On 07/06/2011 11:13 AM, Adam Young wrote:



Rebased. Also, updated the hbacrule_find.json sample data to show the deny rules in static view
From 480dcbe25309e4c4529ef043f7ff44cb15ae2a68 Mon Sep 17 00:00:00 2001
From: Adam Young <ayo...@redhat.com>
Date: Tue, 5 Jul 2011 17:59:05 -0400
Subject: [PATCH] HBAC deny warning

Shows a dialog if there are any HBAC deny rules.  The dialog provides an option to navigate to the HBAC page.  Deny rules have their rule type value shown in red.

https://fedorahosted.org/freeipa/ticket/1421
---
 install/ui/hbac.js                      |   42 ++++++++++++++++-
 install/ui/ipa.css                      |    6 ++
 install/ui/ipa.js                       |    9 ++++
 install/ui/test/bin/update_ipa_init.sh  |    2 +-
 install/ui/test/data/hbacrule_find.json |   58 +++++++++++++++--------
 install/ui/test/data/ipa_init.json      |   78 ++++++++++++++++++++++---------
 install/ui/webui.js                     |    4 ++
 install/ui/widget.js                    |    5 +-
 8 files changed, 159 insertions(+), 45 deletions(-)

diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index c082056bb5005d6698eea1015fa50586ad9c415d..4386a4e94c24f753a55740aaa1b331e84812e4c5 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -26,7 +26,21 @@ IPA.entity_factories.hbacrule = function () {
     return IPA.entity_builder().
         entity('hbacrule').
         search_facet({
-            columns:['cn','usercategory','hostcategory','ipaenabledflag',
+            columns:['cn',
+                     {
+                         factory: IPA.column,
+                         name:'accessruletype',
+                         setup : function(container,record){
+                             container.empty();
+                             var value = record[this.name];
+                             value = value ? value.toString() : '';
+                             if (value === 'deny'){
+                                 container.addClass('hbac-deny-rule');
+                             }
+                             container.append(value);
+                         }
+                     },
+                     'usercategory','hostcategory','ipaenabledflag',
                      'servicecategory','sourcehostcategory']
         }).
         details_facet({
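Review bot: The inline `setup` at L42-50 reads `record[this.name]`, so it only renders correctly when widget.js invokes it as a method of the column object (`that.setup(container, record)`); if the function is ever detached and passed as a plain callback, `this` is no longer the column. Using `record['accessruletype']` here, or capturing the column in a closure, removes that dependency. The override also copies the default renderer's body (empty, `toString()`, append) instead of delegating to it and only adding the class, so later fixes to the default in widget.js — e.g. for multi-valued attributes, where `toString()` joins with commas — will not reach this column. Lastly, `container.append(value)` hands jQuery a string that it parses as HTML; for this server-provided enum value that is harmless, but `container.text(value)` states the intent and is the safer habit for record values.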
@@ -996,3 +1010,29 @@ IPA.hbacrule_accesstime_widget = function (spec) {
 
     return that;
 };
+
+IPA.hbac_deny_warning_dialog = function (container) {
+    var dialog = IPA.dialog({
+        'title': 'HBAC Deny Rules found'
+    });
+
+    dialog.create = function() {
+        dialog.container.append(
+            "HBAC rules with type deny have been found."+
+                "  These rules have been deprecated." +
+                "  Please remove them, and restructure the HBAC rules." );
+    };
+
+    dialog.add_button('Edit HBAC Rules', function() {
+        dialog.close();
+        IPA.nav.show_page('hbacrule', 'search');
+    });
+
+    dialog.add_button('Ignore for now', function() {
+        dialog.close();
+    });
+
+    dialog.init();
+
+    dialog.open();
+};
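Review bot: `IPA.hbac_deny_warning_dialog` declares a `container` parameter it never uses, and the webui.js caller passes no arguments; either drop the parameter or pass it through to `dialog.open()` so the signature and the call agree. The title, body text and both button labels are hard-coded English, whereas the surrounding UI reads its strings from `IPA.messages` (webui.js uses `IPA.messages.login.header`), so this dialog cannot be translated; reading them from a messages entry would keep it consistent. A short header comment would also help, e.g. `// Shown once per page load when the hbacrule_find(accessruletype=deny) batch result in ipa.js has count > 0; "Edit HBAC Rules" navigates to the hbacrule search page.`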
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 38b5a9118c63c8e1909e91a3e669a233c5ea1cb4..599441b2216f2a00b23856cb83ef29d4ae8cf087 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -645,6 +645,12 @@ div.tabs {
     padding-left: 0.5em;
 }
 
+.hbac-deny-rule {
+    padding-left: 0.5em;
+    color: red;
+}
+
+
 .search-table tfoot td {
     padding: 0.5em 0 0 1em;
     border-top: 1px solid #dfdfdf;
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 4f194739b817f80779ff49af5a5092339ddca80f..4b505235bcc8467d50e9143a0842982a5ed81628 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -123,6 +123,15 @@ var IPA = ( function () {
             }
         }));
 
+        batch.add_command(IPA.command({
+            entity: 'hbacrule',
+            method: 'find',
+            options:{"accessruletype":"deny"},
+            on_success: function(data, text_status, xhr) {
+                that.hbac_deny_rules = data;
+            }
+        }));
+
         batch.execute();
     };
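Review bot: The `hbacrule_find` command added at L111-118 has no `on_error` handler, so if that search fails (for example a user who cannot read the HBAC container) `that.hbac_deny_rules` simply stays undefined and the warning is silently suppressed; an explicit `on_error` that logs the failure would make that visible rather than relying on whatever `IPA.command` does by default, which is not shown here. Only `.count` is ever consumed by webui.js, yet the full matching entries are fetched and kept on the `IPA` object for the whole session; if this command accepts a size limit option, requesting fewer entries would trim the init payload. The filter also ignores `ipaenabledflag`, so disabled deny rules still trigger the dialog — if that is intended, a comment saying so on the `options` line would save the next reader the question.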
 
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 5cdeacaa42137572c96f4fe9dd5a7a3b3a120153..23852a2693ac72fb29a6bf468e05caedb7851065 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -17,4 +17,4 @@ fi
 
 
 
-curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u :  --cacert /etc/ipa/ca.crt  -d '{"method":"batch","params":[[ {"method":"json_metadata","params":[[],{}]}, {"method":"i18n_messages","params":[[],{}]}, {"method":"user_find","params":[[],{"whoami":"true","all":"true"}]}, {"method":"env","params":[[],{}]}, {"method":"dns_is_enabled","params":[[],{}]} ],{}],"id":1}'  -X POST  https://`hostname`/ipa/json  | sed 's/[ \t]*$//' >   $INIT_FILE
+curl -v -H "Content-Type:application/json" -H "Accept:applicaton/json" --negotiate -u :  --cacert /etc/ipa/ca.crt  -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'  -X POST  https://`hostname`/ipa/json  | sed 's/[ \t]*$//' >   $INIT_FILE
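Review bot: The `Accept:applicaton/json` header on the rewritten curl line is misspelled (`application`); it is inherited from the old line, but since the line is being replaced this is the place to fix it. The new request body also drops the `"id":1` member of the JSON-RPC envelope, which is why the regenerated ipa_init.json now carries `"id": null`; restoring it keeps the fixture shaped like what the UI actually sends. Minor: the redirection target `$INIT_FILE` is unquoted — `"$INIT_FILE"` avoids word splitting if the path ever contains spaces.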
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index fd95d9f572877fb0f7d82002f58b7db2076dc9c2..3801a7d448c4990f7218a32ccc817479b91898d7 100644
--- a/install/ui/test/data/hbacrule_find.json
+++ b/install/ui/test/data/hbacrule_find.json
@@ -1,54 +1,74 @@
 {
-    "error": null, 
-    "id": 0,
+    "error": null,
+    "id": null,
     "result": {
-        "count": 2,
+        "count": 4,
         "result": [
             {
                 "accessruletype": [
                     "allow"
-                ], 
+                ],
                 "cn": [
                     "allow_all"
-                ], 
+                ],
                 "description": [
                     "Allow all users to access any host from any host"
-                ], 
-                "dn": "ipauniqueid=b7567b5a-e39311df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com",
+                ],
+                "dn": "ipauniqueid=ca842a42-a445-11e0-87ff-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
                 "hostcategory": [
                     "all"
-                ], 
+                ],
                 "ipaenabledflag": [
                     "TRUE"
-                ], 
+                ],
                 "servicecategory": [
                     "all"
-                ], 
+                ],
                 "sourcehostcategory": [
                     "all"
-                ], 
+                ],
                 "usercategory": [
                     "all"
                 ]
             },
             {
                 "accessruletype": [
-                    "allow"
+                    "deny"
                 ],
-                "accesstime": [
-                    "periodic daily 0800-1400",
-                    "absolute 201012161032 ~ 201012161033"
+                "cn": [
+                    "deny1"
+                ],
+                "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+                "ipaenabledflag": [
+                    "TRUE"
+                ]
+            },
+            {
+                "accessruletype": [
+                    "deny"
+                ],
+                "cn": [
+                    "deny2"
+                ],
+                "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+                "ipaenabledflag": [
+                    "TRUE"
+                ]
+            },
+            {
+                "accessruletype": [
+                    "deny"
                 ],
                 "cn": [
-                    "test"
+                    "deny3"
                 ],
-                "dn": "ipauniqueid=3b6d2a82-e3b511df-bfde9b13-2b28c216,cn=hbac,dc=dev,dc=example,dc=com",
+                "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
                 "ipaenabledflag": [
                     "TRUE"
                 ]
             }
-        ], 
-        "summary": null, 
+        ],
+        "summary": "4 HBAC rules matched",
         "truncated": false
     }
 }
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 5b4dadfca42a43acad4d857fe4bb9bbba771512d..4bf197202b3ea297ac8c63d96fd603aa5c9bd3fd 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -1,8 +1,8 @@
 {
     "error": null,
-    "id": 1,
+    "id": null,
     "result": {
-        "count": 5,
+        "count": 6,
         "results": [
             {
                 "error": null,
@@ -1761,6 +1761,10 @@
                             }
                         ]
                     },
+                    "dnsrecord_mod": {
+                        "takes_args": [],
+                        "takes_options": []
+                    },
                     "dnsrecord_show": {
                         "takes_args": [],
                         "takes_options": [
@@ -9896,6 +9900,7 @@
                             "del",
                             "delentry",
                             "find",
+                            "mod",
                             "show"
                         ],
                         "name": "dnsrecord",
@@ -11333,8 +11338,8 @@
                             "ipahbacservice"
                         ],
                         "object_class_config": null,
-                        "object_name": "HBAC service",
-                        "object_name_plural": "HBAC services",
+                        "object_name": "hbacsvc",
+                        "object_name_plural": "hbacsvcs",
                         "parent_object": "",
                         "primary_key": "cn",
                         "rdn_attribute": "",
@@ -11462,8 +11467,8 @@
                             "ipahbacservicegroup"
                         ],
                         "object_class_config": null,
-                        "object_name": "HBAC service group",
-                        "object_name_plural": "HBAC service groups",
+                        "object_name": "hbacsvcgroup",
+                        "object_name_plural": "hbacsvcgroups",
                         "parent_object": "",
                         "primary_key": "cn",
                         "rdn_attribute": "",
@@ -12030,8 +12035,8 @@
                             "ipahostgroup"
                         ],
                         "object_class_config": null,
-                        "object_name": "host group",
-                        "object_name_plural": "host groups",
+                        "object_name": "hostgroup",
+                        "object_name_plural": "hostgroups",
                         "parent_object": "",
                         "primary_key": "cn",
                         "rdn_attribute": "",
@@ -12117,7 +12122,7 @@
                         "aciattrs": [],
                         "attribute_members": {},
                         "bindable": false,
-                        "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos",
+                        "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos",
                         "default_attributes": [
                             "krbmaxticketlife",
                             "krbmaxrenewableage"
@@ -12962,7 +12967,7 @@
                         ],
                         "attribute_members": {},
                         "bindable": false,
-                        "container_dn": "cn=IDM.LAB.BOS.REDHAT.COM,cn=kerberos",
+                        "container_dn": "cn=SERVER15.AYOUNG.BOSTON.DEVEL.REDHAT.COM,cn=kerberos",
                         "default_attributes": [
                             "cn",
                             "cospriority",
@@ -13412,10 +13417,10 @@
                         ],
                         "name": "selfservice",
                         "object_name": [
-                            "self service permission"
+                            "selfservice"
                         ],
                         "object_name_plural": [
-                            "self service permissions"
+                            "selfservice"
                         ],
                         "primary_key": "aciname",
                         "takes_params": [
@@ -13670,8 +13675,8 @@
                             "ipasudocmd"
                         ],
                         "object_class_config": null,
-                        "object_name": "sudo command",
-                        "object_name_plural": "sudo commands",
+                        "object_name": "sudocmd",
+                        "object_name_plural": "sudocmds",
                         "parent_object": "",
                         "primary_key": "sudocmd",
                         "rdn_attribute": "",
@@ -13799,8 +13804,8 @@
                             "ipasudocmdgrp"
                         ],
                         "object_class_config": null,
-                        "object_name": "sudo command group",
-                        "object_name_plural": "sudo command groups",
+                        "object_name": "sudocmdgroup",
+                        "object_name_plural": "sudocmdgroups",
                         "parent_object": "",
                         "primary_key": "cn",
                         "rdn_attribute": "",
@@ -14041,8 +14046,8 @@
                             "ipasudorule"
                         ],
                         "object_class_config": null,
-                        "object_name": "sudo rule",
-                        "object_name_plural": "sudo rules",
+                        "object_name": "Sudo Rule",
+                        "object_name_plural": "Sudo Rules",
                         "parent_object": "",
                         "primary_key": "cn",
                         "rdn_attribute": "ipauniqueid",
@@ -15889,15 +15894,12 @@
                             {
                                 "__base64__": "AAL2bA5Ocm9vdC9hZG1pbkBTRVJWRVIxNS5BWU9VTkcuQk9TVE9OLkRFVkVMLlJFREhBVC5DT00A"
                             },
-                            {
-                                "__base64__": "AAgBAA=="
-                            }
                         ],
                         "krblastpwdchange": [
                             "20110702005726Z"
                         ],
                         "krblastsuccessfulauth": [
-                            "20110705172822Z"
+                            "20110705180548Z"
                         ],
                         "krbpasswordexpiration": [
                             "20110930005726Z"
@@ -16017,6 +16019,38 @@
                 "result": true,
                 "summary": null,
                 "value": ""
+            },
+            {
+                "count": 2,
+                "error": null,
+                "result": [
+                    {
+                        "accessruletype": [
+                            "deny"
+                        ],
+                        "cn": [
+                            "testdeny"
+                        ],
+                        "dn": "ipauniqueid=d0ecd398-a747-11e0-8634-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+                        "ipaenabledflag": [
+                            "TRUE"
+                        ]
+                    },
+                    {
+                        "accessruletype": [
+                            "deny"
+                        ],
+                        "cn": [
+                            "testdeny2"
+                        ],
+                        "dn": "ipauniqueid=d5231d5a-a747-11e0-a9b2-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
+                        "ipaenabledflag": [
+                            "TRUE"
+                        ]
+                    }
+                ],
+                "summary": "2 HBAC rules matched",
+                "truncated": false
             }
         ]
     }
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 2c4451489fd4a3acb00621ab57824e051952cf0f..11f4b8bb167d189a70aa21580aa437e6eecd3a5c 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -158,6 +158,10 @@ $(function() {
         IPA.nav.update();
 
         $('#login_header').html(IPA.messages.login.header);
+
+        if (IPA.hbac_deny_rules  && IPA.hbac_deny_rules.count > 0){
+            IPA.hbac_deny_warning_dialog();
+        }
     }
 
 
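Review bot: The check at L427 depends on `IPA.hbac_deny_rules`, which ipa.js fills in asynchronously from a batch `on_success` callback; whether this code runs only after that callback has fired is determined by how the enclosing function (its start is outside the hunk) is reached, and if it can run earlier the warning is silently skipped. "Ignore for now" is not recorded anywhere, so the dialog will reappear on every reload of the UI until the rules are removed; if that is the intended behaviour a comment such as `// re-shown on every init until the deny rules are gone` would stop it being reported as a bug. Minor: double space in `IPA.hbac_deny_rules  &&`.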
diff --git a/install/ui/widget.js b/install/ui/widget.js
index cd3a5c60e2153b25c0fce58ebaf94cf3f51f1ffe..9142a26a90927ecaa845c25b80f94f6938209f12 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1156,7 +1156,7 @@ IPA.column = function (spec) {
         }
     };
 
-    that.setup = function(container, record) {
+    function setup(container, record) {
         container.empty();
 
         var value = record[that.name];
@@ -1177,8 +1177,9 @@ IPA.column = function (spec) {
         } else {
             container.append(value);
         }
+    }
 
-    };
+    that.setup = spec.setup || setup;
 
     that.link_handler = function(value) {
         return false;
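Review bot: `that.setup = spec.setup || setup;` at L453 lets a column spec replace the whole cell renderer, including the `else { container.append(value); }` path and the normalisation that precedes it, so every override must re-implement `container.empty()` and the value handling itself — which hbac.js now does by copying the body. Exposing the default as well (for example `that.default_setup = setup;`, name constructed) would let an override call it and only add behaviour. A comment above the assignment would document the contract, e.g. `// spec.setup may replace the default renderer; it is invoked as that.setup(container, record), so overrides see the column as this`. The `setup` declaration itself begins in the previous hunk.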
-- 
1.7.5.2

