From d893b77fb69ef2e0aedf823e7cd82ca86a2971af Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: Add several managed read permissions under cn=etc

This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek
---
 install/updates/40-delegation.update | 7 ++
 .../install/plugins/update_managed_permissions.py | 79 +++++++++++++++++++++-
 2 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 33383038c..7f0f85124 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -461,3 +461,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Automember Readers
 default:description: Read Automember definitions
+
+dn: cn=IPA Masters Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: IPA Masters Readers
+default:description: Read list of IPA masters
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 438767f1c..bffd9bbf4 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -68,7 +68,7 @@ The template dictionary can have the following keys:
 No other keys are allowed in the template
 """
 
-from ipalib import errors
+from ipalib import api, errors
 from ipapython.dn import DN
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
@@ -80,7 +80,82 @@ from ipaserver.install.plugins.baseupdate import PostUpdate
 
 register = Registry()
 
-NONOBJECT_PERMISSIONS = {}
+NONOBJECT_PERMISSIONS = {
+    'System: Read IPA Masters': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=masters,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=nscontainer)'},
+        'ipapermbindruletype': 'permission',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'ipaconfigstring',
+        },
+        'default_privileges': {'IPA Masters Readers'},
+    },
+    'System: Read DNA Configuration': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=dna,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=dnasharedconfig)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'dnaHostname', 'dnaPortNum',
+            'dnaSecurePortNum', 'dnaRemoteBindMethod', 'dnaRemoteConnProtocol',
+            'dnaRemainingValues',
+        },
+    },
+    'System: Read CA Renewal Information': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=ca_renewal,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=pkiuser)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'usercertificate',
+        },
+    },
+    'System: Read CA Certificate': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=CAcert,cn=ipa,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=pkica)'},
+        'ipapermbindruletype': 'anonymous',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'cacertificate', 'certificaterevocationlist',
+            'authorityrevocationlist', 'crosscertificatepair',
+        },
+    },
+    'System: Read Replication Information': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=replication,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=nsds5replica)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'nsds5replicaroot', 'nsds5replicaid',
+            'nsds5replicacleanruv', 'nsds5replicaabortcleanruv',
+            'nsds5replicatype', 'nsds5replicabinddn', 'nsstate',
+            'nsds5replicaname', 'nsds5flags', 'nsds5task',
+            'nsds5replicareferral', 'nsds5replicaautoreferral',
+            'nsds5replicapurgedelay', 'nsds5replicatombstonepurgeinterval',
+            'nsds5replicachangecount', 'nsds5replicalegacyconsumer',
+            'nsds5replicaprotocoltimeout', 'nsds5replicabackoffmin',
+            'nsds5replicabackoffmax',
+        },
+    },
+    'System: Read AD Domains': {
+        'replaces_global_anonymous_aci': True,
+        'ipapermlocation': DN('cn=etc', api.env.basedn),
+        'ipapermtarget': DN('cn=ad,cn=etc', api.env.basedn),
+        'ipapermtargetfilter': {'(objectclass=ipantdomainattrs)'},
+        'ipapermbindruletype': 'all',
+        'ipapermright': {'read', 'search', 'compare'},
+        'ipapermdefaultattr': {
+            'cn', 'objectclass', 'ipantsecurityidentifier', 'ipantflatname',
+            'ipantdomainguid', 'ipantfallbackprimarygroup',
+        },
+    },
+}
 
 
 @register()
-- cgit
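Review bot: 'System: Read AD Domains' is the only entry that sets ipapermlocation one level up at cn=etc and names the container in ipapermtarget (cn=ad,cn=etc), while the five entries above it use the container itself as ipapermlocation; nothing in the hunk explains the asymmetry, so it reads like a slip. If the reason is that cn=ad,cn=etc may not exist on every server (presumably the ACI has to be attached to an entry that exists), a comment such as `# cn=ad,cn=etc may not exist yet; anchor the ACI on cn=etc and narrow it with ipapermtarget` above that entry would settle it. It would also help readers to state above NONOBJECT_PERMISSIONS that every entry sets replaces_global_anonymous_aci, so these permissions narrow reads that were previously anonymous (for example the replica bind DNs and topology attributes under cn=replication) to the stated bind rule rather than granting new access. Finally, the DNA entry lists attributes in mixed case ('dnaHostname', 'dnaRemoteBindMethod') while every other entry is lower-case; LDAP compares attribute names case-insensitively, but lower-casing them keeps the table uniform.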