Removed HBAC deny rule warning.

The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444
Endi S. Dewata 2011-10-24 18:18:10 -05:00
parent 0450934e36
commit f168afbeb6
12 changed files with 32 additions and 205 deletions


@ -342,8 +342,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
%{buildroot}%{_usr}/share/ipa/html/unauthorized.html
ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
%{buildroot}%{_usr}/share/ipa/html/browserconfig.html
ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
%{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
%{buildroot}%{_usr}/share/ipa/html/ipa_error.css
@ -501,7 +499,6 @@ fi
%{_usr}/share/ipa/html/ssbrowser.html
%{_usr}/share/ipa/html/browserconfig.html
%{_usr}/share/ipa/html/unauthorized.html
%{_usr}/share/ipa/html/hbac-deny-remove.html
%{_usr}/share/ipa/html/ipa_error.css
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/error.html
@ -526,7 +523,6 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
@ -619,6 +615,9 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog
* Mon Oct 24 2011 Endi S. Dewata <edewata@redhat.com> - 2.99.0-9
- Removed hbac-deny-remove.html
* Fri Oct 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.99.0-8
- Default to systemd for Fedora 16 and onwards


@ -5,7 +5,6 @@ app_DATA = \
ssbrowser.html \
browserconfig.html \
unauthorized.html \
hbac-deny-remove.html \
ipa_error.css \
$(NULL)


@ -1,83 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>IPA: Identity Policy Audit</title>
<script type="text/javascript" src="../ui/jquery.js"></script>
<link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
<link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
<link rel="stylesheet" type="text/css" href="ipa_error.css" />
</head>
<body class="info-page">
<div class="container_1">
<div class="header-logo">
<img src="../ui/ipalogo.png" /><img src="../ui/ipabanner.png" />
</div>
<div class="textblockkrb">
<h1>Removal of HBAC Deny Rules.</h1>
<p>FreeIPA has dropped support for DENY rules from the HBAC
specification. </p>
<p>The former design of HBAC specifies that<p>
<ol>
<li> If no ALLOW rules match, access is denied</li>
<li> If one or more ALLOW rules match and no DENY rules match,
access is allowed</li>
<li>If one or more DENY rules match, access is denied</li>
</ol>
<p>Thus, DENY rules exist only to provide exceptions from the ALLOW
rules. There exists no ALLOW+DENY combination that cannot be
constructed from ALLOW rules only.[1]</P>
<p>DENY rules introduce a lot of edge-cases for evaluation. The most
important of which is the availability of the group membership for
the user logging in. Depending on the mechanism used to log in (for
example, GSSAPI over SSH or cross-realm Kerberos trust where the
user is provided by the PAC), SSSD's cache may not have a complete
list of groups for this user. If the login is occurring during
offline mode (where SSSD cannot contact the LDAP server to refresh
the user's groups), SSSD cannot determine whether DENY rules would
match for the user. This therefore translates into a potential
security issue.</p>
<p>We implemented a workaround in the SSSD evaluator to resolve this by
guaranteeing that we do a full lookup of all groups referenced by
rules while we are retrieving the rules from FreeIPA. However, this
requires at least one additional lookup against the LDAP server
(possibly many if there is need to resolve nestings). This results
in a significantly slower login while online.</p>
<p>We also have issues related to source host evaluation. Some
applications will provide an IP address instead of a hostname in the
pam_rhost attribute. Our only recourse here is to perform a
reverse-DNS lookup to try and identify the real hostname(s) of the
server. However, in many real-world environments, reverse DNS is
unavailable or misconfigured. In the case of ALLOW rules, this would
lead to a match failure and an implicit denial. However, a failure
to properly match a DENY rule can result in unexpected access being
granted. This is a potentially serious security issue.</p>
<p>Given these edge cases (and performance issues of the noted
workaround), The FreeIPA team decided to drop DENY rules from the
HBAC specification and limit HBAC only to ALLOW rules (which are
much safer). Beyond the obvious advantages for our implementation,
this should make it less complex for users to write their rules.</p>
<p>[1] Some rules are complex to simulate, such as "Allow access from
all PAM services EXCEPT telnet". But a safer and clearer
implementation approach does all access via whitelist. If a FreeIPA
implementation is using an exception rule, the administrators
should re-evaluate the justification.
</p>
</div>
</div>
</body>
</html>


@ -554,47 +554,3 @@ IPA.hbacrule_details_facet = function(spec) {
return that;
};
IPA.hbac_deny_warning_dialog = function(container) {
var dialog = IPA.dialog({
'title': 'HBAC Deny Rules found'
});
var link_path = "config";
if (IPA.use_static_files){
link_path = "html";
}
dialog.create = function() {
dialog.container.append(
"HBAC rules with type deny have been found."+
" These rules have been deprecated." +
" Please remove them, and restructure the HBAC rules." );
$('<p/>').append($('<a/>',{
text: 'Click here for more information',
href: '../' +link_path +'/hbac-deny-remove.html',
target: "_blank",
style: 'target: tab; color: blue; '
})).appendTo(dialog.container);
};
dialog.create_button({
name: 'edit',
label: 'Edit HBAC Rules',
click: function() {
dialog.close();
IPA.nav.show_page('hbacrule', 'search');
}
});
dialog.create_button({
name: 'ignore',
label: 'Ignore for now',
click: function() {
dialog.close();
}
});
dialog.open();
};


@ -696,11 +696,6 @@ span.main-nav-off > a:visited {
padding-left: 0.5em;
}
.hbac-deny-rule {
color: red;
}
.search-table tfoot td {
padding: 0.5em 0 0 1em;
border-top: 1px solid #dfdfdf;


@ -169,15 +169,6 @@ var IPA = ( function () {
}
}));
batch.add_command(IPA.command({
entity: 'hbacrule',
method: 'find',
options:{"accessruletype":"deny"},
on_success: function(data, text_status, xhr) {
that.hbac_deny_rules = data;
}
}));
batch.execute();
};


@ -15,7 +15,30 @@ then
exit 1
fi
json="{
\"method\": \"batch\",
\"params\": [
[
{
\"method\": \"i18n_messages\",
\"params\": [[], {}]
},
{
\"method\": \"user_find\",
\"params\":[[], { \"whoami\": true, \"all\": true }]
},
{
\"method\": \"env\",
\"params\": [[], {}]
},
{
\"method\": \"dns_is_enabled\",
\"params\": [[], {}]
}
],
{}
]
}"
curl -v\
-H "Content-Type: application/json"\
@ -24,6 +47,6 @@ curl -v\
--delegation always\
-u :\
--cacert /etc/ipa/ca.crt\
-d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'\
-d "$json"\
-X POST\
https://`hostname`/ipa/json | sed 's/[ \t]*$//' > $INIT_FILE
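Review bot: The new `json=` payload also drops the `json_metadata` command that the replaced `-d '{...}'` line sent as the first batch element, which goes beyond the HBAC deny cleanup described in the commit message; the ipa_init fixture in this same commit moving from `"count": 5` to `"count": 4` suggests the captured data already had no json_metadata result, so this is probably a realignment, but the intent is not recorded anywhere. A comment above `json="{` such as `# Batch mirrors the web UI's start-up calls; update it whenever the command list in ipa.js changes.` would make the coupling between this script and the fixture it produces explicit. While here, the pre-existing `> $INIT_FILE` redirect on the last line is unquoted, so a path containing whitespace breaks the script; `> "$INIT_FILE"` is the safe form. The `curl` option list between the two hunks is outside this view.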


@ -2,7 +2,7 @@
"error": null,
"id": null,
"result": {
"count": 4,
"count": 1,
"result": [
{
"accessruletype": [
@ -30,45 +30,9 @@
"usercategory": [
"all"
]
},
{
"accessruletype": [
"deny"
],
"cn": [
"deny1"
],
"dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"ipaenabledflag": [
"TRUE"
]
},
{
"accessruletype": [
"deny"
],
"cn": [
"deny2"
],
"dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"ipaenabledflag": [
"TRUE"
]
},
{
"accessruletype": [
"deny"
],
"cn": [
"deny3"
],
"dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
"ipaenabledflag": [
"TRUE"
]
}
],
"summary": "4 HBAC rules matched",
"summary": "1 HBAC rule matched",
"truncated": false
}
}


@ -4,7 +4,7 @@
"result": {
"result": {
"accessruletype": [
"deny"
"allow"
],
"accesstime": [
"periodic daily 0800-1400",


@ -2,7 +2,7 @@
"error": null,
"id": null,
"result": {
"count": 5,
"count": 4,
"results": [
{
"error": null,
@ -204,11 +204,9 @@
},
"hbacrule": {
"active": "Active",
"allow": "Allow",
"any_host": "Any Host",
"any_service": "Any Service",
"anyone": "Anyone",
"deny": "Deny",
"host": "Accessing",
"inactive": "Inactive",
"ipaenabledflag": "Rule status",
@ -533,13 +531,6 @@
"result": true,
"summary": null,
"value": ""
},
{
"count": 0,
"error": null,
"result": [],
"summary": "0 HBAC rules matched",
"truncated": false
}
]
}


@ -167,12 +167,6 @@ $(function() {
IPA.nav.update();
$('#login_header').html(IPA.messages.login.header);
if (IPA.hbac_deny_rules && IPA.hbac_deny_rules.count > 0){
if (IPA.nav.name === 'admin'){
IPA.hbac_deny_warning_dialog();
}
}
}


@ -296,11 +296,9 @@ class i18n_messages(Command):
},
"hbacrule": {
"active": _("Active"),
"allow": _("Allow"),
"any_host": _("Any Host"),
"any_service": _("Any Service"),
"anyone": _("Anyone"),
"deny": _("Deny"),
"host": _("Accessing"),
"inactive": _("Inactive"),
"ipaenabledflag": _("Rule status"),