[Freeipa-devel] [WIP] Time-Based HBAC Policies

Stanislav Laznicka slaznick at redhat.com
Fri Mar 4 14:39:33 UTC 2016


Based on Alexander's suggestion I created a copr repo with the latest 
python-icalendar version.

https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/

On 03/04/2016 02:53 PM, Stanislav Laznicka wrote:
> Hello,
>
> So in the previous month and a bit I was reworking the time-based 
> policies according to the changes we agreed on 
> (http://pad.engineering.redhat.com/ipa-time-based-HBAC-design, line 
> 83). Let me briefly walk you through what was done (no TLDR, sorry, 
> but I split the text into chapters):
>
> *Time rule templates*
> In the attachment is the proposal how this could be done using 
> costemplates. Currently, the time rule templates have their own 
> directory in the realm tree. The idea is that it could be used for 
> both HBAC and Sudo rules so it needs to be in a location both should 
> be able to reach. Should we not want them used in Sudo rules, the 
> template directory could be moved to HBAC directory. There are also 
> some new permissions for accessing these time rule templates which may 
> need to be revised if the templates should be used both for sudo and 
> HBAC rules.
>
> *iCalendar format validation*
> So there is an iCalendar string validation now. During its creation, 
> I came across several issues with python-icalendar which is basically 
> why it took me so long to write the validation. I made several fixes 
> to the python-icalendar library, most of them are already merged in 
> the repository master (https://github.com/collective/icalendar), one 
> should be pushed in the next library major release.
>
> My pull requests:
> https://github.com/collective/icalendar/pull/175
> https://github.com/collective/icalendar/pull/179
> https://github.com/collective/icalendar/pull/180
> https://github.com/collective/icalendar/pull/183
> https://github.com/collective/icalendar/pull/189
>
> I still have one fix in the making, that one should force the strong 
> types in iCalendar as these are also missing in python-icalendar but 
> required by the RFC.
>
> Also, obviously, if you want to try the patches, you will need the 
> current python-icalendar implementation from Github. I haven't put 
> python-icalendar dependency into the .spec file yet for this reason.
>
> *Summary*
> We are now able to import iCalendar strings from files and more or 
> less be sure that the parts we need will be consistent with the RFC 
> 5545 (basically, we are only checking that VEVENT components are 
> correct, to bring strict checking to python-icalendar would take some 
> time and I believe I spent way too much time with it already (there is 
> an issue on their github page, though, it's 4 years old)).
>
> *TODO now*
> 0) Update the design
> 1a) The hbacrule-*-accesstime should probably be split into 2 
> commands, one that reads iCalendar strings from files, and one that 
> creates those strings from "some kind of user input" (similarly for 
> timeruletemplates).
> 1b) Create the format of user input we could expect for the second 
> kind of command from 1a). We need to be able to convert it to 
> iCalendar string and back so that we are able to present the data 
> stored on the server in human readable form. 
> http://jkbrzt.github.io/rrule/ (the NL part) might be of help, although 
> it aims mostly at the RRULE property of VEVENT components, whereas we may 
> want to use DTEND, EXDATE, RDATE and DURATION as well to be able to 
> specify events more properly.
> 2) Represent the HBAC time rules on SSSD side. I already have a 
> skeleton of this based on libical 
> (https://github.com/libical/libical), which hopefully seems to be more 
> viable than python-icalendar. I do not mean to do the validation of 
> received iCalendar string on the SSSD side anymore (at least not in an 
> excessive way), just get the required properties from VEVENT 
> components and evaluate them accordingly.
>
> *Discuss*
> I would really appreciate your input on these topics:
> 1) How to represent the iCalendar strings on the client side in CLI 
> (while thinking about WebUI as well)?
> 2a) Do we want to use the time rules for Sudo rules as well?
> 2b) If 2a), is the proposed location of time rule templates along with 
> the privileges ok?
>
> Standa
>
>

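As an added example (not FreeIPA, SSSD or python-icalendar code, and not part of the thread above), the following stand-alone Python shows the two pieces the message describes end to end: the RFC 5545 checks on VEVENT components that the server-side validation is about, and the client-side step of pulling DTSTART, DTEND/DURATION, RRULE and EXDATE out of a VEVENT and evaluating whether a login instant falls inside an occurrence. Line parsing is hand-written (no line unfolding, no timezone parameters, everything treated as UTC) so it runs offline; the function names (`access_allowed`, `vevent_problems`, `covers`), the supported RRULE subset (FREQ=DAILY or WEEKLY with BYDAY and UNTIL, INTERVAL=1) and the `OFFICE_HOURS` policy are all constructed for this example and are not what the project ships.

```python
import re
from datetime import datetime, timedelta

WEEKDAYS = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_dt(value):
    # DATE-TIME in RFC 5545 basic form, e.g. 20160307T080000Z; all values are treated as UTC.
    return datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S")


def parse_duration(value):
    match = DURATION_RE.match(value)
    if not match:
        raise ValueError("unsupported DURATION: %s" % value)
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_vevents(ical):
    # One dict per VEVENT mapping property name -> list of values; parameters after ';' are
    # dropped and folded continuation lines are not supported (example simplification).
    events, current = [], None
    for raw in ical.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current.setdefault(name.split(";", 1)[0].upper(), []).append(value)
    if current is not None:
        raise ValueError("unterminated VEVENT")
    return events


def vevent_problems(event):
    # Subset of the RFC 5545 section 3.6.1 rules; an empty list means the VEVENT passes.
    problems = ["%s is required" % n for n in ("UID", "DTSTART") if n not in event]
    if "DTEND" in event and "DURATION" in event:
        problems.append("DTEND and DURATION must not both be present")
    problems += ["%s must occur at most once" % n for n in ("DTSTART", "DTEND", "DURATION", "RRULE")
                 if len(event.get(n, [])) > 1]
    return problems


def occurrence_length(event):
    start = parse_dt(event["DTSTART"][0])
    if "DTEND" in event:
        return parse_dt(event["DTEND"][0]) - start
    if "DURATION" in event:
        return parse_duration(event["DURATION"][0])
    return timedelta(0)  # DATE-TIME DTSTART with neither DTEND nor DURATION is instantaneous


def covers(event, when):
    # True when `when` lies in [start, start + length) of some occurrence of the event.
    # DTSTART is assumed to satisfy its own RRULE, as RFC 5545 recommends.
    first, length = parse_dt(event["DTSTART"][0]), occurrence_length(event)
    rule = dict(p.split("=", 1) for p in event["RRULE"][0].split(";")) if "RRULE" in event else {}
    freq = rule.get("FREQ")
    if freq not in (None, "DAILY", "WEEKLY"):
        raise ValueError("unsupported FREQ: %s" % freq)
    until = parse_dt(rule["UNTIL"]) if "UNTIL" in rule else None
    bydays = {WEEKDAYS[d] for d in rule["BYDAY"].split(",")} if "BYDAY" in rule else {first.weekday()}
    excluded = {parse_dt(v) for values in event.get("EXDATE", []) for v in values.split(",")}
    start = first
    while start <= when:  # only occurrences starting at or before `when` can cover it
        if start not in excluded and (freq == "DAILY" or start.weekday() in bydays):
            if start <= when < start + length:
                return True
        if freq is None:
            break
        start += timedelta(days=1)
        if until is not None and start > until:
            break
    return False


def access_allowed(ical, when):
    # Reject a malformed policy outright; otherwise grant only if some VEVENT covers `when`.
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    events = parse_vevents(ical)
    problems = [p for ev in events for p in vevent_problems(ev)]
    if not events or problems:
        raise ValueError("; ".join(problems) or "no VEVENT component found")
    return any(covers(ev, when) for ev in events)


# Constructed sample policy: office hours, Monday to Friday 08:00-18:00 UTC, Monday 14 March skipped.
OFFICE_HOURS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//added example//time-based HBAC//EN
BEGIN:VEVENT
UID:office-hours@example.test
DTSTAMP:20160304T143933Z
DTSTART:20160307T080000Z
DURATION:PT10H
RRULE:FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR
EXDATE:20160314T080000Z
END:VEVENT
END:VCALENDAR
"""
# Same policy with DTEND added next to DURATION, which RFC 5545 forbids; validation must reject it.
BOTH_END_AND_DURATION = OFFICE_HOURS.replace("DURATION:PT10H\n", "DURATION:PT10H\nDTEND:20160307T180000Z\n")
```

Calling `access_allowed(OFFICE_HOURS, "2016-03-09T12:00:00")` grants (Wednesday noon), while Saturday 12 March, the excluded Monday 14 March and 18:00 on any weekday are denied because the occurrence interval is half-open. The point the client-side evaluator should take from this is that validation and evaluation are separate steps: a policy that carries both DTEND and DURATION is refused before any time comparison happens, rather than silently picking one of them.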