<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Based on Alexander's suggestion I created a copr repo with latest
python-icalendar version.<br>
<br>
<a class="moz-txt-link-freetext" href="https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/">https://copr.fedorainfracloud.org/coprs/stlaz/python-icalendar/packages/</a><br>
<br>
<div class="moz-cite-prefix">On 03/04/2016 02:53 PM, Stanislav
Laznicka wrote:<br>
</div>
<blockquote cite="mid:56D9935D.9050507@redhat.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Hello,<br>
<br>
So in the previous month and a bit I was reworking the time-based
policies according to the changes we agreed on (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://pad.engineering.redhat.com/ipa-time-based-HBAC-design"><a class="moz-txt-link-freetext" href="http://pad.engineering.redhat.com/ipa-time-based-HBAC-design">http://pad.engineering.redhat.com/ipa-time-based-HBAC-design</a></a>,
line 83). Let me briefly walk you through what was done (no TLDR,
sorry, but split the text in chapters):<br>
<br>
<b>Time rule templates</b><br>
In the attachment is the proposal how this could be done using
costemplates. Currently, the time rule templates have their own
directory in the realm tree. The idea is that it could be used for
both HBAC and Sudo rules so it needs to be in a location both
should be able to reach. Should we not want them used in Sudo
rules, the template directory could be moved to HBAC directory.
There are also some new permissions for accessing these time rule
templates which may need to be revised if the templates should be
used both for sudo and HBAC rules.<br>
<br>
<b>iCalendar format validation<br>
</b>So there is an iCalendar string validation now. During its
creation, I came across several issues with python-icalendar which
is basically why it took me so long to write the validation. I
made several fixes to the python-icalendar library, most of them
are already merged in the repository master (<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar"><a class="moz-txt-link-freetext" href="https://github.com/collective/icalendar">https://github.com/collective/icalendar</a></a>),
one should be pushed in the next library major release.<br>
<br>
My pull requests:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/175">https://github.com/collective/icalendar/pull/175</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/179">https://github.com/collective/icalendar/pull/179</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/180">https://github.com/collective/icalendar/pull/180</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/183">https://github.com/collective/icalendar/pull/183</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/189">https://github.com/collective/icalendar/pull/189</a><br>
<br>
I still have one fix in the making, that one should force the
strong types in iCalendar as these are also missing in
python-icalendar but required by the RFC.<br>
<br>
Also, obviously, if you want to try the patches, you will need the
current python-icalendar implementation from Github. I haven't put
python-icalendar dependency into the .spec file yet for this
reason.<br>
<b><br>
</b><b>Summary<br>
</b>We are now able to import iCalendar strings from files and
more or less be sure that the parts we need will be consistent
with the RFC 5545 (basically, we are only checking that VEVENT
components are correct, to bring strict checking to
python-icalendar would take some time and I believe I spent way
too much time with it already (there is an issue on their github
page, though, it's 4 years old)).<br>
<br>
<b>TODO now<br>
</b>0)<b> </b>Update the design<b><br>
</b>1a) The hbacrule-*-accesstime should probably be split into 2
commands, one that reads iCalendar strings from files, and one
that creates those strings from "some kind of user input"
(similarly for timeruletemplates).<br>
1b) Create the format of user input we could expect for the second
kind of command from 1a). We need to be able to convert it to
iCalendar string and back so that we are able to present the data
stored on the server in human readable form. <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://jkbrzt.github.io/rrule/"><a class="moz-txt-link-freetext" href="http://jkbrzt.github.io/rrule/">http://jkbrzt.github.io/rrule/</a></a>
NL part might be of help although it aims mostly on RRULE property
of VEVENT components, whereas we may want to use DTEND, EXDATE,
RDATE and DURATION as well to be able to specify events more
properly.<br>
2) Represent the HBAC time rules on SSSD side. I already have a
skeleton of this based on libical (<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://github.com/libical/libical">https://github.com/libical/libical</a>),
which hopefully seems to be more viable than python-icalendar. I
do not mean to do the validation of received iCalendar string on
the SSSD side anymore (at least not in an excessive way), just get
the required properties from VEVENT components and evaluate them
accordingly.<br>
<br>
<b>Discuss<br>
</b>I would really appreciate your input on these topics:<b><br>
</b>1)<b> </b>How to represent the iCalendar strings on the
client side in CLI (while thinking about WebUI as well)?<br>
2a) Do we want to use the time rules for Sudo rules as well?<br>
2b) If 2a), is the proposed location of time rule templates along
with the privileges ok?<br>
<br>
Standa<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<br>
</body>
</html>