IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

UI for SELinux user mapping

Browse Source 
This patch adds UI for SELinux user mapping. Its design is based on HBAC Rule design.

https://fedorahosted.org/freeipa/ticket/2145
This commit is contained in:
Petr Voborník 2012-01-13 15:34:55 +01:00
parent 2c1f21a14b
commit d906fa50c1
20 changed files with 9130 additions and 2878 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
install/ui/Makefile.am
View File

@ -51,6 +51,7 @@ app_DATA = \
policy.js \
rule.js \
search.js \
selinux.js \
serverconfig.js \
service.js \
sudo.js \

2
install/ui/hbac.js
View File

@ -205,7 +205,7 @@ IPA.hbacrule_details_facet = function(spec) {
{
type: 'enable',
name: 'ipaenabledflag',
priority: IPA.sudo.enable_priority,
priority: IPA.hbac.enable_priority,
widget: 'general.ipaenabledflag'
}
];

1
install/ui/index.html
View File

@ -35,6 +35,7 @@
<script type="text/javascript" src="host.js"></script>
<script type="text/javascript" src="hostgroup.js"></script>
<script type="text/javascript" src="netgroup.js"></script>
<script type="text/javascript" src="selinux.js"></script>
<script type="text/javascript" src="service.js"></script>
<script type="text/javascript" src="serverconfig.js"></script>
<script type="text/javascript" src="sudo.js"></script>

1
install/ui/jsl.conf
View File

@ -147,6 +147,7 @@
+process host.js
+process hostgroup.js
+process netgroup.js
+process selinux.js
+process service.js
+process serverconfig.js
+process sudo.js

291
install/ui/selinux.js Normal file
View File

@ -0,0 +1,291 @@
/*jsl:import ipa.js */
/* Authors:
* Petr Vobornik <pvoborni@redhat.com>
*
* Copyright (C) 2012 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* REQUIRES: ipa.js, details.js, search.js, add.js, facet.js, entity.js */
IPA.selinux = {
remove_method_priority: IPA.config.default_priority - 1,
enable_priority: IPA.config.default_priority + 1
};
IPA.selinux.selinuxusermap_entity = function(spec) {
var that = IPA.entity(spec);
that.init = function() {
that.entity_init();
that.builder.search_facet({
search_all: true,
columns: [
'cn',
'ipaselinuxuser',
{
name: 'ipaenabledflag',
format: IPA.boolean_format()
},
'description'
]
}).
details_facet({
factory: IPA.selinux_details_facet,
entity: that,
command_mode: 'info'
}).
adder_dialog({
fields: [
'cn',
'ipaselinuxuser'
]
});
};
return that;
};
IPA.selinux_details_facet = function(spec) {
var entity_name = spec.entity.name;
//
// General
//
spec.fields = [
{
name: 'cn',
read_only: true,
widget: 'general.cn'
},
{
type: 'textarea',
name: 'description',
widget: 'general.description'
},
{
name: 'ipaselinuxuser',
widget: 'general.ipaselinuxuser'
},
{
type: 'entity_select',
name: 'seealso',
widget: 'general.seealso'
},
{
type: 'enable',
name: 'ipaenabledflag',
priority: IPA.selinux.enable_priority,
widget: 'general.ipaenabledflag'
}
];
spec.widgets = [
{
type: 'details_table_section',
name: 'general',
label: IPA.messages.details.general,
widgets: [
{
name: 'cn'
},
{
type: 'textarea',
name: 'description'
},
{
name: 'ipaselinuxuser',
widget: 'general.ipaselinuxuser'
},
{
type: 'entity_select',
name: 'seealso',
other_entity: 'hbacrule',
other_field: 'cn'
},
{
type: 'enable',
name: 'ipaenabledflag',
options: [
{ value: 'TRUE', label: IPA.get_message('true') },
{ value: 'FALSE', label: IPA.get_message('false') }
]
}
]
}
];
//
// Users
//
spec.fields.push(
{
type: 'radio',
name: 'usercategory',
widget: 'user.rule.usercategory'
},
{
type: 'rule_association_table',
name: 'memberuser_user',
widget: 'user.rule.memberuser_user',
priority: IPA.selinux.remove_method_priority
},
{
type: 'rule_association_table',
name: 'memberuser_group',
widget: 'user.rule.memberuser_group',
priority: IPA.selinux.remove_method_priority
}
);
spec.widgets.push(
{
factory: IPA.collapsible_section,
name: 'user',
label: IPA.messages.objects.selinuxusermap.user,
widgets: [
{
factory: IPA.rule_details_widget,
name: 'rule',
radio_name: 'usercategory',
options: [
{ value: 'all',
label: IPA.messages.objects.selinuxusermap.anyone },
{ value: '',
label: IPA.messages.objects.selinuxusermap.specified_users }
],
tables: [
{ name: 'memberuser_user' },
{ name: 'memberuser_group' }
],
widgets: [
{
type: 'rule_association_table',
id: entity_name+'-memberuser_user',
name: 'memberuser_user',
add_method: 'add_user',
remove_method: 'remove_user',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
},
{
type: 'rule_association_table',
id: entity_name+'-memberuser_group',
name: 'memberuser_group',
add_method: 'add_user',
remove_method: 'remove_user',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
}
]
}
]
}
);
//
// Hosts
//
spec.fields.push(
{
type: 'radio',
name: 'hostcategory',
widget: 'host.rule.hostcategory'
},
{
type: 'rule_association_table',
name: 'memberhost_host',
widget: 'host.rule.memberhost_host',
priority: IPA.selinux.remove_method_priority
},
{
type: 'rule_association_table',
name: 'memberhost_hostgroup',
widget: 'host.rule.memberhost_hostgroup',
priority: IPA.selinux.remove_method_priority
}
);
spec.widgets.push(
{
factory: IPA.collapsible_section,
name: 'host',
label: IPA.messages.objects.selinuxusermap.host,
widgets: [
{
factory: IPA.rule_details_widget,
name: 'rule',
radio_name: 'hostcategory',
options: [
{
'value': 'all',
'label': IPA.messages.objects.selinuxusermap.any_host
},
{
'value': '',
'label': IPA.messages.objects.selinuxusermap.specified_hosts
}
],
tables: [
{ 'name': 'memberhost_host' },
{ 'name': 'memberhost_hostgroup' }
],
widgets: [
{
type: 'rule_association_table',
id: entity_name+'-memberuser_user',
name: 'memberhost_host',
add_method: 'add_host',
remove_method: 'remove_host',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
},
{
type: 'rule_association_table',
id: entity_name+'-memberuser_group',
name: 'memberhost_hostgroup',
add_method: 'add_host',
remove_method: 'remove_host',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
}
]
}
]
}
);
var that = IPA.details_facet(spec);
that.update_on_success = function(data, text_status, xhr) {
that.refresh();
};
that.update_on_error = function(xhr, text_status, error_thrown) {
that.refresh();
};
return that;
};
IPA.register('selinuxusermap', IPA.selinux.selinuxusermap_entity);

33
install/ui/test/data/ipa_init.json
View File

@ -281,6 +281,14 @@
"identity": "Role Settings"
},
"selfservice": {},
"selinuxusermap": {
"any_host": "Any Host",
"anyone": "Anyone",
"host": "Host",
"specified_hosts": "Specified Hosts and Groups",
"specified_users": "Specified Users and Groups",
"user": "User"
},
"service": {
"certificate": "Service Certificate",
"delete_key_unprovision": "Delete Key, Unprovision",
@ -394,7 +402,7 @@
"cn": [
"Administrator"
],
"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com",
"dn": "uid=admin,cn=users,cn=accounts,dc=dev,dc=example,dc=com",
"gecos": [
"Administrator"
],
@ -418,16 +426,13 @@
}
],
"krblastpwdchange": [
"20110913052109Z"
],
"krblastsuccessfulauth": [
"20110913053553Z"
"20120110142413Z"
],
"krbpasswordexpiration": [
"20111212052109Z"
],
"krbprincipalname": [
"admin@EXAMPLE.COM"
"admin@DEV.EXAMPLE.COM"
],
"loginshell": [
"/bin/bash"
@ -460,10 +465,10 @@
"truncated": false
},
{
"count": 72,
"count": 75,
"error": null,
"result": {
"basedn": "dc=example,dc=com",
"basedn": "dc=dev,dc=example,dc=com",
"bin": "/var/www",
"ca_agent_install_port": 9443,
"ca_agent_port": 443,
@ -497,6 +502,7 @@
"container_privilege": "cn=privileges,cn=pbac",
"container_rolegroup": "cn=roles,cn=accounts",
"container_roles": "cn=roles,cn=policies",
"container_selinux": "cn=usermap,cn=selinux",
"container_service": "cn=services,cn=accounts",
"container_sudocmd": "cn=sudocmds,cn=sudo",
"container_sudocmdgroup": "cn=sudocmdgroups,cn=sudo",
@ -515,16 +521,17 @@
"in_tree": false,
"interactive": true,
"ipalib": "/usr/lib/python2.7/site-packages/ipalib",
"ldap_uri": "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket",
"ldap_uri": "ldapi://%2fvar%2frun%2fslapd-DEV-EXAMPLE-COM.socket",
"log": null,
"logdir": "/var/log/ipa",
"mode": "production",
"mount_ipa": "/ipa/",
"mount_jsonserver": "json",
"mount_xmlserver": "xml",
"plugins_on_demand": false,
"prompt_all": false,
"ra_plugin": "selfsign",
"realm": "EXAMPLE.COM",
"ra_plugin": "dogtag",
"realm": "DEV.EXAMPLE.COM",
"rpc_json_uri": "http://localhost:8888/ipa/json",
"script": "/var/www/mod_wsgi",
"site_packages": "/usr/lib/python2.7/site-packages",
@ -536,8 +543,8 @@
"webui_prod": true,
"xmlrpc_uri": "https://dev.example.com/ipa/xml"
},
"summary": "72 variables",
"total": 72
"summary": "75 variables",
"total": 75
},
{
"error": null,

5004
install/ui/test/data/ipa_init_commands.json
View File

File diff suppressed because it is too large Load Diff

4979
install/ui/test/data/ipa_init_methods.json
View File

File diff suppressed because it is too large Load Diff

1347
install/ui/test/data/ipa_init_objects.json
View File

File diff suppressed because it is too large Load Diff

35
install/ui/test/data/selinuxusermap_add_host.json Normal file
View File

@ -0,0 +1,35 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberhost": {
"host": [],
"hostgroup": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberhost_host": [
"dev.example.com"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}

38
install/ui/test/data/selinuxusermap_add_user.json Normal file
View File

@ -0,0 +1,38 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberuser": {
"group": [],
"user": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberhost_host": [
"dev.example.com"
],
"memberuser_group": [
"user-group"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}

47
install/ui/test/data/selinuxusermap_details_update.json Normal file
View File

@ -0,0 +1,47 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": "Modified SELinux User Map \"karel_unconfined\"",
"value": "karel_unconfined"
}
}

17
install/ui/test/data/selinuxusermap_find_pkeys.json Normal file
View File

@ -0,0 +1,17 @@
{
"error": null,
"id": null,
"result": {
"count": 1,
"result": [
{
"cn": [
"karel_unconfined"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com"
}
],
"summary": "1 SELinux User Map matched",
"truncated": false
}
}

39
install/ui/test/data/selinuxusermap_get_records.json Normal file
View File

@ -0,0 +1,39 @@
{
"error": null,
"id": null,
"result": {
"count": 1,
"results": [
{
"error": null,
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": null,
"value": "karel_unconfined"
}
]
}
}

47
install/ui/test/data/selinuxusermap_mod.json Normal file
View File

@ -0,0 +1,47 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": "Modified SELinux User Map \"karel_unconfined\"",
"value": "karel_unconfined"
}
}

35
install/ui/test/data/selinuxusermap_remove_host.json Normal file
View File

@ -0,0 +1,35 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberhost": {
"host": [],
"hostgroup": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberuser_group": [
"user-group"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}

32
install/ui/test/data/selinuxusermap_remove_user.json Normal file
View File

@ -0,0 +1,32 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberuser": {
"group": [],
"user": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}

48
install/ui/test/data/selinuxusermap_show.json Normal file
View File

@ -0,0 +1,48 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": null,
"value": "karel_unconfined"
}
}

3
install/ui/webui.js
View File

@ -67,7 +67,8 @@ IPA.admin_navigation = function(spec) {
{entity: 'automountmap', hidden: true},
{entity: 'automountkey', hidden: true}]},
{entity: 'pwpolicy'},
{entity: 'krbtpolicy'}
{entity: 'krbtpolicy'},
{entity: 'selinuxusermap'}
]},
{name: 'ipaserver', label: IPA.messages.tabs.ipaserver, children: [
{name: 'rolebased', label: IPA.messages.tabs.role, children: [

8
ipalib/plugins/internal.py
View File

@ -420,6 +420,14 @@ class i18n_messages(Command):
},
"selfservice": {
},
"selinuxusermap": {
"any_host": _("Any Host"),
"anyone": _("Anyone"),
"host": _("Host"),
"specified_hosts": _("Specified Hosts and Groups"),
"specified_users": _("Specified Users and Groups"),
"user": _("User"),
},
"service": {
"certificate": _("Service Certificate"),
"delete_key_unprovision": _("Delete Key, Unprovision"),