Commit Graph

23 Commits

Author SHA1 Message Date
Nathaniel McCallum
255cbb4976 Update all remaining plugins to the new Registry API
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-11 09:24:22 +02:00
Jan Cholasta
c2bd6f365d Convert remaining frontend code to LDAPEntry API. 2014-01-24 20:38:15 +01:00
Martin Kosek
faa820f39e hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.

https://fedorahosted.org/freeipa/ticket/3803
2014-01-10 12:55:44 +01:00
Alexander Bokovoy
7b5cc3ed83 ipaserver/dcerpc: attempt to resolve SIDs through SSSD first
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes possible to run HBAC test requests
without being in 'trusted admins' group.

https://fedorahosted.org/freeipa/ticket/3803
2013-07-23 16:24:38 +03:00
Tomas Babej
78774916c8 Remove redundancy from hbactest help text
I modified the SID in the second example so that result corresponds
with the 5. example.

https://fedorahosted.org/freeipa/ticket/3625
2013-05-15 18:18:13 +02:00
Ana Krivokapic
b8b573a966 Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.

Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).

https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Ana Krivokapic
d03255571c Remove any reference to HBAC source hosts from help
https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Petr Viktorin
f2f1ed63f5 Update plugin docstrings (topic help) to reflect dropped CSV support
https://fedorahosted.org/freeipa/ticket/3352
2013-02-22 17:20:35 +01:00
Martin Kosek
b8079f9ed4 Fix hbachelp examples formatting
Add correct labeling of matched/nonmatched output attributes. Also
make sure that "\" is not interpreted as newline escape character
but really as a "\" character.
2013-02-14 08:38:11 +01:00
Martin Kosek
85d16ad7de Add support for AD users to hbactest command
How this works:
  1. When a trusted domain user is tested, AD GC is searched
     for the user entry Distinguished Name
  2. The user entry is then read from AD GC and its SID and SIDs
     of all its assigned groups (tokenGroups attribute) are retrieved
  3. The SIDs are then used to search IPA LDAP database to find
     all external groups which have any of these SIDs as external
     members
  4. All these groups having these groups as direct or indirect
     members are added to hbactest allowing it to perform the search

LIMITATIONS:
- only Trusted Admins group members can use this function as it
  uses secret for IPA-Trusted domain link
- List of group SIDs does not contain group memberships outside
  of the trusted domain

https://fedorahosted.org/freeipa/ticket/2997
2013-02-14 08:38:11 +01:00
John Dennis
885bb07bb1 Fix name error in hbactest
Ticket #2512

In hbactest.py there is a name error wrapped inside a try/except block
that ignores all errors so the code block exits prematurely leaving a
critical variable uninitialized.

The name error is the result of a cut-n-paste error that references a
variable that had never been initialized in the scope of the code
block. Python generates an exception when this variable is referenced
but because it's wrapped in a try/except block that catches all errors
and ignores all errors there is no evidence that something went wrong.

The fix is to use the correct variables.

At some point we may want to revist if ignoring all errors and
proceding as if nothing happened is actually correct. Alexander tells
me this mimics what SSSD does in the hbac rule processing, thus the
ignoring of errors is intentional. But in a plugin whose purpose is to
test and exercise hbac rules I'm not sure ignoring all errors is
really the right behavior.
2012-04-19 15:22:49 +02:00
Petr Viktorin
528a94f839 Internationalization for HBAC and ipalib.output
* hbacrule: Internationalize HBAC rule "all" category exceptions
  https://fedorahosted.org/freeipa/ticket/2267

* hbactest: Use internationalized names (doc) instead of names
  for output items
  Also don't convert result to bool, `not` does it implicitly

* ipalib.output: Internationalize descriptions of some standard entries
2012-02-14 19:08:40 +01:00
Alexander Bokovoy
1e04e9f029 Allow hbactest to work with HBAC rules exceeding default IPA limits
When multiple HBAC rules are defined, IPA default limits to retrieve
objects may limit the scope of HBAC testing. To allow full range of rules
to be tested support for --sizelimit option is added.

In addition, when --rules option is specified, make sure only those rules
are retrieved regardless total number of rules defined. This should also
speed up HBAC test performance for real life scenarios when few new rules
are added to large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230
2012-01-13 18:22:57 +02:00
Ondrej Hamada
0e037f24ce HBAC test optional sourcehost option
New version of SSSD begins ignoring sourcehost value of HBAC rules by
default. In order to match this behaviour the sourcehost option in
hbactest is optional now, but the value of sourcehost is ignored in all
rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost
value comparation off. If srchost option is used, warning is displayed to
inform the user about changes. Text of plugin help was also updated.

Also the unit tests for hbactest plugin were updated. Every test was
doubled. The second ones test the plugin without sourcehost option. They
are supposed to have the same result.

https://fedorahosted.org/freeipa/ticket/2085
2012-01-09 08:49:10 +02:00
Jan Cholasta
135ccf89de Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True.
Remove "List" parameter type and replace all occurences of it with appropriate
multi-valued parameter ("Str" in most cases) with csv enabled.

Add new parameter type "Any", capable of holding values of any type. This is
needed by the "batch" command, as "Str" is not suitable type for the "methods"
parameter.

ticket 2007
2011-11-30 17:08:35 +01:00
Alexander Bokovoy
c9ef39918a hbactest fails while you have svcgroup in hbacrule
https://fedorahosted.org/freeipa/ticket/1988
2011-10-20 17:23:21 -04:00
Alexander Bokovoy
3e1c04f933 Include indirect membership and canonicalize hosts during HBAC rules testing
When users and hosts are included into groups indirectly, make sure that
during HBAC test e fill in all indirect groups properly into an HBAC request.

Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.

This makes possible following requests:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd

Request to evaluate:
 <user <name foobar groups [hbacusers,ipausers]>
  service <name sshd groups []>
  targethost <name vm-101.ipa.local groups []>
  srchost <name vm-101.ipa.local groups []>
 >

Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
2011-10-10 17:09:22 -04:00
Martin Kosek
a40d4d4d64 Fix pylint false positive in hbactest module
https://fedorahosted.org/freeipa/ticket/1763
2011-09-13 13:49:43 +02:00
Alexander Bokovoy
261a41b3d4 When external host is specified in HBAC rule, allow its use in simulation
https://fedorahosted.org/freeipa/ticket/1763

When external host is specified in HBAC rule, it needs to be added to
the set of source hosts this rule applies to. Add (list of external hosts)
explicitly when converting FreeIPA rules to PyHBAC objects.
2011-09-13 13:14:53 +02:00
Alexander Bokovoy
1bdb5d04fe Unroll groups when testing HBAC rules
Fixes https://fedorahosted.org/freeipa/ticket/1740
2011-09-11 21:08:19 -04:00
Alexander Bokovoy
8f0a7bd646 Incorrect name in examples of ipa help hbactest
https://fedorahosted.org/freeipa/ticket/1741

HBAC rules address PAM services, thus service names should correspond to proper PAM names.
2011-09-11 20:31:42 -04:00
John Dennis
1b4eab0411 ticket 1669 - improve i18n docstring extraction
This patch reverts the use of pygettext for i18n string extraction. It
was originally introduced because the help documentation for commands
are in the class docstring and module docstring.

Docstrings are a Python construct whereby any string which immediately
follows a class declaration, function/method declaration or appears
first in a module is taken to be the documentation for that
object. Python automatically assigns that string to the __doc__
variable associated with the object. Explicitly assigning to the
__doc__ variable is equivalent and permitted.

We mark strings in the source for i18n translation by embedding them
in _() or ngettext(). Specialized extraction tools (e.g. xgettext)
scan the source code looking for strings with those markers and
extracts the string for inclusion in a translation catalog.

It was mistakingly assumed one could not mark for translation Python
docstrings. Since some docstrings are vital for our command help
system some method had to be devised to extract docstrings for the
translation catalog. pygettext has the ability to locate and extract
docstrings and it was introduced to acquire the documentation for our
commands located in module and class docstrings.

However pygettext was too large a hammer for this task, it lacked any
fined grained ability to extract only the docstrings we were
interested in. In practice it extracted EVERY docstring in each file
it was presented with. This caused a large number strings to be
extracted for translation which had no reason to be translated, the
string might have been internal code documentation never meant to be
seen by users. Often the superfluous docstrings were long, complex and
likely difficult to translate. This placed an unnecessary burden on
our volunteer translators.

Instead what is needed is some method to extract only those strings
intended for translation. We already have such a mechanism and it is
already widely used, namely wrapping strings intended for translation
in calls to _() or _negettext(), i.e. marking a string for i18n
translation. Thus the solution to the docstring translation problem is
to mark the docstrings exactly as we have been doing, it only requires
that instead of a bare Python docstring we instead assign the marked
string to the __doc__ variable. Using the hypothetical class foo as
an example.

class foo(Command):
    '''
    The foo command takes out the garbage.
    '''

Would become:

class foo(Command):
    __doc__ = _('The foo command takes out the garbage.')

But which docstrings need to be marked for translation? The makeapi
tool knows how to iterate over every command in our public API. It was
extended to validate every command's documentation and report if any
documentation is missing or not marked for translation. That
information was then used to identify each docstring in the code which
needed to be transformed.

In summary what this patch does is:

* Remove the use of pygettext (modification to install/po/Makefile.in)

* Replace every docstring with an explicit assignment to __doc__ where
  the rhs of the assignment is an i18n marking function.

* Single line docstrings appearing in multi-line string literals
  (e.g. ''' or """) were replaced with single line string literals
  because the multi-line literals were introducing unnecessary
  whitespace and newlines in the string extracted for translation. For
  example:

  '''
  The foo command takes out the garbage.
  '''

  Would appear in the translation catalog as:

"\n
  The foo command takes out the garbage.\n
  "

  The superfluous whitespace and newlines are confusing to translators
  and requires us to strip leading and trailing whitespace from the
  translation at run time.

* Import statements were moved from below the docstring to above
  it. This was necessary because the i18n markers are imported
  functions and must be available before the the doc is
  parsed. Technically only the import of the i18n markers had to
  appear before the doc but stylistically it's better to keep all the
  imports together.

* It was observed during the docstring editing process that the
  command documentation was inconsistent with respect to the use of
  periods to terminate a sentence. Some doc had a trailing period,
  others didn't. Consistency was enforced by adding a period to end of
  every docstring if one was missing.
2011-08-24 23:13:16 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00