On 10/25/2011 10:40 AM, Petr Vobornik wrote:
> 1) Some references remained in testing data: hbacrule_find.json,
> hbacrule_show.json. Anyway these don't do any harm.

Fixed.

> 2) Remaining string in internal.py: hbacrule.deny (couldn't find any
> usage).

The hbacrule.allow isn't used either. Fixed ipa_init.json too.

--
Endi S. Dewata
From d15c1a02d6bce6df246688cb0fed9fbc76ccd216 Mon Sep 17 00:00:00 2001
From: Endi S. Dewata <edew...@redhat.com>
Date: Mon, 24 Oct 2011 18:18:10 -0500
Subject: [PATCH] Removed HBAC deny rule warning.

The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444
---
 freeipa.spec.in                         |    7 +--
 install/html/Makefile.am                |    1 -
 install/html/hbac-deny-remove.html      |   83 -------------------------------
 install/ui/hbac.js                      |   44 ----------------
 install/ui/ipa.css                      |    5 --
 install/ui/ipa.js                       |    9 ---
 install/ui/test/bin/update_ipa_init.sh  |   27 +++++++++-
 install/ui/test/data/hbacrule_find.json |   40 +--------------
 install/ui/test/data/hbacrule_show.json |    2 +-
 install/ui/test/data/ipa_init.json      |   11 +----
 install/ui/webui.js                     |    6 --
 ipalib/plugins/internal.py              |    2 -
 12 files changed, 32 insertions(+), 205 deletions(-)
 delete mode 100644 install/html/hbac-deny-remove.html

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 56127037e31a9ed91c9f305f2e80b6f0ccb40189..11729b23a1030c9bf97f991a70e5bbef4f1229fd 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -342,8 +342,6 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/unauthorized.html \
     %{buildroot}%{_usr}/share/ipa/html/unauthorized.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
     %{buildroot}%{_usr}/share/ipa/html/browserconfig.html
-ln -s ../../../..%{_sysconfdir}/ipa/html/hbac-deny-remove.html \
-    %{buildroot}%{_usr}/share/ipa/html/hbac-deny-remove.html
 ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
     %{buildroot}%{_usr}/share/ipa/html/ipa_error.css
 
@@ -501,7 +499,6 @@ fi
 %{_usr}/share/ipa/html/ssbrowser.html
 %{_usr}/share/ipa/html/browserconfig.html
 %{_usr}/share/ipa/html/unauthorized.html
-%{_usr}/share/ipa/html/hbac-deny-remove.html
 %{_usr}/share/ipa/html/ipa_error.css
 %dir %{_usr}/share/ipa/migration
 %{_usr}/share/ipa/migration/error.html
@@ -526,7 +523,6 @@ fi
 %config(noreplace) %{_sysconfdir}/ipa/html/ipa_error.css
 %config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
 %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
-%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
@@ -619,6 +615,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Mon Oct 24 2011 Endi S. Dewata <edew...@redhat.com> - 2.99.0-9
+- Removed hbac-deny-remove.html
+
 * Fri Oct 21 2011 Alexander Bokovoy <aboko...@redhat.com> - 2.99.0-8
 - Default to systemd for Fedora 16 and onwards
 
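Review bot: the new changelog entry declares 2.99.0-9, but the diff stat for freeipa.spec.in (3 insertions, 4 deletions) shows these three changelog lines are the only insertions in the file, so nothing else in the spec moves to -9 in this patch. If the spec's Release field is meant to track the changelog, bump it in the same commit; otherwise the entry and the built package version will disagree.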
diff --git a/install/html/Makefile.am b/install/html/Makefile.am
index c310be6d2351bd8268368f971e93d33ec1e6bf20..46e8683c855bd093cf609b1fbc5e3df2d771e9de 100644
--- a/install/html/Makefile.am
+++ b/install/html/Makefile.am
@@ -5,7 +5,6 @@ app_DATA =                              \
 	ssbrowser.html			\
 	browserconfig.html       	\
 	unauthorized.html       	\
-        hbac-deny-remove.html		\
 	ipa_error.css			\
 	$(NULL)
 
diff --git a/install/html/hbac-deny-remove.html b/install/html/hbac-deny-remove.html
deleted file mode 100644
index 7debfea769503035e1c402dccd082eb1721a80f5..0000000000000000000000000000000000000000
--- a/install/html/hbac-deny-remove.html
+++ /dev/null
@@ -1,83 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-<meta charset="utf-8">
-    <title>IPA: Identity Policy Audit</title>
-
-    <script type="text/javascript" src="../ui/jquery.js"></script>
-
-    <link rel="stylesheet" type="text/css" href="../ui/jquery-ui.css" />
-    <link rel="stylesheet" type="text/css" href="../ui/ipa.css" />
-    <link rel="stylesheet" type="text/css" href="ipa_error.css" />
-
-
-</head>
-
-<body class="info-page">
-
-  <div class="container_1">
-    <div class="header-logo">
-            <img src="../ui/ipalogo.png" /><img src="../ui/ipabanner.png" />
-        </div>
-       <div class="textblockkrb">
-        <h1>Removal of HBAC Deny Rules.</h1>
-        <p>FreeIPA has dropped support for DENY rules from the HBAC
-          specification. </p>
-        <p>The former design of HBAC specifies that<p>
-           <ol>
-             <li> If no ALLOW rules match, access is denied</li>
-             <li> If one or more ALLOW rules match and no DENY rules match,
-               access is  allowed</li>
-             <li>If one or more DENY rules match, access is denied</li>
-           </ol>
-        <p>Thus, DENY rules exist only to provide exceptions from the ALLOW
-          rules. There exists no ALLOW+DENY combination that cannot be
-          constructed from ALLOW rules only.[1]</P>
-
-        <p>DENY rules introduce a lot of edge-cases for evaluation. The most
-          important of which is the availability of the group membership for
-          the user logging in. Depending on the mechanism used to log in (for
-          example, GSSAPI over SSH or cross-realm Kerberos trust where the
-          user is provided by the PAC), SSSD's cache may not have a complete
-          list of groups for this user. If the login is occurring during
-          offline mode (where SSSD cannot contact the LDAP server to refresh
-          the user's groups), SSSD cannot determine whether DENY rules would
-          match for the user. This therefore translates into a potential
-          security issue.</p>
-
-        <p>We implemented a workaround in the SSSD evaluator to resolve this by
-          guaranteeing that we do a full lookup of all groups referenced by
-          rules while we are retrieving the rules from FreeIPA. However, this
-          requires at least one additional lookup against the LDAP server
-          (possibly many if there is need to resolve nestings). This results
-          in a significantly slower login while online.</p>
-
-        <p>We also have issues related to source host evaluation. Some
-          applications will provide an IP address instead of a hostname in the
-          pam_rhost attribute. Our only recourse here is to perform a
-          reverse-DNS lookup to try and identify the real hostname(s) of the
-          server. However, in many real-world environments, reverse DNS is
-          unavailable or misconfigured. In the case of ALLOW rules, this would
-          lead to a match failure and an implicit denial. However, a failure
-          to properly match a DENY rule can result in unexpected access being
-          granted. This is a potentially serious security issue.</p>
-
-        <p>Given these edge cases (and performance issues of the noted
-          workaround),  The FreeIPA team decided to drop DENY rules from the
-          HBAC specification and   limit HBAC only to ALLOW rules (which are
-          much safer). Beyond the obvious advantages for our implementation,
-          this should make it less complex for users to write their rules.</p>
-
-        <p>[1] Some rules are complex to simulate, such as "Allow access from
-          all PAM services EXCEPT telnet". But a safer and clearer
-          implementation approach does all access via whitelist. If a FreeIPA
-          implementation  is using an exception rule, the administrators
-          should re-evaluate the justification.
-        </p>
-        </div>
-
-   </div>
-
-</body>
-
-</html>
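Review bot: deleting this page also deletes the only written rationale for dropping DENY rules, namely that an incomplete SSSD group-membership cache (offline mode, PAC-provided users) or a failed reverse-DNS lookup for pam_rhost can leave a DENY rule unmatched and grant access, whereas an unmatched ALLOW rule fails closed. The commit message only says the warning is no longer necessary; consider moving that explanation into the documentation or attaching it to Ticket #1444 so administrators migrating old deny rules to allow-only rules can still find it.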
diff --git a/install/ui/hbac.js b/install/ui/hbac.js
index fb57dd1582c70aaf3c18eaee087751b1dd4c3b49..e05e43f6b06651c4fe390526dba2262e1f088922 100644
--- a/install/ui/hbac.js
+++ b/install/ui/hbac.js
@@ -554,47 +554,3 @@ IPA.hbacrule_details_facet = function(spec) {
 
     return that;
 };
-
-
-IPA.hbac_deny_warning_dialog = function(container) {
-    var dialog = IPA.dialog({
-        'title': 'HBAC Deny Rules found'
-    });
-
-    var link_path = "config";
-    if (IPA.use_static_files){
-        link_path = "html";
-    }
-
-    dialog.create = function() {
-        dialog.container.append(
-            "HBAC rules with type deny have been found."+
-                "  These rules have been deprecated." +
-                "  Please remove them, and restructure the HBAC rules." );
-        $('<p/>').append($('<a/>',{
-            text: 'Click here for more information',
-            href: '../' +link_path +'/hbac-deny-remove.html',
-            target: "_blank",
-            style: 'target: tab; color: blue; '
-        })).appendTo(dialog.container);
-    };
-
-    dialog.create_button({
-        name: 'edit',
-        label: 'Edit HBAC Rules',
-        click: function() {
-            dialog.close();
-            IPA.nav.show_page('hbacrule', 'search');
-        }
-    });
-
-    dialog.create_button({
-        name: 'ignore',
-        label: 'Ignore for now',
-        click: function() {
-            dialog.close();
-        }
-    });
-
-    dialog.open();
-};
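Review bot: this removes the only definition of IPA.hbac_deny_warning_dialog, so every caller must go in the same patch. The stat shows webui.js is the only other UI script touched and its call site is removed below, which is consistent; a quick grep for hbac_deny_warning_dialog and hbac-deny-remove across install/ui before merging would confirm nothing outside the touched files still references them.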
diff --git a/install/ui/ipa.css b/install/ui/ipa.css
index 0652b375aec447166c34920ff190679a366886f6..86d3b9db52cb40433d1004ff8040bddfeb4b059f 100644
--- a/install/ui/ipa.css
+++ b/install/ui/ipa.css
@@ -696,11 +696,6 @@ span.main-nav-off > a:visited {
     padding-left: 0.5em;
 }
 
-.hbac-deny-rule {
-    color: red;
-}
-
-
 .search-table tfoot td {
     padding: 0.5em 0 0 1em;
     border-top: 1px solid #dfdfdf;
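Review bot: dropping the .hbac-deny-rule class is only clean if nothing still assigns it. The hbac.js change in this patch is exactly the 44-line dialog removal shown in its hunk, so any code that adds class 'hbac-deny-rule' to a search row (if it exists) is untouched and would keep a dead class reference; grep for the class name in hbac.js and the search facet code before merging.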
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index 381f128c2b2f441669c2f660ccce882ab2ce288c..15088f61abb275d69514bef1814b5e6e3df9b889 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -169,15 +169,6 @@ var IPA = ( function () {
             }
         }));
 
-        batch.add_command(IPA.command({
-            entity: 'hbacrule',
-            method: 'find',
-            options:{"accessruletype":"deny"},
-            on_success: function(data, text_status, xhr) {
-                that.hbac_deny_rules = data;
-            }
-        }));
-
         batch.execute();
     };
 
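Review bot: with this command gone, that.hbac_deny_rules is never populated, and the consumer in webui.js is removed in this same patch, so the field is fully retired rather than left as an undefined read. The init batch now carries one command fewer, which is why the captured ipa_init.json fixture's count drops from 5 to 4 further down.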
diff --git a/install/ui/test/bin/update_ipa_init.sh b/install/ui/test/bin/update_ipa_init.sh
index 2fc9c217075f5cd7fcd8fa07b031a0d6861a5ad4..26cbc9679f6cef6b17adc4003b9f98a9197cfec9 100755
--- a/install/ui/test/bin/update_ipa_init.sh
+++ b/install/ui/test/bin/update_ipa_init.sh
@@ -15,7 +15,30 @@ then
         exit 1
 fi
 
-
+json="{
+    \"method\": \"batch\",
+    \"params\": [
+        [
+            {
+                \"method\": \"i18n_messages\",
+                \"params\": [[], {}]
+            },
+            {
+                \"method\": \"user_find\",
+                \"params\":[[], { \"whoami\": true, \"all\": true }]
+            },
+            {
+                \"method\": \"env\",
+                \"params\": [[], {}]
+            },
+            {
+                \"method\": \"dns_is_enabled\",
+                \"params\": [[], {}]
+            }
+        ],
+        {}
+    ]
+}"
 
 curl -v\
  -H "Content-Type: application/json"\
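Review bot: style point on the new json variable: every double quote inside it has to be backslash-escaped, which makes the payload hard to read and easy to break on the next edit. A quoted heredoc (json=$(cat <<'EOF' ... EOF)) would let the JSON appear verbatim; the "$json" expansion passed to curl below stays the same.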
@@ -24,6 +47,6 @@ curl -v\
  --delegation always\
  -u :\
  --cacert /etc/ipa/ca.crt\
- -d '{"method":"batch","params":[[{"method":"json_metadata","params":[[],{}]},{"method":"i18n_messages","params":[[],{}]},{"method":"user_find","params":[[],{"whoami":true,"all":true}]},{"method":"env","params":[[],{}]},{"method":"dns_is_enabled","params":[[],{}]},{"method":"hbacrule_find","params":[[],{"accessruletype":"deny"}]}],{}]}'\
+ -d "$json"\
  -X POST\
  https://`hostname`/ipa/json | sed 's/[ \t]*$//' >   $INIT_FILE
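Review bot: besides dropping hbacrule_find, the replacement payload also drops the json_metadata call that the old inline -d string requested, and the commit message does not mention it. The fixture count going from 5 to 4 matches the four methods in the new payload, so the old script was already out of step with the stored data, but please say in the commit message that json_metadata is intentionally removed (or keep it if the fixture is expected to carry it).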
diff --git a/install/ui/test/data/hbacrule_find.json b/install/ui/test/data/hbacrule_find.json
index 3801a7d448c4990f7218a32ccc817479b91898d7..1775119c834b17b343736e6beafd739149b5be23 100644
--- a/install/ui/test/data/hbacrule_find.json
+++ b/install/ui/test/data/hbacrule_find.json
@@ -2,7 +2,7 @@
     "error": null,
     "id": null,
     "result": {
-        "count": 4,
+        "count": 1,
         "result": [
             {
                 "accessruletype": [
@@ -30,45 +30,9 @@
                 "usercategory": [
                     "all"
                 ]
-            },
-            {
-                "accessruletype": [
-                    "deny"
-                ],
-                "cn": [
-                    "deny1"
-                ],
-                "dn": "ipauniqueid=8af3e23c-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
-                "ipaenabledflag": [
-                    "TRUE"
-                ]
-            },
-            {
-                "accessruletype": [
-                    "deny"
-                ],
-                "cn": [
-                    "deny2"
-                ],
-                "dn": "ipauniqueid=8f05d042-a7e2-11e0-b394-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
-                "ipaenabledflag": [
-                    "TRUE"
-                ]
-            },
-            {
-                "accessruletype": [
-                    "deny"
-                ],
-                "cn": [
-                    "deny3"
-                ],
-                "dn": "ipauniqueid=92dcf9fc-a7e2-11e0-8dac-525400b55a47,cn=hbac,dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com",
-                "ipaenabledflag": [
-                    "TRUE"
-                ]
             }
         ],
-        "summary": "4 HBAC rules matched",
+        "summary": "1 HBAC rule matched",
         "truncated": false
     }
 }
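Review bot: the three removed entries carried DNs from a developer's lab domain (dc=server15,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com); the one remaining entry is not shown in full, so check whether its dn carries the same suffix and scrub it if so. Since this file mirrors real server output, regenerating it instead of hand-editing would also keep count, summary and entries consistent.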
diff --git a/install/ui/test/data/hbacrule_show.json b/install/ui/test/data/hbacrule_show.json
index 2c0b64b39cb213eae6587ee6191f91bb84883b72..293ed0031ff8755211cfc824ce04814c012e13f3 100644
--- a/install/ui/test/data/hbacrule_show.json
+++ b/install/ui/test/data/hbacrule_show.json
@@ -4,7 +4,7 @@
     "result": {
         "result": {
             "accessruletype": [
-                "deny"
+                "allow"
             ],
             "accesstime": [
                 "periodic daily 0800-1400",
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 78b18ee118e563d4b118028ba36c41d7d8593a39..dfd1fa68a2a4a65eef53ee2e265dac27ccc5589b 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -2,7 +2,7 @@
     "error": null,
     "id": null,
     "result": {
-        "count": 5,
+        "count": 4,
         "results": [
             {
                 "error": null,
@@ -204,11 +204,9 @@
                         },
                         "hbacrule": {
                             "active": "Active",
-                            "allow": "Allow",
                             "any_host": "Any Host",
                             "any_service": "Any Service",
                             "anyone": "Anyone",
-                            "deny": "Deny",
                             "host": "Accessing",
                             "inactive": "Inactive",
                             "ipaenabledflag": "Rule status",
@@ -533,13 +531,6 @@
                 "result": true,
                 "summary": null,
                 "value": ""
-            },
-            {
-                "count": 0,
-                "error": null,
-                "result": [],
-                "summary": "0 HBAC rules matched",
-                "truncated": false
             }
         ]
     }
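Review bot: this fixture is the captured output of update_ipa_init.sh, yet the patch hand-edits it (count 5 to 4, the allow/deny labels, the trailing hbacrule_find result) while changing the script in the same commit. Regenerating the file from the updated script would guarantee it matches what internal.py now returns and would surface any drift, such as the json_metadata entry the script no longer requests.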
diff --git a/install/ui/webui.js b/install/ui/webui.js
index 189cddda1bc21ca01583802301fbfddcbb846e51..daa22b22a5fb42edc7cc624715b14a911361cd07 100644
--- a/install/ui/webui.js
+++ b/install/ui/webui.js
@@ -167,12 +167,6 @@ $(function() {
         IPA.nav.update();
 
         $('#login_header').html(IPA.messages.login.header);
-
-        if (IPA.hbac_deny_rules  && IPA.hbac_deny_rules.count > 0){
-            if (IPA.nav.name === 'admin'){
-                IPA.hbac_deny_warning_dialog();
-            }
-        }
     }
 
 
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index bf2417638adc3565dbef26da10c91f81141c5673..e613bc4441b68a2e3c78b048bd1dfa0306f3b6b9 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
@@ -296,11 +296,9 @@ class i18n_messages(Command):
             },
             "hbacrule": {
                 "active": _("Active"),
-                "allow": _("Allow"),
                 "any_host": _("Any Host"),
                 "any_service": _("Any Service"),
                 "anyone": _("Anyone"),
-                "deny": _("Deny"),
                 "host": _("Accessing"),
                 "inactive": _("Inactive"),
                 "ipaenabledflag": _("Rule status"),
-- 
1.7.5.1

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
