Method): + __doc__ = _("Add members to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class role_add_privilege(Method): + __doc__ = 
_("Add privileges to a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'comma-separated list of privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges added'), + ), + ) + + +@register() +class role_del(Method): + __doc__ = _("Delete a role.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class role_find(Method): + __doc__ = _("Search for roles.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Role name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class role_mod(Method): + __doc__ = _("Modify a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + doc=_(u'A description of this role-group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the role object'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class role_remove_member(Method): + __doc__ = _("Remove members from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class role_remove_privilege(Method): + __doc__ = _("Remove privileges from a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'privilege', + required=False, + multivalue=True, + cli_name='privileges', + label=_(u'privilege'), + doc=_(u'comma-separated list of privileges'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of privileges removed'), + ), + ) + + +@register() +class role_show(Method): + __doc__ = _("Display information about a role.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Role name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/selfservice.py b/ipaclient/remote_plugins/2_49/selfservice.py new file mode 100644 index 000000000..76bb84ca4 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/selfservice.py 
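Review bot: In `role_remove_privilege.has_output` the `failed` output is documented as `doc=_(u'Members that could not be added')` while the command removes privileges and the sibling `completed` output says "Number of privileges removed"; `role_remove_member` gets this right with "Members that could not be removed", so the line should read `doc=_(u'Privileges that could not be removed')`. This file looks generated from the 2.49 server schema (the unused `DNSName`/`DN` imports and `pylint: disable=unused-import` suggest a template), in which case the wording is inherited from the server plugin and should be corrected there and regenerated rather than hand-edited here. Either way, a header comment such as `# Generated from IPA API version 2.49 (pre-schema server bundle); do not edit by hand` would stop maintainers from patching these snapshots directly and make clear that the server, not this client-side definition, remains the authority for what a role member or privilege change is allowed to do.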
@@ -0,0 +1,337 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Self-service Permissions + +A permission enables fine-grained delegation of permissions. Access Control +Rules, or instructions (ACIs), grant permission to permissions to perform +given tasks such as adding a user, modifying a group, etc. + +A Self-service permission defines what an object can change in its own entry. + + +EXAMPLES: + + Add a self-service rule to allow users to manage their address: + ipa selfservice-add --permissions=write --attrs=street,postalCode,l,c,st "Users manage their own address" + + When managing the list of attributes you need to include all attributes + in the list, including existing ones. Add telephoneNumber to the list: + ipa selfservice-mod --attrs=street,postalCode,l,c,st,telephoneNumber "Users manage their own address" + + Display our updated rule: + ipa selfservice-show "Users manage their own address" + + Delete a rule: + ipa selfservice-del "Users manage their own address" +""") + +register = Registry() + + +@register() +class selfservice(Object): + takes_params = ( + parameters.Str( + 'aciname', + primary_key=True, + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + ), + ) + + +@register() +class selfservice_add(Method): + __doc__ = _("Add a new self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_del(Method): + __doc__ = _("Delete a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_find(Method): + __doc__ = _("Search for a self-service permission.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + ), + ) + takes_options = ( + parameters.Str( + 'aciname', + required=False, + cli_name='name', + label=_(u'Self-service name'), + ), + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selfservice_mod(Method): + __doc__ = _("Modify a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Str( + 'permissions', + required=False, + multivalue=True, + label=_(u'Permissions'), + doc=_(u'Comma-separated list of permissions to grant (read, write). 
Default is write.'), + ), + parameters.Str( + 'attrs', + required=False, + multivalue=True, + label=_(u'Attributes'), + doc=_(u'Comma-separated list of attributes'), + no_convert=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selfservice_show(Method): + __doc__ = _("Display information about a self-service permission.") + + takes_args = ( + parameters.Str( + 'aciname', + cli_name='name', + label=_(u'Self-service name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/selinuxusermap.py b/ipaclient/remote_plugins/2_49/selinuxusermap.py new file mode 100644 index 000000000..eaa98412a --- /dev/null +++ b/ipaclient/remote_plugins/2_49/selinuxusermap.py 
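Review bot: `selfservice_find.takes_args` declares the positional `criteria` with only `required=False` and no `doc`, whereas `role_find` and `selinuxusermap_find` in this same commit carry `doc=_(u'A string searched in all relevant object attributes')`, so `ipa selfservice-find --help` will show an undocumented positional on pre-schema servers. If this matches what the 2.49 server actually advertised it is inherited rather than introduced here, but the missing line is worth confirming against the generator input before the bundle is frozen. Note also that `permissions` is documented as "Default is write." without a client-side default, so the defaulting happens on the server; a short comment saying so (e.g. `# default applied server-side; the client sends nothing when omitted`) would help readers of this snapshot who cannot see the server plugin.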
@@ -0,0 +1,852 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +SELinux User Mapping + +Map IPA users to SELinux users by host. + +Hosts, hostgroups, users and groups can be either defined within +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. + +EXAMPLES: + + Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server": + ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1 + ipa selinuxusermap-add-host --hosts=server.example.com test1 + + Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing HBAC rule for users and hosts: + ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2 + + Display the properties of a rule: + ipa selinuxusermap-show test2 + + Create a rule for a specific user. 
This sets the SELinux context for + user john to unconfined_u:s0-s0:c0.c1023 on any machine: + ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined + ipa selinuxusermap-add-user --users=john john_unconfined + + Disable a rule: + ipa selinuxusermap-disable test1 + + Enable a rule: + ipa selinuxusermap-enable test1 + + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + + Remove a rule: + ipa selinuxusermap-del john_unconfined + +SEEALSO: + + The list controlling the order in which the SELinux user map is applied + and the default SELinux user are available in the config-show command. +""") + +register = Registry() + + +@register() +class selinuxusermap(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + ) + + +@register() +class selinuxusermap_add(Method): + __doc__ = _("Create a new SELinux User Map.") + + takes_args = ( + parameters.Str( 
+ 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_add_host(Method): + __doc__ = _("Add target hosts and hostgroups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_add_user(Method): + __doc__ = _("Add users and groups to an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class selinuxusermap_del(Method): + __doc__ = _("Delete a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_disable(Method): + __doc__ = _("Disable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_enable(Method): + __doc__ = _("Enable an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_find(Method): + __doc__ = _("Search for SELinux User Maps.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='name', + label=_(u'Rule name'), + ), + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + 
label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class selinuxusermap_mod(Method): + __doc__ = _("Modify a SELinux User Map.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipaselinuxuser', + required=False, + cli_name='selinuxuser', + label=_(u'SELinux User'), + ), + parameters.Str( + 'seealso', + required=False, + cli_name='hbacrule', + label=_(u'HBAC Rule'), + doc=_(u'HBAC Rule that defines the users, groups and hostgroups'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + 
required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class selinuxusermap_remove_host(Method): + __doc__ = _("Remove target hosts and hostgroups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_remove_user(Method): + __doc__ = _("Remove users and groups from an SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class selinuxusermap_show(Method): + __doc__ = _("Display the properties of a SELinux User Map rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/service.py b/ipaclient/remote_plugins/2_49/service.py new file mode 100644 index 000000000..b0d6da055 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/service.py 
@@ -0,0 +1,621 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Services + +A IPA service represents a service that runs on a host. The IPA service +record can store a Kerberos principal, an SSL certificate, or both. + +An IPA service can be managed directly from a machine, provided that +machine has been given the correct permission. This is true even for +machines other than the one the service is associated with. For example, +requesting an SSL certificate using the host service principal credentials +of the host. To manage a service using host credentials you need to +kinit as the host: + + # kinit -kt /etc/krb5.keytab host/ipa.example.com@EXAMPLE.COM + +Adding an IPA service allows the associated service to request an SSL +certificate or keytab, but this is performed as a separate step; they +are not produced as a result of adding the service. + +Only the public aspect of a certificate is stored in a service record; +the private key is not stored. 
+ +EXAMPLES: + + Add a new IPA service: + ipa service-add HTTP/web.example.com + + Allow a host to manage an IPA service certificate: + ipa service-add-host --hosts=web.example.com HTTP/web.example.com + ipa role-add-member --hosts=web.example.com certadmin + + Override a default list of supported PAC types for the service: + ipa service-mod HTTP/web.example.com --pac-type=MS-PAC + + Delete an IPA service: + ipa service-del HTTP/web.example.com + + Find all IPA services associated with a host: + ipa service-find web.example.com + + Find all HTTP services: + ipa service-find HTTP + + Disable the service Kerberos key and SSL certificate: + ipa service-disable HTTP/web.example.com + + Request a certificate for an IPA service: + ipa cert-request --principal=HTTP/web.example.com example.csr + + Generate and retrieve a keytab for an IPA service: + ipa-getkeytab -s ipa.example.com -p HTTP/web.example.com -k /etc/httpd/httpd.keytab +""") + +register = Registry() + + +@register() +class service(Object): + takes_params = ( + parameters.Str( + 'krbprincipalname', + primary_key=True, + label=_(u'Principal'), + doc=_(u'Service principal'), + ), + parameters.Bytes( + 'usercertificate', + required=False, + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. 
Use 'NONE' to disable PAC support for this service"), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Keytab'), + ), + parameters.Str( + 'managedby_host', + label=_(u'Managed by'), + ), + ) + + +@register() +class service_add(Method): + __doc__ = _("Add a new IPA new service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'force', + label=_(u'Force'), + doc=_(u'force principal name even if not in DNS'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_add_host(Method): + __doc__ = _("Add hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class service_del(Method): + __doc__ = _("Delete an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + multivalue=True, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + 
output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_disable(Method): + __doc__ = _("Disable the Kerberos key and SSL certificate of a service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_find(Method): + __doc__ = _("Search for IPA services.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. Use 'NONE' to disable PAC support for this service"), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("principal")'), + default=False, + autofill=True, + ), + parameters.Str( + 'man_by_host', + required=False, + multivalue=True, + cli_name='man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services with these managed by hosts.'), + ), + parameters.Str( + 'not_man_by_host', + required=False, + multivalue=True, + cli_name='not_man_by_hosts', + label=_(u'host'), + doc=_(u'Search for services without these managed by hosts.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class service_mod(Method): + __doc__ = _("Modify an existing IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Bytes( + 'usercertificate', + required=False, + cli_name='certificate', + label=_(u'Certificate'), + doc=_(u'Base-64 encoded server certificate'), + ), + parameters.Str( + 'ipakrbauthzdata', + required=False, + multivalue=True, + cli_name='pac_type', + cli_metavar="['MS-PAC', 'PAD', 'NONE']", + label=_(u'PAC type'), + doc=_(u"Override default list of supported PAC types. 
Use 'NONE' to disable PAC support for this service"), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class service_remove_host(Method): + __doc__ = _("Remove hosts that can manage this service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class service_show(Method): + __doc__ = _("Display information about an IPA service.") + + takes_args = ( + parameters.Str( + 'krbprincipalname', + cli_name='principal', + label=_(u'Principal'), + doc=_(u'Service principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'out', + required=False, + doc=_(u'file to store certificate in'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) 
diff --git a/ipaclient/remote_plugins/2_49/session.py b/ipaclient/remote_plugins/2_49/session.py new file mode 100644 index 000000000..af56cd688 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/session.py 
@@ -0,0 +1,624 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Session Support for IPA +John Dennis + +Goals +===== + +Provide per-user session data caching which persists between +requests. Desired features are: + +* Integrates cleanly with minimum impact on existing infrastructure. + +* Provides maximum security balanced against real-world performance + demands. + +* Sessions must be able to be revoked (flushed). + +* Should be flexible and easy to use for developers. + +* Should leverage existing technology and code to the maximum extent + possible to avoid re-invention, excessive implementation time and to + benefit from robustness in field proven components commonly shared + in the open source community. + +* Must support multiple independent processes which share session + data. + +* System must function correctly if session data is available or not. + +* Must be high performance. + +* Should not be tied to specific web servers or browsers. Should + integrate with our chosen WSGI model. + +Issues +====== + +Cookies +------- + +Most session implementations are based on the use of cookies. Cookies +have some inherent problems. + +* User has the option to disable cookies. + +* User stored cookie data is not secure. Can be mitigated by setting + flags indicating the cookie is only to be used with SSL secured HTTP + connections to specific web resources and setting the cookie to + expire at session termination. Most modern browsers enforce these. + +Where to store session data? +---------------------------- + +Session data may be stored on either on the client or on the +server. 
Storing session data on the client addresses the problem of +session data availability when requests are serviced by independent web +servers because the session data travels with the request. However +there are data size limitations. Storing session data on the client +also exposes sensitive data but this can be mitigated by encrypting +the session data such that only the server can decrypt it. + +The more conventional approach is to bind session data to a unique +name, the session ID. The session ID is transmitted to the client and +the session data is paired with the session ID on the server in a +associative data store. The session data is retrieved by the server +using the session ID when the receiving the request. This eliminates +exposing sensitive session data on the client along with limitations +on data size. It however introduces the issue of session data +availability when requests are serviced by more than one server +process. + +Multi-process session data availability +--------------------------------------- + +Apache (and other web servers) fork child processes to handle requests +in parallel. Also web servers may be deployed in a farm where requests +are load balanced in round robin fashion across different nodes. In +both cases session data cannot be stored in the memory of a server +process because it is not available to other processes, either sibling +children of a master server process or server processes on distinct +nodes. + +Typically this is addressed by storing session data in a SQL +database. When a request is received by a server process containing a +session ID in it's cookie data the session ID is used to perform a SQL +query and the resulting data is then attached to the request as it +proceeds through the request processing pipeline. This of course +introduces coherency issues. + +For IPA the introduction of a SQL database dependency is undesired and +should be avoided. 
+ +Session data may also be shared by independent processes by storing +the session data in files. + +An alternative solution which has gained considerable popularity +recently is the use of a fast memory based caching server. Data is +stored in a single process memory and may be queried and set via a +light weight protocol using standard socket mechanisms, memcached is +one example. A typical use is to optimize SQL queries by storing a SQL +result in shared memory cache avoiding the more expensive SQL +operation. But the memory cache has distinct advantages in non-SQL +situations as well. + +Possible implementations for use by IPA +======================================= + +Apache Sessions +--------------- + +Apache has 2.3 has implemented session support via these modules: + + mod_session + Overarching session support based on cookies. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session.html + + mod_session_cookie + Stores session data in the client. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_cookie.html + + mod_session_crypto + Encrypts session data for security. Encryption key is shared + configuration parameter visible to all Apache processes and is + stored in a configuration file. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_crypto.html + + mod_session_dbd + Stores session data in a SQL database permitting multiple + processes to access and share the same session data. + + See: http://httpd.apache.org/docs/2.3/mod/mod_session_dbd.html + +Issues with Apache sessions +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Although Apache has implemented generic session support and Apache is +our web server of preference it nonetheless introduces issues for IPA. + + * Session support is only available in httpd >= 2.3 which at the + time of this writing is currently only available as a Beta release + from upstream. We currently only ship httpd 2.2, the same is true + for other distributions. 
+ + * We could package and ship the sessions modules as a temporary + package in httpd 2.2 environments. But this has the following + consequences: + + - The code has to be backported. the module API has changed + slightly between httpd 2.2 and 2.3. The backporting is not + terribly difficult and a proof of concept has been + implemented. + + - We would then be on the hook to package and maintain a special + case Apache package. This is maintenance burden as well as a + distribution packaging burden. Both of which would be best + avoided if possible. + + * The design of the Apache session modules is such that they can + only be manipulated by other Apache modules. The ability of + consumers of the session data to control the session data is + simplistic, constrained and static during the period the request + is processed. Request handlers which are not native Apache modules + (e.g. IPA via WSGI) can only examine the session data + via request headers and reset it in response headers. + + * Shared session data is available exclusively via SQL. + +However using the 2.3 Apache session modules would give us robust +session support implemented in C based on standardized Apache +interfaces which are widely used. + +Python Web Frameworks +--------------------- + +Virtually every Python web framework supports cookie based sessions, +e.g. Django, Twisted, Zope, Turbogears etc. Early on in IPA we decided +to avoid the use of these frameworks. Trying to pull in just one part +of these frameworks just to get session support would be problematic +because the code does not function outside it's framework. + +IPA implemented sessions +------------------------ + +Originally it was believed the path of least effort was to utilize +existing session support, most likely what would be provided by +Apache. 
However there are enough basic modular components available in
+native Python and other standard packages it should be possible to
+provide session support meeting the aforementioned goals with a modest
+implementation effort. Because we're leveraging existing components
+the implementation difficulties are subsumed by other components which
+have already been field proven and have community support. This is a
+smart strategy.
+
+Proposed Solution
+=================
+
+Our interface to the web server is via WSGI which invokes a callback
+per request passing us an environmental context for the request. For
+this discussion we'll name the WSGI callback "application()", a
+conventional name in WSGI parlance.
+
+Shared session data will be handled by memcached. We will create one
+instance of memcached on each server node dedicated to IPA
+exclusively. Communication with memcached will be via a UNIX socket
+located in the file system under /var/run/ipa_memcached. It will be
+protected by file permissions and optionally SELinux policy.
+
+In application() we examine the request cookies and if there is an IPA
+session cookie with a session ID we retrieve the session data from our
+memcached instance.
+
+The session data will be a Python dict. IPA components will read or
+write their session information by using a pre-agreed upon name
+(e.g. key) in the dict. This is a very flexible system and consistent
+with how we pass data in most parts of IPA.
+
+If the session data is not available an empty session data dict will
+be created.
+
+How does this session data travel with the request in the IPA
+pipeline? In IPA we use the HTTP request/response to implement RPC. In
+application() we convert the request into a procedure call passing it
+arguments derived from the HTTP request. The passed parameters are
+specific to the RPC method being invoked. The context the RPC call is
+executing in is not passed as an RPC parameter.
+
+How would the contextual information such as session data be bound to
+the request and hence the RPC call?
+
+In IPA when a RPC invocation is being prepared from a request we
+recognize this will only ever be processed serially by one Python
+thread. A thread local dict called "context" is allocated for each
+thread. The context dict is cleared in between requests (e.g. RPC method
+invocations). The per-thread context dict is populated during the
+lifetime of the request and is used as a global data structure unique to
+the request that various IPA component can read from and write to with
+the assurance the data is unique to the current request and/or method
+call.
+
+The session data dict will be written into the context dict under the
+session key before the RPC method begins execution. Thus session data
+can be read and written by any IPA component by accessing
+``context.session``.
+
+When the RPC method finishes execution the session data bound to the
+request/method is retrieved from the context and written back to the
+memcached instance. The session ID is set in the response sent back to
+the client in the ``Set-Cookie`` header along with the flags
+controlling it's usage.
+
+Issues and details
+------------------
+
+IPA code cannot depend on session data being present, however it
+should always update session data with the hope it will be available
+in the future. Session data may not be available because:
+
+ * This is the first request from the user and no session data has
+ been created yet.
+
+ * The user may have cookies disabled.
+
+ * The session data may have been flushed. memcached operates with
+ a fixed memory allocation and will flush entries on a LRU basis,
+ like with any cache there is no guarantee of persistence.
+
+ Also we may have have deliberately expired or deleted session
+ data, see below.
+
+Cookie manipulation is done via the standard Python Cookie module.
+
+Session cookies will be set to only persist as long as the browser has
+the session open. They will be tagged so the browser only returns
+the session ID on SSL secured HTTP requests. They will not be visible
+to Javascript in the browser.
+
+Session ID's will be created by using 48 bits of random data and
+converted to 12 hexadecimal digits. Newly generated session ID's will
+be checked for prior existence to handle the unlikely case the random
+number repeats.
+
+memcached will have significantly higher performance than a SQL or file
+based storage solution. Communication is effectively though a pipe
+(UNIX socket) using a very simple protocol and the data is held
+entirely in process memory. memcached also scales easily, it is easy
+to add more memcached processes and distribute the load across them.
+At this point in time we don't anticipate the need for this.
+
+A very nice feature of the Python memcached module is that when a data
+item is written to the cache it is done with standard Python pickling
+(pickling is a standard Python mechanism to marshal and unmarshal
+Python objects). We adopt the convention the object written to cache
+will be a dict to meet our internal data handling conventions. The
+pickling code will recursively handle nested objects in the dict. Thus
+we gain a lot of flexibility using standard Python data structures to
+store and retrieve our session data without having to author and debug
+code to marshal and unmarshal the data if some other storage mechanism
+had been used. This is a significant implementation win. Of course
+some common sense limitations need to observed when deciding on what
+is written to the session cache keeping in mind the data is shared
+between processes and it should not be excessively large (a
+configurable option)
+
+We can set an expiration on memcached entries. We may elect to do that
+to force session data to be refreshed periodically. For example we may
+wish the client to present fresh credentials on a periodic basis even
+if the cached credentials are otherwise within their validity period.
+
+We can explicitly delete session data if for some reason we believe it
+is stale, invalid or compromised.
+
+memcached also gives us certain facilities to prevent race conditions
+between different processes utilizing the cache. For example you can
+check of the entry has been modified since you last read it or use CAS
+(Check And Set) semantics. What has to be protected in terms of cache
+coherency will likely have to be determined as the session support is
+utilized and different data items are added to the cache. This is very
+much data and context specific. Fortunately memcached operations are
+atomic.
+
+Controlling the memcached process
+---------------------------------
+
+We need a mechanism to start the memcached process and secure it so
+that only IPA components can access it.
+
+Although memcached ships with both an initscript and systemd unit
+files those are for generic instances. We want a memcached instance
+dedicated exclusively to IPA usage. To accomplish this we would install
+a systemd unit file or an SysV initscript to control the IPA specific
+memcached service. ipactl would be extended to know about this
+additional service. systemd's cgroup facility would give us additional
+mechanisms to integrate the IPA memcached service within a larger IPA
+process group.
+
+Protecting the memcached data would be done via file permissions (and
+optionally SELinux policy) on the UNIX domain socket. Although recent
+implementations of memcached support authentication via SASL this
+introduces a performance and complexity burden not warranted when
+cached is dedicated to our exclusive use and access controlled by OS
+mechanisms.
+
+Conventionally daemons are protected by assigning a system uid and/or
+gid to the daemon. A daemon launched by root will drop it's privileges
+by assuming the effective uid:gid assigned to it. File system access
+is controlled by the OS via the effective identity and SELinux policy
+can be crafted based on the identity. Thus the memcached UNIX socket
+would be protected by having it owned by a specific system user and/or
+membership in a restricted system group (discounting for the moment
+SELinux).
+
+Unfortunately we currently do not have an IPA system uid whose
+identity our processes operate under nor do we have an IPA system
+group. IPA does manage a collection of related processes (daemons) and
+historically each has been assigned their own uid. When these
+unrelated processes communicate they mutually authenticate via other
+mechanisms. We do not have much of a history of using shared file
+system objects across identities. When file objects are created they
+are typically assigned the identity of daemon needing to access the
+object and are not accessed by other daemons, or they carry root
+identity.
+
+When our WSGI application runs in Apache it is run as a WSGI
+daemon. This means when Apache starts up it forks off WSGI processes
+for us and we are independent of other Apache processes. When WSGI is
+run in this mode there is the ability to set the uid:gid of the WSGI
+process hosting us, however we currently do not take advantage of this
+option. WSGI can be run in other modes as well, only in daemon mode
+can the uid:gid be independently set from the rest of Apache. All
+processes started by Apache can be set to a common uid:gid specified
+in the global Apache configuration, by default it's
+apache:apache. Thus when our IPA code executes it is running as
+apache:apache.
+
+To protect our memcached UNIX socket we can do one of two things:
+
+1. Assign it's uid:gid as apache:apache. This would limit access to
+ our cache only to processes running under httpd. It's somewhat
+ restricted but far from ideal. Any code running in the web server
+ could potentially access our cache. It's difficult to control what the
+ web server runs and admins may not understand the consequences of
+ configuring httpd to serve other things besides IPA.
+
+2. Create an IPA specific uid:gid, for example ipa:ipa. We then configure
+ our WSGI application to run as the ipa:ipa user and group. We also
+ configure our memcached instance to run as the ipa:ipa user and
+ group. In this configuration we are now fully protected, only our WSGI
+ code can read & write to our memcached UNIX socket.
+
+However there may be unforeseen issues by converting our code to run as
+something other than apache:apache. This would require some
+investigation and testing.
+
+IPA is dependent on other system daemons, specifically Directory
+Server (ds) and Certificate Server (cs). Currently we configure ds to
+run under the dirsrv:dirsrv user and group, an identity of our
+creation. We allow cs to default to it's pkiuser:pkiuser user and
+group. Should these other cooperating daemons also run under the
+common ipa:ipa user and group identities? At first blush there would
+seem to be an advantage to coalescing all process identities under a
+common IPA user and group identity. However these other processes do
+not depend on user and group permissions when working with external
+agents, processes, etc. Rather they are designed to be stand-alone
+network services which authenticate their clients via other
+mechanisms. They do depend on user and group permission to manage
+their own file system objects. If somehow the ipa user and/or group
+were compromised or malicious code somehow executed under the ipa
+identity there would be an advantage in having the cooperating
+processes cordoned off under their own identities providing one extra
+layer of protection. (Note, these cooperating daemons may not even be
+co-located on the same node in which case the issue is moot)
+
+The UNIX socket behavior (ldapi) with Directory Server is as follows:
+
+ * The socket ownership is: root:root
+
+ * The socket permissions are: 0666
+
+ * When connecting via ldapi you must authenticate as you would
+ normally with a TCP socket, except ...
+
+ * If autobind is enabled and the uid:gid is available via
+ SO_PEERCRED and the uid:gid can be found in the set of users known
+ to the Directory Server then that connection will be bound as that
+ user.
+
+ * Otherwise an anonymous bind will occur.
+
+memcached UNIX socket behavior is as follows:
+
+ * memcached can be invoked with a user argument, no group may be
+ specified. The effective uid is the uid of the user argument and
+ the effective gid is the primary group of the user, let's call
+ this euid:egid
+
+ * The socket ownership is: euid:egid
+
+ * The socket permissions are 0700 by default, but this can be
+ modified by the -a mask command line arg which sets the umask
+ (defaults to 0700).
+
+Overview of authentication in IPA
+=================================
+
+This describes how we currently authenticate and how we plan to
+improve authentication performance. First some definitions.
+
+There are 4 major players:
+
+ 1. client
+ 2. mod_auth_kerb (in Apache process)
+ 3. wsgi handler (in IPA wsgi python process)
+ 4. ds (directory server)
+
+There are several resources:
+
+ 1. /ipa/ui (unprotected, web UI static resources)
+ 2. /ipa/xml (protected, xmlrpc RPC used by command line clients)
+ 3. /ipa/json (protected, json RPC used by javascript in web UI)
+ 4. ds (protected, wsgi acts as proxy, our LDAP server)
+
+Current Model
+-------------
+
+This describes how things work in our current system for the web UI.
+
+ 1. Client requests /ipa/ui, this is unprotected, is static and
+ contains no sensitive information. Apache replies with html and
+ javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json.
+
+ 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+ authenticate negotiate.
+
+ 4. Client resends with credentials
+
+ 5. mod_auth_kerb validates credentials
+
+ a. if invalid replies 403 access denied (stops here)
+
+ b. if valid creates temporary ccache, adds KRB5CCNAME to request
+ headers
+
+ 6. Request passed to wsgi handler
+
+ a. validates request, KRB5CCNAME must be present, referrer, etc.
+
+ b. ccache saved and used to bind to ds
+
+ c. routes to specified RPC handler.
+
+ 7. wsgi handler replies to client
+
+Proposed new session based optimization
+---------------------------------------
+
+The round trip negotiate and credential validation in steps 3,4,5 is
+expensive. This can be avoided if we can cache the client
+credentials. With client sessions we can store the client credentials
+in the session bound to the client.
+
+A few notes about the session implementation.
+
+ * based on session cookies, cookies must be enabled
+
+ * session cookie is secure, only passed on secure connections, only
+ passed to our URL resource, never visible to client javascript
+ etc.
+
+ * session cookie has a session id which is used by wsgi handler to
+ retrieve client session data from shared multi-process cache.
+
+Changes to Apache's resource protection
+---------------------------------------
+
+ * /ipa/json is no longer protected by mod_auth_kerb. This is
+ necessary to avoid the negotiate expense in steps 3,4,5
+ above. Instead the /ipa/json resource will be protected in our wsgi
+ handler via the session cookie.
+
+ * A new protected URI is introduced, /ipa/login. This resource
+ does no serve any data, it is used exclusively for authentication.
+
+The new sequence is:
+
+ 1. Client requests /ipa/ui, this is unprotected. Apache replies with
+ html and javascript. The javascript requests /ipa/json.
+
+ 2. Client sends post to /ipa/json, which is unprotected.
+
+ 3. wsgi handler obtains session data from session cookie.
+
+ a. if ccache is present in session data and is valid
+
+ - request is further validated
+
+ - ccache is established for bind to ds
+
+ - request is routed to RPC handler
+
+ - wsgi handler eventually replies to client
+
+ b. if ccache is not present or not valid processing continues ...
+
+ 4. wsgi handler replies with 401 Unauthorized
+
+ 5. client sends request to /ipa/login to obtain session credentials
+
+ 6. mod_auth_kerb replies 401 negotiate on /ipa/login
+
+ 7. client sends credentials to /ipa/login
+
+ 8. mod_auth_kerb validates credentials
+
+ a. if valid
+
+ - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+ invoked and does the following:
+
+ * establishes session for client
+
+ * retrieves the ccache from KRB5CCNAME and stores it
+
+ a. if invalid
+
+ - mod_auth_kerb sends 403 access denied (processing stops)
+
+ 9. client now posts the same data again to /ipa/json including
+ session cookie. Processing repeats starting at step 2 and since
+ the session data now contains a valid ccache step 3a executes, a
+ successful reply is sent to client.
+
+Command line client using xmlrpc
+--------------------------------
+
+The above describes the web UI utilizing the json RPC mechanism. The
+IPA command line tools utilize a xmlrpc RPC mechanism on the same
+HTTP server. Access to the xmlrpc is via the /ipa/xml URI. The json
+and xmlrpc API's are the same, they differ only on how their procedure
+calls are marshalled and unmarshalled.
+
+Under the new scheme /ipa/xml will continue to be Kerberos protected
+at all times. Apache's mod_auth_kerb will continue to require the
+client provides valid Kerberos credentials.
+
+When the WSGI handler routes to /ipa/xml the Kerberos credentials will
+be extracted from the KRB5CCNAME environment variable as provided by
+mod_auth_kerb. Everything else remains the same.
+""")
+
+register = Registry()
+
+
+@register()
+class session_logout(Command):
+ __doc__ = _("RPC command used to log the current user out of their session.")
+
+ has_output = (
+ output.Output(
+ 'result',
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/sudocmd.py b/ipaclient/remote_plugins/2_49/sudocmd.py
new file mode 100644
index 000000000..5df9f792d
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudocmd.py
@@ -0,0 +1,371 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Sudo Commands
+
+Commands used as building blocks for sudo
+
+EXAMPLES:
+
+ Create a new command
+ ipa sudocmd-add --desc='For reading log files' /usr/bin/less
+
+ Remove a command
+ ipa sudocmd-del /usr/bin/less
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmd(Object):
+ takes_params = (
+ parameters.Str(
+ 'sudocmd',
+ primary_key=True,
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'memberof_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ )
+
+
+@register()
+class sudocmd_add(Method):
+ __doc__ = _("Create new Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_del(Method):
+ __doc__ = _("Delete Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ multivalue=True,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_find(Method):
+ __doc__ = _("Search for Sudo Commands.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("command")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmd_mod(Method):
+ __doc__ = _("Modify Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'A description of this command'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmd_show(Method):
+ __doc__ = _("Display Sudo Command.")
+
+ takes_args = (
+ parameters.Str(
+ 'sudocmd',
+ cli_name='command',
+ label=_(u'Sudo Command'),
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/sudocmdgroup.py b/ipaclient/remote_plugins/2_49/sudocmdgroup.py
new file mode 100644
index 000000000..4bad860c6
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudocmdgroup.py
@@ -0,0 +1,501 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+# pylint: disable=unused-import
+import six
+
+from . import Command, Method, Object
+from ipalib import api, parameters, output
+from ipalib.parameters import DefaultFrom
+from ipalib.plugable import Registry
+from ipalib.text import _
+from ipapython.dn import DN
+from ipapython.dnsutil import DNSName
+
+if six.PY3:
+ unicode = str
+
+__doc__ = _("""
+Groups of Sudo Commands
+
+Manage groups of Sudo Commands.
+
+EXAMPLES:
+
+ Add a new Sudo Command Group:
+ ipa sudocmdgroup-add --desc='administrators commands' admincmds
+
+ Remove a Sudo Command Group:
+ ipa sudocmdgroup-del admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa sudocmdgroup-add-member --sudocmds=/usr/bin/less,/usr/bin/vim admincmds
+
+ Manage Sudo Command Group membership, commands:
+ ipa group-remove-member --sudocmds=/usr/bin/less admincmds
+
+ Show a Sudo Command Group:
+ ipa group-show localadmins
+""")
+
+register = Registry()
+
+
+@register()
+class sudocmdgroup(Object):
+ takes_params = (
+ parameters.Str(
+ 'cn',
+ primary_key=True,
+ label=_(u'Sudo Command Group'),
+ ),
+ parameters.Str(
+ 'description',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmd',
+ required=False,
+ label=_(u'Commands'),
+ ),
+ parameters.Str(
+ 'membercmd_sudocmdgroup',
+ required=False,
+ label=_(u'Sudo Command Groups'),
+ ),
+ parameters.Str(
+ 'member_sudocmd',
+ required=False,
+ label=_(u'Member Sudo commands'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add(Method):
+ __doc__ = _("Create new Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_add_member(Method):
+ __doc__ = _("Add members to Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to add'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be added'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members added'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_del(Method):
+ __doc__ = _("Delete Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ multivalue=True,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'continue',
+ doc=_(u"Continuous mode: Don't stop on errors."),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Output(
+ 'result',
+ dict,
+ doc=_(u'List of deletions that failed'),
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_find(Method):
+ __doc__ = _("Search for Sudo Command Groups.")
+
+ takes_args = (
+ parameters.Str(
+ 'criteria',
+ required=False,
+ doc=_(u'A string searched in all relevant object attributes'),
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'cn',
+ required=False,
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Int(
+ 'timelimit',
+ required=False,
+ label=_(u'Time Limit'),
+ doc=_(u'Time limit of search in seconds'),
+ ),
+ parameters.Int(
+ 'sizelimit',
+ required=False,
+ label=_(u'Size Limit'),
+ doc=_(u'Maximum number of entries returned'),
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'pkey_only',
+ required=False,
+ label=_(u'Primary key only'),
+ doc=_(u'Results should contain primary key attribute only ("sudocmdgroup-name")'),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.ListOfEntries(
+ 'result',
+ ),
+ output.Output(
+ 'count',
+ int,
+ doc=_(u'Number of entries returned'),
+ ),
+ output.Output(
+ 'truncated',
+ bool,
+ doc=_(u'True if not all results were returned'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_mod(Method):
+ __doc__ = _("Modify Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Str(
+ 'description',
+ required=False,
+ cli_name='desc',
+ label=_(u'Description'),
+ doc=_(u'Group description'),
+ ),
+ parameters.Str(
+ 'setattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'addattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'),
+ exclude=('webui',),
+ ),
+ parameters.Str(
+ 'delattr',
+ required=False,
+ multivalue=True,
+ doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'),
+ exclude=('webui',),
+ ),
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_remove_member(Method):
+ __doc__ = _("Remove members from Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Str(
+ 'sudocmd',
+ required=False,
+ multivalue=True,
+ cli_name='sudocmds',
+ label=_(u'member sudo command'),
+ doc=_(u'comma-separated list of sudo commands to remove'),
+ alwaysask=True,
+ ),
+ )
+ has_output = (
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'failed',
+ dict,
+ doc=_(u'Members that could not be removed'),
+ ),
+ output.Output(
+ 'completed',
+ int,
+ doc=_(u'Number of members removed'),
+ ),
+ )
+
+
+@register()
+class sudocmdgroup_show(Method):
+ __doc__ = _("Display Sudo Command Group.")
+
+ takes_args = (
+ parameters.Str(
+ 'cn',
+ cli_name='sudocmdgroup_name',
+ label=_(u'Sudo Command Group'),
+ no_convert=True,
+ ),
+ )
+ takes_options = (
+ parameters.Flag(
+ 'rights',
+ label=_(u'Rights'),
+ doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'all',
+ doc=_(u'Retrieve and print all attributes from the server. Affects command output.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ parameters.Flag(
+ 'raw',
+ doc=_(u'Print entries as stored on the server. Only affects output format.'),
+ exclude=('webui',),
+ default=False,
+ autofill=True,
+ ),
+ )
+ has_output = (
+ output.Output(
+ 'summary',
+ (unicode, type(None)),
+ doc=_(u'User-friendly description of action performed'),
+ ),
+ output.Entry(
+ 'result',
+ ),
+ output.Output(
+ 'value',
+ unicode,
+ doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"),
+ ),
+ )
diff --git a/ipaclient/remote_plugins/2_49/sudorule.py b/ipaclient/remote_plugins/2_49/sudorule.py
new file mode 100644
index 000000000..3d01ecdf2
--- /dev/null
+++ b/ipaclient/remote_plugins/2_49/sudorule.py
@@ -0,0 +1,1561 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Sudo Rules + +Sudo (su "do") allows a system administrator to delegate authority to +give certain users (or groups of users) the ability to run some (or all) +commands as root or another user while providing an audit trail of the +commands and their arguments. + +FreeIPA provides a means to configure the various aspects of Sudo: + Users: The user(s)/group(s) allowed to invoke Sudo. + Hosts: The host(s)/hostgroup(s) which the user is allowed to to invoke Sudo. + Allow Command: The specific command(s) permitted to be run via Sudo. + Deny Command: The specific command(s) prohibited to be run via Sudo. + RunAsUser: The user(s) or group(s) of users whose rights Sudo will be invoked with. + RunAsGroup: The group(s) whose gid rights Sudo will be invoked with. + Options: The various Sudoers Options that can modify Sudo's behavior. + +An order can be added to a sudorule to control the order in which they +are evaluated (if the client supports it). This order is an integer and +must be unique. + +FreeIPA provides a designated binddn to use with Sudo located at: +uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +To enable the binddn run the following command to set the password: +LDAPTLS_CACERT=/etc/ipa/ca.crt /usr/bin/ldappasswd -S -W -h ipa.example.com -ZZ -D "cn=Directory Manager" uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +For more information, see the FreeIPA Documentation to Sudo. 
+""") + +register = Registry() + + +@register() +class sudorule(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + ), + parameters.Str( + 'usercategory', + required=False, + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + ), + parameters.Str( + 'memberuser_user', + required=False, + label=_(u'Users'), + ), + parameters.Str( + 'memberuser_group', + required=False, + label=_(u'User Groups'), + ), + parameters.Str( + 'memberhost_host', + required=False, + label=_(u'Hosts'), + ), + parameters.Str( + 'memberhost_hostgroup', + required=False, + label=_(u'Host Groups'), + ), + parameters.Str( + 'memberallowcmd_sudocmd', + required=False, + label=_(u'Sudo Allow Commands'), + ), + parameters.Str( + 'memberdenycmd_sudocmd', + required=False, + label=_(u'Sudo Deny Commands'), + ), + parameters.Str( + 'memberallowcmd_sudocmdgroup', + required=False, + label=_(u'Sudo Allow Command Groups'), + ), + parameters.Str( + 'memberdenycmd_sudocmdgroup', + required=False, + label=_(u'Sudo Deny Command Groups'), + ), + parameters.Str( + 
'ipasudorunas_user', + required=False, + label=_(u'RunAs Users'), + doc=_(u'Run as a user'), + ), + parameters.Str( + 'ipasudorunas_group', + required=False, + label=_(u'Groups of RunAs Users'), + doc=_(u'Run as any user within a specified group'), + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudoopt', + required=False, + label=_(u'Sudo Option'), + ), + parameters.Str( + 'ipasudorunasgroup_group', + required=False, + label=_(u'RunAs Groups'), + doc=_(u'Run with the gid of a specified POSIX group'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + ), + ) + + +@register() +class sudorule_add(Method): + __doc__ = _("Create new Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + 
cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_add_allow_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_deny_command(Method): + __doc__ = _("Add commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to add'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_host(Method): + __doc__ = _("Add hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to add'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_option(Method): + __doc__ = _("Add an option to the Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_add_runasgroup(Method): + __doc__ = _("Add group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_runasuser(Method): + __doc__ = _("Add users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_add_user(Method): + __doc__ = _("Add users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to add'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to add'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be added'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members added'), + ), + ) + + +@register() +class sudorule_del(Method): + __doc__ = _("Delete Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_disable(Method): + __doc__ = _("Disable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_enable(Method): + __doc__ = _("Enable a Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_find(Method): + __doc__ = _("Search for Sudo Rule.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs 
Group category'), + doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("sudorule-name")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class sudorule_mod(Method): + __doc__ = _("Modify Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'description', + required=False, + cli_name='desc', + label=_(u'Description'), + ), + parameters.Bool( + 'ipaenabledflag', + required=False, + label=_(u'Enabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'usercategory', + required=False, + cli_name='usercat', + cli_metavar="['all']", + label=_(u'User category'), + doc=_(u'User category the rule applies to'), + ), + parameters.Str( + 'hostcategory', + required=False, + cli_name='hostcat', + cli_metavar="['all']", + label=_(u'Host category'), + doc=_(u'Host category the rule applies to'), + ), + parameters.Str( + 'cmdcategory', + required=False, + cli_name='cmdcat', + cli_metavar="['all']", + label=_(u'Command category'), + doc=_(u'Command category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasusercategory', + required=False, + cli_name='runasusercat', + cli_metavar="['all']", + label=_(u'RunAs User category'), + doc=_(u'RunAs User category the rule applies to'), + ), + parameters.Str( + 'ipasudorunasgroupcategory', + required=False, + cli_name='runasgroupcat', + cli_metavar="['all']", + label=_(u'RunAs Group category'), 
+ doc=_(u'RunAs Group category the rule applies to'), + ), + parameters.Int( + 'sudoorder', + required=False, + cli_name='order', + label=_(u'Sudo order'), + doc=_(u'integer to order the Sudo rules'), + default=0, + ), + parameters.Str( + 'externaluser', + required=False, + label=_(u'External User'), + doc=_(u'External User the rule applies to (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextuser', + required=False, + cli_name='runasexternaluser', + label=_(u'RunAs External User'), + doc=_(u'External User the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'ipasudorunasextgroup', + required=False, + cli_name='runasexternalgroup', + label=_(u'RunAs External Group'), + doc=_(u'External Group the commands can run as (sudorule-find only)'), + ), + parameters.Str( + 'externalhost', + required=False, + multivalue=True, + label=_(u'External host'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class sudorule_remove_allow_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_deny_command(Method): + __doc__ = _("Remove commands and sudo command groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'sudocmd', + required=False, + multivalue=True, + cli_name='sudocmds', + label=_(u'member sudo command'), + doc=_(u'comma-separated list of sudo commands to remove'), + alwaysask=True, + ), + parameters.Str( + 'sudocmdgroup', + required=False, + multivalue=True, + cli_name='sudocmdgroups', + label=_(u'member sudo command group'), + doc=_(u'comma-separated list of sudo command groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_host(Method): + __doc__ = _("Remove hosts and hostgroups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'host', + required=False, + multivalue=True, + cli_name='hosts', + label=_(u'member host'), + doc=_(u'comma-separated list of hosts to remove'), + alwaysask=True, + ), + parameters.Str( + 'hostgroup', + required=False, + multivalue=True, + cli_name='hostgroups', + label=_(u'member host group'), + doc=_(u'comma-separated list of host groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_option(Method): + __doc__ = _("Remove an option from Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipasudoopt', + cli_name='sudooption', + label=_(u'Sudo Option'), + ), + ) + has_output = ( + output.Output( + 'result', + ), + ) + + +@register() +class sudorule_remove_runasgroup(Method): + __doc__ = _("Remove group for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_runasuser(Method): + __doc__ = _("Remove users and groups for Sudo to execute as.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_remove_user(Method): + __doc__ = _("Remove users and groups affected by Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'user', + required=False, + multivalue=True, + cli_name='users', + label=_(u'member user'), + doc=_(u'comma-separated list of users to remove'), + alwaysask=True, + ), + parameters.Str( + 'group', + required=False, + multivalue=True, + cli_name='groups', + label=_(u'member group'), + doc=_(u'comma-separated list of groups to remove'), + alwaysask=True, + ), + ) + has_output = ( + output.Entry( + 'result', + ), + output.Output( + 'failed', + dict, + doc=_(u'Members that could not be removed'), + ), + output.Output( + 'completed', + int, + doc=_(u'Number of members removed'), + ), + ) + + +@register() +class sudorule_show(Method): + __doc__ = _("Display Sudo Rule.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='sudorule_name', + label=_(u'Rule name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/trust.py b/ipaclient/remote_plugins/2_49/trust.py new file mode 100644 index 000000000..e3ef33459 --- /dev/null +++ b/ipaclient/remote_plugins/2_49/trust.py 
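Review bot: The new module ipaclient/remote_plugins/2_49/sudorule.py (and, by the same pattern, its sibling 2_49 modules in this commit) opens with only the copyright line and a `# pylint: disable=unused-import` pragma, so nothing tells a maintainer that these class bodies are a frozen copy of the 2.49 server's sudorule interface rather than client code to be edited locally. If the files are produced from a server API dump, a header such as `# Bundled interface definitions for server API version 2.49 (pre-schema servers).` followed by `# Do not edit by hand; regenerate from a server of that version.` would stop local edits from silently diverging from what the server actually accepts and validates. The module `__doc__` is likewise the server's help text reproduced verbatim, including an `ldappasswd` example bound as `cn=Directory Manager`; a one-line comment above `__doc__` noting that it is copied unchanged from the server would make clear that it documents server-side setup, not this client module.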
@@ -0,0 +1,685 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Cross-realm trusts + +Manage trust relationship between IPA and Active Directory domains. + +In order to allow users from a remote domain to access resources in IPA +domain, trust relationship needs to be established. Currently IPA supports +only trusts between IPA and Active Directory domains under control of Windows +Server 2008 or later, with functional level 2008 or later. + +Please note that DNS on both IPA and Active Directory domain sides should be +configured properly to discover each other. Trust relationship relies on +ability to discover special resources in the other domain via DNS records. + +Examples: + +1. Establish cross-realm trust with Active Directory using AD administrator + credentials: + + ipa trust-add --type=ad --admin --password + +2. List all existing trust relationships: + + ipa trust-find + +3. Show details of the specific trust relationship: + + ipa trust-show + +4. Delete existing trust relationship: + + ipa trust-del + +Once trust relationship is established, remote users will need to be mapped +to local POSIX groups in order to actually use IPA resources. The mapping should +be done via use of external membership of non-POSIX group and then this group +should be included into one of local POSIX groups. + +Example: + +1. Create group for the trusted domain admins' mapping and their local POSIX group: + + ipa group-add --desc=' admins external map' ad_admins_external --external + ipa group-add --desc=' admins' ad_admins + +2. 
Add security identifier of Domain Admins of the to the ad_admins_external + group: + + ipa group-add-member ad_admins_external --external 'AD\Domain Admins' + +3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group: + + ipa group-add-member ad_admins --groups ad_admins_external + +4. List members of external members of ad_admins_external group to see their SIDs: + + ipa group-show ad_admins_external + + +GLOBAL TRUST CONFIGURATION + +When IPA AD trust subpackage is installed and ipa-adtrust-install is run, +a local domain configuration (SID, GUID, NetBIOS name) is generated. These +identifiers are then used when communicating with a trusted domain of the +particular type. + +1. Show global trust configuration for Active Directory type of trusts: + + ipa trustconfig-show --type ad + +2. Modify global configuration for all trusts of Active Directory type and set + a different fallback primary group (fallback primary group GID is used as + a primary user GID if user authenticating to IPA domain does not have any other + primary GID already set): + + ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group" + +3. 
Change primary fallback group back to default hidden group (any group with + posixGroup object class is allowed): + + ipa trustconfig-mod --type ad --fallback-primary-group "Default SMB Group" +""") + +register = Registry() + + +@register() +class trust(Object): + takes_params = ( + parameters.Str( + 'cn', + primary_key=True, + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + label=_(u'SID blacklist outgoing'), + ), + ) + + +@register() +class trustconfig(Object): + takes_params = ( + parameters.Str( + 'cn', + label=_(u'Domain'), + ), + parameters.Str( + 'ipantsecurityidentifier', + label=_(u'Security Identifier'), + ), + parameters.Str( + 'ipantflatname', + label=_(u'NetBIOS name'), + ), + parameters.Str( + 'ipantdomainguid', + label=_(u'Domain GUID'), + ), + parameters.Str( + 'ipantfallbackprimarygroup', + label=_(u'Fallback primary group'), + ), + ) + + +@register() +class trust_add(Method): + __doc__ = _(""" +Add new trust to use. + +This command establishes trust relationship to another domain +which becomes 'trusted'. As result, users of the trusted domain +may access resources of this domain. + +Only trusts to Active Directory domains are supported right now. + +The command can be safely run multiple times against the same domain, +this will cause change to trust relationship credentials on both +sides. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. 
Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Str( + 'realm_admin', + required=False, + cli_name='admin', + label=_(u'Active Directory domain administrator'), + ), + parameters.Password( + 'realm_passwd', + required=False, + cli_name='password', + label=_(u"Active directory domain administrator's password"), + ), + parameters.Str( + 'realm_server', + required=False, + cli_name='server', + label=_(u'Domain controller for the Active Directory domain (optional)'), + ), + parameters.Password( + 'trust_secret', + required=False, + label=_(u'Shared secret for the trust'), + ), + parameters.Int( + 'base_id', + required=False, + label=_(u'First Posix ID of the range reserved for the trusted domain'), + ), + parameters.Int( + 'range_size', + required=False, + label=_(u'Size of the ID range reserved for the trusted domain'), + default=200000, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class trust_del(Method): + __doc__ = _("Delete a trust.") + + takes_args = ( + parameters.Str( + 'cn', + multivalue=True, + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_find(Method): + __doc__ = _("Search for trusts.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'cn', + required=False, + cli_name='realm', + label=_(u'Realm name'), + ), + parameters.Str( + 'ipantflatname', + required=False, + cli_name='flat_name', + label=_(u'Domain NetBIOS name'), + ), + parameters.Str( + 'ipanttrusteddomainsid', + required=False, + cli_name='sid', + label=_(u'Domain Security Identifier'), + ), + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. 
Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("realm")'), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class trust_mod(Method): + __doc__ = _(""" +Modify a trust (for future use). + + Currently only the default option to modify the LDAP attributes is + available. More specific options will be added in coming releases. + """) + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Str( + 'ipantsidblacklistincoming', + required=False, + multivalue=True, + cli_name='sid_blacklist_incoming', + label=_(u'SID blacklist incoming'), + ), + parameters.Str( + 'ipantsidblacklistoutgoing', + required=False, + multivalue=True, + cli_name='sid_blacklist_outgoing', + label=_(u'SID blacklist outgoing'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. 
The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trust_show(Method): + __doc__ = _("Display information about a trust.") + + takes_args = ( + parameters.Str( + 'cn', + cli_name='realm', + label=_(u'Realm name'), + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_mod(Method): + __doc__ = _("Modify global trust configuration.") + + takes_options = ( + parameters.Str( + 'ipantfallbackprimarygroup', + required=False, + cli_name='fallback_primary_group', + label=_(u'Fallback primary group'), + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class trustconfig_show(Method): + __doc__ = _("Show global trust configuration.") + + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Str( + 'trust_type', + cli_name='type', + cli_metavar="['ad']", + label=_(u'Trust type (ad for Active Directory, default)'), + default=u'ad', + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/2_49/user.py b/ipaclient/remote_plugins/2_49/user.py new file mode 100644 index 000000000..e5d7713bc --- /dev/null +++ b/ipaclient/remote_plugins/2_49/user.py 
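Review bot: Nothing in the new module states which server API it mirrors or that it is a frozen snapshot; the version lives only in the `2_49` directory name, and the header at the top of the hunk carries just the copyright line. A comment after the licence line, for example `# Remote plugin definitions frozen at server API version 2.49 (IPA 3.1.0); they describe what that server accepts and emits, so adjust them only against that server's schema, not to local taste`, would stop a later maintainer from "fixing" labels, defaults or `exclude` tuples here that the remote side still expects. The same note applies to the 2_49/user.py module whose hunk begins on the next line. Separately, the blanket `# pylint: disable=unused-import` in the preamble covers `Command`, `DefaultFrom`, `DN`, `DNSName` and `api`, none of which this module references; if the preamble is deliberately identical across all bundled modules, a one-line comment saying so (`# Shared import preamble for the bundled API-version modules; unused names are expected`) would make that intent explicit rather than leaving it to the lint suppression.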
@@ -0,0 +1,1372 @@ +# +# Copyright (C) 2016 FreeIPA Contributors see COPYING for license +# + +# pylint: disable=unused-import +import six + +from . import Command, Method, Object +from ipalib import api, parameters, output +from ipalib.parameters import DefaultFrom +from ipalib.plugable import Registry +from ipalib.text import _ +from ipapython.dn import DN +from ipapython.dnsutil import DNSName + +if six.PY3: + unicode = str + +__doc__ = _(""" +Users + +Manage user entries. All users are POSIX users. + +IPA supports a wide range of username formats, but you need to be aware of any +restrictions that may apply to your particular environment. For example, +usernames that start with a digit or usernames that exceed a certain length +may cause problems for some UNIX systems. +Use 'ipa config-mod' to change the username format allowed by IPA tools. + +Disabling a user account prevents that user from obtaining new Kerberos +credentials. It does not invalidate any credentials that have already +been issued. + +Password management is not a part of this module. For more information +about this topic please see: ipa help passwd + +Account lockout on password failure happens per IPA master. The user-status +command can be used to identify which master the user is locked out on. +It is on that master the administrator must unlock the user. 
+ +EXAMPLES: + + Add a new user: + ipa user-add --first=Tim --last=User --password tuser1 + + Find all users whose entries include the string "Tim": + ipa user-find Tim + + Find all users with "Tim" as the first name: + ipa user-find --first=Tim + + Disable a user account: + ipa user-disable tuser1 + + Enable a user account: + ipa user-enable tuser1 + + Delete a user: + ipa user-del tuser1 +""") + +register = Registry() + + +@register() +class user(Object): + takes_params = ( + parameters.Str( + 'uid', + primary_key=True, + label=_(u'User login'), + ), + parameters.Str( + 'givenname', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + ), + parameters.Str( + 'homedirectory', + required=False, + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + ), + parameters.Str( + 'loginshell', + required=False, + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + label=_(u'Kerberos principal'), + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + ), + parameters.Str( + 'randompassword', + required=False, + label=_(u'Random password'), + ), + parameters.Int( + 'uidnumber', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + ), + parameters.Int( + 'gidnumber', + label=_(u'GID'), + doc=_(u'Group ID Number'), + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + 
parameters.Str( + 'l', + required=False, + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + label=_(u'Org. Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + label=_(u'SSH public key'), + ), + parameters.Flag( + 'has_password', + label=_(u'Password'), + ), + parameters.Str( + 'memberof_group', + required=False, + label=_(u'Member of groups'), + ), + parameters.Str( + 'memberof_role', + required=False, + label=_(u'Roles'), + ), + parameters.Str( + 'memberof_netgroup', + required=False, + label=_(u'Member of netgroups'), + ), + parameters.Str( + 'memberof_sudorule', + required=False, + label=_(u'Member of Sudo rule'), + ), + parameters.Str( + 'memberof_hbacrule', + required=False, + label=_(u'Member of HBAC rule'), + ), + parameters.Str( + 'memberofindirect_group', + required=False, + label=_(u'Indirect Member of group'), + ), + parameters.Str( + 'memberofindirect_netgroup', + required=False, + label=_(u'Indirect Member of netgroup'), + ), + parameters.Str( + 'memberofindirect_role', + required=False, + 
label=_(u'Indirect Member of role'), + ), + parameters.Str( + 'memberofindirect_sudorule', + required=False, + label=_(u'Indirect Member of Sudo rule'), + ), + parameters.Str( + 'memberofindirect_hbacrule', + required=False, + label=_(u'Indirect Member of HBAC rule'), + ), + parameters.Flag( + 'has_keytab', + label=_(u'Kerberos keys available'), + ), + ) + + +@register() +class user_add(Method): + __doc__ = _("Add a new user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + autofill=True, + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + autofill=True, + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + autofill=True, + 
no_convert=True, + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + autofill=True, + ), + parameters.Int( + 'gidnumber', + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + autofill=True, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Flag( + 'noprivate', + doc=_(u"Don't create user private group"), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_del(Method): + __doc__ = _("Delete a user.") + + takes_args = ( + parameters.Str( + 'uid', + multivalue=True, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'continue', + doc=_(u"Continuous mode: Don't stop on errors."), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + dict, + doc=_(u'List of deletions that failed'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_disable(Method): + __doc__ = _("Disable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 
'jdoe' for a user"), + ), + ) + + +@register() +class user_enable(Method): + __doc__ = _("Enable a user account.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_find(Method): + __doc__ = _("Search for users.") + + takes_args = ( + parameters.Str( + 'criteria', + required=False, + doc=_(u'A string searched in all relevant object attributes'), + ), + ) + takes_options = ( + parameters.Str( + 'uid', + required=False, + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS 
field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'krbprincipalname', + required=False, + cli_name='principal', + label=_(u'Kerberos principal'), + default_from=DefaultFrom(lambda uid: '%s@%s' % (uid.lower(), api.env.realm), 'principal'), + no_convert=True, + ), + parameters.Str( + 'mail', + required=False, + multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Int( + 'timelimit', + required=False, + label=_(u'Time Limit'), + doc=_(u'Time limit of search in seconds'), + ), + parameters.Int( + 'sizelimit', + required=False, + label=_(u'Size Limit'), + doc=_(u'Maximum number of entries returned'), + ), + parameters.Flag( + 'whoami', + label=_(u'Self'), + doc=_(u'Display user record for current Kerberos principal'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'pkey_only', + required=False, + label=_(u'Primary key only'), + doc=_(u'Results should contain primary key attribute only ("login")'), + default=False, + autofill=True, + ), + parameters.Str( + 'in_group', + required=False, + multivalue=True, + cli_name='in_groups', + label=_(u'group'), + doc=_(u'Search for users with these member of groups.'), + ), + parameters.Str( + 'not_in_group', + required=False, + multivalue=True, + cli_name='not_in_groups', + label=_(u'group'), + doc=_(u'Search for users without these member of groups.'), + ), + parameters.Str( + 'in_netgroup', + required=False, + multivalue=True, + cli_name='in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users with these member of netgroups.'), + ), + parameters.Str( + 'not_in_netgroup', + required=False, + multivalue=True, + cli_name='not_in_netgroups', + label=_(u'netgroup'), + doc=_(u'Search for users without these member of netgroups.'), + ), + parameters.Str( + 'in_role', + required=False, + multivalue=True, + cli_name='in_roles', + label=_(u'role'), + doc=_(u'Search for users with these member of roles.'), + ), + parameters.Str( + 'not_in_role', + required=False, + multivalue=True, + cli_name='not_in_roles', + label=_(u'role'), + doc=_(u'Search for users without these member of roles.'), + ), + parameters.Str( + 'in_hbacrule', + required=False, + multivalue=True, + cli_name='in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users with these member of HBAC rules.'), + ), + parameters.Str( + 'not_in_hbacrule', + required=False, + multivalue=True, + cli_name='not_in_hbacrules', + label=_(u'HBAC rule'), + doc=_(u'Search for users without these member of HBAC rules.'), + ), + parameters.Str( + 'in_sudorule', + required=False, + multivalue=True, + cli_name='in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users with these member of sudo rules.'), + ), + 
parameters.Str( + 'not_in_sudorule', + required=False, + multivalue=True, + cli_name='not_in_sudorules', + label=_(u'sudo rule'), + doc=_(u'Search for users without these member of sudo rules.'), + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_mod(Method): + __doc__ = _("Modify a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Str( + 'givenname', + required=False, + cli_name='first', + label=_(u'First name'), + ), + parameters.Str( + 'sn', + required=False, + cli_name='last', + label=_(u'Last name'), + ), + parameters.Str( + 'cn', + required=False, + label=_(u'Full name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'displayname', + required=False, + label=_(u'Display name'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'initials', + required=False, + label=_(u'Initials'), + default_from=DefaultFrom(lambda givenname, sn: '%c%c' % (givenname[0], sn[0]), 'principal'), + ), + parameters.Str( + 'homedirectory', + required=False, + cli_name='homedir', + label=_(u'Home directory'), + ), + parameters.Str( + 'gecos', + required=False, + label=_(u'GECOS field'), + default_from=DefaultFrom(lambda givenname, sn: '%s %s' % (givenname, sn), 'principal'), + ), + parameters.Str( + 'loginshell', + required=False, + cli_name='shell', + label=_(u'Login shell'), + ), + parameters.Str( + 'mail', + required=False, + 
multivalue=True, + cli_name='email', + label=_(u'Email address'), + ), + parameters.Password( + 'userpassword', + required=False, + cli_name='password', + label=_(u'Password'), + doc=_(u'Prompt to set the user password'), + exclude=('webui',), + confirm=True, + ), + parameters.Flag( + 'random', + required=False, + doc=_(u'Generate a random user password'), + default=False, + autofill=True, + ), + parameters.Int( + 'uidnumber', + required=False, + cli_name='uid', + label=_(u'UID'), + doc=_(u'User ID Number (system will assign one if not provided)'), + default=999, + ), + parameters.Int( + 'gidnumber', + required=False, + label=_(u'GID'), + doc=_(u'Group ID Number'), + default=999, + ), + parameters.Str( + 'street', + required=False, + label=_(u'Street address'), + ), + parameters.Str( + 'l', + required=False, + cli_name='city', + label=_(u'City'), + ), + parameters.Str( + 'st', + required=False, + cli_name='state', + label=_(u'State/Province'), + ), + parameters.Str( + 'postalcode', + required=False, + label=_(u'ZIP'), + ), + parameters.Str( + 'telephonenumber', + required=False, + multivalue=True, + cli_name='phone', + label=_(u'Telephone Number'), + ), + parameters.Str( + 'mobile', + required=False, + multivalue=True, + label=_(u'Mobile Telephone Number'), + ), + parameters.Str( + 'pager', + required=False, + multivalue=True, + label=_(u'Pager Number'), + ), + parameters.Str( + 'facsimiletelephonenumber', + required=False, + multivalue=True, + cli_name='fax', + label=_(u'Fax Number'), + ), + parameters.Str( + 'ou', + required=False, + cli_name='orgunit', + label=_(u'Org. 
Unit'), + ), + parameters.Str( + 'title', + required=False, + label=_(u'Job Title'), + ), + parameters.Str( + 'manager', + required=False, + label=_(u'Manager'), + ), + parameters.Str( + 'carlicense', + required=False, + label=_(u'Car License'), + ), + parameters.Bool( + 'nsaccountlock', + required=False, + label=_(u'Account disabled'), + exclude=('cli', 'webui'), + ), + parameters.Str( + 'ipasshpubkey', + required=False, + multivalue=True, + cli_name='sshpubkey', + label=_(u'SSH public key'), + no_convert=True, + ), + parameters.Str( + 'setattr', + required=False, + multivalue=True, + doc=_(u'Set an attribute to a name/value pair. Format is attr=value.\nFor multi-valued attributes, the command replaces the values already present.'), + exclude=('webui',), + ), + parameters.Str( + 'addattr', + required=False, + multivalue=True, + doc=_(u'Add an attribute/value pair. Format is attr=value. The attribute\nmust be part of the schema.'), + exclude=('webui',), + ), + parameters.Str( + 'delattr', + required=False, + multivalue=True, + doc=_(u'Delete an attribute/value pair. The option will be evaluated\nlast, after all sets and adds.'), + exclude=('webui',), + ), + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. 
Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Str( + 'rename', + required=False, + label=_(u'Rename'), + doc=_(u'Rename the user object'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_show(Method): + __doc__ = _("Display information about a user.") + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'rights', + label=_(u'Rights'), + doc=_(u'Display the access rights of this entry (requires --all). See ipa man page for details.'), + default=False, + autofill=True, + ), + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Entry( + 'result', + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) + + +@register() +class user_status(Method): + __doc__ = _(""" +Lockout status of a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. 
A locked account is a temporary condition and may be unlocked by + an administrator. + + This connects to each IPA master and displays the lockout status on + each one. + + To determine whether an account is locked on a given server you need + to compare the number of failed logins and the time of the last failure. + For an account to be locked it must exceed the maxfail failures within + the failinterval duration as specified in the password policy associated + with the user. + + The failed login counter is modified only when a user attempts a log in + so it is possible that an account may appear locked but the last failed + login attempt is older than the lockouttime of the password policy. This + means that the user may attempt a login again. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + takes_options = ( + parameters.Flag( + 'all', + doc=_(u'Retrieve and print all attributes from the server. Affects command output.'), + exclude=('webui',), + default=False, + autofill=True, + ), + parameters.Flag( + 'raw', + doc=_(u'Print entries as stored on the server. Only affects output format.'), + exclude=('webui',), + default=False, + autofill=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.ListOfEntries( + 'result', + ), + output.Output( + 'count', + int, + doc=_(u'Number of entries returned'), + ), + output.Output( + 'truncated', + bool, + doc=_(u'True if not all results were returned'), + ), + ) + + +@register() +class user_unlock(Method): + __doc__ = _(""" +Unlock a user account + + An account may become locked if the password is entered incorrectly too + many times within a specific time period as controlled by password + policy. 
A locked account is a temporary condition and may be unlocked by + an administrator. + """) + + takes_args = ( + parameters.Str( + 'uid', + cli_name='login', + label=_(u'User login'), + default_from=DefaultFrom(lambda givenname, sn: givenname[0] + sn, 'principal'), + no_convert=True, + ), + ) + has_output = ( + output.Output( + 'summary', + (unicode, type(None)), + doc=_(u'User-friendly description of action performed'), + ), + output.Output( + 'result', + bool, + doc=_(u'True means the operation was successful'), + ), + output.Output( + 'value', + unicode, + doc=_(u"The primary_key value of the entry, e.g. 'jdoe' for a user"), + ), + ) diff --git a/ipaclient/remote_plugins/__init__.py b/ipaclient/remote_plugins/__init__.py index 93636fcb5..6454a4f4e 100644 --- a/ipaclient/remote_plugins/__init__.py +++ b/ipaclient/remote_plugins/__init__.py @@ -2,13 +2,23 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # +from . import compat from . import schema +from ipaclient.plugins.rpcclient import rpcclient def get_package(api): if api.env.in_tree: from ipaserver import plugins else: - plugins = schema.get_package(api) + client = rpcclient(api) + client.finalize() + try: + plugins = schema.get_package(api, client) + except schema.NotAvailable: + plugins = compat.get_package(api, client) + finally: + if client.isconnected(): + client.disconnect() return plugins diff --git a/ipaclient/remote_plugins/compat.py b/ipaclient/remote_plugins/compat.py new file mode 100644 index 000000000..40521af45 --- /dev/null +++ b/ipaclient/remote_plugins/compat.py 
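Review bot: The `except schema.NotAvailable:` branch in `get_package` switches the client to the bundled legacy definitions without leaving any trace, so a user debugging missing options or unknown commands cannot tell from the CLI which plugin set was loaded. Consider a comment such as `# server has no schema command; fall back to the bundled definitions` plus a debug-level log at that point if a logger is available to this module (none is visible in the hunk). As a style point, `from ipaclient.plugins.rpcclient import rpcclient` is placed after the explicit relative imports; absolute imports conventionally come first, so moving it above `from . import compat` keeps the import block ordered.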
@@ -0,0 +1,76 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+from distutils.version import LooseVersion
+import importlib
+import os
+import re
+import sys
+
+import six
+
+from ipaclient.frontend import ClientCommand, ClientMethod
+from ipalib.frontend import Object
+
+if six.PY3:
+ unicode = str
+
+
+class CompatCommand(ClientCommand):
+ @property
+ def forwarded_name(self):
+ return self.name
+
+
+class CompatMethod(ClientMethod, CompatCommand):
+ pass
+
+
+class CompatObject(Object):
+ pass
+
+
+def get_package(api, client):
+ if not client.isconnected():
+ client.connect(verbose=False)
+
+ env = client.forward(u'env', u'api_version', version=u'2.0')
+ try:
+ server_version = env['result']['api_version']
+ except KeyError:
+ ping = client.forward(u'ping', u'api_version', version=u'2.0')
+ try:
+ match = re.search(u'API version (2\.[0-9]+)', ping['summary'])
+ except KeyError:
+ match = None
+ if match is not None:
+ server_version = match.group(1)
+ else:
+ server_version = u'2.0'
+ server_version = LooseVersion(server_version)
+
+ package_names = {}
+ base_name = __name__.rpartition('.')[0]
+ base_dir = os.path.dirname(__file__)
+ for name in os.listdir(base_dir):
+ package_dir = os.path.join(base_dir, name)
+ if name.startswith('2_') and os.path.isdir(package_dir):
+ package_version = name.replace('_', '.')
+ package_names[package_version] = '{}.{}'.format(base_name, name)
+
+ package_version = None
+ for version in sorted(package_names, key=LooseVersion):
+ if (package_version is None or
+ LooseVersion(package_version) < LooseVersion(version)):
+ package_version = version
+ if LooseVersion(version) >= server_version:
+ break
+
+ package_name = package_names[package_version]
+ try:
+ package = sys.modules[package_name]
+ except KeyError:
+ package = importlib.import_module(package_name)
+
+ return package
diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py
index da917a984..8ce26e608 100644
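Review bot: The selection loop in `get_package` assigns `package_version = version` before it tests `LooseVersion(version) >= server_version`, so a server whose API version lies between two bundled packages is paired with the next higher package (constructed example: a 2.120 server would get the `2_156` definitions), whose commands and options that server may not accept. If the closest lower package is what is intended, replace the loop body with `if package_version is not None and LooseVersion(version) > server_version:` / `    break` / `package_version = version`, which keeps the smallest package for servers older than all of them and otherwise the largest package not above the server. Separately, the pattern `u'API version (2\.[0-9]+)'` has the invalid escape `\.` in a non-raw literal; writing it as `r'API version (2\.[0-9]+)'` avoids the warning newer interpreters emit for it. The `re.search` on `ping['summary']` is guarded only against KeyError; if `summary` can be None the call raises TypeError and the `u'2.0'` fallback is bypassed, though the ping contract is not visible here.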
--- a/ipaclient/remote_plugins/schema.py +++ b/ipaclient/remote_plugins/schema.py @@ -16,12 +16,11 @@ import zipfile import six -from ipaclient.plugins.rpcclient import rpcclient +from ipaclient.frontend import ClientCommand, ClientMethod from ipalib import errors, parameters, plugable -from ipalib.frontend import Command, Method, Object +from ipalib.frontend import Object from ipalib.output import Output from ipalib.parameters import DefaultFrom, Flag, Password, Str -from ipalib.text import _ from ipapython.dn import DN from ipapython.dnsutil import DNSName from ipapython.ipa_log_manager import log_mgr 
@@ -70,92 +69,11 @@ SERVERS_DIR = os.path.join(USER_CACHE_PATH, 'ipa', 'servers') logger = log_mgr.get_logger(__name__) -class _SchemaCommand(Command): - def get_options(self): - skip = set() - for option in super(_SchemaCommand, self).get_options(): - if option.name in skip: - continue - if option.name in ('all', 'raw'): - skip.add(option.name) - yield option +class _SchemaCommand(ClientCommand): + pass -class _SchemaMethod(Method, _SchemaCommand): - _failed_member_output_params = ( - # baseldap - Str( - 'member', - label=_("Failed members"), - ), - Str( - 'sourcehost', - label=_("Failed source hosts/hostgroups"), - ), - Str( - 'memberhost', - label=_("Failed hosts/hostgroups"), - ), - Str( - 'memberuser', - label=_("Failed users/groups"), - ), - Str( - 'memberservice', - label=_("Failed service/service groups"), - ), - Str( - 'failed', - label=_("Failed to remove"), - flags=['suppress_empty'], - ), - Str( - 'ipasudorunas', - label=_("Failed RunAs"), - ), - Str( - 'ipasudorunasgroup', - label=_("Failed RunAsGroup"), - ), - # caacl - Str( - 'ipamembercertprofile', - label=_("Failed profiles"), - ), - Str( - 'ipamemberca', - label=_("Failed CAs"), - ), - # host - Str( - 'managedby', - label=_("Failed managedby"), - ), - # service - Str( - 'ipaallowedtoperform_read_keys', - label=_("Failed allowed to retrieve keytab"), - ), - Str( - 'ipaallowedtoperform_write_keys', - label=_("Failed allowed to create keytab"), - ), - # servicedelegation - Str( - 'failed_memberprincipal', - label=_("Failed members"), - ), - Str( - 'ipaallowedtarget', - label=_("Failed targets"), - ), - # vault - Str( - 'owner?', - label=_("Failed owners"), - ), - ) - +class _SchemaMethod(ClientMethod): @property def obj_name(self): return self.api.Object[self.obj_full_name].name 
@@ -164,15 +82,6 @@ class _SchemaMethod(Method, _SchemaCommand): def obj_version(self): return self.api.Object[self.obj_full_name].version - def get_output_params(self): - seen = set() - for output_param in super(_SchemaMethod, self).get_output_params(): - seen.add(output_param.name) - yield output_param - for output_param in self._failed_member_output_params: - if output_param.name not in seen: - yield output_param - class _SchemaObject(Object): pass @@ -407,6 +316,10 @@ class _SchemaNameSpace(collections.Mapping): return len(list(self._schema.iter_namespace(self.name))) +class NotAvailable(Exception): + pass + + class Schema(object): """ Store and provide schema for commands and topics @@ -443,8 +356,9 @@ class Schema(object): def _in_cache(cls, fingeprint): return os.path.exists(cls.schema_path_template.format(fingeprint)) - def __init__(self, api): + def __init__(self, api, client): self._api = api + self._client = client self._dict = {} def _open_server_info(self, hostname, mode): @@ -453,9 +367,9 @@ class Schema(object): return open(path, mode) def _get_schema(self): - client = rpcclient(self._api) - client.finalize() - client.connect(verbose=False) + client = self._client + if not client.isconnected(): + client.connect(verbose=False) fps = [unicode(f) for f in Schema._list()] kwargs = {u'version': u'2.170'} @@ -463,6 +377,8 @@ class Schema(object): kwargs[u'known_fingerprints'] = fps try: schema = client.forward(u'schema', **kwargs)['result'] + except errors.CommandError: + raise NotAvailable() except errors.SchemaUpToDate as e: fp = e.fingerprint ttl = e.ttl @@ -561,11 +477,11 @@ class Schema(object): yield r.groups('name')[0] -def get_package(api): +def get_package(api, client): try: schema = api._schema except AttributeError: - schema = Schema(api) + schema = Schema(api, client) object.__setattr__(api, '_schema', schema) fingerprint = str(schema['fingerprint']) diff --git a/ipaclient/setup.py.in b/ipaclient/setup.py.in index 139b9dec6..1c8654f00 100644 
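Review bot: `NotAvailable` is introduced without a docstring, and its only raise site in this file maps `errors.CommandError` from the `schema` forward to it, so a reader has to trace `Schema._get_schema` to learn what it means. A one-line docstring makes the contract explicit, e.g. `"""Raised when forwarding the ``schema`` command fails with CommandError (the server does not know it)."""`.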
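Review bot: `Schema.__init__` now receives a `client` that `_get_schema` connects when `isconnected()` is false, yet nothing in these hunks disconnects it; since the rpcclient is no longer created here, its lifetime appears to belong to the caller (the `finally:` block in `remote_plugins/__init__.py` above seems to close it), and that contract is undocumented. Suggest on `__init__`: `"""*client* is a finalized rpcclient; it may be connected here but is never closed — the caller owns its lifetime."""`, and above the `if not client.isconnected():` in `_get_schema` a comment `# connect lazily; disconnecting is the caller's responsibility`. `_get_schema` continues past the end of its hunk.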
--- a/ipaclient/setup.py.in +++ b/ipaclient/setup.py.in @@ -64,6 +64,10 @@ def setup_package(): "ipaclient", "ipaclient.plugins", "ipaclient.remote_plugins", + "ipaclient.remote_plugins.2_49", + "ipaclient.remote_plugins.2_114", + "ipaclient.remote_plugins.2_156", + "ipaclient.remote_plugins.2_164", ], scripts=['../ipa'], data_files = [('share/man/man1', ["../ipa.1"])], diff --git a/ipalib/frontend.py b/ipalib/frontend.py index f324add29..cb00841f2 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -424,6 +424,8 @@ class Command(HasParam): callback_types = ('interactive_prompt',) + api_version = API_VERSION + @property def topic(self): return type(self).__module__.rpartition('.')[2] @@ -451,11 +453,11 @@ class Command(HasParam): elif self.api.env.skip_version_check and not self.api.env.in_server: options['version'] = u'2.0' else: - options['version'] = API_VERSION + options['version'] = self.api_version if self.api.env.in_server: # add message only on server side self.add_message( - messages.VersionMissing(server_version=API_VERSION)) + messages.VersionMissing(server_version=self.api_version)) params = self.args_options_2_params(*args, **options) self.debug( 'raw: %s(%s)', self.name, ', '.join(self._repr_iter(**params)) -- cgit
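Review bot: `api_version = API_VERSION` is added to `Command` as a bare class attribute with no comment, and the second hunk in this file shows it replacing the module constant both as the `version` option of the forwarded call and in the `VersionMissing` message, so a reader will not know why it became overridable. Suggest `# API version sent as the ``version`` option of forwarded calls; a subclass may override it to target a different server API.` next to the attribute. The `Command` class starts and ends outside these hunks.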