On 26.07.2011 06:23, Alexander Bokovoy wrote: > I'll send updated patch proposal today. Here is new patch.
$ ipa hbactest --help Usage: ipa [global-options] hbactest [options] Options: -h, --help show this help message and exit --user=STR User name --srchost=STR Source host --host=STR Target host --service=STR Service --rules=LIST Rules to test. If not specified, --enabled is assumed --detail Show which rules are passed, denied, or invalid --enabled Include all enabled IPA rules into test [default] --disabled Include all disabled IPA rules into test Following modes are implemented by the plugin given (user, source host, target host, service), attempt to login user coming from source host to target host's service: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- 2. Show detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule passed: allow_all 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- denied: my-second-rule, myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule passed: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled --------------------- Access granted: False --------------------- denied: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- denied: my-second-rule, myrule, new-rule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule, new-rule passed: allow_all -- / Alexander Bokovoy
From 35f381fe653a4ee7f24809116da4ea76cddea276 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy <aboko...@redhat.com> Date: Fri, 22 Jul 2011 16:30:44 +0300 Subject: [PATCH] Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 The idea behind this plugin is to re-use pyhbac module provided by SSSD project which is Python bindings for SSSD's libipa_hbac code used for actual HBAC rule execution. This requires libipa_hbac-python package. $ ipa hbactest --help Usage: ipa [global-options] hbactest [options] Options: -h, --help show this help message and exit --user=STR User name --srchost=STR Source host --host=STR Target host --service=STR Service --rules=LIST Rules to test. If not specified, --enabled is assumed --detail Show which rules are passed, denied, or invalid --enabled Include all enabled IPA rules into test [default] --disabled Include all disabled IPA rules into test Following modes are implemented by the plugin given (user, source host, target host, service), attempt to login user coming from source host to target host's service: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- 2. Show detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule passed: allow_all 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- denied: my-second-rule, myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule passed: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --disabled --------------------- Access granted: False --------------------- denied: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- denied: my-second-rule, myrule, new-rule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --detail --enabled --disabled -------------------- Access granted: True -------------------- denied: my-second-rule, my-third-rule, myrule, new-rule passed: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will generate a deny result and report non-existing rules in detailed output. --- API.txt | 13 +++ VERSION | 2 +- freeipa.spec.in | 5 + ipalib/plugins/hbactest.py | 255 ++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 274 insertions(+), 1 deletions(-) create mode 100644 ipalib/plugins/hbactest.py diff --git a/API.txt b/API.txt index 42a212b1ebda0f8e1f45b016c5ba421f16ffb24c..8aa97baf46bfe893e82ab988a07d4a2b228ceffe 100644 --- a/API.txt +++ b/API.txt @@ -1321,6 +1321,19 @@ option: Str('version?', exclude='webui', flags=['no_option', 'no_output']) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed') output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user") +command: hbactest +args: 0,8,3 +option: Str('user', cli_name='user', label=Gettext('User name', domain='ipa', localedir=None), primary_key=True) +option: Str('sourcehost', cli_name='srchost', label=Gettext('Source host', domain='ipa', localedir=None)) +option: Str('targethost', cli_name='host', label=Gettext('Target host', domain='ipa', localedir=None)) +option: Str('service', cli_name='service', label=Gettext('Service', domain='ipa', localedir=None)) +option: List('testrules?', cli_name='rules', label=Gettext('Rules to test. If not specified, --enabled is assumed', domain='ipa', localedir=None), multivalue=True) +option: Flag('detail?', autofill=True, cli_name='detail', default=False, label=Gettext('Show which rules are passed, denied, or invalid', domain='ipa', localedir=None)) +option: Flag('enabled?', autofill=True, cli_name='enabled', default=False, label=Gettext('Include all enabled IPA rules into test [default]', domain='ipa', localedir=None)) +option: Flag('disabled?', autofill=True, cli_name='disabled', default=False, label=Gettext('Include all disabled IPA rules into test', domain='ipa', localedir=None)) +output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed') +output: Output('result', <type 'dict'>, Gettext('Details of simulation', domain='ipa', localedir=None)) +output: Output('value', <type 'unicode'>, Gettext('Result of simulation', domain='ipa', localedir=None)) command: host_add args: 1,14,3 arg: Str('fqdn', validate_host, attribute=True, cli_name='hostname', label=Gettext('Host name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, required=True) diff --git a/VERSION b/VERSION index 98e92c5dd3a6902e8552fa81f491fec6e1633c12..0abf5962f983e42cdcef50e65ecdbd06c9a85030 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=10 +IPA_API_VERSION_MINOR=11 diff --git a/freeipa.spec.in b/freeipa.spec.in index 35ff84576da61cdd83875ca318e04998f9bef6a7..5276d1d169a3d8399e940ad8e1805a43f0b01d28 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -59,6 +59,7 @@ BuildRequires: python-kerberos BuildRequires: python-rhsm BuildRequires: pyOpenSSL BuildRequires: pylint +BuildRequires: libipa_hbac-python %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -201,6 +202,7 @@ Requires: python-netaddr >= 0.7.5-3 %else Requires: python-netaddr %endif +Requires: libipa_hbac-python Obsoletes: ipa-python >= 1.0 @@ -511,6 +513,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Fri Jul 22 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.0.90-7 +- Add libipa_hbac-python dependency for hbactest plugin + * Thu Jul 14 2011 Rob Crittenden <rcrit...@redhat.com> - 2.0.90-6 - Add ipa-csreplica-manage tool. diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py new file mode 100644 index 0000000000000000000000000000000000000000..8ca81ca571c2307bf3c521e8208e23e5638ff2d2 --- /dev/null +++ b/ipalib/plugins/hbactest.py @@ -0,0 +1,255 @@ +# Authors: +# Alexander Bokovoy <aboko...@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Simulate use of Host-based access controls + +HBAC rules control who can access what services on what hosts and from where. +You can use HBAC to control which users or groups on a source host can +access a service, or group of services, on a target host. + +Since applying HBAC rules implies use of a production environment, +this plugin aims to provide simulation of HBAC rules evaluation without +having access to the production environment. + +EXAMPLES: + + Test user coming from source host to a service on a named host against + existing enabled rules. + + If --rules is specified simulate enabling of the specified rules and test + the login of the user using only these rules. + + If --enabled is specified, all enabled HBAC rules will be added to simulation + + If --disabled is specified, all disabled HBAC rules will be added to simulation + + If --detail is specified, return information about rules passed/denied. + + If both --rules and --enabled are specified, apply simulation to --rules _and_ + all IPA enabled rules. + + If no --rules specified, simulation is run against all IPA enabled rules. + + ipa hbactest --user= --srchost= --host= --service= + [--rules=rules-list] [--detail] [--enabled] [--disabled] +""" + +from ipalib import api, errors, output +from ipalib import Command, List, Str, Flag +from ipalib.cli import to_cli +from ipalib import _, ngettext +import pyhbac + +def convert_to_ipa_rule(rule): + # convert a dict with a rule to an pyhbac rule + ipa_rule = pyhbac.HbacRule(rule['cn'][0]) + ipa_rule.enabled = rule['ipaenabledflag'][0] + # Following code attempts to process rule systematically + structure = (('user', 'memberuser', 'user', 'group', ipa_rule.users), + ('host', 'memberhost', 'host', 'hostgroup', ipa_rule.targethosts), + ('sourcehost', 'sourcehost', 'host', 'hostgroup', ipa_rule.srchosts), + ('service', 'memberservice', 'hbacsvc', 'hbacsvcgroup', ipa_rule.services), + ) + for element in structure: + category = '%scategory' % (element[0]) + if category in rule and rule[category][0] == u'all': + # rule applies to all elements + element[4].category = set([pyhbac.HBAC_CATEGORY_ALL]) + else: + # rule is about specific entities + # Check if there are explicitly listed entities + attr_name = '%s_%s' % (element[1], element[2]) + if attr_name in rule: + element[4].names = rule[attr_name] + # Now add groups of entities if they are there + attr_name = '%s_%s' % (element[1], element[3]) + if attr_name in rule: + element[4].groups = rule[attr_name] + return ipa_rule + + +class hbactest(Command): + + has_output = ( + output.summary, + output.Output('result', dict, _('Details of simulation')), + output.Output('value', unicode, _('Result of simulation'), ['no_display']), + ) + + takes_options = ( + Str('user', + cli_name='user', + label=_('User name'), + primary_key=True, + ), + Str('sourcehost', + cli_name='srchost', + label=_('Source host'), + ), + Str('targethost', + cli_name='host', + label=_('Target host'), + ), + Str('service', + cli_name='service', + label=_('Service'), + ), + List('testrules?', + cli_name='rules', + label=_('Rules to test. If not specified, --enabled is assumed'), + ), + Flag('detail?', + cli_name='detail', + label=_('Show which rules are passed, denied, or invalid'), + ), + Flag('enabled?', + cli_name='enabled', + label=_('Include all enabled IPA rules into test [default]'), + ), + Flag('disabled?', + cli_name='disabled', + label=_('Include all disabled IPA rules into test'), + ), + ) + + def execute(self, *args, **options): + # First receive all needed information: + # 1. HBAC rules (whether enabled or disabled) + # 2. Required options are (user, source host, target host, service) + # 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output + rules = [] + hbacset = self.api.Command.hbacrule_find()['result'] + + # Use all enabled IPA rules by default + all_enabled = True + all_disabled = False + + # We need a local copy of test rules in order find incorrect ones + testrules = {} + if 'testrules' in options: + testrules = list(options['testrules']) + # When explicit rules are provided, disable assumptions + all_enabled = False + all_disabled = False + + # Check if --disabled is specified, include all disabled IPA rules + if options['disabled']: + all_disabled = True + all_enabled = False + + # Finally, if enabled is specified implicitly, override above decisions + if options['enabled']: + all_enabled = True + + # We have some rules, import them + # --enabled will import all enabled rules (default) + # --disabled will import all disabled rules + # --rules will implicitly add the rules from a rule list + for rule in hbacset: + ipa_rule = convert_to_ipa_rule(rule) + if ipa_rule.name in testrules: + ipa_rule.enabled = True + rules.append(ipa_rule) + testrules.remove(ipa_rule.name) + elif all_enabled and ipa_rule.enabled: + # Option --enabled forces to include all enabled IPA rules into test + rules.append(ipa_rule) + elif all_disabled and not ipa_rule.enabled: + # Option --disabled forces to include all disabled IPA rules into test + rules.append(ipa_rule) + + # Check if there are unresolved rules left + if len(testrules) > 0: + # Error, unresolved rules are left in --rules + return {'summary' : unicode(_(u'Unresolved rules in --rules')), + 'result' : {'error': testrules}, + 'value' : unicode(False)} + + # Rules are converted to pyhbac format, we can test them + request = pyhbac.HbacRequest() + request.user.name = options['user'] + request.service.name = options['service'] + request.srchost.name = options['sourcehost'] + request.targethost.name = options['targethost'] + + passed_rules = [] + denied_rules = [] + error_rules = [] + if options['detail']: + # Validate runs rules one-by-one and reports failed ones + for ipa_rule in rules: + res = request.evaluate([ipa_rule]) + self.log.info("Evaluated rule %s, result: %d" % (ipa_rule.name, res)) + if res == pyhbac.HBAC_EVAL_ALLOW: + passed_rules.append(ipa_rule.name) + if res == pyhbac.HBAC_EVAL_DENY: + denied_rules.append(ipa_rule.name) + if res == pyhbac.HBAC_EVAL_ERROR: + error_rules.append(ipa_rule.name) + access_granted = len(passed_rules) > 0 + else: + res = request.evaluate(rules) + access_granted = (res == pyhbac.HBAC_EVAL_ALLOW) + + result = {} + + result['summary'] = _(u'Access granted: %s') % (access_granted) + + result['result'] = {} + if len(passed_rules) > 0: + result['result']['passed'] = passed_rules + if len(denied_rules) > 0: + result['result']['denied'] = denied_rules + if len(error_rules) > 0: + result['result']['error'] = error_rules + + result['value'] = unicode(access_granted) + return result + + def output_for_cli(self, textui, output, *args, **options): + """ + Command.output_for_cli() uses --all option to decide whether to print detailed output. + We use --detail to allow that, thus we need to redefine output_for_cli(). + """ + labels = dict((p.name, unicode(p.label)) for p in self.output_params()) #pylint: disable=E1102 + flags = dict((p.name, p.flags) for p in self.output_params()) #pylint: disable=E1102 + + if options.get('detail', False): + print_all = True + else: + print_all = False + + order = [p.name for p in self.output_params()] #pylint: disable=E1102 + for o in self.output: + outp = self.output[o] + if 'no_display' in outp.flags: + continue + result = output[o] + if isinstance(result, dict): + textui.print_entry(result, order, labels, flags, print_all) + elif isinstance(result, unicode): + if o == 'summary': + textui.print_summary(result) + else: + textui.print_indented(result) + return 0 + +api.register(hbactest) + + -- 1.7.6
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel