| author | Sumit Bose <sbose@nb.localdomain> | 2008-10-20 11:14:54 +0200 |
|---|---|---|
| committer | Sumit Bose <sbose@nb.localdomain> | 2008-10-20 11:14:54 +0200 |
| commit | 98824689e3f11cac83e9ee785ecd76616490d21c (patch) | |
| tree | 68cc9207523a5e5e361f42edc4f4251e7be6f543 /ipaaction | |
| parent | bc009a849c81888f45f123f3bea473df8fd494f6 (diff) | |
| download | ipa_policy-98824689e3f11cac83e9ee785ecd76616490d21c.tar.gz ipa_policy-98824689e3f11cac83e9ee785ecd76616490d21c.tar.xz ipa_policy-98824689e3f11cac83e9ee785ecd76616490d21c.zip | |
added ipaaction example
Diffstat (limited to 'ipaaction')
| -rw-r--r-- | ipaaction/ipaaction.rng | 89 | ||||
| -rw-r--r-- | ipaaction/ipaaction.xslt | 100 | ||||
| -rw-r--r-- | ipaaction/ipaaction_example_policy.xml | 33 |
3 files changed, 222 insertions, 0 deletions
diff --git a/ipaaction/ipaaction.rng b/ipaaction/ipaaction.rng
new file mode 100644
index 0000000..983786b
--- /dev/null
+++ b/ipaaction/ipaaction.rng
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<grammar ns="http://freeipa.org/xml/rng/ipaaction/1.0"
+xmlns="http://relaxng.org/ns/structure/1.0"
+datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes"
+xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
+xmlns:pa="http://freeipa.org/xml/rng/ns/plugable_architecture/1.0">
+
+ <a:documentation>IPA Actions</a:documentation>
+
+ <a:documentation>The following section can be used to register the RNG schema file for the UI</a:documentation>
+ <a:name>ipaaction</a:name>
+ <a:description>Handles IPA action policies</a:description>
+ <a:author>sbose@redhat.com</a:author>
+ <a:xslt>ipaaction.xsl</a:xslt>
+ <a:version>0.1</a:version>
+
+ <define name="rng_filename"><value>ipaaction.rng</value></define>
+ <define name="xslt_filename"><value>ipaaction.xslt</value></define>
+ <define name="application_name"><value>ipaaction</value></define>
+ <include href="policy_metadata.rng"/>
+
+ <start ns="http://freeipa.org/xml/rng/ipaaction/1.0">
+ <element name="ipa">
+ <a:documentation>Doc test.</a:documentation>
+
+ <ref name="policy_metadata"/>
+
+ <element name="ipaaction">
+ <oneOrMore>
+ <choice>
+ <element name="file">
+ <choice>
+ <element name="data">
+ <data type="base64Binary"/>
+ </element>
+ <element name="url">
+ <data type="anyURI"/>
+ </element>
+ </choice>
+ <element name="path">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ <element name="owner">
+ <text/>
+ </element>
+ <element name="group">
+ <text/>
+ </element>
+ <element name="access">
+ <text/>
+ </element>
+ <optional>
+ <element name="selinux_context">
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name="condition">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ </optional>
+ </element> <!-- file -->
+ <element name="run">
+ <element name="command">
+ <data type="string">
+ <param name="pattern">/.*</param>
+ </data>
+ </element>
+ <optional>
+ <element name="user">
+ <text/>
+ </element>
+ </optional>
+ <optional>
+ <element name="schedule">
+ <text/>
+ </element>
+ </optional>
+ </element> <!-- run -->
+ </choice>
+ </oneOrMore>
+ </element> <!-- ipaaction -->
+ </element> <!-- ipa -->
+ </start>
+</grammar>
diff --git a/ipaaction/ipaaction.xslt b/ipaaction/ipaaction.xslt
new file mode 100644
index 0000000..cb4be34
--- /dev/null
+++ b/ipaaction/ipaaction.xslt
@@ -0,0 +1,100 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:xs="http://www.w3.org/2001/XMLSchema"
+ xmlns:md="http://freeipa.org/xsl/metadata/1.0"
+ xmlns:xd="http://www.pnp-software.com/XSLTdoc"
+ xmlns:ipaaction="http://freeipa.org/xml/rng/ipaaction/1.0">
+
+ <md:output_handler>
+ <xd:doc>Here we have two different kind of handlers 'download' and 'exec'.</xd:doc>
+ <download param_name="output_selector" param_value="file"/>
+ <xd:doc>TODO: we have to decide what the client application should do. It would be possible to call an external program like 'curl' or 'wget' or the call libcurl to download a file. I would vote for using 'curl' or 'libcurl' because it seem that curl supports more methods than wget. Download should be done by user nobody into a teporary file and then moved and chowned to the destination.</xd:doc>
+ <exec param_name="output_selector" param_value="run"/>
+ <xd:doc>TODO: we have to decide how the client application should call the applied program or script. If no 'user' is specifed the default user should be 'nobody'.</xd:doc>
+ </md:output_handler>
+
+ <xsl:param name="output_selector"/>
+
+ <xsl:output method="text" indent="no"/>
+ <xsl:strip-space elements="*"/>
+
+ <xsl:template match="/">
+ <xsl:text># IPA generated script for ipaaction policy. DO NOT EDIT
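Review bot: `<a:xslt>ipaaction.xsl</a:xslt>` names a file that does not exist in this commit, which adds `ipaaction/ipaaction.xslt` and defines `xslt_filename` as `ipaaction.xslt` a few lines further down; it should read `<a:xslt>ipaaction.xslt</a:xslt>` so a UI that registers the schema from these annotations resolves the stylesheet. `owner`, `group`, `access`, `user` and `schedule` are declared as unconstrained `<text/>`, and `path`, `condition` and `command` only require a leading `/`; because the accompanying stylesheet copies these values straight into a generated shell script, the grammar should restrict them, e.g. `<data type="string"><param name="pattern">[A-Za-z0-9_.-]+</param></data>` for the user and group names and `[0-7]{3,4}` for `access`. The `pa` namespace is declared on the root but never used anywhere in the grammar.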

</xsl:text>
+ <xsl:apply-templates select="ipaaction:ipa"/>
+ </xsl:template>
+
+ <xsl:template match="ipaaction:ipa">
+ <xsl:apply-templates>
+ <xsl:with-param name="ipaaction:ipaaction"/>
+ </xsl:apply-templates>
+ </xsl:template>
+
+ <xsl:template match="ipaaction:metadata">
+ </xsl:template>
+
+ <xsl:template match="ipaaction:ipaaction">
+ <xsl:choose>
+ <xsl:when test="$output_selector='file'">
+ <xsl:apply-templates select="ipaaction:file"/>
+ </xsl:when>
+ <xsl:when test="$output_selector='run'">
+ <xsl:apply-templates select="ipaaction:run"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:text># unknown output_selector
</xsl:text>
+ </xsl:otherwise>
+ </xsl:choose>
+ </xsl:template>
+
+ <xsl:template match="ipaaction:file">
+ <xsl:choose>
+ <xsl:when test="name(./*[1])='url'">
+ <xsl:text>su - nobody 'curl -o /tmp/SAFE_TEMP_FILE </xsl:text>
+ <xsl:value-of select="ipaaction:url"/>
+ <xsl:text>'
</xsl:text>
+ </xsl:when>
+ <xsl:when test="name(./*[1])='data'">
+ <xsl:text>cat << EOF | base64 -d > /tmp/SAFE_TEMP_FILE
</xsl:text>
+ <xsl:value-of select="ipaaction:data"/>
+ <xsl:text>
EOF
</xsl:text>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:text># unknown element: </xsl:text>
+ <xsl:value-of select="name(./*[1])"/>
+ <xsl:text>
</xsl:text>
+ </xsl:otherwise>
+ </xsl:choose>
+
+ <xsl:text>mv /tmp/SAFE_TEMP_FILE </xsl:text>
+ <xsl:value-of select="ipaaction:path"/>
+ <xsl:text>
</xsl:text>
+
+ <xsl:text>chown </xsl:text>
+ <xsl:value-of select="ipaaction:owner"/>
+ <xsl:text>:</xsl:text>
+ <xsl:value-of select="ipaaction:group"/>
+ <xsl:text> </xsl:text>
+ <xsl:value-of select="ipaaction:path"/>
+ <xsl:text>
</xsl:text>
+ </xsl:template>
+
+ <xsl:template match="ipaaction:run">
+ <xsl:variable name="user">
+ <xsl:choose>
+ <xsl:when test="ipaaction:user != ''">
+ <xsl:value-of select="ipaaction:user"/>
+ </xsl:when>
+ <xsl:otherwise>
+ <xsl:text>nobody</xsl:text>
+ </xsl:otherwise>
+ </xsl:choose>
+ </xsl:variable>
+ <xsl:text>su - </xsl:text>
+ <xsl:value-of select="$user"/>
+ <xsl:text> '</xsl:text>
+ <xsl:value-of select="ipaaction:command"/>
+ <xsl:text>'
</xsl:text>
+ </xsl:template>
+
+</xsl:stylesheet>
diff --git a/ipaaction/ipaaction_example_policy.xml b/ipaaction/ipaaction_example_policy.xml
new file mode 100644
index 0000000..7198992
--- /dev/null
+++ b/ipaaction/ipaaction_example_policy.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<ipa xmlns="http://freeipa.org/xml/rng/ipaaction/1.0">
+ <metadata>
+ <name>simple ipaaction example</name>
+ <author>sbose@redhat.com</author>
+ <version>0.7071</version>
+ <RNGfile>ipaaction.rng</RNGfile>
+ <XSLTfile>ipaaction.xslt</XSLTfile>
+ <app>ipaaction</app>
+ </metadata>
+
+ <ipaaction>
+ <file>
+ <url>http://my.server.org/something.txt</url>
+ <path>/tmp/something.txt</path>
+ <owner>nobody</owner>
+ <group>nogroup</group>
+ <access>0444</access>
+ </file>
+ <run>
+ <command>/bin/rm /tmp/something.txt</command>
+ <user>admin</user>
+ </run>
+ <file>
+ <data>VGhpcyBpcyBhIHRlc3QK</data>
+ <path>/tmp/something_other.txt</path>
+ <owner>nobody</owner>
+ <group>nogroup</group>
+ <access>0444</access>
+ </file>
+ </ipaaction>
+
+</ipa> |
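Review bot: The `su` lines emitted by the `ipaaction:file` and `ipaaction:run` templates omit `-c`, so `su - nobody 'curl -o /tmp/SAFE_TEMP_FILE …'` and `su - $user '…command…'` hand the quoted string to the target user's login shell as a script argument instead of running it as a command; the two `<xsl:text>` fragments should read `<xsl:text>su - nobody -c 'curl -o /tmp/SAFE_TEMP_FILE </xsl:text>` and `<xsl:text> -c '</xsl:text>`. The same templates paste `url`, `path`, `owner`, `group`, `user` and `command` into the script unquoted, and the grammar only requires `path` and `command` to start with `/`, so a policy value containing a quote or shell metacharacter alters the generated script rather than being treated as data — either quote every value in the stylesheet or tighten the RNG patterns. The fixed, predictable `/tmp/SAFE_TEMP_FILE` (written by `curl` as nobody or by `base64 -d` as the invoking user, then moved and chowned by the invoker) should be replaced by a per-run `mktemp` result, as the `xd:doc` note on the download handler itself anticipates. `<access>` is never turned into a `chmod`, and `selinux_context`, `condition` and `schedule` are silently ignored, so the example policy's `0444` has no effect. If the page shows the raw source rather than a decoded rendering, `cat << EOF` inside `<xsl:text>` must be written `cat &lt;&lt; EOF` for the stylesheet to be well-formed XML.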
