Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- From db37d25bdc35fb54a8ff1a65c8dcb48f53e02525 Mon Sep 17 00:00:00 2001
- From: Lukas Hellebrandt <lhellebr@redhat.com>
- Date: Thu, 18 Feb 2016 18:43:59 +0100
- Subject: [PATCH] Adding URI to HBAC rule
- ---
- ACI.txt | 2 +-
- API.txt | 12 +++++++++---
- VERSION | 8 ++++----
- install/share/60basev2.ldif | 4 +++-
- install/ui/src/freeipa/hbac.js | 24 ++++++++++++++++++++++--
- install/ui/test/data/ipa_init.json | 4 +++-
- ipalib/plugins/hbacrule.py | 10 ++++++++--
- ipalib/plugins/internal.py | 2 ++
- 8 files changed, 52 insertions(+), 14 deletions(-)
- diff --git a/ACI.txt b/ACI.txt
- index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..39f331264e3d724bae7d47a3bcbc9e42da93bbcd 100644
- --- a/ACI.txt
- +++ b/ACI.txt
- @@ -93,7 +93,7 @@ aci: (targetattr = "externalhost || memberhost || memberservice || memberuser")(
- dn: cn=hbac,dc=ipa,dc=example
- aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
- dn: cn=hbac,dc=ipa,dc=example
- -aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
- +aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || schemeandhost || servicecategory || sourcehost || sourcehostcategory || url || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
- dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
- aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
- dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
- diff --git a/API.txt b/API.txt
- index 3598b08198cae536754259f7463669052efa3f86..ab65e2dc63128dcde215084cd455c685a9287c0a 100644
- --- a/API.txt
- +++ b/API.txt
- @@ -1656,7 +1656,7 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
- output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
- output: PrimaryKey('value', None, None)
- command: hbacrule_add
- -args: 1,16,3
- +args: 1,18,3
- arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
- option: StrEnum('accessruletype', attribute=True, autofill=True, cli_name='type', default=u'allow', exclude='webui', multivalue=False, required=True, values=(u'allow', u'deny'))
- option: Str('addattr*', cli_name='addattr', exclude='webui')
- @@ -1667,11 +1667,13 @@ option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=F
- option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False)
- option: Flag('no_members', autofill=True, default=False, exclude='webui')
- option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
- +option: Str('schemeandhost', attribute=True, cli_name='schemeandhost', multivalue=False, required=False)
- option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',))
- option: Str('setattr*', cli_name='setattr', exclude='webui')
- option: DeprecatedParam('sourcehost_host', attribute=True, cli_name='sourcehost_host', multivalue=False, required=False)
- option: DeprecatedParam('sourcehost_hostgroup', attribute=True, cli_name='sourcehost_hostgroup', multivalue=False, required=False)
- option: DeprecatedParam('sourcehostcategory', attribute=True, cli_name='sourcehostcategory', multivalue=False, required=False)
- +option: Str('url', attribute=True, cli_name='url', multivalue=False, required=False)
- option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
- option: Str('version?', exclude='webui')
- output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
- @@ -1748,7 +1750,7 @@ output: Output('result', <type 'bool'>, None)
- output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
- output: PrimaryKey('value', None, None)
- command: hbacrule_find
- -args: 1,18,4
- +args: 1,20,4
- arg: Str('criteria?', noextrawhitespace=False)
- option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', default=u'allow', exclude='webui', multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
- option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
- @@ -1760,12 +1762,14 @@ option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenab
- option: Flag('no_members', autofill=True, default=False, exclude='webui')
- option: Flag('pkey_only?', autofill=True, default=False)
- option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
- +option: Str('schemeandhost', attribute=True, autofill=False, cli_name='schemeandhost', multivalue=False, query=True, required=False)
- option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',))
- option: Int('sizelimit?', autofill=False, minvalue=0)
- option: DeprecatedParam('sourcehost_host', attribute=True, autofill=False, cli_name='sourcehost_host', multivalue=False, query=True, required=False)
- option: DeprecatedParam('sourcehost_hostgroup', attribute=True, autofill=False, cli_name='sourcehost_hostgroup', multivalue=False, query=True, required=False)
- option: DeprecatedParam('sourcehostcategory', attribute=True, autofill=False, cli_name='sourcehostcategory', multivalue=False, query=True, required=False)
- option: Int('timelimit?', autofill=False, minvalue=0)
- +option: Str('url', attribute=True, autofill=False, cli_name='url', multivalue=False, query=True, required=False)
- option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',))
- option: Str('version?', exclude='webui')
- output: Output('count', <type 'int'>, None)
- @@ -1773,7 +1777,7 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
- output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
- output: Output('truncated', <type 'bool'>, None)
- command: hbacrule_mod
- -args: 1,18,3
- +args: 1,20,3
- arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
- option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', default=u'allow', exclude='webui', multivalue=False, required=False, values=(u'allow', u'deny'))
- option: Str('addattr*', cli_name='addattr', exclude='webui')
- @@ -1786,11 +1790,13 @@ option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenab
- option: Flag('no_members', autofill=True, default=False, exclude='webui')
- option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
- option: Flag('rights', autofill=True, default=False)
- +option: Str('schemeandhost', attribute=True, autofill=False, cli_name='schemeandhost', multivalue=False, required=False)
- option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',))
- option: Str('setattr*', cli_name='setattr', exclude='webui')
- option: DeprecatedParam('sourcehost_host', attribute=True, autofill=False, cli_name='sourcehost_host', multivalue=False, required=False)
- option: DeprecatedParam('sourcehost_hostgroup', attribute=True, autofill=False, cli_name='sourcehost_hostgroup', multivalue=False, required=False)
- option: DeprecatedParam('sourcehostcategory', attribute=True, autofill=False, cli_name='sourcehostcategory', multivalue=False, required=False)
- +option: Str('url', attribute=True, autofill=False, cli_name='url', multivalue=False, required=False)
- option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
- option: Str('version?', exclude='webui')
- output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
- diff --git a/VERSION b/VERSION
- index aedebd185821d42fa48608f4c5fdf9ff510ace3f..543a5241d9ee6f75a88d0d1486c93875821ab0a5 100644
- --- a/VERSION
- +++ b/VERSION
- @@ -16,12 +16,12 @@
- # #
- # e.g. IPA_VERSION_MAJOR=1 #
- # IPA_VERSION_MINOR=0 #
- -# IPA_VERSION_RELEASE=0 #
- +
- # -> "1.0.0" #
- ########################################################
- IPA_VERSION_MAJOR=4
- IPA_VERSION_MINOR=3
- -IPA_VERSION_RELEASE=90
- +IPA_VERSION_RELEASE=105
- ########################################################
- # For 'alpha' releases the version will be #
- @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
- # #
- ########################################################
- IPA_API_VERSION_MAJOR=2
- -IPA_API_VERSION_MINOR=165
- -# Last change: mbasti - limit ipamaxusernamelength value to 255
- +IPA_API_VERSION_MINOR=166
- +# Last change: lhellebr - add URL to HBAC rule
- diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
- index 00712ddda2c548b7f7924a012f3f68499f2f01da..ff30b7ea0bd04b783d19048c1745c1486807d834 100644
- --- a/install/share/60basev2.ldif
- +++ b/install/share/60basev2.ldif
- @@ -37,7 +37,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multivalue
- attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
- attributeTypes: (2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The flag to represent if it is allow or deny rule.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
- attributeTypes: (2.16.840.1.113730.3.8.3.14 NAME 'accessTime' DESC 'Access time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
- -objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime ) X-ORIGIN 'IPA v2' )
- +attributeTypes: (2.16.840.1.113730.3.8.11.74 NAME 'schemeAndHost' DESC 'Schema and host part of the URI' EQUALITY caseIgnoretMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
- +attributeTypes: (2.16.840.1.113730.3.8.11.73 NAME 'url' DESC 'Path part of URI (prefix)' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
- +objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime $ schemeAndHost $ url) X-ORIGIN 'IPA v2' )
- attributeTypes: (2.16.840.1.113730.3.8.3.15 NAME 'nisDomainName' DESC 'NIS domain name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
- objectClasses: (2.16.840.1.113730.3.8.4.8 NAME 'ipaNISNetgroup' DESC 'IPA version of NIS netgroup' SUP ipaAssociation STRUCTURAL MAY ( externalHost $ nisDomainName $ member $ memberOf ) X-ORIGIN 'IPA v2' )
- attributeTypes: (1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307bis' )
- diff --git a/install/ui/src/freeipa/hbac.js b/install/ui/src/freeipa/hbac.js
- index 6161942b93fce654830330fdbdf6853ce9e428ff..c56ded20ec0064e586fa01b169fa82f86d5ac549 100644
- --- a/install/ui/src/freeipa/hbac.js
- +++ b/install/ui/src/freeipa/hbac.js
- @@ -52,7 +52,9 @@ var spec = {
- label: '@i18n:status.label',
- formatter: 'boolean_status'
- },
- - 'description'
- + 'description',
- + 'schemeandhost',
- + 'url'
- ],
- actions: [
- 'batch_disable',
- @@ -244,6 +246,16 @@ var add_hbacrule_details_facet_widgets = function (spec) {
- $type: 'textarea',
- name: 'description',
- widget: 'general.description'
- + },
- + {
- + $type: 'textarea',
- + name: 'schemeandhost',
- + widget: 'general.schemeandhost'
- + },
- + {
- + $type: 'textarea',
- + name: 'url',
- + widget: 'general.url'
- }
- ];
- @@ -259,6 +271,14 @@ var add_hbacrule_details_facet_widgets = function (spec) {
- {
- $type: 'textarea',
- name: 'description'
- + },
- + {
- + $type: 'textarea',
- + name: 'schemeandhost'
- + },
- + {
- + $type: 'textarea',
- + name: 'url'
- }
- ]
- }
- @@ -503,4 +523,4 @@ exp.register = function() {
- phases.on('registration', exp.register);
- return exp;
- -});
- \ No newline at end of file
- +});
- diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
- index 1b9b69ff909a9668c1e1867008459d25d5e062a9..bdc98afc4fa750e6fd951e5753c6f83db9a79ba0 100644
- --- a/install/ui/test/data/ipa_init.json
- +++ b/install/ui/test/data/ipa_init.json
- @@ -354,7 +354,9 @@
- "specified_hosts": "Specified Hosts and Groups",
- "specified_services": "Specified Services and Groups",
- "specified_users": "Specified Users and Groups",
- - "user": "Who"
- + "user": "Who",
- + "schemeandhost": "Scheme and host part of URI",
- + "url": "Path part of URI (prefix)"
- },
- "hbacsvc": {},
- "hbacsvcgroup": {
- diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
- index 54487eded21637bcd9d78179ad51c4abdedfc561..79be7fec8c87080ffa424efb53e2a3e79b3268fd 100644
- --- a/ipalib/plugins/hbacrule.py
- +++ b/ipalib/plugins/hbacrule.py
- @@ -137,7 +137,7 @@ class hbacrule(LDAPObject):
- 'description', 'usercategory', 'hostcategory',
- 'servicecategory', 'ipaenabledflag',
- 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
- - 'externalhost',
- + 'externalhost','schemeandhost','url',
- ]
- uuid_attribute = 'ipauniqueid'
- rdn_attribute = 'ipauniqueid'
- @@ -157,7 +157,7 @@ class hbacrule(LDAPObject):
- 'externalhost', 'hostcategory', 'ipaenabledflag',
- 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser',
- 'servicecategory', 'sourcehost', 'sourcehostcategory',
- - 'usercategory', 'objectclass', 'member',
- + 'usercategory', 'objectclass', 'member', 'schemeandhost', 'url',
- },
- },
- 'System: Add HBAC Rule': {
- @@ -275,6 +275,12 @@ class hbacrule(LDAPObject):
- label=_('Service Groups'),
- flags=['no_create', 'no_update', 'no_search'],
- ),
- + Str('schemeandhost?',
- + label=_('Scheme and host part of URI'),
- + ),
- + Str('url?',
- + label=_('Path part of URI (prefix)'),
- + ),
- external_host_param,
- )
- diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
- index 54871f76de99d92f0f23129b4d636cc4fccfbb8b..4dcce84f9b39f66c99b3f0b2129e3f75c4adc784 100644
- --- a/ipalib/plugins/internal.py
- +++ b/ipalib/plugins/internal.py
- @@ -499,6 +499,8 @@ class i18n_messages(Command):
- "specified_services": _("Specified Services and Groups"),
- "specified_users": _("Specified Users and Groups"),
- "user": _("Who"),
- + "schemeandhost": _("Scheme and host part of URI"),
- + "url": _("Path part of URI (prefix)"),
- },
- "hbacsvc": {
- },
- --
- 2.4.3
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement