From 366a208f9d7bbbf637d192d1dfcab4482f69c441 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 11 Aug 2015 08:19:59 +0200 Subject: [PATCH] Added CLI param and ACL for vault service operations. The CLIs to manage vault owners and members have been modified to accept services with a new parameter. A new ACL has been added to allow a service to create its own service container. https://fedorahosted.org/freeipa/ticket/5172 Reviewed-By: Jan Cholasta Reviewed-By: Martin Kosek
--- API.txt | 12 ++- VERSION | 4 +- install/share/vault.update | 1 + ipalib/plugins/vault.py | 177 +++++++++++++++++++++------------------------ 4 files changed, 94 insertions(+), 100 deletions(-)
diff --git a/API.txt b/API.txt
index 2e19d6b2f1e16cc1c89d71ed7d443145426a28e3..71df3a56595a012e6382414ad4453d30ede8155b 100644
--- a/API.txt
+++ b/API.txt
@@ -5434,13 +5434,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_add_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5449,13 +5450,14 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_add_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5547,13 +5549,14 @@ output: Entry('result', , Gettext('A dictionary representing an LDA
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: vault_remove_member
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
@@ -5562,13 +5565,14 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: vault_remove_owner
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Str('services', alwaysask=True, cli_name='services', csv=True, multivalue=True, required=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
 option: Str('username?', cli_name='user')
diff --git a/VERSION b/VERSION
index ca43f3e0c06880d355c068514134187c5edda175..69351a8fa8e27c884c130ab49d3fab541cd09ff9 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: edewata - Added CLI param and ACL for vault service operations
diff --git a/install/share/vault.update b/install/share/vault.update
index 61a8940b544fbc839b931f337389ac35dc2d1ffa..14421b5189efe9b3d9491e845e74debca6e18941 100644
--- a/install/share/vault.update
+++ b/install/share/vault.update
@@ -8,6 +8,7 @@ default: objectClass: top
 default: objectClass: ipaVaultContainer
 default: cn: vaults
 default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";)
+default: aci: (target="ldap:///cn=*,cn=services,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow services to create private container"; allow (add) userdn = "ldap:///krbprincipalname=($$attr.cn)@$REALM,cn=services,cn=accounts,$SUFFIX";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";)
 default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";)
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index ac608f5c7e2779da138c75a0f02bd5546f4aeffd..01c6096335d47b337253d4f2d1e0571200383c7a 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -44,7 +44,7 @@ from ipalib.crud import PKQuery, Retrieve, Update
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
 LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\
- pkey_to_value
+ LDAPModMember, pkey_to_value
 from ipalib.request import context
 from ipalib.plugins.user import split_principal
 from ipalib import _, ngettext
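Review bot: The new service ACI grants `allow (add)` only, mirroring the user ACI on the line above, so a service can create its own container under `cn=services,cn=vaults,cn=kra,$SUFFIX` once but gets no right from this rule to modify or delete it afterwards; that asymmetry is presumably intended and deserves a comment next to the rule. The macro also ties the container name to the principal: `($$attr.cn)` is substituted into `krbprincipalname=...@$REALM`, so the bind DN only resolves when the container's cn equals the principal name without its realm part — I infer this from the macro; the naming on the plugin side is not in this hunk. If the update format accepts comment lines here, I would add before the new aci `# Services may create (not modify/delete) their own container; its cn must be the principal name without the realm`.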
@@ -93,122 +93,91 @@ The secret can only be retrieved using the private key. """) + _(""" EXAMPLES: """) + _(""" - List private vaults: + List vaults: ipa vault-find + [--user |--service |--shared] """) + _(""" - List service vaults: - ipa vault-find --service -""") + _(""" - List shared vaults: - ipa vault-find --shared -""") + _(""" - List user vaults: - ipa vault-find --user -""") + _(""" - Add a private vault: + Add a standard vault: ipa vault-add -""") + _(""" - Add a service vault: - ipa vault-add --service -""") + _(""" - Add a shared vault: - ipa vault-add --shared -""") + _(""" - Add a user vault: - ipa vault-add --user + [--user |--service |--shared] """) + _(""" Add a symmetric vault: - ipa vault-add --type symmetric --password-file password.txt + ipa vault-add + [--user |--service |--shared] + --type symmetric --password-file password.txt """) + _(""" Add an asymmetric vault: - ipa vault-add --type asymmetric --public-key-file public.pem + ipa vault-add + [--user |--service |--shared] + --type asymmetric --public-key-file public.pem """) + _(""" - Show a private vault: + Show a vault: ipa vault-show + [--user |--service |--shared] """) + _(""" - Show a service vault: - ipa vault-show --service + Modify a vault: + ipa vault-mod + [--user |--service |--shared] + --desc """) + _(""" - Show a shared vault: - ipa vault-show --shared -""") + _(""" - Show a user vault: - ipa vault-show --user -""") + _(""" - Modify a private vault: - ipa vault-mod --desc -""") + _(""" - Modify a service vault: - ipa vault-mod --service --desc -""") + _(""" - Modify a shared vault: - ipa vault-mod --shared --desc -""") + _(""" - Modify a user vault: - ipa vault-mod --user --desc -""") + _(""" - Delete a private vault: + Delete a vault: ipa vault-del -""") + _(""" - Delete a service vault: - ipa vault-del --service -""") + _(""" - Delete a shared vault: - ipa vault-del --shared -""") + _(""" - Delete a user vault: - ipa vault-del --user + [--user |--service |--shared] """) + 
_(""" Display vault configuration: ipa vaultconfig-show """) + _(""" - Archive data into private vault: - ipa vault-archive --in -""") + _(""" - Archive data into service vault: - ipa vault-archive --service --in -""") + _(""" - Archive data into shared vault: - ipa vault-archive --shared --in -""") + _(""" - Archive data into user vault: - ipa vault-archive --user --in + Archive data into standard vault: + ipa vault-archive + [--user |--service |--shared] + --in """) + _(""" Archive data into symmetric vault: - ipa vault-archive --in + ipa vault-archive + [--user |--service |--shared] + --in + --password-file password.txt """) + _(""" Archive data into asymmetric vault: - ipa vault-archive --in -""") + _(""" - Retrieve data from private vault: - ipa vault-retrieve --out -""") + _(""" - Retrieve data from service vault: - ipa vault-retrieve --service --out -""") + _(""" - Retrieve data from shared vault: - ipa vault-retrieve --shared --out + ipa vault-archive + [--user |--service |--shared] + --in """) + _(""" - Retrieve data from user vault: - ipa vault-retrieve --user --out + Retrieve data from standard vault: + ipa vault-retrieve + [--user |--service |--shared] + --out """) + _(""" Retrieve data from symmetric vault: - ipa vault-retrieve --out data.bin + ipa vault-retrieve + [--user |--service |--shared] + --out + --password-file password.txt """) + _(""" Retrieve data from asymmetric vault: - ipa vault-retrieve --out data.bin --private-key-file private.pem + ipa vault-retrieve + [--user |--service |--shared] + --out --private-key-file private.pem """) + _(""" - Add a vault owner: - ipa vault-add-owner --users + Add vault owners: + ipa vault-add-owner + [--user |--service |--shared] + [--users ] [--groups ] [--services ] """) + _(""" - Delete a vault owner: - ipa vault-remove-owner --users + Delete vault owners: + ipa vault-remove-owner + [--user |--service |--shared] + [--users ] [--groups ] [--services ] """) + _(""" - Add a vault member: - ipa 
vault-add-member --users + Add vault members: + ipa vault-add-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] """) + _(""" - Delete a vault member: - ipa vault-remove-member --users + Delete vault members: + ipa vault-remove-member + [--user |--service |--shared] + [--users ] [--groups ] [--services ] """) @@ -285,8 +254,8 @@ class vault(LDAPObject): 'ipavaulttype', ] attribute_members = { - 'owner': ['user', 'group'], - 'member': ['user', 'group'], + 'owner': ['user', 'group', 'service'], + 'member': ['user', 'group', 'service'], } label = _('Vaults') @@ -340,6 +309,11 @@ class vault(LDAPObject): label=_('Owner groups'), flags=['no_create', 'no_update', 'no_search'], ), + Str( + 'owner_service?', + label=_('Owner services'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -1432,8 +1406,23 @@ class vault_retrieve_internal(PKQuery): return response +class VaultModMember(LDAPModMember): + def get_options(self): + for param in super(VaultModMember, self).get_options(): + if param.name == 'service' and param not in vault_options: + param = param.clone_rename('services') + yield param + + def get_member_dns(self, **options): + if 'services' in options: + options['service'] = options.pop('services') + else: + options.pop('service', None) + return super(VaultModMember, self).get_member_dns(**options) + + @register() -class vault_add_owner(LDAPAddMember): +class vault_add_owner(VaultModMember, LDAPAddMember): __doc__ = _('Add owners to a vault.') takes_options = LDAPAddMember.takes_options + vault_options @@ -1457,7 +1446,7 @@ class vault_add_owner(LDAPAddMember): @register() -class vault_remove_owner(LDAPRemoveMember): +class vault_remove_owner(VaultModMember, LDAPRemoveMember): __doc__ = _('Remove owners from a vault.') takes_options = LDAPRemoveMember.takes_options + vault_options 
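Review bot: `VaultModMember` has no docstring, and the reason for the rename in `get_options` is not visible from the code alone: `vault_options` already contributes `Str('service?')`, which selects the vault's container, while `LDAPModMember` generates a second `service` option for the member type from `attribute_members`, so the generated one is renamed to `services` and `get_member_dns` maps it back (and otherwise drops the selector) before delegating. I would add a class docstring such as `"""Rename the generated member-type 'service' option to 'services' so it does not clash with the 'service' container selector in vault_options."""`. The guard `param not in vault_options` appears to rely on object identity to tell the two apart; a one-line comment saying so would keep a future equality method on Param from silently breaking it. `vault_options` is defined outside this hunk, and the same mixin is applied to the four member commands in this and the following hunk.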
@@ -1481,14 +1470,14 @@ class vault_remove_owner(LDAPRemoveMember): @register() -class vault_add_member(LDAPAddMember): +class vault_add_member(VaultModMember, LDAPAddMember): __doc__ = _('Add members to a vault.') takes_options = LDAPAddMember.takes_options + vault_options @register() -class vault_remove_member(LDAPRemoveMember): +class vault_remove_member(VaultModMember, LDAPRemoveMember): __doc__ = _('Remove members from a vault.') takes_options = LDAPRemoveMember.takes_options + vault_options -- 2.4.3