On 08/30/2016 03:34 PM, Simo Sorce wrote:
On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote:
On 08/26/2016 05:37 PM, Simo Sorce wrote:
On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote:
On Fri, 2016-08-26 at 18:09 +0300, Alexander Bokovoy wrote:
On Fri, 26 Aug 2016, Simo Sorce wrote:
On Fri, 2016-08-26 at 12:39 +0200, Martin Basti wrote:
I miss the "why" part of "To be able to handle backward compatibility
with ease, a new object called ipaHBACRulev2 is introduced." in the
design page. If the reason is the above - old clients should ignore time
rules - then it has to be mentioned there. Otherwise I don't see a reason
to introduce a new object type instead of extending the current one.
How do you want to enforce an HBAC rule that has a time set from 10 to 14
every day? With the same objectclass, old clients will allow this HBAC
rule all day. Isn't this a CVE?
This is a discussion worth having.

In general it is a CVE only if an authorization mechanism fails to work
as advertised.

If you make it clear that old clients *DO NOT* respect time rules then
there is no CVE material, it is working as "described".

The admins already have a way to not set those rules for older clients
by simply grouping newer clients in a different host group and applying
time rules only there.

So the question really is: should we allow admins to apply an HBAC Rule
potentially to older clients that do not understand it and will
therefore allow access at any time of the day, or should we prevent it ?

This is a hard question to answer and can go both ways.

A time rule may be something that admins want to enforce at all cost or
deny access. In this case a client that fails to handle it would be a
problem.

But it may be something that is just used for defense in depth and not a
strictly hard requirement. In this case allowing older clients would
make it an easy transition as you just set up the rule and the client
will start enforcing the time when it is upgraded but work otherwise
with the same rules.

I am a bit conflicted on trying to decide what scenario we should
target, but the second one appeals to me because host groups do already
give admins a good way to apply rules to a specific set of hosts and
exclude old clients w/o us making it a hard rule.
OTOH if an admin does not understand this difference, they may be
surprised to find out there are clients that do not honor it.

Perhaps we could find a way to set a flag on the rule such that when set
(and only when set) older clients get excluded by way of changing the
objectclass or something else to similar effect.

Open to discussion.
At this point using new object class becomes an attractive approach. We
don't have means to exclude HBAC rules other than applying them
per-host/hostgroup. We also have no deny rules.

I have another idea: what about enforcing time rules always to apply
per-host or per-hostgroup by default? Add --force option to override the
behavior but default to not allow --hostcat=all. This would raise
awareness and make sure admins are actually applying these rules with
intention.
This sounds like a good idea, but it is not a silver bullet I am afraid.

Simo.
I was thinking that for future proofing we could add a version field,
then reasoned more and realized that changing the object class is
basically the same thing.

There is only one big problem: ipaHBACRule is a STRUCTURAL objectclass.
(I know 389ds allows us to do an LDAPv3-illegal operation and change it,
but I do not like to depend on that behaviour.)

Now looking into this I had an idea to solve the problem of legacy
clients without having to swap classes.
We can redefine the accessRuleType attribute to be a "capability" type.

I.e. rules that have a timeAccess component will be of type
"allow_with_time" instead of just "allow".
Old clients are supposed to search with accessRuleType=allow (and I can
see that SSSD does that), so an older client will fail to get those
rules as they won't match.

New clients instead can recognize both types.

Also if we need a future extension we will simply add a new access rule
type and we can have the same effect.
The nice thing is that accessRuleType is defined as multivalued (no
SINGLE-VALUE in the schema) so we may actually create compatible rules if
we want to.
I.e. we could set both "allow" and "allow_with_time" on an object for
cases where the admin wants to enforce the time part only on newer
clients but otherwise apply the rule to any client.

This should give us the best of all options at once.

Thoughts ?

Simo.

Sorry to join the discussion so late, I was away yesterday.

I have to say I too like this idea much better than fiddling with the
objectClasses. Also, I believe that accessRuleType was originally
actually used to distinguish newer versions of HBAC rules from the older
ones, so we may just do this again and profit from its original purpose.
To top it off, this change should be really easy to implement into what I
currently have on the SSSD side.

I was just wondering - would you propose for every newly created rule to
have the new accessRuleType set to "allow_with_time" or should the type
change with addition of time rules to the HBAC rule as it does
currently? Also, should the user be able to modify the type so that a
rule with the new type is also visible for older clients (=> he could
add "allow" to type anytime)?
Rules of type allow_with_time will not work on older clients, so we
should probably default to just the old "allow" schema.

I think in the first implementation the framework/cli/ui should not
emphasize this attribute but simply replace allow -> allow_with_time if
a time attribute is added.

In future we may give control of it and allow even to set multiple
values, after we discuss better if that should be done, and with ample
warnings to admins.

Also setting a time rule makes a rule incompatible with older clients so
we should spell it clearly in the CLI/UI with a warning message that
this rule will not apply at all to older clients.

Thanks for your ideas, I am very happy with what you suggested here :)
Thank you.

Simo.

So - can we all agree on a solution?

I took an extra half hour and created the accessRuleType solution on top of what I currently have; see the patches attached to get a picture of what the change would mean for what I currently have in https://github.com/stlaz/freeipa/tree/timerules_2 and https://github.com/stlaz/sssd/tree/freeipa-trac-547_2. Note that the sssd patch is really just to give a picture; it currently causes sssd_be to core dump, not sure why, and I don't want to waste time debugging it right now.

I myself would in the end rather go for the objectClasses implementation, as new rules are not shown to old clients, which seems correct: there's no confusion for admins who might otherwise scratch their heads at old clients with no idea why their HBAC rules don't apply.

From 43fd57d87d427be6c3c8bb133e2863106463b597 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 31 Aug 2016 12:15:04 +0200
Subject: [PATCH] HBAC Rules versioning based on accessRuleType

---
 Makefile.am                          | 2 --
 src/providers/ipa/ipa_access.c       | 4 ++--
 src/providers/ipa/ipa_hbac_common.c  | 5 +++--
 src/providers/ipa/ipa_hbac_private.h | 2 +-
 src/providers/ipa/ipa_hbac_rules.c   | 7 ++++---
 5 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index 2ccb7fb2894784900314d81256cbe567cf1cf05f..88c9b9eaa678ee22987ad108db45f21cef509b75 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -304,13 +304,11 @@ PYTHON_TESTS =
 
 if BUILD_PYTHON2_BINDINGS
 PYTHON_TESTS += src/config/SSSDConfigTest.py2.sh \
-                src/tests/pyhbac-test.py2.sh \
                 src/tests/pysss_murmur-test.py2.sh \
                 $(NULL)
 endif
 if BUILD_PYTHON3_BINDINGS
 PYTHON_TESTS += src/config/SSSDConfigTest.py3.sh \
-                src/tests/pyhbac-test.py3.sh \
                 src/tests/pysss_murmur-test.py3.sh \
                 $(NULL)
 endif
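Review bot: dropping src/tests/pyhbac-test.py2.sh and src/tests/pyhbac-test.py3.sh from PYTHON_TESTS is not explained by the subject "HBAC Rules versioning based on accessRuleType" and silently stops running the pyhbac binding tests; either keep them and adjust them for the new accessRuleType value, or move the removal into its own commit with a justification.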
diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
index b6052e29512383b797fa57e22e8bdd789f013b6b..b40e5579f378a4dc7d22899a8d339f0564c53f54 100644
--- a/src/providers/ipa/ipa_access.c
+++ b/src/providers/ipa/ipa_access.c
@@ -726,8 +726,8 @@ errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx,
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) return ENOMEM;
 
-    filter = talloc_asprintf(tmp_ctx, "(|(objectClass=%s)(objectClass=%s))",
-                             IPA_HBAC_RULE, IPA_HBAC_RULEV2);
+    filter = talloc_asprintf(tmp_ctx, "(objectClass=%s)",
+                             IPA_HBAC_RULE);
     if (filter == NULL) {
         ret = ENOMEM;
         goto done;
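Review bot: with IPA_HBAC_RULEV2 gone from the cache filter, any rule entries the earlier iteration of this branch cached under objectClass ipaHBACRulev2 become invisible rather than being cleaned up, and the accessRuleType check in hbac_attrs_to_rule is now the only place cached allow and allow_with_time rules are told apart; acceptable for a development branch, but worth one sentence in the commit message.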
diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
index e5d0823952eebbbe920dcd511976419f1b248bf3..826f4771f8f0c4bf43fe79a4da6bfd0901e040fc 100644
--- a/src/providers/ipa/ipa_hbac_common.c
+++ b/src/providers/ipa/ipa_hbac_common.c
@@ -296,9 +296,10 @@ hbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
                                  &rule_type);
     if (ret != EOK) goto done;
 
-    if (strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) {
+    if ((strcasecmp(rule_type, IPA_HBAC_ALLOW) != 0) &&
+            strcasecmp(rule_type, IPA_HBAC_ALLOW_WITH_TIME != 0)) {
         DEBUG(SSSDBG_TRACE_LIBS,
-              "Rule [%s] is not an ALLOW rule\n", new_rule->name);
+              "Rule [%s] is not an ALLOW or ALLOW_WITH_TIME rule\n", new_rule->name);
         ret = EPERM;
         goto done;
     }
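Review bot: the added condition `strcasecmp(rule_type, IPA_HBAC_ALLOW_WITH_TIME != 0)` has its closing parenthesis in the wrong place: `IPA_HBAC_ALLOW_WITH_TIME != 0` evaluates to the integer 1, which is then passed as the second `const char *` argument, so strcasecmp dereferences address 1 and the process crashes; this is a likely cause of the sssd_be core dump mentioned in the mail. It should read `strcasecmp(rule_type, IPA_HBAC_ALLOW_WITH_TIME) != 0`. The compiler should have warned about the int-to-pointer conversion (building with -Werror=int-conversion would have turned it into a hard error). The new DEBUG line also runs past 80 columns.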
diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
index e5144fc5f3da742e8b72c387c2424eb3361a9287..5199054b6883ed9592f3d97353576eda98d2ff93 100644
--- a/src/providers/ipa/ipa_hbac_private.h
+++ b/src/providers/ipa/ipa_hbac_private.h
@@ -27,7 +27,6 @@
 #include "lib/ipa_hbac/ipa_hbac.h"
 
 #define IPA_HBAC_RULE "ipaHBACRule"
-#define IPA_HBAC_RULEV2 "ipaHBACRulev2"
 
 #define IPA_TIMERULE "ipaTimeRule"
 
@@ -44,6 +43,7 @@
 #define IPA_MEMBEROF "memberOf"
 #define IPA_ACCESS_RULE_TYPE "accessRuleType"
 #define IPA_HBAC_ALLOW "allow"
+#define IPA_HBAC_ALLOW_WITH_TIME "allow_with_time"
 #define IPA_MEMBER_USER "memberUser"
 #define IPA_USER_CATEGORY "userCategory"
 #define IPA_SERVICE_NAME "serviceName"
diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
index 01ca86c8b855c98f05556c6af4b4d02419f0d111..617045b5f5c7e836526da41781bd05eb2b9ba74d 100644
--- a/src/providers/ipa/ipa_hbac_rules.c
+++ b/src/providers/ipa/ipa_hbac_rules.c
@@ -118,12 +118,13 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
     state->attrs[16] = NULL;
 
     rule_filter = talloc_asprintf(tmp_ctx,
-                                  "(&(|(objectclass=%s)(objectclass=%s))"
-                                  "(%s=%s)(%s=%s)"
+                                  "(&(objectclass=%s)"
+                                  "(%s=%s)(|(%s=%s)(%s=%s))"
                                   "(|(%s=%s)(%s=%s)",
-                                  IPA_HBAC_RULE, IPA_HBAC_RULEV2,
+                                  IPA_HBAC_RULE,
                                   IPA_ENABLED_FLAG, IPA_TRUE_VALUE,
                                   IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW,
+                                  IPA_ACCESS_RULE_TYPE, IPA_HBAC_ALLOW_WITH_TIME,
                                   IPA_HOST_CATEGORY, "all",
                                   IPA_MEMBER_HOST, host_dn_clean);
     if (rule_filter == NULL) {
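Review bot: the 11 %s placeholders and 11 arguments line up, but this hunk only makes the client *see* allow_with_time rules; nothing in the patch requests ipaMemberTimeRule (the attrs list ending at `state->attrs[16] = NULL` is unchanged) or evaluates a time window, so a client built from this patch would treat an allow_with_time rule as an unconditional allow, which is strictly less safe than the old filter that ignored such rules. Match allow_with_time here only together with the time-rule evaluation, or gate it until that lands.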
-- 
2.7.4

From b67d49bb0b065af39a6e340cc6a1cca252758c64 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 31 Aug 2016 12:39:59 +0200
Subject: [PATCH] HBAC Rules versioning based on accessRuleType attribute

---
 ACI.txt                       | 10 ++++----
 API.txt                       |  6 ++---
 install/share/60basev2.ldif   |  3 +--
 ipaserver/plugins/hbacrule.py | 58 ++++++++++++++++---------------------------
 4 files changed, 31 insertions(+), 46 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 95f4643c46a1a10ccba25e6ad6999b56e4f70d81..9d72fc02a04485906262c31da6e2815755ce7859 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -97,15 +97,15 @@ aci: (targetattr = "businesscategory || cn || createtimestamp || description ||
 dn: cn=groups,cn=accounts,dc=ipa,dc=example
 aci: (targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Remove Groups";allow (delete) groupdn = "ldap:///cn=System: Remove Groups,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetfilter = "(|(objectclass=ipahbacrule)(objectclass=ipahbacrulev2))")(version 3.0;acl "permission:System: Add HBAC Rule";allow (add) groupdn = "ldap:///cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Add HBAC Rule";allow (add) groupdn = "ldap:///cn=System: Add HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetfilter = "(|(objectclass=ipahbacrule)(objectclass=ipahbacrulev2))")(version 3.0;acl "permission:System: Delete HBAC Rule";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Delete HBAC Rule";allow (delete) groupdn = "ldap:///cn=System: Delete HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetattr = "externalhost || ipamembertimerule || memberhost || memberservice || memberuser")(targetfilter = "(|(objectclass=ipahbacrule)(objectclass=ipahbacrulev2))")(version 3.0;acl "permission:System: Manage HBAC Rule Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "externalhost || ipamembertimerule || memberhost || memberservice || memberuser")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Manage HBAC Rule Membership";allow (write) groupdn = "ldap:///cn=System: Manage HBAC Rule Membership,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || ipamembertimerule || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(|(objectclass=ipahbacrule)(objectclass=ipahbacrulev2))")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || ipamembertimerule || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipamembertimerule || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(|(objectclass=ipahbacrule)(objectclass=ipahbacrulev2))")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";;)
+aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipamembertimerule || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";;)
 dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
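Review bot: `accessruletype` remains in the targetattr list of "System: Modify HBAC Rule", so any holder of that permission can replace allow_with_time with allow on a rule that still carries ipamembertimerule values, after which old and new clients alike apply it around the clock. If the type is meant to be derived from the presence of time rules rather than set directly, drop it from the writable attributes or validate the combination in hbacrule_mod.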
diff --git a/API.txt b/API.txt
index 8e4c16c922066d2920fe3ce59fdd67364fee18c7..b09d5bdea5c09d6aae468cb208908f2d2b6af28a 100644
--- a/API.txt
+++ b/API.txt
@@ -1902,7 +1902,7 @@ output: PrimaryKey('value')
 command: hbacrule_add/1
 args: 1,14,3
 arg: Str('cn', cli_name='name')
-option: StrEnum('accessruletype', autofill=True, cli_name='type', default=u'allow', values=[u'allow', u'deny'])
+option: StrEnum('accessruletype', autofill=True, cli_name='type', default=u'allow', values=[u'allow', u'deny', u'allow_with_time'])
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', cli_name='desc')
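Review bot: exposing u'allow_with_time' as a user-settable value on hbacrule_add lets a rule be created with that type before any time rule is attached, and a StrEnum carries a single value although the schema attribute is multi-valued, so the "both values" compatibility mode from the thread cannot be expressed through the API. Given that the thread agreed the framework should simply flip allow to allow_with_time when a time rule is added, keeping values at [u'allow', u'deny'] here and deriving allow_with_time server-side would be safer.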
@@ -2003,7 +2003,7 @@ output: PrimaryKey('value')
 command: hbacrule_find/1
 args: 1,16,4
 arg: Str('criteria?')
-option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny'])
+option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny', u'allow_with_time'])
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2026,7 +2026,7 @@ output: Output('truncated', type=[<type 'bool'>])
 command: hbacrule_mod/1
 args: 1,16,3
 arg: Str('cn', cli_name='name')
-option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny'])
+option: StrEnum('accessruletype?', autofill=False, cli_name='type', default=u'allow', values=[u'allow', u'deny', u'allow_with_time'])
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
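Review bot: `hbacrule_mod --type=allow` on a rule that still has time rules attached silently downgrades it to a plain allow rule, removing the time constraint for every client; hbacrule_mod needs a pre_callback that rejects 'allow' while ipamembertimerule is non-empty, or the option should stay out of mod entirely.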
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 27f7b0025171e0af9dbd7d34c32daf9069146e7e..2792b0aa7940e438bd92e11eaa7659cb80aa0e97 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -37,10 +37,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multivalue
 attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The flag to represent if it is allow or deny rule.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.14 NAME 'accessTime' DESC 'Access time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime ) X-ORIGIN 'IPA v2' )
+objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime $ ipaMemberTimeRule ) X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.12.37 NAME 'ipaTimeRule' SUP top STRUCTURAL MUST ( cn $ accessTime ) MAY ( memberOf $ description ) X-ORIGIN 'IPA v4.4')
 attributeTypes: (2.16.840.1.113730.3.8.11.76 NAME 'ipaMemberTimeRule' DESC 'Reference to a time rule describing some period of time' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.4' )
-objectClasses: (2.16.840.1.113730.3.8.12.38 NAME 'ipaHBACRuleV2' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime $ ipaMemberTimeRule ) X-ORIGIN 'IPA v4.4' )
 attributeTypes: (2.16.840.1.113730.3.8.3.15 NAME 'nisDomainName' DESC 'NIS domain name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.8 NAME 'ipaNISNetgroup' DESC 'IPA version of NIS netgroup' SUP ipaAssociation STRUCTURAL MAY ( externalHost $ nisDomainName $ member $ memberOf ) X-ORIGIN 'IPA v2' )
 attributeTypes: (1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307bis' )
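Review bot: ipaHBACRule (2.16.840.1.113730.3.8.4.7) now lists ipaMemberTimeRule in MAY, but that attributeType (2.16.840.1.113730.3.8.11.76) is only defined two lines below it; confirm the schema loader accepts the forward reference or move the attributeType above the objectClass. The DESC of accessRuleType still reads 'The flag to represent if it is allow or deny rule.' and should mention allow_with_time, and since an existing objectClass definition is changed in place, the upgrade path must replace the old definition on already installed servers.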
diff --git a/ipaserver/plugins/hbacrule.py b/ipaserver/plugins/hbacrule.py
index 9ab8aa2ee4844ed6fcb2fdb0a399042ae41700a5..7bb69b48052c3e0ef91b8d98ea98ebc2e94bd8f1 100644
--- a/ipaserver/plugins/hbacrule.py
+++ b/ipaserver/plugins/hbacrule.py
@@ -115,9 +115,8 @@ class hbacrule(LDAPObject):
     container_dn = api.env.container_hbac
     object_name = _('HBAC rule')
     object_name_plural = _('HBAC rules')
-    object_class = ['ipaassociation']
-    possible_objectclasses = ['ipahbacrule', 'ipahbacrulev2']
-    permission_filter_objectclasses = ['ipahbacrule', 'ipahbacrulev2']
+    object_class = ['ipaassociation', 'ipahbacrule']
+    permission_filter_objectclasses = ['ipahbacrule']
     default_attributes = [
         'cn', 'ipaenabledflag',
         'description', 'usercategory', 'hostcategory',
@@ -200,7 +199,7 @@ class hbacrule(LDAPObject):
             cli_name='type',
             doc=_('Rule type (allow)'),
             label=_('Rule type'),
-            values=(u'allow', u'deny'),
+            values=(u'allow', u'deny', u'allow_with_time'),
             default=u'allow',
             autofill=True,
             exclude='webui',
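Review bot: `doc=_('Rule type (allow)')` is stale with three values; update it to describe allow_with_time and its effect (the rule is not visible to clients without time-rule support), which is also the natural place for the CLI warning Simo asked for. Note the option is `exclude='webui'`, so the Web UI currently has no way to surface the type at all.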
@@ -294,8 +293,6 @@ class hbacrule_add(LDAPCreate):
         assert isinstance(dn, DN)
         # HBAC rules are enabled by default
         entry_attrs['ipaenabledflag'] = 'TRUE'
-        # start as an old type HBAC
-        entry_attrs['objectclass'].append('ipahbacrule')
         return dn
 
 
@@ -348,17 +345,6 @@ class hbacrule_find(LDAPSearch):
         '%(count)d HBAC rule matched', '%(count)d HBAC rules matched', 0
     )
 
-    def pre_callback(self, ldap, filter, attrs_list, base_dn,
-                     scope, *args, **options):
-        assert isinstance(base_dn, DN)
-        filters = [
-            ldap.make_filter({'objectclass': ['ipahbacrule', 'ipahbacrulev2']},
-                             rules=ldap.MATCH_ANY)
-        ]
-        filters.append(filter)
-        filter = ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
-        return (filter, base_dn, scope)
-
 
 @register()
 class hbacrule_show(LDAPRetrieve):
@@ -438,18 +424,18 @@ class hbacrule_add_timerule(LDAPAddMember):
         assert(isinstance(dn, DN))
 
         try:
-            entry_attrs = ldap.get_entry(dn, ['objectclass'])
+            entry_attrs = ldap.get_entry(dn, ['accessruletype'])
         except errors.NotFound:
             self.obj.handle_not_found(*args)
         objclass_updated = False
-        # ipaHBACRuleV2 objectclass marks new version HBAC rules with new
+        # allow_with_time type marks new version HBAC rules with new
         # capabilities such as time policies
-        if ('ipahbacrulev2' not in
-                (o.lower() for o in entry_attrs['objectclass'])):
-            entry_attrs['objectclass'] = [cls for cls in
-                                          entry_attrs['objectclass']
-                                          if cls != 'ipahbacrule']
-            entry_attrs['objectclass'].append('ipahbacrulev2')
+        if ('allow_with_time' not in
+                (o.lower() for o in entry_attrs['accessruletype'])):
+            entry_attrs['accessruletype'] = [t for t in
+                                             entry_attrs['accessruletype']
+                                             if t != 'allow']
+            entry_attrs['accessruletype'].append('allow_with_time')
             ldap.update_entry(entry_attrs)
             objclass_updated = True
 
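Review bot: the membership test lowercases the stored values but the comprehension filters with `t != 'allow'` case-sensitively; accessRuleType uses caseIgnoreMatch, so a stored 'Allow' survives and the entry ends up with both values, which is exactly the "visible to old clients" mode the thread wanted to keep opt-in. Nothing handles 'deny' either: a deny rule would get allow_with_time appended instead of being rejected. The variable objclass_updated and the surrounding comments no longer describe what is being updated.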
@@ -460,10 +446,10 @@ class hbacrule_add_timerule(LDAPAddMember):
             if objclass_updated:
                 # there was an error adding time rule to an HBAC rule which was
                 # of old version before, switch it back to ipaHBACRule class
-                entry_attrs['objectclass'] = [cls for cls in
-                                              entry_attrs['objectclass']
-                                              if cls != 'ipahbacrulev2']
-                entry_attrs['objectclass'].append('ipahbacrule')
+                entry_attrs['accessruletype'] = [t for t in
+                                                 entry_attrs['accessruletype']
+                                                 if t != 'allow_with_time']
+                entry_attrs['accessruletype'].append('allow')
                 ldap.update_entry(entry_attrs)
             raise
         return result
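Review bot: the rollback appends 'allow' unconditionally, so if the entry did not carry 'allow' before the failed add (for example 'deny'), it is left with a type it never had. Keep a copy of the original accessruletype list before modifying it and restore that; the comment still talks about switching back to the ipaHBACRule class.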
@@ -484,15 +470,15 @@ class hbacrule_remove_timerule(LDAPRemoveMember):
         timerules = result['result'].get('membertimerule_timerule', [])
 
         ldap = self.obj.backend
-        entry_attrs = ldap.get_entry(dn, ['objectclass'])
-        if (not timerules and 'ipahbacrulev2' in
-           (o.lower() for o in entry_attrs['objectclass'])):
+        entry_attrs = ldap.get_entry(dn, ['accessruletype'])
+        if (not timerules and 'allow_with_time' in
+           (o.lower() for o in entry_attrs['accessruletype'])):
             # there are no more time rules left in the HBAC rule, switch
             # to old type rules
-            entry_attrs['objectclass'] = [cls for cls in
-                                          entry_attrs['objectclass']
-                                          if cls != 'ipahbacrulev2']
-            entry_attrs['objectclass'].append('ipahbacrule')
+            entry_attrs['accessruletype'] = [t for t in
+                                             entry_attrs['accessruletype']
+                                             if t != 'allow_with_time']
+            entry_attrs['accessruletype'].append('allow')
             ldap.update_entry(entry_attrs)
         return result
 
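Review bot: same case-sensitivity issue as in hbacrule_add_timerule: the `in` check lowercases but `t != 'allow_with_time'` does not, so a differently cased value would remain and the rule would stay hidden from old clients after its last time rule is removed. A shared helper that flips the type in both directions would keep the two code paths consistent.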
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
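The selection logic Simo describes in the thread (old clients search for accessRuleType=allow, new clients match both values, and a multi-valued attribute lets a rule carry both), as an added Python model that is not FreeIPA or SSSD code. The sample entries, the time-window representation and the helper names are constructed for illustration; the real SSSD filter string and time-rule syntax are assumptions.

```python
"""Model of HBAC rule selection under the accessRuleType capability scheme.

Added example, not FreeIPA/SSSD code. Entries and time windows below are
constructed sample data; the helper names are assumptions.
"""
from datetime import time

# Constructed sample of what the HBAC container might hold. accessRuleType
# is multi-valued in the schema, so a rule may carry both values.
RULES = [
    {"cn": "ssh-anytime", "accessRuleType": ["allow"],
     "ipaEnabledFlag": "TRUE", "window": None},
    {"cn": "ssh-office-hours", "accessRuleType": ["allow_with_time"],
     "ipaEnabledFlag": "TRUE", "window": (time(10, 0), time(14, 0))},
    # Both values: the "defense in depth" mode discussed in the thread.
    # Note the mixed case; accessRuleType uses caseIgnoreMatch.
    {"cn": "ssh-defense-in-depth", "accessRuleType": ["Allow", "allow_with_time"],
     "ipaEnabledFlag": "TRUE", "window": (time(10, 0), time(14, 0))},
    {"cn": "ssh-disabled", "accessRuleType": ["allow_with_time"],
     "ipaEnabledFlag": "FALSE", "window": (time(10, 0), time(14, 0))},
]

OLD_CLIENT_TYPES = {"allow"}                     # what SSSD searched for before
NEW_CLIENT_TYPES = {"allow", "allow_with_time"}  # what a time-aware client matches


def clock(hour, minute=0):
    """Small helper so callers need not import datetime.time themselves."""
    return time(hour, minute)


def matches_filter(rule, accepted_types):
    """Equivalent of (&(ipaEnabledFlag=TRUE)(|(accessRuleType=t)...)).

    The attribute is caseIgnoreMatch, so compare case-insensitively, as the
    directory server would.
    """
    if rule["ipaEnabledFlag"].upper() != "TRUE":
        return False
    return any(t.lower() in accepted_types for t in rule["accessRuleType"])


def in_window(rule, now):
    """Time-rule evaluation; only a new client performs this step."""
    window = rule["window"]
    if window is None:
        return True
    start, end = window
    return start <= now < end


def evaluate(rules, client_is_new, now):
    """Return the names of rules that grant access at `now`.

    An old client never sees allow_with_time-only rules, so such a rule
    fails closed for it. A rule carrying both values is visible to the old
    client, which then applies it without the window (fails open by design).
    """
    accepted = NEW_CLIENT_TYPES if client_is_new else OLD_CLIENT_TYPES
    granted = []
    for rule in rules:
        if not matches_filter(rule, accepted):
            continue
        if client_is_new and not in_window(rule, now):
            continue
        granted.append(rule["cn"])
    return granted


def types_for_rule(has_time_rules, compatible_with_old_clients):
    """Server-side policy the thread converged on: a rule gets
    allow_with_time once a time rule is attached; keeping 'allow' as well is
    the opt-in compatibility mode that was discussed but deferred."""
    if not has_time_rules:
        return ["allow"]
    if compatible_with_old_clients:
        return ["allow", "allow_with_time"]
    return ["allow_with_time"]


if __name__ == "__main__":
    for label, new in (("old client", False), ("new client", True)):
        for hour in (9, 12):
            print(label, f"{hour:02d}:00", evaluate(RULES, new, clock(hour)))
```

Running it shows the trade-off the thread is weighing: at 09:00 the old client grants ssh-anytime and ssh-defense-in-depth (it cannot see ssh-office-hours at all and ignores the window on the dual-typed rule), while the new client grants only ssh-anytime; at 12:00 the new client additionally grants both time-bound rules.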
