From db37d25bdc35fb54a8ff1a65c8dcb48f53e02525 Mon Sep 17 00:00:00 2001
From: Lukas Hellebrandt
Date: Thu, 18 Feb 2016 18:43:59 +0100
Subject: [PATCH] Adding URI to HBAC rule
---
 ACI.txt | 2 +-
 API.txt | 12 +++++++++---
 VERSION | 8 ++++----
 install/share/60basev2.ldif | 4 +++-
 install/ui/src/freeipa/hbac.js | 24 ++++++++++++++++++++++--
 install/ui/test/data/ipa_init.json | 4 +++-
 ipalib/plugins/hbacrule.py | 10 ++++++++--
 ipalib/plugins/internal.py | 2 ++
 8 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 24cb332ce6e10c82a5bfab76d084fb6c0277800d..39f331264e3d724bae7d47a3bcbc9e42da93bbcd 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -93,7 +93,7 @@ aci: (targetattr = "externalhost || memberhost || memberservice || memberuser")(
 dn: cn=hbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Modify HBAC Rule";allow (write) groupdn = "ldap:///cn=System: Modify HBAC Rule,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbac,dc=ipa,dc=example
-aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "accessruletype || accesstime || cn || createtimestamp || description || entryusn || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || modifytimestamp || objectclass || schemeandhost || servicecategory || sourcehost || sourcehostcategory || url || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
 aci: (targetfilter = "(objectclass=ipahbacservice)")(version 3.0;acl "permission:System: Add HBAC Services";allow (add) groupdn = "ldap:///cn=System: Add HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=hbacservices,cn=hbac,dc=ipa,dc=example
diff --git a/API.txt b/API.txt
index 3598b08198cae536754259f7463669052efa3f86..ab65e2dc63128dcde215084cd455c685a9287c0a 100644
--- a/API.txt
+++ b/API.txt
@@ -1656,7 +1656,7 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: hbacrule_add
-args: 1,16,3
+args: 1,18,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, required=True)
 option: StrEnum('accessruletype', attribute=True, autofill=True, cli_name='type', default=u'allow', exclude='webui', multivalue=False, required=True, values=(u'allow', u'deny'))
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -1667,11 +1667,13 @@ option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', multivalue=F
 option: Bool('ipaenabledflag', attribute=True, cli_name='ipaenabledflag', multivalue=False, required=False)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('schemeandhost', attribute=True, cli_name='schemeandhost', multivalue=False, required=False)
 option: StrEnum('servicecategory', attribute=True, cli_name='servicecat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: DeprecatedParam('sourcehost_host', attribute=True, cli_name='sourcehost_host', multivalue=False, required=False)
 option: DeprecatedParam('sourcehost_hostgroup', attribute=True, cli_name='sourcehost_hostgroup', multivalue=False, required=False)
 option: DeprecatedParam('sourcehostcategory', attribute=True, cli_name='sourcehostcategory', multivalue=False, required=False)
+option: Str('url', attribute=True, cli_name='url', multivalue=False, required=False)
 option: StrEnum('usercategory', attribute=True, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
@@ -1748,7 +1750,7 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: hbacrule_find
-args: 1,18,4
+args: 1,20,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', default=u'allow', exclude='webui', multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
@@ -1760,12 +1762,14 @@ option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenab
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
+option: Str('schemeandhost', attribute=True, autofill=False, cli_name='schemeandhost', multivalue=False, query=True, required=False)
 option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, query=True, required=False, values=(u'all',))
 option: Int('sizelimit?', autofill=False, minvalue=0)
 option: DeprecatedParam('sourcehost_host', attribute=True, autofill=False, cli_name='sourcehost_host', multivalue=False, query=True, required=False)
 option: DeprecatedParam('sourcehost_hostgroup', attribute=True, autofill=False, cli_name='sourcehost_hostgroup', multivalue=False, query=True, required=False)
 option: DeprecatedParam('sourcehostcategory', attribute=True, autofill=False, cli_name='sourcehostcategory', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
+option: Str('url', attribute=True, autofill=False, cli_name='url', multivalue=False, query=True, required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, query=True, required=False, values=(u'all',))
 option: Str('version?', exclude='webui')
 output: Output('count', , None)
@@ -1773,7 +1777,7 @@ output: ListOfEntries('result', (, ), Gettext('A list
 output: Output('summary', (, ), None)
 output: Output('truncated', , None)
 command: hbacrule_mod
-args: 1,18,3
+args: 1,20,3
 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
 option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', default=u'allow', exclude='webui', multivalue=False, required=False, values=(u'allow', u'deny'))
 option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -1786,11 +1790,13 @@ option: Bool('ipaenabledflag', attribute=True, autofill=False, cli_name='ipaenab
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Flag('rights', autofill=True, default=False)
+option: Str('schemeandhost', attribute=True, autofill=False, cli_name='schemeandhost', multivalue=False, required=False)
 option: StrEnum('servicecategory', attribute=True, autofill=False, cli_name='servicecat', multivalue=False, required=False, values=(u'all',))
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: DeprecatedParam('sourcehost_host', attribute=True, autofill=False, cli_name='sourcehost_host', multivalue=False, required=False)
 option: DeprecatedParam('sourcehost_hostgroup', attribute=True, autofill=False, cli_name='sourcehost_hostgroup', multivalue=False, required=False)
 option: DeprecatedParam('sourcehostcategory', attribute=True, autofill=False, cli_name='sourcehostcategory', multivalue=False, required=False)
+option: Str('url', attribute=True, autofill=False, cli_name='url', multivalue=False, required=False)
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', multivalue=False, required=False, values=(u'all',))
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
diff --git a/VERSION b/VERSION
index aedebd185821d42fa48608f4c5fdf9ff510ace3f..543a5241d9ee6f75a88d0d1486c93875821ab0a5 100644
--- a/VERSION
+++ b/VERSION
@@ -16,12 +16,12 @@ # # # e.g. IPA_VERSION_MAJOR=1 # # IPA_VERSION_MINOR=0 # -# IPA_VERSION_RELEASE=0 # + # -> "1.0.0" # ######################################################## IPA_VERSION_MAJOR=4 IPA_VERSION_MINOR=3 -IPA_VERSION_RELEASE=90 +IPA_VERSION_RELEASE=105 ######################################################## # For 'alpha' releases the version will be # 
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=165
-# Last change: mbasti - limit ipamaxusernamelength value to 255
+IPA_API_VERSION_MINOR=166
+# Last change: lhellebr - add URL to HBAC rule
diff --git a/install/share/60basev2.ldif b/install/share/60basev2.ldif
index 00712ddda2c548b7f7924a012f3f68499f2f01da..ff30b7ea0bd04b783d19048c1745c1486807d834 100644
--- a/install/share/60basev2.ldif
+++ b/install/share/60basev2.ldif
@@ -37,7 +37,9 @@ attributeTypes: (2.16.840.1.113730.3.8.3.11 NAME 'externalHost' DESC 'Multivalue
 attributeTypes: (2.16.840.1.113730.3.8.3.12 NAME 'sourceHostCategory' DESC 'Additional classification for hosts' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.13 NAME 'accessRuleType' DESC 'The flag to represent if it is allow or deny rule.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.14 NAME 'accessTime' DESC 'Access time' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
-objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime ) X-ORIGIN 'IPA v2' )
+attributeTypes: (2.16.840.1.113730.3.8.11.74 NAME 'schemeAndHost' DESC 'Schema and host part of the URI' EQUALITY caseIgnoretMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+attributeTypes: (2.16.840.1.113730.3.8.11.73 NAME 'url' DESC 'Path part of URI (prefix)' EQUALITY caseExactMatch ORDERING caseExactOrderingMatch SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
+objectClasses: (2.16.840.1.113730.3.8.4.7 NAME 'ipaHBACRule' SUP ipaAssociation STRUCTURAL MUST accessRuleType MAY ( sourceHost $ sourceHostCategory $ serviceCategory $ memberService $ externalHost $ accessTime $ schemeAndHost $ url) X-ORIGIN 'IPA v2' )
 attributeTypes: (2.16.840.1.113730.3.8.3.15 NAME 'nisDomainName' DESC 'NIS domain name.' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v2' )
 objectClasses: (2.16.840.1.113730.3.8.4.8 NAME 'ipaNISNetgroup' DESC 'IPA version of NIS netgroup' SUP ipaAssociation STRUCTURAL MAY ( externalHost $ nisDomainName $ member $ memberOf ) X-ORIGIN 'IPA v2' )
 attributeTypes: (1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'automount Map Name' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE X-ORIGIN 'RFC 2307bis' )
diff --git a/install/ui/src/freeipa/hbac.js b/install/ui/src/freeipa/hbac.js
index 6161942b93fce654830330fdbdf6853ce9e428ff..c56ded20ec0064e586fa01b169fa82f86d5ac549 100644
--- a/install/ui/src/freeipa/hbac.js
+++ b/install/ui/src/freeipa/hbac.js
@@ -52,7 +52,9 @@ var spec = {
 label: '@i18n:status.label',
 formatter: 'boolean_status'
 },
- 'description'
+ 'description',
+ 'schemeandhost',
+ 'url'
 ],
 actions: [
 'batch_disable',
@@ -244,6 +246,16 @@ var add_hbacrule_details_facet_widgets = function (spec) {
 $type: 'textarea',
 name: 'description',
 widget: 'general.description'
+ },
+ {
+ $type: 'textarea',
+ name: 'schemeandhost',
+ widget: 'general.schemeandhost'
+ },
+ {
+ $type: 'textarea',
+ name: 'url',
+ widget: 'general.url'
 }
 ];
 
@@ -259,6 +271,14 @@ var add_hbacrule_details_facet_widgets = function (spec) {
 {
 $type: 'textarea',
 name: 'description'
+ },
+ {
+ $type: 'textarea',
+ name: 'schemeandhost'
+ },
+ {
+ $type: 'textarea',
+ name: 'url'
 }
 ]
 }
@@ -503,4 +523,4 @@ exp.register = function() { phases.on('registration', exp.register); return exp;
-});
\ No newline at end of file
+});
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 1b9b69ff909a9668c1e1867008459d25d5e062a9..bdc98afc4fa750e6fd951e5753c6f83db9a79ba0 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
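Review bot: The new `schemeAndHost` attribute type declares `EQUALITY caseIgnoretMatch`, which is not a matching-rule name; every neighbouring attribute uses `caseIgnoreMatch`, and a definition with an unknown matching rule is likely to be refused when 60basev2.ldif is loaded, so the line should read `EQUALITY caseIgnoreMatch`. The DESC on the same line says 'Schema and host part of the URI' while the API label and the ipa_init.json string both say 'Scheme'. Neither new attribute is marked SINGLE-VALUE although API.txt declares both parameters `multivalue=False`; if one value per rule is the contract, adding `SINGLE-VALUE` to both definitions stops the directory from accepting what the plugin cannot present. The two added lines also end with `X-ORIGIN 'IPA v3')` instead of the `X-ORIGIN 'IPA v2' )` spacing used on every surrounding line, and `url` is a generic name that other directory schemas may define under a different OID, so an IPA-prefixed attribute name would be the safer choice.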
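Review bot: Both new fields in the `@@ -244,6 +246,16 @@` hunk are declared with `$type: 'textarea'`, copied from the `description` entry above them, and the matching widgets in the `@@ -259,6 +271,14 @@` hunk repeat it; a scheme-plus-host string and a URI path prefix are single-line values, and a multi-line control may carry embedded newlines into the case-exact `url` attribute unchanged. Use `$type: 'text'` for `schemeandhost` and `url` in both places so the UI control matches the single-valued `Str` parameters. The enclosing `add_hbacrule_details_facet_widgets` function starts before these hunks and ends after them.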
@@ -354,7 +354,9 @@
 "specified_hosts": "Specified Hosts and Groups",
 "specified_services": "Specified Services and Groups",
 "specified_users": "Specified Users and Groups",
- "user": "Who"
+ "user": "Who",
+ "schemeandhost": "Scheme and host part of URI",
+ "url": "Path part of URI (prefix)"
 },
 "hbacsvc": {},
 "hbacsvcgroup": {
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 54487eded21637bcd9d78179ad51c4abdedfc561..79be7fec8c87080ffa424efb53e2a3e79b3268fd 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -137,7 +137,7 @@ class hbacrule(LDAPObject): 'description', 'usercategory', 'hostcategory', 'servicecategory', 'ipaenabledflag', 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
- 'externalhost',
+ 'externalhost','schemeandhost','url',
 ]
 uuid_attribute = 'ipauniqueid'
 rdn_attribute = 'ipauniqueid'
@@ -157,7 +157,7 @@ class hbacrule(LDAPObject): 'externalhost', 'hostcategory', 'ipaenabledflag', 'ipauniqueid', 'memberhost', 'memberservice', 'memberuser', 'servicecategory', 'sourcehost', 'sourcehostcategory',
- 'usercategory', 'objectclass', 'member',
+ 'usercategory', 'objectclass', 'member', 'schemeandhost', 'url',
 },
 },
 'System: Add HBAC Rule': {
@@ -275,6 +275,12 @@ class hbacrule(LDAPObject):
 label=_('Service Groups'),
 flags=['no_create', 'no_update', 'no_search'],
 ),
+ Str('schemeandhost?',
+ label=_('Scheme and host part of URI'),
+ ),
+ Str('url?',
+ label=_('Path part of URI (prefix)'),
+ ),
 external_host_param,
 )
 
diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
index 54871f76de99d92f0f23129b4d636cc4fccfbb8b..4dcce84f9b39f66c99b3f0b2129e3f75c4adc784 100644
--- a/ipalib/plugins/internal.py
+++ b/ipalib/plugins/internal.py
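Review bot: The replacement line `'externalhost','schemeandhost','url',` in the `@@ -137,7 +137,7 @@` hunk drops the space after each comma that every other item in this attribute list keeps; write it as `'externalhost', 'schemeandhost', 'url',` so the list reads uniformly. The list's opening lines are outside the hunk.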
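Review bot: The `@@ -157,7 +157,7 @@` hunk widens only the attribute set that appears to belong to the read permission (it carries `createtimestamp`, `entryusn` and `objectclass`), and the ACI.txt hunk in this same patch shows the `System: Modify HBAC Rule` ACI still limited to `accessruletype || accesstime || cn || description || hostcategory || ipaenabledflag || servicecategory || sourcehost || sourcehostcategory || usercategory`, so a principal that holds that delegated permission rather than full admin rights can read `schemeandhost` and `url` but cannot set or clear them through `hbacrule-mod`. Unless that asymmetry is intended, the modify permission's attribute set should gain `'schemeandhost', 'url',` as well, and the regenerated ACI.txt entry would then follow. The permission mapping this set belongs to starts before the hunk, so the modify entry itself is not visible here.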
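Review bot: In the `@@ -275,6 +275,12 @@` hunk, `Str('schemeandhost?', ...)` and `Str('url?', ...)` accept any string, yet their labels and the LDIF descriptions say one holds a scheme plus host and the other a path prefix that consumers presumably compare against requested URIs; a stray space, a missing leading slash, or a scheme typed into `url` silently yields a rule that never or always matches. Constrain both with `pattern=` and `pattern_errmsg=` on the `Str` (for instance, `schemeandhost` shaped like `scheme://host` with no path component, and `url` starting with `/`) and give each a `doc=_(...)` sentence explaining how the two parts combine, since the label alone does not convey the split. The parameter tuple these entries extend begins before the hunk.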
@@ -499,6 +499,8 @@ class i18n_messages(Command):
 "specified_services": _("Specified Services and Groups"),
 "specified_users": _("Specified Users and Groups"),
 "user": _("Who"),
+ "schemeandhost": _("Scheme and host part of URI"),
+ "url": _("Path part of URI (prefix)"),
 },
 "hbacsvc": {
 },
-- 
2.4.3