From 9765f5729bca58fd9bc57d315377ce143891d774 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 8 Oct 2008 11:42:22 +0200 Subject: more metadata and policy fixes --- sudoers/ipa.rng | 42 --- sudoers/netgroup.rng | 49 --- sudoers/options.rng | 448 ----------------------- sudoers/policy_metadata.rng | 31 +- sudoers/posixGroup.rng | 49 --- sudoers/sudoOptions.rng | 73 ---- sudoers/sudoers.rng | 874 ++++++++++++++++++++++---------------------- sudoers/ttygroup.rng | 49 --- sudoers/user.rng | 49 --- sudoers/username.rng | 11 - sudoers/validate.py | 89 ----- 11 files changed, 463 insertions(+), 1301 deletions(-) delete mode 100644 sudoers/ipa.rng delete mode 100644 sudoers/netgroup.rng delete mode 100644 sudoers/options.rng delete mode 100644 sudoers/posixGroup.rng delete mode 100644 sudoers/sudoOptions.rng delete mode 100644 sudoers/ttygroup.rng delete mode 100644 sudoers/user.rng delete mode 100644 sudoers/username.rng delete mode 100755 sudoers/validate.py diff --git a/sudoers/ipa.rng b/sudoers/ipa.rng deleted file mode 100644 index 759caee..0000000 --- a/sudoers/ipa.rng +++ /dev/null @@ -1,42 +0,0 @@ - - top (root) level IPA pattern - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/netgroup.rng b/sudoers/netgroup.rng deleted file mode 100644 index 24e0171..0000000 --- a/sudoers/netgroup.rng +++ /dev/null @@ -1,49 +0,0 @@ - - - - netgroup configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/options.rng b/sudoers/options.rng deleted file mode 100644 index e2782e1..0000000 --- a/sudoers/options.rng +++ /dev/null 
@@ -1,448 +0,0 @@ - - - - - - - - - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - on - off - - - - - - - - 1 - 65535 - - - - - - - - 0 - 65535 - - - - - - 0 - 65535 - - - - - - -1 - 65535 - - - - - - (0[0-7]{3}) - - - - - - - - - - - - - - - - - - - - /.* - - - - - - - - - - - - - - - - - - emerg - alert - crit - err - warning - notice - info - debug - - - - - - emerg - alert - crit - err - warning - notice - info - debug - - - - - - /.* - - - - - - - - - - - - - - - - - - - - - always - never - once - - - - - - (/.*|built-in) - - - - - - - all - always - any - never - - - - - - (/.*|off) - - - - - - - - - - - - - - auth - authpriv - daemon - user - local0 - local1 - local2 - local3 - local4 - local5 - local6 - local7 - off - - - - - - all - always - any - never - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/policy_metadata.rng b/sudoers/policy_metadata.rng index 5deb0e8..810d32c 100644 --- a/sudoers/policy_metadata.rng +++ b/sudoers/policy_metadata.rng 
@@ -1,10 +1,12 @@ - + + + The metadata information should be generic for all policies. The RelaxNG schema can be found in a separate file (this file :) and can be included by the schema file of a specific policy with the externalRef pattern. With this separation the policy and the metadata schema can be modified independently and the metadata schema can be used by the UI to render a separate page for the metadata of a policy. @@ -21,14 +23,17 @@ xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> - - - host - user - hostAndUser - + + should be added automatically from RelaxNG metadata + + + + + should be added automatically from RelaxNG metadata + + exclusive @@ -45,13 +50,11 @@ xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> - - should be added automatically from RelaxNG metadata - - - - + + + + diff --git a/sudoers/posixGroup.rng b/sudoers/posixGroup.rng deleted file mode 100644 index e3f4d86..0000000 --- a/sudoers/posixGroup.rng +++ /dev/null @@ -1,49 +0,0 @@ - - - - posixGroup configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/sudoOptions.rng b/sudoers/sudoOptions.rng deleted file mode 100644 index c87c02b..0000000 --- a/sudoers/sudoOptions.rng +++ /dev/null @@ -1,73 +0,0 @@ - - - - Sudo options configuration (Defaults) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/sudoers.rng b/sudoers/sudoers.rng index e865118..9720a68 100644 --- a/sudoers/sudoers.rng +++ b/sudoers/sudoers.rng 
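Review bot: The second hunk (`@@ -21,14 +23,17 @@`) drops the explicit value list `host`, `user`, `hostAndUser` and puts the text `should be added automatically from RelaxNG metadata` in its place, the same text the third hunk removes from its old spot, so this is a moved placeholder rather than a replacement constraint. The markup is not visible in this rendering, so I cannot tell whether any restriction on that value survives; if the enumeration is simply gone until a generator fills it in, the schema now accepts arbitrary strings where it previously allowed exactly three values, and anything validating policy metadata against it loses that check. I would keep the three-value choice next to the placeholder until the generating step exists, and say in a comment which step is expected to produce it, e.g. `<!-- placeholder: enumeration to be generated from the policy schema's metadata; keep the explicit choice until that exists -->`.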
@@ -13,443 +13,461 @@ xmlns:ui="http://freeipa.org/xml/rng/ns/ui/1.0"> sudoers.xsl 0.5 - + sudoers.rng + sudoers.xslt + + + Doc test. - - - + - + - Here the definition for the generic part of the policy starts. - - - - - - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - on - off - - - - - - 1 - 65535 - - - - - - - 0 - 65535 - - - - - - 0 - 65535 - - - - - - -1 - 65535 - - - - - - (0[0-7]{3}) - - - - - - - - - - - - - - - - /.* - - - - - - - - - - - - [A-Za-z0-9_-]{1,16} - - - - - emerg - alert - crit - err - warning - notice - info - debug - - - - - emerg - alert - crit - err - warning - notice - info - debug - - - - - /.* - - - - - - [A-Za-z0-9_-]{1,16} - - - - - - - - - - - - - always - never - once - - - - - (/.*|built-in) - - - - - - all - always - any - never - - - - - (/.*|off) - - - - - - - - - - - auth - authpriv - daemon - user - local0 - local1 - local2 - local3 - local4 - local5 - local6 - local7 - off - - - - - all - always - any - never - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + Here the definition for the sudo specific part of the policy starts. 
+ + + + + + - - - + - NOPASSWD - PASSWD - NOEXEC - EXEC - SETENV - NOSETENV + posixUser + posixGroup + netgroup + IPAgroup + ALL - - - - - - [A-Za-z0-9_-]{1,16} - - - + + + + + + + + + + + + + + + + + + NOPASSWD + PASSWD + NOEXEC + EXEC + SETENV + NOSETENV + + + + + + + + [A-Za-z0-9_-]{1,16} + + + + + + + + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + - - - - - - + --> + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + on + off + + + + + + 1 + 65535 + + + + + + + 0 + 65535 + + + + + + 0 + 65535 + + + + + + -1 + 65535 + + + + + + (0[0-7]{3}) + + + + + + + + + + + + + + + + /.* + + + + + + + + + + + + [A-Za-z0-9_-]{1,16} + + + + + emerg + alert + crit + err + warning + notice + info + debug + + + + + emerg + alert + crit + err + warning + notice + info + debug + + + + + /.* + + + + + + [A-Za-z0-9_-]{1,16} + + + + + + + + + + + + + always + never + once + + + + + (/.*|built-in) + + + + + + all + always + any + never + + + + + (/.*|off) + + + + + + + + + + + auth + authpriv + daemon + user + local0 + local1 + local2 + local3 + local4 + local5 + local6 + local7 + off + + + + + all + always + any + never + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/sudoers/ttygroup.rng b/sudoers/ttygroup.rng deleted file mode 100644 index c8dfce6..0000000 --- a/sudoers/ttygroup.rng +++ /dev/null @@ -1,49 +0,0 @@ - - - - ttygroup configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
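Review bot: The added text `Doc test.` just below the new `sudoers.rng` and `sudoers.xslt` entries is placeholder documentation and should be replaced with a real description of the policy before merge; the old `sudoers.xsl 0.5` entry is kept alongside the new `sudoers.xslt`, so one of the two stylesheet names looks stale and should go. Further down a bare `-->` is added after the first five `on`/`off` option blocks; the opener is not visible in this rendering, but if those option definitions sit inside a comment they silently disappear from the schema, so either delete them or precede the block with a one-line comment stating why they are disabled. The new subject type list `posixUser`, `posixGroup`, `netgroup`, `IPAgroup`, `ALL` admits `ALL`; if that is the sudoers wildcard, the schema will accept it wherever this list applies and any limit on unrestricted rules has to be enforced by whatever consumes the policy, which deserves a comment at the choice. The enclosing grammar starts before line 13, outside the hunk.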
diff --git a/sudoers/user.rng b/sudoers/user.rng deleted file mode 100644 index b0aec32..0000000 --- a/sudoers/user.rng +++ /dev/null @@ -1,49 +0,0 @@ - - - - user configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/sudoers/username.rng b/sudoers/username.rng deleted file mode 100644 index 9b3f37f..0000000 --- a/sudoers/username.rng +++ /dev/null @@ -1,11 +0,0 @@ - - - - - [A-Za-z0-9_-]{1,16} - - - - diff --git a/sudoers/validate.py b/sudoers/validate.py deleted file mode 100755 index 9844e92..0000000 --- a/sudoers/validate.py +++ /dev/null 
@@ -1,89 +0,0 @@
-#!/usr/bin/python
-
-import os, sys
-import re
-from lxml import etree
-
-def decompose(tag):
- """
- Separate a tag (element name) into its namespace and unadorned tag.
- """
- m = re.match('\{([^}]+)\}(.*)', tag)
- try:
- return (m.group(1), m.group(2))
- except:
- return (None, tag)
-
-def validate(root, parent_ns=None):
- """
- Recursively validate an XML Element object.
- """
- # In order to allow "ipa global" patterns to enclose domain- or
- # service-specific patterns (whose names are arbitrary and cannot be
- # known beforehand since end users can add new ones at will), all of
- # the ipa-provided global shemas contain a pattern which allows any
- # valid XML (in some other namespace) to be present at the level at which
- # the global pattern groups the service-specific elements. The simplest
- # example is the top level pattern which simply allows anything to
- # be enclosed inside of it.
- #
- # The downside of this is that those "anything" elements will always
- # validate as long as they are valid XML.
- #
- # So we have to walk the element tree and for each child element in
- # a different namespace, revalidate it with the correct schema. It
- # doesn't seem to really matter if we go breadth-first or depth-first.
-
- # only operate on elements, not comments or other stuff we don't know about
- if type(root) is not etree._Element:
- return True
-
- # Is this a new namespace?
- (ns, tag) = decompose(root.tag)
- if parent_ns == ns:
- # Same ns, therefore this element has already been validated. Just descend.
- for e in root:
- if validate(e, ns) == False:
- return False
- return True
-
- # We found a new namespace; load the schema.
- # To keep the example simple, we just use the tag to find the schema.
- # IRL we would parse the ns to locate the schema in a local cache.
- print "found namespace %s" % tag
- parser = etree.RelaxNG(etree.parse(file("%s.rng" % tag)))
-
- # What we actually came here for; validate this element tree.
- # Obviously, on error we would actually do something useful here.
- try:
- parser.assertValid(root)
- except:
- return False
-
- # Descend.
- for e in root:
- if validate(e, ns) == False:
- return False
-
- return True
-
-def main(argv=None):
- if argv is None:
- argv = sys.argv
-
- try:
- xmldoc = argv[1]
- except:
- xmldoc = "ipa.xml"
-
- root = etree.parse(file(xmldoc)).getroot()
- if validate(root):
- print "XML is valid"
- sys.exit(0)
- else:
- print "try again, loser!"
- sys.exit(1)
-
-if __name__ == "__main__":
- sys.exit(main())
-
--
cgit