[Freeipa-devel] [WIP] Time-Based HBAC Policies

Stanislav Laznicka slaznick at redhat.com
Fri Mar 4 13:53:33 UTC 2016


Hello,

So in the previous month and a bit I was reworking the time-based 
policies according to the changes we agreed on 
(http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line 83). 
Let me briefly walk you through what was done (no TLDR, sorry, but I split 
the text into chapters):

*Time rule templates*
In the attachment is the proposal for how this could be done using 
CoS templates. Currently, the time rule templates have their own 
directory in the realm tree. The idea is that it could be used for both 
HBAC and Sudo rules so it needs to be in a location both should be able 
to reach. Should we not want them used in Sudo rules, the template 
directory could be moved to the HBAC directory. There are also some new 
permissions for accessing these time rule templates which may need to be 
revised if the templates should be used for both sudo and HBAC rules.

*iCalendar format validation*
So there is an iCalendar string validation now. During its creation, I 
came across several issues with python-icalendar which is basically why 
it took me so long to write the validation. I made several fixes to the 
python-icalendar library, most of them are already merged in the 
repository master (https://github.com/collective/icalendar), one should 
be pushed in the next library major release.

My pull requests:
https://github.com/collective/icalendar/pull/175
https://github.com/collective/icalendar/pull/179
https://github.com/collective/icalendar/pull/180
https://github.com/collective/icalendar/pull/183
https://github.com/collective/icalendar/pull/189

I still have one fix in the making, that one should force the strong 
types in iCalendar as these are also missing in python-icalendar but 
required by the RFC.

Also, obviously, if you want to try the patches, you will need the 
current python-icalendar implementation from GitHub. I haven't put the 
python-icalendar dependency into the .spec file yet for this reason.
*Summary*
We are now able to import iCalendar strings from files and more or less 
be sure that the parts we need will be consistent with RFC 5545 
(basically, we are only checking that VEVENT components are correct; to 
bring strict checking to python-icalendar would take some time and I 
believe I have spent way too much time on it already (there is an issue 
on their GitHub page, though; it's 4 years old)).

*TODO now*
0) Update the design
1a) The hbacrule-*-accesstime command should probably be split into 2 
commands, one that reads iCalendar strings from files, and one that 
creates those strings from "some kind of user input" (similarly for 
timeruletemplates).
1b) Create the format of user input we could expect for the second kind 
of command from 1a). We need to be able to convert it to an iCalendar 
string and back so that we are able to present the data stored on the 
server in human readable form. The NL part of http://jkbrzt.github.io/rrule/ 
might be of help, although it aims mostly at the RRULE property of VEVENT 
components, whereas we may want to use DTEND, EXDATE, RDATE and DURATION 
as well to be able to specify events more properly.
2) Represent the HBAC time rules on SSSD side. I already have a skeleton 
of this based on libical (https://github.com/libical/libical), which 
hopefully seems to be more viable than python-icalendar. I do not mean 
to do the validation of received iCalendar string on the SSSD side 
anymore (at least not in an excessive way), just get the required 
properties from VEVENT components and evaluate them accordingly.

*Discuss*
I would really appreciate your input on these topics:
1) How to represent the iCalendar strings on the client side in CLI 
(while thinking about WebUI as well)?
2a) Do we want to use the time rules for Sudo rules as well?
2b) If 2a), is the proposed location of time rule templates along with 
the privileges ok?

Standa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-HBAC-Access-Time-Rules-icalendar-format-validation.patch
Type: text/x-patch
Size: 14926 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160304/ab24a720/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Templating-of-access-time-rules-for-HBAC.patch
Type: text/x-patch
Size: 22745 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160304/ab24a720/attachment-0001.bin>
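Added worked example, not part of this message or the attached patches and not using python-icalendar or libical: a stdlib-only Python sketch of the two pieces the message discusses, the RFC 5545 check on VEVENT components (UID, DTSTAMP and DTSTART required; DTEND and DURATION mutually exclusive) and the evaluation an SSSD-style client would do, i.e. whether a login time falls inside an occurrence given DTSTART, DTEND/DURATION, RRULE, RDATE and EXDATE. The function and property names, the handled RRULE subset (FREQ=DAILY|WEEKLY with INTERVAL, UNTIL and plain BYDAY) and the single-time-zone assumption are mine, and the sample calendar is constructed.

```python
# Added example (not code from the FreeIPA patches, python-icalendar or libical): validate the
# VEVENT components of an iCalendar string per RFC 5545 3.6.1 and decide whether a point in time
# falls inside one of their occurrences, standard library only. Handled subset: DTSTART, DTEND or
# DURATION, RDATE, EXDATE, RRULE with FREQ=DAILY|WEEKLY and INTERVAL/UNTIL/BYDAY. Assumption: a
# single local time zone (TZID parameters are dropped and a trailing Z is ignored).
import re
from datetime import datetime, timedelta

WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}
DURATION_RE = re.compile(r"^([+-])?P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_vevents(ical_text):
    """Return one {PROPERTY: [value, ...]} dict per VEVENT; property parameters are dropped."""
    text = re.sub(r"\r?\n[ \t]", "", ical_text)  # unfold folded lines (RFC 5545 3.1)
    events, cur = [], None
    for line in text.splitlines():
        if line.upper() == "BEGIN:VEVENT":
            cur = {}
        elif line.upper() == "END:VEVENT":
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur.setdefault(name.split(";", 1)[0].upper(), []).append(value)
    return events

def validate_vevent(ev):
    """List the RFC 5545 3.6.1 violations of one VEVENT; an empty list means it is acceptable."""
    problems = ["missing required property " + p for p in ("UID", "DTSTAMP", "DTSTART") if p not in ev]
    problems += [p + " must not occur more than once" for p in ("UID", "DTSTAMP", "DTSTART", "DTEND", "DURATION")
                 if len(ev.get(p, [])) > 1]
    if "DTEND" in ev and "DURATION" in ev:
        problems.append("DTEND and DURATION are mutually exclusive")
    return problems

def parse_dt(value):
    """Parse a DATE-TIME (YYYYMMDDTHHMMSS[Z]) or DATE (YYYYMMDD) value."""
    v = value.rstrip("Z")
    return datetime.strptime(v, "%Y%m%dT%H%M%S" if "T" in v else "%Y%m%d")

def parse_duration(value):
    """Parse a DURATION such as PT8H or P1DT12H into a timedelta."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError("bad DURATION %r" % value)
    sign, w, d, h, mi, s = m.groups()
    td = timedelta(weeks=int(w or 0), days=int(d or 0), hours=int(h or 0), minutes=int(mi or 0), seconds=int(s or 0))
    return -td if sign == "-" else td

def occurrences_up_to(ev, when):
    """Occurrence start times (DTSTART, RRULE expansion, RDATE) that are not later than `when`."""
    dtstart = parse_dt(ev["DTSTART"][0])
    starts = {dtstart} | {parse_dt(v) for r in ev.get("RDATE", []) for v in r.split(",")}
    if "RRULE" in ev:
        rule = dict(p.split("=", 1) for p in ev["RRULE"][0].split(";"))
        freq, interval = rule.get("FREQ"), int(rule.get("INTERVAL", 1))
        # Fail closed: rule parts outside the subset (COUNT, BYMONTH, positional BYDAY, ...) are
        # rejected, not ignored, because ignoring a restriction could widen the access window.
        if freq not in ("DAILY", "WEEKLY") or set(rule) - {"FREQ", "INTERVAL", "UNTIL", "BYDAY"}:
            raise ValueError("RRULE %r is outside this example's subset" % ev["RRULE"][0])
        until = parse_dt(rule["UNTIL"]) if "UNTIL" in rule else when
        if "BYDAY" in rule:
            bydays = {WEEKDAYS[d] for d in rule["BYDAY"].split(",")}
        else:
            bydays = set(range(7)) if freq == "DAILY" else {dtstart.weekday()}
        week0 = dtstart - timedelta(days=dtstart.weekday())  # Monday of DTSTART's week (WKST=MO default)
        day = dtstart + timedelta(days=1)  # DTSTART itself is always the first instance (already in starts)
        while day <= min(when, until):
            period = (day - dtstart).days if freq == "DAILY" else (day - week0).days // 7
            if period % interval == 0 and day.weekday() in bydays:
                starts.add(day)
            day += timedelta(days=1)
    return {s for s in starts if s <= when}

def allowed_at(ev, when):
    """True if `when` lies in [start, start + length) of an occurrence not excluded by EXDATE."""
    if "DTEND" in ev:
        length = parse_dt(ev["DTEND"][0]) - parse_dt(ev["DTSTART"][0])
    elif "DURATION" in ev:
        length = parse_duration(ev["DURATION"][0])
    else:  # RFC 5545 3.6.1: a DATE start covers the whole day, a DATE-TIME start has zero length
        length = timedelta(days=1) if "T" not in ev["DTSTART"][0] else timedelta(0)
    exdates = {parse_dt(v) for x in ev.get("EXDATE", []) for v in x.split(",")}
    return any(s <= when < s + length for s in occurrences_up_to(ev, when) - exdates)

def check(ical_text, when):
    """Validate every VEVENT in the string, then report whether `when` is covered by any of them."""
    events = parse_vevents(ical_text)
    problems = [p for ev in events for p in validate_vevent(ev)]
    if problems:
        raise ValueError("; ".join(problems))
    return any(allowed_at(ev, when) for ev in events)

# Constructed sample (not from the patches): weekday access 08:00-16:00 from Tuesday 2016-03-01,
# an extra Saturday slot on 2016-03-05 (RDATE) and no access on Tuesday 2016-03-08 (EXDATE).
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//hbac//EN", "BEGIN:VEVENT",
    "UID:office-hours@example.test", "DTSTAMP:20160301T000000Z", "DTSTART:20160301T080000",
    "DURATION:PT8H", "RRULE:FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR",
    "RDATE:20160305T080000", "EXDATE:20160308T080000", "END:VEVENT", "END:VCALENDAR", ""])

if __name__ == "__main__":
    for t in (datetime(2016, 3, 2, 9), datetime(2016, 3, 2, 17), datetime(2016, 3, 5, 9), datetime(2016, 3, 8, 9)):
        print(t, "allowed" if check(SAMPLE, t) else "denied")
```

The evaluator only expands occurrences up to the time being checked, so a rule that has run for years does not cost more than the days between DTSTART and now, and anything outside the supported RRULE subset raises instead of being skipped; for an access rule that is the safer default, since a silently ignored COUNT or BYMONTH would grant more than the administrator wrote.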