URL: https://github.com/freeipa/freeipa/pull/2746
Author: tiran
 Title: #2746: Create systemd-user HBAC service and rule
Action: opened

PR body:
"""
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <chei...@redhat.com>
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2746/head:pr2746
git checkout pr2746
From 05b9c01265cf12b32bfdb345756001aa10cd6cba Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Fri, 11 Jan 2019 11:18:05 +0100
Subject: [PATCH] Create systemd-user HBAC service and rule

Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <chei...@redhat.com>
---
 install/share/bootstrap-template.ldif      |  8 ++++
 install/share/default-hbac.ldif            | 13 ++++++
 ipaserver/install/server/upgrade.py        | 29 +++++++++++++
 ipatests/test_integration/test_commands.py | 49 ++++++++++++++++++++++
 4 files changed, 99 insertions(+)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index d48c4fafc0..6cd17e37ef 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -346,6 +346,14 @@ cn: sudo-i
 description: sudo-i
 ipauniqueid:autogenerate
 
+dn: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipahbacservice
+objectclass: ipaobject
+cn: systemd-user
+description: pam_systemd and systemd user@.service
+ipauniqueid:autogenerate
+
 dn: cn=gdm,cn=hbacservices,cn=hbac,$SUFFIX
 changetype: add
 objectclass: ipahbacservice
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
index 52fd30ec9a..8dd90685cc 100644
--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -12,3 +12,16 @@ ipaenabledflag: TRUE
 description: Allow all users to access any host from any host
 ipauniqueid: autogenerate
 
+# default HBAC policy for pam_systemd
+dn: ipauniqueid=autogenerate,cn=hbac,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipahbacrule
+cn: allow_systemd-user
+accessruletype: allow
+usercategory: all
+hostcategory: all
+servicecategory: systemd-user
+ipaenabledflag: TRUE
+description: Allow pam_systemd to run user@.service to create a system user session
+ipauniqueid: autogenerate
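Review bot: `servicecategory: systemd-user` on the new rule does not bind the rule to the service: as far as I recall, the HBAC category attributes are markers whose only meaningful value is `all` (the hbacrule plugin exposes servicecategory as an enum with that single value) and the SSSD evaluator ignores any other value, so the rule as written would match no service. The same construct appears in the upgrade.py hunk as `servicecategory=['systemd-user']`, where the API would presumably reject the value outright. The service should instead be referenced as a member, `memberservice: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX`, and in upgrade.py attached after a successful hbacrule_add with `api.Command.hbacrule_add_service('allow_systemd-user', hbacsvc='systemd-user')`. Worth confirming against the hbacrule plugin before merging, since a rule that silently matches nothing is hard to notice in manual testing.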
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index ae6fcc77e7..265c6f5d33 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1735,6 +1735,34 @@ def migrate_to_authselect():
     sysupgrade.set_upgrade_state('authcfg', 'migrated_to_authselect', True)
 
 
+def add_systemd_user_hbac():
+    logger.info('[Create systemd-user hbac service and rule]')
+    try:
+        api.Command.hbacsvc_add(
+            'systemd-user',
+            description='pam_systemd and systemd user@.service'
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac service systemd-user already exists')
+        # Don't create hbac rule when hbacsvc already exists, so the rule
+        # does not get re-created after it has been deleted by an admin.
+        return
+    else:
+        logger.info('Created hbacsvc systemd-user')
+
+    try:
+        api.Command.hbacrule_add(
+            'allow_systemd-user',
+            description=('Allow pam_systemd to run user@.service to create '
+                         'a system user session'),
+            servicecategory=['systemd-user']
+        )
+    except ipalib.errors.DuplicateEntry:
+        logger.info('hbac rule allow_systemd-user already exists')
+    else:
+        logger.info('Created hbac rule allow_systemd-user')
+
+
 def fix_permissions():
     """Fix permission of public accessible files and directories
 
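Review bot: The hbacrule_add call in add_systemd_user_hbac omits `usercategory='all'` and `hostcategory='all'`, so the rule created on upgrade differs from the default-hbac.ldif entry (which sets both) and, without any user or host membership, would apply to nobody. Add `usercategory='all', hostcategory='all',` to the call so a fresh install and an upgraded server end up with the same policy. The function also has no docstring; one that states the contract would help, along the lines of "Create the systemd-user HBAC service and its allow rule; if the service already exists the rule is deliberately not re-created, so an admin's deletion of the rule survives later upgrades." fix_permissions begins at the end of this hunk and continues outside it.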
@@ -2050,6 +2078,7 @@ def upgrade_configuration():
         cainstance.ensure_ipa_authority_entry()
 
     migrate_to_authselect()
+    add_systemd_user_hbac()
 
     sssd_update()
 
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index cfb2fa48d8..324c1ad3dd 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -495,3 +495,52 @@ def test_ipa_cacert_manage_install(self):
             assert result.returncode == 1
 
         self.master.run_command(['rm', '-f', filename])
+
+    def test_hbac_systemd_user(self):
+        # check for presence
+        self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # delete both
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-del', 'systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert 'Created hbacsvc systemd-user' in result.stdout_text
+        assert 'Created hbac rule allow_systemd-user' in result.stdout_text
+
+        # check for presence
+        self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user']
+        )
+        self.master.run_command(
+            ['ipa', 'hbacsvc-show', 'systemd-user']
+        )
+
+        # only delete rule
+        self.master.run_command(
+            ['ipa', 'hbacrule-del', 'allow_systemd-user']
+        )
+
+        # run upgrade
+        result = self.master.run_command(['ipa-server-upgrade'])
+        assert (
+            'hbac service systemd-user already exists' in result.stdout_text
+        )
+        assert (
+            'Created hbac rule allow_systemd-user' not in result.stdout_text
+        )
+        result = self.master.run_command(
+            ['ipa', 'hbacrule-show', 'allow_systemd-user'],
+            raiseonerr=True
+        )
+        assert result.returncode != 0
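Review bot: The final check in test_hbac_systemd_user is contradictory: `raiseonerr=True` makes run_command raise when `hbacrule-show` fails, so the following `assert result.returncode != 0` is never reached in the expected case and fails in the unexpected one; it should be `raiseonerr=False`. The test also ends with the rule deleted and the service still present, which an upgrade will not repair by design, so any later test on the same master that relies on the default policy would see a different environment; consider restoring the rule at the end or in a cleanup. The enclosing class starts outside the hunk.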