On 07/10/2015 01:10 PM, Petr Vobornik wrote:
On 07/10/2015 12:43 PM, Alexander Bokovoy wrote:
On Fri, 10 Jul 2015, Stanislav Laznicka wrote:
Hi,

Long time no post from me, time to make it up to you.
Welcome back!

I have been working on the implementation of the design of time
policies for HBAC rules on FreeIPA and SSSD sides. Attached is the
current state of the FreeIPA solution. My comments and notes to the
solution follow.

The FreeIPA side backend base for time policies in HBAC seems working
to me but still needs formal testing. Also, there is no conversion
from the iCal format as previously requested and I personally would
postpone this feature until the time policies functionality is rock
solid.

There were some uncertainties in the design as well. I ran into 2 of
these but more may come.

The first thing is how to deal with weeks in a month. There are two
possibilities. A week in month (as specified by the weekofmonth
keyword in the time policies) may be understood as a period of time
between two Sundays, so when a month starts on, say, Friday the 1st,
weekofmonth=1 would specify days Friday, Saturday, Sunday and anything
from that Sunday on would be a weekofmonth=2 and on. However, I think
a week in a month may also be considered a period of time that equals
7 days of a month. In the previous example, a weekofmonth=1 would
therefore also apply to the following days up until Friday the 8th,
excluding this last day. Although I implemented the first case in the
SSSD, I actually started thinking the second case scenario might be
the right or "better" one.
One thing you need to realize is that there is no universal 'week starts on
Sunday'.
There are different ways of starting a week, some countries do it on
Sunday, some -- on Saturday, some -- on Monday. This means you need to
make it possible to pull in a locale definition if you really want this
functionality and then it also becomes quite fuzzy as there are legal
definitions of what a week is (as well as a month and a work day).


Yes, it could be more complicated, e.g. see Week Of Month in Java:
"""
week-of-month: The calculation ensures that weeks never overlap a month boundary. The month is divided into periods where each period starts on the defined first day-of-week. The earliest period is referred to as week 0 if it has less than the minimal number of days and week 1 if it has at least the minimal number of days.


public int getMinimalDaysInFirstWeek():

Gets the minimal number of days in the first week.

The number of days considered to define the first week of a month or year varies by culture. For example, the ISO-8601 requires 4 days (more than half a week) to be present before counting the first week.
"""
https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html

That is a pretty good example of what a week is, thanks.

I don't think I would want the functionality of having weeks begin with different weekdays according to locale. I would rather stick to the ISO 8601 as described in the link Petr sent. I was rather wondering whether weekofmonth should mean the x-th appearance of a day in a month or an appearance of this day in x-th week of the month. However, the definition above is quite strong and I think I could live with a week starting only on Monday and having 0-th weeks in month.

The other thing is which years should be allowed to be the input of
the "year" keyword. Currently, I set the range for these values to
1970-2038 according to the Unix timestamp. I'm not sure if anyone
would want to set it less than 1970, setting it for a higher value
than 2038 might probably make sense in some very special cases,
although I really can't think of one.
You certainly can set it more than 2038 (time doesn't stop there). What
you are limited with is Kerberos 32-bit time stamp, not HBAC policy time
definition. I would say we better set to 64-bit ourselves and handle
irregularities in SSSD.


Yes, we should talk.

Some comments from looking at patch 0004:
1. list of time zones should be moved to a module property so that it can be reused elsewhere if needed. Another possibility is to get this list from backend, e.g. on Web UI load or something.

2. please don't do any changes to patternfly.js. It's updated only when bundled PatternFly is updated. Long term goal is to get it out of FreeIPA git.

All IPA css changes should be done in install/ui/less/*less files - as you did in widgets.less. From these .less files an install/ui/css/ipa.css file is created. Note that there is also install/ui/ipa.css which contains most of the ipa specific styles. It's planned to move these styles to .less files as well.
I put those 2 last commits together, the only difference there was that once the styles were set correctly (0005) and incorrectly in the previous patch (0004). Attaching the last commit, also hopefully with correct formatting as pointed out by Martin Basti. I should add the list of time zones to a module property in later commits.
From 48ff5bca197fb4989f7423b1e78aa688612435d3 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Fri, 10 Jul 2015 14:23:03 +0200
Subject: [PATCH 4/4] Created basic UI for setting time policies at HBAC rules

https://fedorahosted.org/freeipa/ticket/547
https://fedorahosted.org/freeipa/ticket/548
---
 install/ui/less/widgets.less   |   7 +-
 install/ui/src/freeipa/hbac.js | 182 ++++++++++++++++++++++++++++++++++++++++-
 install/ui/src/freeipa/rule.js |  85 ++++++++++++++++++-
 3 files changed, 270 insertions(+), 4 deletions(-)

diff --git a/install/ui/less/widgets.less b/install/ui/less/widgets.less
index 99b22068d7b721d93e7b6901e262ad11781ffae7..be3ef16e0ffc1dde100d1f6375023ed12555f378 100644
--- a/install/ui/less/widgets.less
+++ b/install/ui/less/widgets.less
@@ -143,5 +143,10 @@
     }
 }
 
+.tz-select {
+    width:220px;
+    margin-bottom:2px
+}
+
 // workaround for https://bugzilla.mozilla.org/show_bug.cgi?id=409254
-tbody:empty { display: none; }
\ No newline at end of file
+tbody:empty { display: none; }
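Review bot: The new .tz-select rule leaves margin-bottom:2px without a terminating semicolon and writes both declarations without a space after the colon, unlike the "display: none;" context line in the same file. Suggest "width: 220px;" and "margin-bottom: 2px;" so that a declaration appended later cannot silently merge into this one. A fixed 220px width may also clip the longer zone names such as America/Indiana/Indianapolis, which is worth checking in the rendered select.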
diff --git a/install/ui/src/freeipa/hbac.js b/install/ui/src/freeipa/hbac.js
index 6161942b93fce654830330fdbdf6853ce9e428ff..e670705d8680f64dbd94295e213f53e0bf982b0b 100644
--- a/install/ui/src/freeipa/hbac.js
+++ b/install/ui/src/freeipa/hbac.js
@@ -472,6 +472,186 @@ var add_hbacrule_details_facet_widgets = function (spec) {
             ]
         }
     );
+
+    //
+    // AccessTime
+    //
+
+    spec.fields.push(
+        {
+            $type: 'select',
+            name: 'timezone',
+            widget: 'time_policies.timezone'
+        },
+        {
+            $type: 'time_rules_table',
+            name: 'accesstime',
+            widget: 'time_policies.accesstime',
+            priority: IPA.hbac.remove_method_priority
+        },
+        {
+            $type: 'time_rules_table',
+            name: 'accesstimeexclude',
+            widget: 'time_policies.accesstimeexclude',
+            priority: IPA.hbac.remove_method_priority
+        }
+    );
+
+    spec.widgets.push(
+        {
+            $factory: IPA.section,
+            name: 'time_policies',
+            label: 'When', // TODO: add text to i18n
+            widgets: [
+                    {
+                        $type: 'select',
+                        name: 'timezone',
+                        css_class: 'tz-select',
+                        options: IPA.create_options([
+                            '', 'UTC', 'Host', 'Africa/Abidjan', 'Africa/Accra', 'Africa/Addis_Ababa',
+                            'Africa/Algiers', 'Africa/Asmera', 'Africa/Bamako', 'Africa/Bangui',
+                            'Africa/Banjul', 'Africa/Bissau', 'Africa/Blantyre', 'Africa/Brazzaville',
+                            'Africa/Bujumbura', 'Africa/Cairo', 'Africa/Casablanca', 'Africa/Ceuta',
+                            'Africa/Conakry', 'Africa/Dakar', 'Africa/Dar_es_Salaam', 'Africa/Djibouti',
+                            'Africa/Douala', 'Africa/El_Aaiun', 'Africa/Freetown', 'Africa/Gaborone',
+                            'Africa/Harare', 'Africa/Johannesburg', 'Africa/Kampala', 'Africa/Khartoum',
+                            'Africa/Kigali', 'Africa/Kinshasa', 'Africa/Lagos', 'Africa/Libreville',
+                            'Africa/Lome', 'Africa/Luanda', 'Africa/Lubumbashi', 'Africa/Lusaka',
+                            'Africa/Malabo', 'Africa/Maputo', 'Africa/Maseru', 'Africa/Mbabane',
+                            'Africa/Mogadishu', 'Africa/Monrovia', 'Africa/Nairobi', 'Africa/Ndjamena',
+                            'Africa/Niamey', 'Africa/Nouakchott', 'Africa/Ouagadougou', 'Africa/Porto-Novo',
+                            'Africa/Sao_Tome', 'Africa/Timbuktu', 'Africa/Tripoli', 'Africa/Tunis', 'Africa/Windhoek',
+                            'America/Adak', 'America/Anchorage', 'America/Anguilla', 'America/Antigua',
+                            'America/Araguaina', 'America/Aruba', 'America/Asuncion', 'America/Barbados',
+                            'America/Belem', 'America/Belize', 'America/Boa_Vista', 'America/Bogota',
+                            'America/Boise', 'America/Buenos_Aires', 'America/Cambridge_Bay', 'America/Cancun',
+                            'America/Caracas', 'America/Catamarca', 'America/Cayenne', 'America/Cayman',
+                            'America/Chicago', 'America/Chihuahua', 'America/Cordoba', 'America/Costa_Rica',
+                            'America/Cuiaba', 'America/Curacao', 'America/Danmarkshavn', 'America/Dawson',
+                            'America/Dawson_Creek', 'America/Denver', 'America/Detroit', 'America/Dominica',
+                            'America/Edmonton', 'America/Eirunepe', 'America/El_Salvador', 'America/Fortaleza',
+                            'America/Glace_Bay', 'America/Godthab', 'America/Goose_Bay', 'America/Grand_Turk',
+                            'America/Grenada', 'America/Guadeloupe', 'America/Guatemala', 'America/Guayaquil',
+                            'America/Guyana', 'America/Halifax', 'America/Havana', 'America/Hermosillo',
+                            'America/Indiana/Indianapolis', 'America/Indiana/Knox', 'America/Indiana/Marengo',
+                            'America/Indiana/Vevay', 'America/Indianapolis', 'America/Inuvik', 'America/Iqaluit',
+                            'America/Jamaica', 'America/Jujuy', 'America/Juneau', 'America/Kentucky/Louisville',
+                            'America/Kentucky/Monticello', 'America/La_Paz', 'America/Lima', 'America/Los_Angeles',
+                            'America/Louisville', 'America/Maceio', 'America/Managua', 'America/Manaus',
+                            'America/Martinique', 'America/Mazatlan', 'America/Mendoza', 'America/Menominee',
+                            'America/Merida', 'America/Mexico_City', 'America/Miquelon', 'America/Monterrey',
+                            'America/Montevideo', 'America/Montreal', 'America/Montserrat', 'America/Nassau',
+                            'America/New_York', 'America/Nipigon', 'America/Nome', 'America/Noronha',
+                            'America/North_Dakota/Center', 'America/Panama', 'America/Pangnirtung',
+                            'America/Paramaribo', 'America/Phoenix', 'America/Port-au-Prince',
+                            'America/Port_of_Spain', 'America/Porto_Velho', 'America/Puerto_Rico',
+                            'America/Rainy_River', 'America/Rankin_Inlet', 'America/Recife',
+                            'America/Regina', 'America/Rio_Branco', 'America/Rosario', 'America/Santiago',
+                            'America/Santo_Domingo', 'America/Sao_Paulo', 'America/Scoresbysund',
+                            'America/Shiprock', 'America/St_Johns', 'America/St_Kitts', 'America/St_Lucia',
+                            'America/St_Thomas', 'America/St_Vincent', 'America/Swift_Current', 'America/Tegucigalpa',
+                            'America/Thule', 'America/Thunder_Bay', 'America/Tijuana', 'America/Tortola',
+                            'America/Vancouver', 'America/Whitehorse', 'America/Winnipeg', 'America/Yakutat',
+                            'America/Yellowknife', 'Antarctica/Casey', 'Antarctica/Davis', 'Antarctica/DumontDUrville',
+                            'Antarctica/Mawson', 'Antarctica/McMurdo', 'Antarctica/Palmer', 'Antarctica/South_Pole',
+                            'Antarctica/Syowa', 'Antarctica/Vostok', 'Arctic/Longyearbyen', 'Asia/Aden',
+                            'Asia/Almaty', 'Asia/Amman', 'Asia/Anadyr', 'Asia/Aqtau', 'Asia/Aqtobe',
+                            'Asia/Ashgabat', 'Asia/Baghdad', 'Asia/Bahrain', 'Asia/Baku', 'Asia/Bangkok',
+                            'Asia/Beirut', 'Asia/Bishkek', 'Asia/Brunei', 'Asia/Calcutta', 'Asia/Choibalsan',
+                            'Asia/Chongqing', 'Asia/Colombo', 'Asia/Damascus', 'Asia/Dhaka', 'Asia/Dili',
+                            'Asia/Dubai', 'Asia/Dushanbe', 'Asia/Gaza', 'Asia/Harbin', 'Asia/Hong_Kong',
+                            'Asia/Hovd', 'Asia/Irkutsk', 'Asia/Istanbul', 'Asia/Jakarta', 'Asia/Jayapura',
+                            'Asia/Jerusalem', 'Asia/Kabul', 'Asia/Kamchatka', 'Asia/Karachi', 'Asia/Kashgar',
+                            'Asia/Katmandu', 'Asia/Krasnoyarsk', 'Asia/Kuala_Lumpur', 'Asia/Kuching',
+                            'Asia/Kuwait', 'Asia/Macao', 'Asia/Macau', 'Asia/Magadan', 'Asia/Makassar',
+                            'Asia/Manila', 'Asia/Muscat', 'Asia/Nicosia', 'Asia/Novosibirsk', 'Asia/Omsk',
+                            'Asia/Oral', 'Asia/Phnom_Penh', 'Asia/Pontianak', 'Asia/Pyongyang', 'Asia/Qyzylorda',
+                            'Asia/Qatar', 'Asia/Rangoon', 'Asia/Riyadh', 'Asia/Saigon', 'Asia/Sakhalin',
+                            'Asia/Samarkand', 'Asia/Seoul', 'Asia/Shanghai', 'Asia/Singapore', 'Asia/Taipei',
+                            'Asia/Tashkent', 'Asia/Tbilisi', 'Asia/Tehran', 'Asia/Thimphu', 'Asia/Tokyo',
+                            'Asia/Ujung_Pandang', 'Asia/Ulaanbaatar', 'Asia/Urumqi', 'Asia/Vientiane',
+                            'Asia/Vladivostok', 'Asia/Yakutsk', 'Asia/Yekaterinburg', 'Asia/Yerevan',
+                            'Atlantic/Azores', 'Atlantic/Bermuda', 'Atlantic/Canary', 'Atlantic/Cape_Verde',
+                            'Atlantic/Faeroe', 'Atlantic/Jan_Mayen', 'Atlantic/Madeira', 'Atlantic/Reykjavik',
+                            'Atlantic/South_Georgia', 'Atlantic/St_Helena', 'Atlantic/Stanley', 'Australia/Adelaide',
+                            'Australia/Brisbane', 'Australia/Broken_Hill', 'Australia/Darwin', 'Australia/Hobart',
+                            'Australia/Lindeman', 'Australia/Lord_Howe', 'Australia/Melbourne', 'Australia/Perth',
+                            'Australia/Sydney', 'Europe/Amsterdam', 'Europe/Andorra', 'Europe/Athens',
+                            'Europe/Belfast', 'Europe/Belgrade', 'Europe/Berlin', 'Europe/Bratislava',
+                            'Europe/Brussels', 'Europe/Bucharest', 'Europe/Budapest', 'Europe/Chisinau',
+                            'Europe/Copenhagen', 'Europe/Dublin', 'Europe/Gibraltar', 'Europe/Helsinki',
+                            'Europe/Istanbul', 'Europe/Kaliningrad', 'Europe/Kiev', 'Europe/Lisbon',
+                            'Europe/Ljubljana', 'Europe/London', 'Europe/Luxembourg', 'Europe/Madrid',
+                            'Europe/Malta', 'Europe/Minsk', 'Europe/Monaco', 'Europe/Moscow', 'Europe/Nicosia',
+                            'Europe/Oslo', 'Europe/Paris', 'Europe/Prague', 'Europe/Riga', 'Europe/Rome',
+                            'Europe/Samara', 'Europe/San_Marino', 'Europe/Sarajevo', 'Europe/Simferopol',
+                            'Europe/Skopje', 'Europe/Sofia', 'Europe/Stockholm', 'Europe/Tallinn',
+                            'Europe/Tirane', 'Europe/Uzhgorod', 'Europe/Vaduz', 'Europe/Vatican',
+                            'Europe/Vienna', 'Europe/Vilnius', 'Europe/Warsaw', 'Europe/Zagreb',
+                            'Europe/Zaporozhye', 'Europe/Zurich', 'Indian/Antananarivo', 'Indian/Chagos',
+                            'Indian/Christmas', 'Indian/Cocos', 'Indian/Comoro', 'Indian/Kerguelen', 'Indian/Mahe',
+                            'Indian/Maldives', 'Indian/Mauritius', 'Indian/Mayotte', 'Indian/Reunion',
+                            'Pacific/Apia', 'Pacific/Auckland', 'Pacific/Chatham', 'Pacific/Easter',
+                            'Pacific/Efate', 'Pacific/Enderbury', 'Pacific/Fakaofo', 'Pacific/Fiji',
+                            'Pacific/Funafuti', 'Pacific/Galapagos', 'Pacific/Gambier', 'Pacific/Guadalcanal',
+                            'Pacific/Guam', 'Pacific/Honolulu', 'Pacific/Johnston', 'Pacific/Kiritimati',
+                            'Pacific/Kosrae', 'Pacific/Kwajalein', 'Pacific/Majuro', 'Pacific/Marquesas',
+                            'Pacific/Midway', 'Pacific/Nauru', 'Pacific/Niue', 'Pacific/Norfolk',
+                            'Pacific/Noumea', 'Pacific/Pago_Pago', 'Pacific/Palau', 'Pacific/Pitcairn',
+                            'Pacific/Ponape', 'Pacific/Port_Moresby', 'Pacific/Rarotonga', 'Pacific/Saipan',
+                            'Pacific/Tahiti', 'Pacific/Tarawa', 'Pacific/Tongatapu', 'Pacific/Truk',
+                            'Pacific/Wake', 'Pacific/Wallis', 'Pacific/Yap'
+                        ])
+                    },
+
+                    {
+                        $type: 'time_rules_table',
+                        name: 'accesstime',
+                        columns: [
+                            {
+                            name: 'time',
+                            label: 'Access Time'
+                        }],
+                        add_command: 'add_accesstime',
+                        remove_command: 'remove_accesstime',
+                        add_title: '@i18n:association.add.member',
+                        remove_title: '@i18n:association.remove.member',
+                        adder_dialog: {
+                            title: 'Add access time',
+                            fields: [
+                                {
+                                    name: 'accesstime',
+                                    title: 'Access Time',
+                                }
+                            ]
+                        }
+                    },
+
+                    {
+                        $type: 'time_rules_table',
+                        name: 'accesstimeexclude',
+                        columns: [
+                            {
+                            name: 'time',
+                            label: 'Access Time Exception'
+                        }],
+                        add_command: 'add_exclude_accesstime',
+                        remove_command: 'remove_exclude_accesstime',
+                        add_title: '@i18n:association.add.member',
+                        remove_title: '@i18n:association.remove.member',
+                        adder_dialog: {
+                            title: 'Add access time exception',
+                            fields: [
+                                {
+                                    name: 'accesstimeexclude',
+                                    title: 'Access Time Exception',
+                                }
+                            ]
+                        }
+                    }
+            ]
+        }
+    );
 };
 
 IPA.hbacrule_details_facet = function(spec) {
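Review bot: The zone names passed inline to IPA.create_options([...]) for the timezone select are a hand-maintained copy that will drift from the tz database, and the list already carries alias pairs such as 'Asia/Macao' / 'Asia/Macau' and 'America/Indianapolis' / 'America/Indiana/Indianapolis'. Move the list to a module property or fetch it from the backend, and add a comment saying what the '' and 'Host' entries mean for rule evaluation. Separately, label: 'When', the column labels and the adder dialog titles are hard-coded English while add_title and remove_title use @i18n: keys (only the first carries a TODO), and the "title: 'Access Time'," and "title: 'Access Time Exception'," lines leave a trailing comma before the closing brace.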
@@ -503,4 +683,4 @@ exp.register = function() {
 phases.on('registration', exp.register);
 
 return exp;
-});
\ No newline at end of file
+});
diff --git a/install/ui/src/freeipa/rule.js b/install/ui/src/freeipa/rule.js
index 706827190261efda136f6d1489bdb13543c00f7a..c5709a37a9d777644d3b753626b73333b5ecc47e 100644
--- a/install/ui/src/freeipa/rule.js
+++ b/install/ui/src/freeipa/rule.js
@@ -19,6 +19,8 @@
  */
 
 define([
+    'dojo/_base/declare',
+    './field',
     './ipa',
     './jquery',
     './phases',
@@ -28,7 +30,7 @@ define([
     './search',
     './association',
     './entity'],
-        function(IPA, $, phases, reg, rpc) {
+        function(declare, field_mod, IPA, $, phases, reg, rpc) {
 
 IPA.rule_details_widget = function(spec) {
 
@@ -265,13 +267,92 @@ IPA.rule_association_adder_dialog = function(spec) {
     return that;
 };
 
+IPA.time_rules_field = function(spec) {
+
+    spec = spec || {};
+    spec.adapter = spec.adapter || IPA.time_rules_adapter;
+    var that = IPA.field(spec);
+    return that;
+};
+
+IPA.time_rules_adapter = declare([field_mod.Adapter], {
+
+    load: function(data) {
+        var accesstimes = this.inherited(arguments);
+        var values = [];
+        if (accesstimes) {
+            for (var i=0, j=0; i<accesstimes.length; i++) {
+                if (accesstimes[i] === '') continue;
+                values.push({time: accesstimes[i]});
+            }
+        }
+
+        return values;
+    }
+});
+
+IPA.time_rules_table = function(spec) {
+
+    spec = spec || {};
+    spec.footer = spec.footer === undefined ? false : spec.footer;
+
+    spec.value_attribute = 'time';
+
+    var that = IPA.attribute_table_widget(spec);
+
+    that.on_add = function(data) {
+        that.refresh_facet();
+    };
+
+    that.on_remove = function(data) {
+
+        var results = data.result.results;
+
+        var i = results.length - 1;
+        while (i >= 0) {
+            if (results[i].completed === 1){
+                that.reload_facet({ result: results[i] });
+                return;
+            }
+            i--;
+        }
+
+        that.refresh_facet();
+    };
+
+    that.create_remove_command = function(values, on_success, on_error) {
+
+        var batch = rpc.batch_command({
+            name: 'hbacrule_remove_accesstime',
+            on_success: on_success,
+            on_error: on_error
+        });
+
+        var pkeys = that.get_pkeys();
+
+        for (var i=0; i<values.length; i++) {
+
+            var command = that.attribute_table_create_remove_command([]);
+            command.set_option(spec.name, values[i]);
+
+            batch.add_command(command);
+        }
+
+        return batch;
+    };
+
+    return that;
+};
+
 phases.on('registration', function() {
     var w = reg.widget;
     var f = reg.field;
 
     w.register('rule_association_table', IPA.rule_association_table_widget);
     f.register('rule_association_table', IPA.rule_association_table_field);
+    w.register('time_rules_table', IPA.time_rules_table);
+    f.register('time_rules_table', IPA.time_rules_field);
 });
 
 return {};
-});
\ No newline at end of file
+});
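Review bot: create_remove_command hard-codes the batch name 'hbacrule_remove_accesstime', although the widget sits in the generic rule.js and hbac.js instantiates it twice, the second time with remove_command: 'remove_exclude_accesstime'; build the name from the spec instead, or drop it if nothing reads it. In the same function "var pkeys = that.get_pkeys();" is never used, and in time_rules_adapter.load the "j=0" in the for initializer is unused; both can go. on_remove dereferences data.result.results without a guard, so a batch response that lacks results would throw before refresh_facet() is reached.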
-- 
2.4.3
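
The readings of `weekofmonth` debated in this thread, computed side by side as an added example (not code from the patch, FreeIPA or SSSD). All function names are assumptions; the calendar-week calculation is generalised along the lines of the WeekFields text quoted above, with first day of week and minimal days as parameters.

```javascript
// Added example: compares the readings of "weekofmonth" raised in this thread.
// Function names are hypothetical; this is not FreeIPA, SSSD or patch code.

// Weekday numbers follow Date.prototype.getUTCDay(): 0 = Sunday ... 6 = Saturday.
const SUNDAY = 0;
const MONDAY = 1;

// Calendar-week reading, generalised the way the quoted WeekFields text
// describes: periods start on firstDayOfWeek, and the leading partial period
// is week 1 only if it holds at least minimalDays days, otherwise week 0.
function weekOfMonth(year, month, day, firstDayOfWeek, minimalDays) {
    const weekdayOfFirst = new Date(Date.UTC(year, month - 1, 1)).getUTCDay();
    // Days of the previous month that share the first period with day 1.
    const offset = (weekdayOfFirst - firstDayOfWeek + 7) % 7;
    const daysInFirstPeriod = 7 - offset;
    const period = Math.floor((day - 1 + offset) / 7);
    return daysInFirstPeriod >= minimalDays ? period + 1 : period;
}

// "Seven days of the month" reading: days 1-7 are week 1, 8-14 week 2, ...
function weekOfMonthBlocks(day) {
    return Math.floor((day - 1) / 7) + 1;
}

function daysInMonth(year, month) {
    // Day 0 of the following month is the last day of this one.
    return new Date(Date.UTC(year, month, 0)).getUTCDate();
}

// The candidate definitions, keyed by a descriptive (made-up) name.
const READINGS = {
    sundayWeeks: (y, m, d) => weekOfMonth(y, m, d, SUNDAY, 1),
    mondayWeeks: (y, m, d) => weekOfMonth(y, m, d, MONDAY, 1),
    sevenDayBlocks: (y, m, d) => weekOfMonthBlocks(d),
    iso8601: (y, m, d) => weekOfMonth(y, m, d, MONDAY, 4),
};

// Days of the month on which a rule carrying weekofmonth=<wanted> would match.
function matchingDays(year, month, wanted, reading) {
    const days = [];
    for (let d = 1; d <= daysInMonth(year, month); d++) {
        if (READINGS[reading](year, month, d) === wanted) days.push(d);
    }
    return days;
}

// Same rule value, every reading: shows where the access windows diverge.
function compareReadings(year, month, wanted) {
    const out = {};
    for (const name of Object.keys(READINGS)) {
        out[name] = matchingDays(year, month, wanted, name);
    }
    return out;
}

// May 2015 starts on a Friday, the case used in the thread.
console.log(compareReadings(2015, 5, 1));
```

For May 2015 the same `weekofmonth=1` value selects days 1-2, 1-3, 1-7 or 4-10 depending on the reading, so the server and SSSD have to agree on one definition or a rule grants access on dates its author did not intend.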
