mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
2cf7c7b4ac
Bundle remote plugin interface definitions for servers which lack API schema support. These server API versions are included: * 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+, * 2.114: IPA 4.1.4 on Fedora 22, * 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23, * 2.164: IPA 4.3.1 on Fedora 23. For servers with other API versions, the closest lower API version is used. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
214 lines
6.4 KiB
Python
214 lines
6.4 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
# pylint: disable=unused-import
|
|
import six
|
|
|
|
from . import Command, Method, Object
|
|
from ipalib import api, parameters, output
|
|
from ipalib.parameters import DefaultFrom
|
|
from ipalib.plugable import Registry
|
|
from ipalib.text import _
|
|
from ipapython.dn import DN
|
|
from ipapython.dnsutil import DNSName
|
|
|
|
if six.PY3:
|
|
unicode = str
|
|
|
|
__doc__ = _("""
|
|
Simulate use of Host-based access controls
|
|
|
|
HBAC rules control who can access what services on what hosts and from where.
|
|
You can use HBAC to control which users or groups can access a service,
|
|
or group of services, on a target host.
|
|
|
|
Since applying HBAC rules implies use of a production environment,
|
|
this plugin aims to provide simulation of HBAC rules evaluation without
|
|
having access to the production environment.
|
|
|
|
Test user coming to a service on a named host against
|
|
existing enabled rules.
|
|
|
|
ipa hbactest --user= --host= --service=
|
|
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
|
|
[--srchost= ] [--sizelimit= ]
|
|
|
|
--user, --host, and --service are mandatory, others are optional.
|
|
|
|
If --rules is specified simulate enabling of the specified rules and test
|
|
the login of the user using only these rules.
|
|
|
|
If --enabled is specified, all enabled HBAC rules will be added to simulation
|
|
|
|
If --disabled is specified, all disabled HBAC rules will be added to simulation
|
|
|
|
If --nodetail is specified, do not return information about rules matched/not matched.
|
|
|
|
If both --rules and --enabled are specified, apply simulation to --rules _and_
|
|
all IPA enabled rules.
|
|
|
|
If no --rules specified, simulation is run against all IPA enabled rules.
|
|
By default there is a IPA-wide limit to number of entries fetched, you can change it
|
|
with --sizelimit option.
|
|
|
|
If --srchost is specified, it will be ignored. It is left because of compatibility reasons only.
|
|
|
|
EXAMPLES:
|
|
|
|
1. Use all enabled HBAC rules in IPA database to simulate:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd
|
|
--------------------
|
|
Access granted: True
|
|
--------------------
|
|
notmatched: my-second-rule
|
|
notmatched: my-third-rule
|
|
notmatched: myrule
|
|
matched: allow_all
|
|
|
|
2. Disable detailed summary of how rules were applied:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --nodetail
|
|
--------------------
|
|
Access granted: True
|
|
--------------------
|
|
|
|
3. Test explicitly specified HBAC rules:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule
|
|
---------------------
|
|
Access granted: False
|
|
---------------------
|
|
notmatched: my-second-rule
|
|
notmatched: myrule
|
|
|
|
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --enabled
|
|
--------------------
|
|
Access granted: True
|
|
--------------------
|
|
notmatched: my-second-rule
|
|
notmatched: my-third-rule
|
|
notmatched: myrule
|
|
matched: allow_all
|
|
|
|
5. Test all disabled HBAC rules in IPA database:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --disabled
|
|
---------------------
|
|
Access granted: False
|
|
---------------------
|
|
notmatched: new-rule
|
|
|
|
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --rules=my-second-rule,myrule --disabled
|
|
---------------------
|
|
Access granted: False
|
|
---------------------
|
|
notmatched: my-second-rule
|
|
notmatched: my-third-rule
|
|
notmatched: myrule
|
|
|
|
7. Test all (enabled and disabled) HBAC rules in IPA database:
|
|
$ ipa hbactest --user=a1a --host=bar --service=sshd --enabled --disabled
|
|
--------------------
|
|
Access granted: True
|
|
--------------------
|
|
notmatched: my-second-rule
|
|
notmatched: my-third-rule
|
|
notmatched: myrule
|
|
notmatched: new-rule
|
|
matched: allow_all
|
|
""")
|
|
|
|
register = Registry()
|
|
|
|
|
|
@register()
|
|
class hbactest(Command):
|
|
__doc__ = _("Simulate use of Host-based access controls")
|
|
|
|
takes_options = (
|
|
parameters.Str(
|
|
'user',
|
|
label=_(u'User name'),
|
|
),
|
|
parameters.Str(
|
|
'sourcehost',
|
|
required=False,
|
|
cli_name='srchost',
|
|
label=_(u'Source host'),
|
|
),
|
|
parameters.Str(
|
|
'targethost',
|
|
cli_name='host',
|
|
label=_(u'Target host'),
|
|
),
|
|
parameters.Str(
|
|
'service',
|
|
label=_(u'Service'),
|
|
),
|
|
parameters.Str(
|
|
'rules',
|
|
required=False,
|
|
multivalue=True,
|
|
label=_(u'Rules to test. If not specified, --enabled is assumed'),
|
|
),
|
|
parameters.Flag(
|
|
'nodetail',
|
|
required=False,
|
|
label=_(u'Hide details which rules are matched, not matched, or invalid'),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Flag(
|
|
'enabled',
|
|
required=False,
|
|
label=_(u'Include all enabled IPA rules into test [default]'),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Flag(
|
|
'disabled',
|
|
required=False,
|
|
label=_(u'Include all disabled IPA rules into test'),
|
|
default=False,
|
|
autofill=True,
|
|
),
|
|
parameters.Int(
|
|
'sizelimit',
|
|
required=False,
|
|
label=_(u'Size Limit'),
|
|
doc=_(u'Maximum number of rules to process when no --rules is specified'),
|
|
),
|
|
)
|
|
has_output = (
|
|
output.Output(
|
|
'summary',
|
|
(unicode, type(None)),
|
|
doc=_(u'User-friendly description of action performed'),
|
|
),
|
|
output.Output(
|
|
'warning',
|
|
(list, tuple, type(None)),
|
|
doc=_(u'Warning'),
|
|
),
|
|
output.Output(
|
|
'matched',
|
|
(list, tuple, type(None)),
|
|
doc=_(u'Matched rules'),
|
|
),
|
|
output.Output(
|
|
'notmatched',
|
|
(list, tuple, type(None)),
|
|
doc=_(u'Not matched rules'),
|
|
),
|
|
output.Output(
|
|
'error',
|
|
(list, tuple, type(None)),
|
|
doc=_(u'Non-existent or invalid rules'),
|
|
),
|
|
output.Output(
|
|
'value',
|
|
bool,
|
|
doc=_(u'Result of simulation'),
|
|
),
|
|
)
|