Command-line delegation tools with man pages

ipa-admintools/ipa-adddelegation

@@ -0,0 +1,114 @@
+#! /usr/bin/python -E
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+from optparse import OptionParser
+import ipa
+import ipa.user
+import ipa.ipaclient as ipaclient
+import ipa.ipavalidate as ipavalidate
+import ipa.config
+import ipa.aci
+
+import xmlrpclib
+import kerberos
+import krbV
+import ldap
+
+def usage():
+    print "ipa-adddelgation [-a|--attributes attr1,attr2,..,attrn] [-s|--source STRING] [-t|--target STRING] name"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("-a", "--attributes", dest="attributes",
+                      help="The attributes the source group may change in the target group")
+    parser.add_option("-s", "--source", dest="source",
+                      help="The source group name")
+    parser.add_option("-t", "--target", dest="target",
+                      help="The target group name")
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+def main():
+
+    options, args = parse_options()
+
+    if len(args) != 2:
+        print "args is %s" % len(args)
+        usage()
+
+    if not options.attributes or not options.source or not options.target:
+        usage()
+
+    try:
+        client = ipaclient.IPAClient()
+
+        source_grp = client.find_groups(options.source)
+        if source_grp[0] > 1:
+            print "Multiple matches found for %s." % options.source
+            return 2
+        elif source_grp[0] == 0:
+            print "No matches found for %s." % options.source
+            return 2
+
+        target_grp = client.find_groups(options.target)
+        if target_grp[0] > 1:
+            print "Multiple matches found for %s." % options.target
+            return 3
+        elif target_grp[0] == 0:
+            print "No matches found for %s." % options.target
+            return 3
+
+        attr_list = options.attributes.split(',')
+
+        new_aci = ipa.aci.ACI()
+        new_aci.name = args[1]
+        new_aci.source_group = source_grp[1].dn
+        new_aci.dest_group = target_grp[1].dn
+        new_aci.attrs = attr_list
+
+        aci_entry = client.get_aci_entry(['dn'])
+        aci_entry.setValue('aci', new_aci.export_to_string())
+
+        client.update_entry(aci_entry)
+    except xmlrpclib.Fault, f:
+        print f.faultString
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+    except xmlrpclib.ProtocolError, e:
+        print "Unable to connect to IPA server: %s" % (e.errmsg)
+        return 1
+    except ipa.ipaerror.IPAError, e:
+        print "%s" % (e.message)
+        return 1
+
+    print "Delegation %s successfully added" % args[1]
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())

ipa-admintools/ipa-deldelegation

@@ -0,0 +1,98 @@
+#! /usr/bin/python -E
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#   
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#   
+
+import sys
+from optparse import OptionParser
+import ipa.ipaclient as ipaclient
+import ipa.config
+
+import xmlrpclib
+import kerberos
+import copy
+
+import ipa.aci
+from ipa import ipaerror
+
+aci_fields = ['*', 'aci']
+
+def usage():
+    print "ipa-deldelgation name"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+def main():
+
+    options, args = parse_options()
+
+    if len(args) != 2:
+        print "args is %s" % len(args)
+        usage()
+
+    client = ipaclient.IPAClient()
+    try:
+        aci_entry = client.get_aci_entry(aci_fields)
+
+        aci_str_list = aci_entry.getValues('aci')
+        if aci_str_list is None:
+            aci_str_list = []
+        if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+            aci_str_list = [aci_str_list]
+
+        for aci_str in aci_str_list:
+            try:
+                aci = ipa.aci.ACI(aci_str)
+                if aci.name == args[1]:
+                    acistr = aci_str
+                    break
+            except SyntaxError:
+                # ignore aci_str's that ACI can't parse
+                pass
+
+        if acistr is None:
+            print "No delegation %s found." % args[1]
+            return 2
+
+        old_aci_index = aci_str_list.index(acistr)
+
+        new_aci_str_list = copy.deepcopy(aci_str_list)
+        del new_aci_str_list[old_aci_index]
+        aci_entry.setValue('aci', new_aci_str_list)
+
+        client.update_entry(aci_entry)
+    except (SyntaxError, ipaerror.IPAError), e:
+        print "Delegation deletion failed: " + str(e)
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())

ipa-admintools/ipa-listdelegation

@@ -0,0 +1,91 @@
+#! /usr/bin/python -E
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#   
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#   
+
+import sys
+from optparse import OptionParser
+import ipa.ipaclient as ipaclient
+import ipa.config
+
+import xmlrpclib
+import kerberos
+
+import ipa.aci
+from ipa import ipaerror
+
+aci_fields = ['*', 'aci']
+def usage():
+    print "ipa-listdelgation"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+def main():
+
+    options, args = parse_options()
+
+    client = ipaclient.IPAClient()
+    try:
+        aci_entry = client.get_aci_entry(aci_fields)
+    except ipaerror.IPAError, e:
+        print("Delegation list failed: " + str(e))
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+
+    aci_str_list = aci_entry.getValues('aci')
+    if aci_str_list is None:
+        aci_str_list = []
+    if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+        aci_str_list = [aci_str_list]
+
+    aci_list = []
+    for aci_str in aci_str_list:
+        try:
+            aci = ipa.aci.ACI(aci_str)
+            aci_list.append(aci)
+        except SyntaxError:
+            # ignore aci_str's that ACI can't parse
+            pass
+
+    group_dn_to_cn = ipa.aci.extract_group_cns(aci_list, client)
+
+    for a in aci_list:
+        labels = client.attrs_to_labels(a.attrs)
+        print "Delegation Name: " + a.name
+        print "Group " + group_dn_to_cn[a.source_group] 
+        print "  can modify these attributes: "
+        for l in labels:
+            print "\t" + labels[l]
+        print "  for group " + group_dn_to_cn[a.dest_group]
+        print
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())

ipa-admintools/ipa-moddelegation

@@ -0,0 +1,162 @@
+#! /usr/bin/python -E
+# Authors: Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+from optparse import OptionParser
+import ipa
+import ipa.user
+import ipa.ipaclient as ipaclient
+import ipa.ipavalidate as ipavalidate
+import ipa.config
+import ipa.aci
+
+import xmlrpclib
+import kerberos
+import krbV
+import ldap
+import copy
+
+aci_fields = ['*', 'aci']
+
+def usage():
+    print "ipa-moddelgation [-a|--attributes attr1,attr2,..,attrn] [-s|--source STRING] [-t|--target STRING] name"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("-a", "--attributes", dest="attributes",
+                      help="The attributes the source group may change in the target group")
+    parser.add_option("-s", "--source", dest="source",
+                      help="The source group name")
+    parser.add_option("-t", "--target", dest="target",
+                      help="The target group name")
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+def main():
+
+    options, args = parse_options()
+
+    if len(args) != 2:
+        print "args is %s" % len(args)
+        usage()
+
+    if not options.attributes and not options.source and not options.target:
+        print "Missing something"
+        usage()
+
+    try:
+        client = ipaclient.IPAClient()
+
+        # first do some sanity checking
+
+        if options.source:
+            source_grp = client.find_groups(options.source)
+            if source_grp[0] > 1:
+                print "Multiple matches found for %s." % options.source
+                return 1
+            elif source_grp[0] == 0:
+                print "No matches found for %s." % options.source
+                return 1
+
+        if options.target:
+            target_grp = client.find_groups(options.target)
+            if target_grp[0] > 1:
+                print "Multiple matches found for %s." % options.target
+                return 1
+            elif target_grp[0] == 0:
+                print "No matches found for %s." % options.target
+                return 1
+
+        if options.attributes:
+            attr_list = options.attributes.split(',')
+
+        # find the old aci
+
+        aci_entry = client.get_aci_entry(aci_fields)
+
+        aci_str_list = aci_entry.getValues('aci')
+        if aci_str_list is None:
+            aci_str_list = []
+        if not(isinstance(aci_str_list,list) or isinstance(aci_str_list,tuple)):
+            aci_str_list = [aci_str_list]
+
+        old_aci = None
+        acistr = None
+        for aci_str in aci_str_list:
+            try:
+                old_aci = ipa.aci.ACI(aci_str)
+                if old_aci.name == args[1]:
+                    acistr = aci_str
+                    break
+            except SyntaxError:
+                # ignore aci_str's that ACI can't parse
+                pass
+
+        if acistr is None:
+            print "No delegation %s found." % args[1]
+            return 2
+
+        old_aci_index = aci_str_list.index(acistr)
+
+        new_aci = ipa.aci.ACI()
+        new_aci.name = args[1]
+        if options.source:
+            new_aci.source_group = source_grp[1].dn
+        else:
+            new_aci.source_group = old_aci.source_group
+        if options.target:
+            new_aci.dest_group = target_grp[1].dn
+        else:
+            new_aci.dest_group = old_aci.dest_group
+        if options.attributes:
+            new_aci.attrs = attr_list
+        else:
+            new_aci.attrs = old_aci.attrs
+        new_aci_str = new_aci.export_to_string()
+
+        new_aci_str_list = copy.deepcopy(aci_str_list)
+        new_aci_str_list[old_aci_index] = new_aci_str
+        aci_entry.setValue('aci', new_aci_str_list)
+
+        client.update_entry(aci_entry)
+    except xmlrpclib.Fault, f:
+        print f.faultString
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+    except xmlrpclib.ProtocolError, e:
+        print "Unable to connect to IPA server: %s" % (e.errmsg)
+        return 1
+    except ipa.ipaerror.IPAError, e:
+        print "%s" % (e.message)
+        return 1
+
+    print "Delegation %s successfully added" % args[1]
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())

ipa-admintools/man/ipa-adddelegation.1

@@ -0,0 +1,55 @@
+.\" A man page for ipa-adddelegation
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\" 
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" 
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\" 
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\" 
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\" 
+.TH "ipa-adddelegation" "1" "Oct 24 2007" "freeipa" ""
+.SH "NAME"
+ipa\-adddelegation \- Add a delegation
+
+.SH "SYNOPSIS"
+ipa\-adddelegation [\fIOPTION\fR]... \fIname\fR
+
+.SH "DESCRIPTION"
+Adds a delegation named \fIname\fR.
+
+A delegation is used to grant access to certain attributes from one group to another.
+
+For example, a secretary group may be granted access to modify the phone attribute of all users in a manager's group.
+.SH "OPTIONS"
+.TP 
+\fB\-a\fR, \fB\-\-attributes\fR=\fIATTRIBUTES\fR
+A comma\-separated list of the the \f[SM]attributes\fR that may be written by the source group.
+
+.TP 
+\fB\-s\fR, \fB\-\-source\fR=\fISOURCE\fR
+The name of the group that is being granted write permission.
+
+.TP 
+\fB\-t\fR, \fB\-\-target\fR=\fITARGET\fR
+The name of the group that will be written to.
+
+.PP 
+All arguments are mandatory.
+.SH "EXIT STATUS"
+0 if the delegation was added successfully
+
+1 if an error occurred
+
+2 if no not exactly one matching source group was found (0 or more than one)
+
+3 if no not exactly one matching target group was found (0 or more than one

ipa-admintools/man/ipa-deldelegation.1

@@ -0,0 +1,36 @@
+.\" A man page for ipa-deldelegation
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\" 
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" 
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\" 
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\" 
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\" 
+.TH "ipa-deldelegation" "1" "Oct 24 2007" "freeipa" ""
+.SH "NAME"
+ipa\-deldelegation \- Remove a delegation
+
+.SH "SYNOPSIS"
+ipa\-deldelegation \fIname\fR
+
+.SH "DESCRIPTION"
+Removes an existing delegation named \fIname\fR.
+
+A delegation is used to grant access to certain attributes from one group to another. ipa\-deldelegation removes this access.
+.SH "EXIT STATUS"
+0 if the delegation was removed successfully
+
+1 if an error occurred
+
+2 if no matching delegation was found

ipa-admintools/man/ipa-listdelegation.1

@@ -0,0 +1,34 @@
+.\" A man page for ipa-listdelegation
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\" 
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" 
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\" 
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\" 
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\" 
+.TH "ipa-listdelegation" "1" "Oct 24 2007" "freeipa" ""
+.SH "NAME"
+ipa\-listdelegation \- Lists all current delegations
+
+.SH "SYNOPSIS"
+ipa\-listdelegation
+
+.SH "DESCRIPTION"
+Lists all current delegations.
+
+No sorting is done.
+.SH "EXIT STATUS"
+0 if the delegations are listed successfully
+
+1 if an error occurred

ipa-admintools/man/ipa-moddelegation.1

@@ -0,0 +1,51 @@
+.\" A man page for ipa-moddelegation
+.\" Copyright (C) 2007 Red Hat, Inc.
+.\" 
+.\" This is free software; you can redistribute it and/or modify it under
+.\" the terms of the GNU Library General Public License as published by
+.\" the Free Software Foundation; either version 2 of the License, or
+.\" (at your option) any later version.
+.\" 
+.\" This program is distributed in the hope that it will be useful, but
+.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+.\" General Public License for more details.
+.\" 
+.\" You should have received a copy of the GNU Library General Public
+.\" License along with this program; if not, write to the Free Software
+.\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+.\" 
+.\" Author: Rob Crittenden <rcritten@redhat.com>
+.\" 
+.TH "ipa-moddelegation" "1" "Oct 24 2007" "freeipa" ""
+.SH "NAME"
+ipa\-moddelegation \- Modify an existing delegation
+
+.SH "SYNOPSIS"
+ipa\-moddelegation [\fIOPTION\fR]... \fIname\fR
+
+.SH "DESCRIPTION"
+Modifies an existing delegation named \fIname\fR.
+
+A delegation is used to grant access to certain attributes from one group to another.
+.SH "OPTIONS"
+.TP 
+\fB\-a\fR, \fB\-\-attributes\fR=\fIATTRIBUTES\fR
+A comma\-separated list of the the \f[SM]attributes\fR that may be written by the source group. This list of attributes replaces the list in the existing delegation.
+
+.TP 
+\fB\-s\fR, \fB\-\-source\fR=\fISOURCE\fR
+The name of the group that is being granted write permission.
+
+.TP 
+\fB\-t\fR, \fB\-\-target\fR=\fITARGET\fR
+The name of the group that will be written to.
+
+.PP 
+At least one of \-a, \-s or \-t is required.
+.SH "EXIT STATUS"
+0 if the delegation was updated successfully
+
+1 if an error occurred
+
+2 if no matching delegation was found