On 05/21/2014 08:08 AM, Martin Kosek wrote:
On 05/19/2014 03:27 PM, Petr Viktorin wrote:
On 05/16/2014 02:00 PM, Martin Kosek wrote:
On 04/29/2014 11:02 PM, Petr Viktorin wrote:
I didn't test this as much as I'd like to, but it might come in handy when
testing my earlier patches.

The ACI is removed in the managed permissions plugin because I want to make
sure it's done after all the managed permission updates, which query it.

It worked in my case (I tested upgrade from 3.3.5). What do we do about other
permissions we will want to remove? I am talking about the following ACIs:

- no anonymous access to roles
- no anonymous access to sudo
- no anonymous access to hbac
- no anonymous access to member information

I would like to remove them in 544 as well, as otherwise they would bias the
testing.

Right. Here is the updated patch.

I tested upgrade from 3.3.5 to 4.0 and in SUFFIX I still had some of the ACIs 
left:

(targetattr = "*")(target =
"ldap:///cn=*,cn=roles,cn=accounts,dc=mkosek-fedora20,dc=test";)(version 3.0;
acl "No anonymous access to roles"; deny (read,search,compare) userdn !=
"ldap:///all";;)

(targetattr = "*")(target =
"ldap:///cn=*,ou=SUDOers,dc=mkosek-fedora20,dc=test";)(version 3.0; acl "No
anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)

The problem is that you used your testing suffix instead of suffix variable.

Shame on me. I've updated & rebased the patch.

I've also made a git hook yell at me when I commit something containing "BRQ", hopefully this won't happen again.

--
Petr³

From 0802e5ae783703c6f1d05ac3f961e41233884a10 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Tue, 29 Apr 2014 21:46:26 +0200
Subject: [PATCH] Remove the global anonymous read ACI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/share/default-aci.ldif                     | 13 ---
 install/share/delegation.ldif                      |  5 --
 install/updates/20-aci.update                      | 11 +++
 install/updates/60-trusts.update                   |  1 -
 ipaserver/install/plugins/update_anonymous_aci.py  | 96 ----------------------
 .../install/plugins/update_managed_permissions.py  | 19 +++++
 6 files changed, 30 insertions(+), 115 deletions(-)
 delete mode 100644 ipaserver/install/plugins/update_anonymous_aci.py

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index 480facf3294c593c6a2bcf326e20c32157d6d3c6..04fc185f785ee71246c6cc4f958c754158f16302 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -3,10 +3,7 @@
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetfilter = "(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))")(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash || ipaNTTrustAuthOutgoing || ipaNTTrustAuthIncoming")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
-aci: (targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)
 aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";;)
-aci: (targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
 
 dn: $SUFFIX
 changetype: modify
@@ -65,16 +62,6 @@ dn: cn=computers,cn=accounts,$SUFFIX
 add: aci
 aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Admins can manage host keytab";allow (write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 
-dn: cn=hbac,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: cn=sudo,$SUFFIX
-changetype: modify
-add: aci
-aci: (targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)
-
 # This is used for the host/service one-time passwordn and keytab indirectors.
 # We can do a query on a DN to see if an attribute exists.
 dn: cn=accounts,$SUFFIX
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 7bd4e1e2d93b1dde4122ad1bfbe889625d983544..43d13974ffd63ea6ee554c815b911715609149b8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -580,11 +580,6 @@ dn: $SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";;)
-
-dn: $SUFFIX
-changetype: modify
-add: aci
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Add Roles";allow (add) groupdn = "ldap:///cn=Add Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Remove Roles";allow (delete) groupdn = "ldap:///cn=Remove Roles,cn=permissions,cn=pbac,$SUFFIX";)
 aci: (targetattr = "cn || description")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "permission:Modify Roles";allow (write) groupdn = "ldap:///cn=Modify Roles,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index f31c2017796d17ab988f0426fa2e6617bbc50062..34cba4cc82454bed3ff7bd523a0356d7dfdd42b7 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -51,3 +51,14 @@ dn: $SUFFIX
 dn: cn=config
 # Replaced by 'System: Read Replication Agreements'
 remove:aci: '(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)'
+
+dn: $SUFFIX
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX";)(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";;)'
+remove:aci: '(targetattr = "memberOf || memberHost || memberUser")(version 3.0; acl "No anonymous access to member information"; deny (read,search,compare) userdn != "ldap:///all";;)'
+remove:aci: '(targetattr = "*")(target = "ldap:///cn=*,ou=SUDOers,$SUFFIX";)(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)'
+
+dn: cn=hbac,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to hbac"; deny (read,search,compare) userdn != "ldap:///all";;)'
+
+dn: cn=sudo,$SUFFIX
+remove:aci: '(targetattr = "*")(version 3.0; acl "No anonymous access to sudo"; deny (read,search,compare) userdn != "ldap:///all";;)'
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 77c2104ffa62462634438f7b729cdfd71cd27eb3..371bf656fcdea6b7ec54aeb42c5afd25ef1b90f9 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -34,7 +34,6 @@ dn: cn=trusts,$SUFFIX
 dn: $SUFFIX
 add:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read and write NT passwords"; allow (read,write) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
 remove:aci: '(targetattr = "ipaNTHash")(version 3.0; acl "Samba system principals can read NT passwords"; allow (read) groupdn="ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)'
-replace:aci:'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)::(target != "ldap:///idnsname=*,cn=dns,$SUFFIX";)(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || userPKCS12 || ipaNTHash")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)'
 
 # Add the default PAC type to configuration
 dn: cn=ipaConfig,cn=etc,$SUFFIX
diff --git a/ipaserver/install/plugins/update_anonymous_aci.py b/ipaserver/install/plugins/update_anonymous_aci.py
deleted file mode 100644
index 943b2457774c964fa66d97496bb66ef1f4e80f1c..0000000000000000000000000000000000000000
--- a/ipaserver/install/plugins/update_anonymous_aci.py
+++ /dev/null
@@ -1,96 +0,0 @@
-# Authors:
-#   Rob Crittenden <rcrit...@redhat.com>
-#
-# Copyright (C) 2013  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-from copy import deepcopy
-from ipaserver.install.plugins import FIRST, LAST
-from ipaserver.install.plugins.baseupdate import PostUpdate
-from ipalib import api, errors
-from ipalib.aci import ACI
-from ipalib.plugins import aci
-from ipapython.ipa_log_manager import *
-
-class update_anonymous_aci(PostUpdate):
-    """
-    Update the Anonymous ACI to ensure that all secrets are protected.
-    """
-    order = FIRST
-
-    def execute(self, **options):
-        aciname = u'Enable Anonymous access'
-        aciprefix = u'none'
-        ldap = self.obj.backend
-        targetfilter = '(&(!(objectClass=ipaToken))(!(objectClass=ipatokenTOTP))(!(objectClass=ipatokenHOTP))(!(objectClass=ipatokenRadiusConfiguration)))'
-        filter = None
-
-        entry_attrs = ldap.get_entry(api.env.basedn, ['aci'])
-
-        acistrs = entry_attrs.get('aci', [])
-        acilist = aci._convert_strings_to_acis(entry_attrs.get('aci', []))
-        try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
-        except errors.NotFound:
-            root_logger.error('Anonymous ACI not found, cannot update it')
-            return False, False, []
-
-        attrs = rawaci.target['targetattr']['expression']
-        rawfilter = rawaci.target.get('targetfilter', None)
-        if rawfilter is not None:
-            filter = rawfilter['expression']
-
-        update_attrs = deepcopy(attrs)
-
-        needed_attrs = []
-        for attr in ('ipaNTTrustAuthOutgoing', 'ipaNTTrustAuthIncoming'):
-            if attr not in attrs:
-                needed_attrs.append(attr)
-
-        update_attrs.extend(needed_attrs)
-        if (len(attrs) == len(update_attrs) and
-            filter == targetfilter):
-            root_logger.debug("Anonymous ACI already update-to-date")
-            return (False, False, [])
-
-        for tmpaci in acistrs:
-            candidate = ACI(tmpaci)
-            if rawaci.isequal(candidate):
-                acistrs.remove(tmpaci)
-                break
-
-        if len(attrs) != len(update_attrs):
-            root_logger.debug("New Anonymous ACI attributes needed: %s",
-                needed_attrs)
-
-            rawaci.target['targetattr']['expression'] = update_attrs
-
-        if filter != targetfilter:
-            root_logger.debug("New Anonymous ACI targetfilter needed.")
-
-            rawaci.set_target_filter(targetfilter)
-
-        acistrs.append(unicode(rawaci))
-        entry_attrs['aci'] = acistrs
-
-        try:
-            ldap.update_entry(entry_attrs)
-        except Exception, e:
-            root_logger.error("Failed to update Anonymous ACI: %s" % e)
-
-        return (False, False, [])
-
-api.register(update_anonymous_aci)
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 72c1b131fdbc27d10cbf0f0b2bd9eeab44d73ba4..c9994c77d390a85bfa954231dc8114aeb19709d6 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -81,6 +81,7 @@
 from ipalib.plugable import Registry
 from ipalib.plugins import aci
 from ipalib.plugins.permission import permission
+from ipalib.aci import ACI
 from ipaserver.plugins.ldap2 import ldap2
 from ipaserver.install.plugins import LAST
 from ipaserver.install.plugins.baseupdate import PostUpdate
@@ -250,6 +251,21 @@ def get_anonymous_read_aci(self, ldap):
         except errors.NotFound:
             return None
 
+    def remove_anonymous_read_aci(self, ldap, anonymous_read_aci):
+        base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+
+        acistrs = base_entry.get('aci', [])
+
+        for acistr in acistrs:
+            if ACI(acistr).isequal(anonymous_read_aci):
+                self.log.info('Removing anonymous ACI: %s', acistr)
+                acistrs.remove(acistr)
+                break
+        else:
+            return
+
+        ldap.update_entry(base_entry)
+
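Review bot: `remove_anonymous_read_aci` returns silently from the `for ... else` branch when none of the stored ACI strings matches `anonymous_read_aci`, even though the caller only invokes it after `get_anonymous_read_aci` found the ACI on the same entry; a mismatch at that point is surprising and worth recording, e.g. `self.log.debug('Anonymous read ACI not found in %s, nothing to remove', self.api.env.basedn)` in place of the bare `return`. The method also has no docstring; one sentence stating that it deletes the single ACI value equal (by `ACI.isequal`) to `anonymous_read_aci` from the base entry and writes the entry back, and that `anonymous_read_aci` is an `ACI` instance as returned by `get_anonymous_read_aci`, would let a reader follow it without the call site. Note that `ACI(acistr)` parses every value on the base entry, so a single malformed stored ACI raises here and aborts the plugin before `update_entry`; that fails closed (the old ACI stays), which is the right direction but could be stated in the docstring. The enclosing class starts outside this hunk.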
     def execute(self, **options):
         ldap = self.api.Backend[ldap2]
 
@@ -276,6 +292,9 @@ def execute(self, **options):
             self.update_permission(ldap, None, unicode(name), template,
                                    anonymous_read_aci)
 
+        if anonymous_read_aci:
+            self.remove_anonymous_read_aci(ldap, anonymous_read_aci)
+
         return False, False, ()
 
     def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
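Review bot: `if anonymous_read_aci:` tests the truthiness of an `ACI` object returned by `get_anonymous_read_aci`, which otherwise returns `None`; unless `ACI` defines no truthiness hooks this reads as intended only by accident, and `if anonymous_read_aci is not None:` states the actual condition. Since this removal is the step that withdraws anonymous read access, being explicit about when it runs is worth the change. The body of `execute` continues outside this hunk.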
-- 
1.9.0
