API: add new commands for ipa passkeyconfig-show | mod

Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ACI.txt

@@ -224,6 +224,10 @@ dn: cn=ng,cn=alt,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipanisnetgroup)")(version 3.0;acl "permission:System: Remove Netgroups";allow (delete) groupdn = "ldap:///cn=System: Remove Netgroups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=otp,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || ipatokenhotpauthwindow || ipatokenhotpsyncwindow || ipatokentotpauthwindow || ipatokentotpsyncwindow")(targetfilter = "(objectclass=ipatokenotpconfig)")(version 3.0;acl "permission:System: Read OTP Configuration";allow (compare,read,search) userdn = "ldap:///all";)
+dn: cn=passkeyconfig,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "iparequireuserverification")(targetfilter = "(objectclass=ipapasskeyconfigobject)")(version 3.0;acl "permission:System: Modify Passkey Configuration";allow (write) groupdn = "ldap:///cn=System: Modify Passkey Configuration,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=passkeyconfig,cn=etc,dc=ipa,dc=example
+aci: (targetattr = "cn || iparequireuserverification")(targetfilter = "(objectclass=ipapasskeyconfigobject)")(version 3.0;acl "permission:System: Read Passkey Configuration";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "member")(targetfilter = "(objectclass=ipapermission)")(version 3.0;acl "permission:System: Modify Privilege Membership";allow (write) groupdn = "ldap:///cn=System: Modify Privilege Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example

API.txt

@@ -3819,6 +3819,28 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: passkeyconfig_mod/1
+args: 0,8,3
+option: Str('addattr*', cli_name='addattr')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Str('delattr*', cli_name='delattr')
+option: StrEnum('iparequireuserverification?', autofill=False, cli_name='require_user_verification', values=[u'on', u'off', u'default'])
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Flag('rights', autofill=True, default=False)
+option: Str('setattr*', cli_name='setattr')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
+command: passkeyconfig_show/1
+args: 0,4,3
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Flag('rights', autofill=True, default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: passwd/1
 args: 3,2,3
 arg: Principal('principal', autofill=True, cli_name='user')
@@ -7295,6 +7317,9 @@ default: output_show/1
 default: param/1
 default: param_find/1
 default: param_show/1
+default: passkeyconfig/1
+default: passkeyconfig_mod/1
+default: passkeyconfig_show/1
 default: passwd/1
 default: permission/1
 default: permission_add/1

VERSION.m4

@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-# Last change: RBCD implementation
-define(IPA_API_VERSION_MINOR, 252)
+# Last change: add passkey support
+define(IPA_API_VERSION_MINOR, 253)
 
 ########################################################
 # Following values are auto-generated from values above

doc/api/commands.rst

@@ -271,6 +271,8 @@ IPA API Commands
    output_show.md
    param_find.md
    param_show.md
+   passkeyconfig_mod.md
+   passkeyconfig_show.md
    passwd.md
    permission_add.md
    permission_add_member.md

doc/api/passkeyconfig_mod.md

@@ -0,0 +1,34 @@
+[//]: # (THE CONTENT BELOW IS GENERATED. DO NOT EDIT.)
+# passkeyconfig_mod
+Modify Passkey configuration.
+
+### Arguments
+No arguments.
+
+### Options
+* rights : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* all : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* raw : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* iparequireuserverification : :ref:`StrEnum<StrEnum>`
+ * Values: ('on', 'off', 'default')
+* setattr : :ref:`Str<Str>`
+* addattr : :ref:`Str<Str>`
+* delattr : :ref:`Str<Str>`
+* version : :ref:`Str<Str>`
+
+### Output
+|Name|Type
+|-|-
+|result|Entry
+|summary|Output
+|value|PrimaryKey
+
+[//]: # (ADD YOUR NOTES BELOW. THESE WILL BE PICKED EVERY TIME THE DOCS ARE REGENERATED. //end)
+### Semantics
+
+### Notes
+
+### Version differences

doc/api/passkeyconfig_show.md

@@ -0,0 +1,29 @@
+[//]: # (THE CONTENT BELOW IS GENERATED. DO NOT EDIT.)
+# passkeyconfig_show
+Show the current Passkey configuration.
+
+### Arguments
+No arguments.
+
+### Options
+* rights : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* all : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* raw : :ref:`Flag<Flag>` **(Required)**
+ * Default: False
+* version : :ref:`Str<Str>`
+
+### Output
+|Name|Type
+|-|-
+|result|Entry
+|summary|Output
+|value|PrimaryKey
+
+[//]: # (ADD YOUR NOTES BELOW. THESE WILL BE PICKED EVERY TIME THE DOCS ARE REGENERATED. //end)
+### Semantics
+
+### Notes
+
+### Version differences

install/updates/73-passkey.update

@@ -0,0 +1,14 @@
+# Configuration for Passkey Authentication
+dn: cn=passkeyconfig,cn=etc,$SUFFIX
+default:objectclass: top
+default:objectclass: nscontainer
+default:objectclass: ipaPasskeyConfigObject
+default:ipaRequireUserVerification: default
+
+# Passkey Administrators
+dn: cn=Passkey Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: Passkey Administrators
+default:description: Passkey Administrators

install/updates/Makefile.am

@@ -66,6 +66,7 @@ app_DATA =				\
 	73-subid.update		\
 	73-winsync.update		\
 	73-certmap.update		\
+	73-passkey.update		\
 	75-user-trust-attributes.update	\
 	80-schema_compat.update 	\
 	81-externalmembers.update	\

ipalib/constants.py

@@ -156,6 +156,7 @@ DEFAULT_CONFIG = (
         DN(('cn', 'ca_renewal'), ('cn', 'ipa'), ('cn', 'etc'))),
     ('container_subids', DN(('cn', 'subids'), ('cn', 'accounts'))),
     ('container_idp', DN(('cn', 'idp'))),
+    ('container_passkey', DN(('cn', 'passkeyconfig'), ('cn', 'etc'))),
 
     # Ports, hosts, and URIs:
     # Following values do not have any reasonable default.

ipaserver/plugins/passkeyconfig.py

@@ -0,0 +1,95 @@
+#
+# Copyright (C) 2022  FreeIPA Contributors see COPYING for license
+#
+
+import logging
+
+from ipalib import api
+from ipalib.parameters import StrEnum
+from ipalib.plugable import Registry
+from .baseldap import (
+    LDAPObject,
+    LDAPRetrieve,
+    LDAPUpdate)
+from ipalib import _
+
+
+logger = logging.getLogger(__name__)
+
+__doc__ = _("""
+Passkey configuration
+""") + _("""
+Manage Passkey configuration.
+""") + _("""
+IPA supports the use of passkeys for authentication. A passkey
+device has to be registered to SSSD and the resulting authentication mapping
+stored in the user entry.
+The passkey authentication supports the following configuration option:
+require user verification. When set, the method for user verification depends
+on the type of device (PIN, fingerprint, external pad...)
+""") + _("""
+EXAMPLES:
+""") + _("""
+ Display the Passkey configuration:
+   ipa passkeyconfig-show
+""") + _("""
+ Modify the Passkey configuration to always require user verification:
+   ipa passkeyconfig-mod --require-user-verification=on
+""")
+
+register = Registry()
+
+
+@register()
+class passkeyconfig(LDAPObject):
+    """
+    Passkey configuration object
+    """
+    object_name = _('Passkey configuration options')
+    default_attributes = ['iparequireuserverification']
+
+    container_dn = api.env.container_passkey
+    label = _('Passkey Configuration')
+    label_singular = _('Passkey Configuration')
+
+    takes_params = (
+        StrEnum(
+            'iparequireuserverification',
+            cli_name="require_user_verification",
+            label=_("Require user verification"),
+            doc=_('Require user verification during authentication'),
+            values=('on', 'off', 'default'),
+        ),
+    )
+
+    permission_filter_objectclasses = ['ipapasskeyconfigobject']
+    managed_permissions = {
+        'System: Read Passkey Configuration': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermbindruletype': 'all',
+            'ipapermright': {'read', 'search', 'compare'},
+            'ipapermdefaultattr': {
+                'iparequireuserverification',
+                'cn',
+            },
+        },
+        'System: Modify Passkey Configuration': {
+            'replaces_global_anonymous_aci': True,
+            'ipapermright': {'write'},
+            'ipapermdefaultattr': {
+                'iparequireuserverification',
+            },
+            'default_privileges': {
+                'Passkey Administrators'},
+        },
+    }
+
+
+@register()
+class passkeyconfig_mod(LDAPUpdate):
+    __doc__ = _("Modify Passkey configuration.")
+
+
+@register()
+class passkeyconfig_show(LDAPRetrieve):
+    __doc__ = _("Show the current Passkey configuration.")

pylint_plugins.py

@@ -419,6 +419,7 @@ AstroidBuilder(MANAGER).string_build(textwrap.dedent(
     api.env.container_dna_posix_ids = DN()
     api.env.container_dns = DN()
     api.env.container_dnsservers = DN()
+    api.env.container_passkey = DN()
     api.env.container_group = DN()
     api.env.container_hbac = DN()
     api.env.container_hbacservice = DN()