From 58fed697684931e66ed054d0d5899301fd47b04d Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 14 May 2010 09:37:54 -0400
Subject: Add groups of services to HBAC

Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule.

588574
---
 install/share/60basev2.ldif | 8 +-
 install/share/bootstrap-template.ldif | 12 +++
 ipalib/constants.py | 2 +
 ipalib/plugins/hbac.py | 65 ++++++++++++---
 ipalib/plugins/hbacsvc.py | 103 ++++++++++++++++++++++++
 ipalib/plugins/hbacsvcgroup.py | 144 ++++++++++++++++++++++++++++++++++
 6 files changed, 323 insertions(+), 11 deletions(-)
 create mode 100644 ipalib/plugins/hbacsvc.py
 create mode 100644 ipalib/plugins/hbacsvcgroup.py

diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index a28a1615b..f456a313e 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -4,7 +4,7 @@ attributeTypes: (2.16.840.1.113730.3.8.3.2 NAME 'ipaClientVersion' DESC 'Text st
 attributeTypes: (2.16.840.1.113730.3.8.3.3 NAME 'enrolledBy' DESC 'DN of administrator who performed manual enrollment of the host' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.4 NAME 'enrollmentPwd' DESC 'Password used to bulk enroll machines' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.43 NAME 'fqdn' DESC 'FQDN' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-attributeTypes: (2.16.840.1.113730.3.8.3.53 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2')
+attributeTypes: (2.16.840.1.113730.3.8.3.54 NAME 'managedBy' DESC 'DNs of entries allowed to manage' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2')
 objectClasses: (2.16.840.1.113730.3.8.4.1 NAME 'ipaHost' AUXILIARY MUST ( fqdn ) MAY ( userPassword $ ipaClientVersion $ enrolledBy $ memberOf) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.44 NAME 'ipaObject' DESC 'IPA objectclass' AUXILIARY MUST ( ipaUniqueId ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.2 NAME 'ipaService' DESC 'IPA service objectclass' AUXILIARY MAY ( memberOf $ managedBy ) X-ORIGIN 'IPA v2' )
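Review bot: The `managedBy` attribute keeps its name but changes OID from 2.16.840.1.113730.3.8.3.53 to ...3.54, apparently so that 3.53 can be reused for the new `serviceCategory` in the next hunk. If any server has already loaded the previous 60basev2.ldif, the same OID then names two different attributes across schema versions, which can surface as schema replication or schema-merge conflicts rather than a clean update. Leaving `managedBy` at 3.53 and allocating unused OIDs for the new attributes (3.55 does not appear anywhere in this file as shown) avoids that; the rest of the file and any consumers of managedBy are outside the hunk, so the deployment impact is inferred.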
@@ -15,8 +15,10 @@ attributeTypes: (2.16.840.1.113730.3.8.3.5 NAME 'memberUser' DESC 'Reference to
 attributeTypes: (2.16.840.1.113730.3.8.3.6 NAME 'userCategory' DESC 'Additional classification for users' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.7 NAME 'memberHost' DESC 'Reference to a device where the operation takes place (usually host).' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.8 NAME 'hostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.53 NAME 'serviceCategory' DESC 'Additional classification for services' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.3.56 NAME 'memberService' DESC 'Reference to the pam service of this operation.' SUP distinguishedName EQUALITY distinguishedNameMatch ORDERING distinguishedNameMatch SUBSTR distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.9 NAME 'ipaEnabledFlag' DESC 'The flag to show if the association is active or should be ignored' EQUALITY booleanMatch ORDERING booleanMatch SUBSTR booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.6 NAME 'ipaAssociation' ABSTRACT MUST ( ipaUniqueID $ cn ) MAY ( memberUser $ userCategory $ memberHost $ hostCategory $ serviceCategory $ memberService $ ipaEnabledFlag $ description ) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.10 NAME 'serviceName' DESC 'Name of the service used in HBAC in IPA' EQUALITY caseIgnoreMatch ORDERING caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'sourceHost' DESC 'Link to the host or group of hosts' SUP memberHost SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'externalHost' DESC 'Multivalue string attribute that allows storing host names.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
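Review bot: The superseded `serviceName` attribute (2.16.840.1.113730.3.8.3.10) stays defined immediately below the new `memberService` line, and nothing in this commit converts or removes the values existing HBAC rule entries carry in it. The Python side drops the `servicename` parameter (hbac.py hunk at -60,12), so those values become invisible to the CLI while remaining in the directory; if any evaluator still honours `serviceName`, a rule could keep matching a service no administrator can see or edit. Either an update step that maps old `serviceName` values to `memberService` DNs, or an explicit statement in the commit message that existing rules must be re-created, would close that gap.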
@@ -79,3 +81,5 @@ attributeTypes: (2.16.840.1.113730.3.8.3.46 NAME 'ipaVolumeKeySecretType' DESC '
 attributeTypes: (2.16.840.1.113730.3.8.3.47 NAME 'ipaVolumeInfo' DESC 'Information about a volume: NAME:VALUE' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40)
 attributeTypes: (2.16.840.1.113730.3.8.3.48 NAME 'ipaVolumeKeyObsoletionTimestamp' DESC 'Time when a key was marked as obsolete' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
 objectClasses: (2.16.840.1.113730.3.8.3.49 NAME 'ipaVolumeKey' SUP top STRUCTURAL MUST ( ipaUniqueID $ ipaVolumeHost $ ipaVolumeEscrowPacket ) MAY ( ipaVolumeKeySecretType $ ipaVolumeInfo $ ipaVolumeKeyObsoletionTimestamp ))
+objectClasses: (2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' AUXILIARY MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.11 NAME 'ipaHBACServiceGroup' DESC 'IPA HBAC service group object class' SUP nestedGroup STRUCTURAL X-ORIGIN 'IPA v2' )
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index bde1f20a0..0d16d1dfd 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -34,6 +34,18 @@ objectClass: top
 objectClass: nsContainer
 cn: computers
 
+dn: cn=hbacservices,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: hbacservices
+
+dn: cn=hbacservicegroups,cn=accounts,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+cn: hbacservicegroups
+
 dn: cn=hbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/ipalib/constants.py b/ipalib/constants.py
index a94207696..02d9f6f7b 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
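Review bot: `ipaHBACService` is declared AUXILIARY with `MUST ( cn )`, yet hbacsvc.py in this same commit creates entries with `object_class = ['ipahbacservice']` and nothing structural, while `ipaHBACServiceGroup` on the next line is `SUP nestedGroup STRUCTURAL`. Whether the directory accepts an entry that has no STRUCTURAL class depends on its schema-check configuration, so the two new classes should at least be consistent; either make the service class structural, `objectClasses: (2.16.840.1.113730.3.8.4.10 NAME 'ipaHBACService' DESC 'IPA HBAC service object class' SUP top STRUCTURAL MUST ( cn ) MAY ( description ) X-ORIGIN 'IPA v2' )`, or add a structural class to the plugin's object_class list. A DESC as the group class has would also help anyone reading the schema.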
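Review bot: The containers `cn=hbacservices,cn=accounts,$SUFFIX` and `cn=hbacservicegroups,cn=accounts,$SUFFIX` are created without any accompanying access-control change in this commit, and membership of these groups directly widens or narrows what an HBAC rule permits. The ACI definitions are not visible from this diff, so I cannot tell whether the default rules for cn=accounts already restrict writes to the intended admin role or leave the new subtrees writable more broadly; please confirm, and add explicit ACIs for the two containers if the existing ones are granted per container.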
@@ -95,6 +95,8 @@ DEFAULT_CONFIG = (
     ('container_policylinks', 'cn=policylinks,cn=configs,cn=policies'),
     ('container_netgroup', 'cn=ng,cn=alt'),
     ('container_hbac', 'cn=hbac'),
+    ('container_hbacservice', 'cn=hbacservices,cn=accounts'),
+    ('container_hbacservicegroup', 'cn=hbacservicegroups,cn=accounts'),
     ('container_dns', 'cn=dns'),
     ('container_virtual', 'cn=virtual operations'),
 
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 7a76f72cc..1438ea955 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -34,16 +34,18 @@ class hbac(LDAPObject):
     object_name_plural = 'HBAC rules'
     object_class = ['ipaassociation', 'ipahbacrule']
     default_attributes = [
-        'cn', 'accessruletype', 'ipaenabledflag', 'servicename',
+        'cn', 'accessruletype', 'ipaenabledflag',
         'accesstime', 'description', 'usercategory', 'hostcategory',
-        'sourcehostcategory', 'ipaenabledflag',
-
+        'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
+        'memberuser', 'sourcehost', 'memberhost', 'memberservice',
+        'memberhostgroup',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'memberuser': ['user', 'group'],
         'memberhost': ['host', 'hostgroup'],
         'sourcehost': ['host', 'hostgroup'],
+        'memberservice': ['hbacsvc', 'hbacsvcgroup'],
     }
 
     label = _('HBAC')
@@ -60,12 +62,7 @@ class hbac(LDAPObject):
             label=_('Rule type'),
             values=(u'allow', u'deny'),
         ),
-        Str('servicename?',
-            cli_name='service',
-            label=_('Service name'),
-            doc=_('Name of service the rule applies to (e.g. ssh)'),
-        ),
-        # FIXME: {user,host,sourcehost}categories should expand in the future
+        # FIXME: {user,host,sourcehost,service}categories should expand in the future
         StrEnum('usercategory?',
             cli_name='usercat',
             label=_('User category'),
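Review bot: The rewritten `default_attributes` list in the hbac.py hunk at -34,16 keeps `'ipaenabledflag'` twice (first and third added lines) and introduces `'memberhostgroup'`, which matches no attribute of the `ipaAssociation` class as amended in 60basev2.ldif — the host side is `memberHost`, and `attribute_members` already maps it to both host and hostgroup. Unless `memberHostGroup` is defined in schema not shown here, that entry is dead and the duplicate is noise; the added lines could read `'sourcehostcategory', 'servicecategory',` / `'memberuser', 'sourcehost', 'memberhost', 'memberservice',` with the extras dropped. The hbac class continues outside the hunk.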
@@ -84,6 +81,12 @@ class hbac(LDAPObject):
             doc=_('Source host category the rule applies to'),
             values=(u'all', ),
         ),
+        StrEnum('servicecategory?',
+            cli_name='servicecat',
+            label=_('Service category'),
+            doc=_('Service category the rule applies to'),
+            values=(u'all', ),
+        ),
         AccessTime('accesstime?',
             cli_name='time',
             label=_('Access time'),
@@ -96,6 +99,30 @@ class hbac(LDAPObject):
             label=_('Enabled'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        Str('memberuser_user?',
+            label=_('Users'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('memberhost_host?',
+            label=_('Hosts'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('memberhost_hostgroup?',
+            label=_('Host Groups'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('sourcehost_host?',
+            label=_('Source hosts'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('memberservice_service?',
+            label=_('Services'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('memberservice_servicegroup?',
+            label=_('Service Groups'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
     )
 
     def get_dn(self, *keys, **kwargs):
@@ -351,3 +378,23 @@ class hbac_remove_sourcehost(LDAPRemoveMember):
     member_count_out = ('%i object removed.', '%i objects removed.')
 
 api.register(hbac_remove_sourcehost)
+
+
+class hbac_add_service(LDAPAddMember):
+    """
+    Add services affected by HBAC rule.
+    """
+    member_attributes = ['memberservice']
+    member_count_out = ('%i object added.', '%i objects added.')
+
+api.register(hbac_add_service)
+
+
+class hbac_remove_service(LDAPRemoveMember):
+    """
+    Remove source hosts and hostgroups affected by HBAC rule.
+    """
+    member_attributes = ['memberservice']
+    member_count_out = ('%i object removed.', '%i objects removed.')
+
+api.register(hbac_remove_service)
diff --git a/ipalib/plugins/hbacsvc.py b/ipalib/plugins/hbacsvc.py
new file mode 100644
index 000000000..a85d94019
--- /dev/null
+++ b/ipalib/plugins/hbacsvc.py
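Review bot: The new output-only params in the hunk at -96,6 are named `memberservice_service?` and `memberservice_servicegroup?`, but `attribute_members` maps `memberservice` to the objects `hbacsvc` and `hbacsvcgroup`; hbacsvcgroup.py's `member_service?` / `member_servicegroup?` / `memberof_servicegroup?` carry the same mismatch. The existing pairs `memberhost_host` / `memberhost_hostgroup` and `memberuser_user` match their `attribute_members` object names exactly, so if baseldap derives the output key from the member object's name (not visible in this diff), the service members would come back under `memberservice_hbacsvc` and never be matched by these params. Please confirm the convention and, if it holds, rename to `memberservice_hbacsvc?` and `memberservice_hbacsvcgroup?` here and `member_hbacsvc?` / `member_hbacsvcgroup?` / `memberof_hbacsvcgroup?` in hbacsvcgroup.py.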
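Review bot: `hbac_remove_service`'s docstring reads "Remove source hosts and hostgroups affected by HBAC rule." although `member_attributes = ['memberservice']`; it was evidently copied from `hbac_remove_sourcehost` and should read `Remove services and service groups affected by HBAC rule.`, with `hbac_add_service` adjusted to `Add services and service groups affected by HBAC rule.` for symmetry. If, as elsewhere in ipalib, the class docstring becomes the command's help text, the wrong text is what administrators see for the new command.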
@@ -0,0 +1,103 @@
+# Authors:
+#   Rob Crittenden
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+HBAC Services
+"""
+import base64
+
+from ipalib import api, errors
+from ipalib import Str, Flag, Bytes
+from ipalib.plugins.baseldap import *
+from ipalib import x509
+from pyasn1.error import PyAsn1Error
+from ipalib import _, ngettext
+
+
+class hbacsvc(LDAPObject):
+    """
+    HBAC Service object.
+    """
+    container_dn = api.env.container_hbacservice
+    object_name = 'service'
+    object_name_plural = 'services'
+    object_class = [
+        'ipahbacservice',
+    ]
+    default_attributes = ['cn', 'description']
+
+    label = _('Services')
+
+    takes_params = (
+        Str('cn',
+            cli_name='service',
+            label=_('Service name'),
+            doc=_('HBAC Service'),
+            primary_key=True,
+            normalizer=lambda value: value.lower(),
+        ),
+        Str('description?',
+            cli_name='desc',
+            label=_('Description'),
+            doc=_('Description of service'),
+        ),
+    )
+
+api.register(hbacsvc)
+
+
+class hbacsvc_add(LDAPCreate):
+    """
+    Add new HBAC service.
+    """
+    msg_summary = _('Added service "%(value)s"')
+
+api.register(hbacsvc_add)
+
+
+class hbacsvc_del(LDAPDelete):
+    """
+    Delete an existing HBAC service.
+    """
+    msg_summary = _('Deleted service "%(value)s"')
+
+api.register(hbacsvc_del)
+
+
+class hbacsvc_mod(LDAPUpdate):
+    """
+    Modify HBAC service.
+    """
+
+api.register(hbacsvc_mod)
+
+
+class hbacsvc_find(LDAPSearch):
+    """
+    Search for HBAC services.
+    """
+
+api.register(hbacsvc_find)
+
+
+class hbacsvc_show(LDAPRetrieve):
+    """
+    Display HBAC service.
+    """
+
+api.register(hbacsvc_show)
diff --git a/ipalib/plugins/hbacsvcgroup.py b/ipalib/plugins/hbacsvcgroup.py
new file mode 100644
index 000000000..6e36f3a87
--- /dev/null
+++ b/ipalib/plugins/hbacsvcgroup.py
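Review bot: The import block of the new hbacsvc.py pulls in `base64`, `Flag`, `Bytes`, `errors`, `x509`, `ngettext` and the third-party `pyasn1.error.PyAsn1Error`, none of which is referenced in the 103 lines of the file; it looks copied from a certificate-handling plugin. Only `from ipalib import api`, `from ipalib import Str`, `from ipalib.plugins.baseldap import *` and `from ipalib import _` are needed, and dropping `pyasn1` keeps the HBAC plugin from failing to load on a host that lacks a dependency it never uses. Separately, `object_name = 'service'` / `object_name_plural = 'services'` read as if this were the generic service object; if `object_name` is used anywhere as a lookup key or in user-facing text (the summaries say "Added service ..."), a distinct name such as `'HBAC service'` would avoid confusion with Kerberos service principals — confirm how baseldap uses it.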
@@ -0,0 +1,144 @@
+# Authors:
+#   Rob Crittenden
+#
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+"""
+HBAC Service Groups
+"""
+
+from ipalib import api, errors
+from ipalib.plugins.baseldap import *
+from ipalib import _, ngettext
+
+
+class hbacsvcgroup(LDAPObject):
+    """
+    HBAC service group object.
+    """
+    container_dn = api.env.container_hbacservicegroup
+    object_name = 'servicegroup'
+    object_name_plural = 'servicegroups'
+    object_class = ['ipahbacservicegroup']
+    default_attributes = [ 'cn', 'description', 'member', 'memberof', ]
+    attribute_members = {
+        'member': ['hbacsvc', 'hbacsvcgroup'],
+        'memberof': ['hbacsvcgroup'],
+    }
+
+    label = _('HBAC Service Groups')
+
+    takes_params = (
+        Str('cn',
+            cli_name='name',
+            label=_('Service group name'),
+            primary_key=True,
+            normalizer=lambda value: value.lower(),
+        ),
+        Str('description',
+            cli_name='desc',
+            label=_('Description'),
+            doc=_('HBAC service group description'),
+        ),
+        Str('member_service?',
+            label=_('Member services'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('member_servicegroup?',
+            label=_('Member service groups'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str('memberof_servicegroup?',
+            label='Member of service groups',
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+    )
+
+    def get_dn(self, *keys, **kwargs):
+        try:
+            (dn, entry_attrs) = self.backend.find_entry_by_attr(
+                self.primary_key.name, keys[-1], self.object_class, [''],
+                self.container_dn
+            )
+        except errors.NotFound:
+            dn = super(hbacsvcgroup, self).get_dn(*keys, **kwargs)
+        return dn
+
+    def get_primary_key_from_dn(self, dn):
+        pkey = self.primary_key.name
+        (dn, entry_attrs) = self.backend.get_entry(dn, [pkey])
+        try:
+            return entry_attrs[pkey][0]
+        except (KeyError, IndexError):
+            return ''
+
+api.register(hbacsvcgroup)
+
+
+class hbacsvcgroup_add(LDAPCreate):
+    """
+    Create new hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_add)
+
+
+class hbacsvcgroup_del(LDAPDelete):
+    """
+    Delete hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_del)
+
+
+class hbacsvcgroup_mod(LDAPUpdate):
+    """
+    Modify hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_mod)
+
+
+class hbacsvcgroup_find(LDAPSearch):
+    """
+    Search the groups.
+    """
+
+api.register(hbacsvcgroup_find)
+
+
+class hbacsvcgroup_show(LDAPRetrieve):
+    """
+    Display hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_show)
+
+
+class hbacsvcgroup_add_member(LDAPAddMember):
+    """
+    Add members to hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_add_member)
+
+
+class hbacsvcgroup_remove_member(LDAPRemoveMember):
+    """
+    Remove members from hbacsvcgroup.
+    """
+
+api.register(hbacsvcgroup_remove_member)
-- 
cgit
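Review bot: `Str('description', ...)` in `hbacsvcgroup.takes_params` has no `?`, so a description becomes mandatory when creating a service group, whereas hbacsvc.py declares `Str('description?', ...)` and every other param in this class is optional; this is most likely unintended and should be `Str('description?',`. Two smaller points in the same class: the `memberof_servicegroup?` label is a bare `'Member of service groups'` where its siblings wrap labels in `_()`, and `get_primary_key_from_dn` turns a missing or empty `cn` into `''` instead of raising, which would silently produce a nameless group in membership listings — `raise errors.NotFound(reason=...)` or letting the `KeyError` propagate is more honest (the exact `NotFound` signature is not visible here). `get_dn` also binds `entry_attrs` it never reads; `(dn, _unused) = ...` or `dn = ...[0]` makes that explicit.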