<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On 03/09/2016 05:24 PM, Martin Basti wrote:<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<br>
<div class="moz-cite-prefix">On 04.03.2016 14:53, Stanislav
Laznicka wrote:<br>
</div>
<blockquote cite="mid:56D9935D.9050507@redhat.com" type="cite">
<meta http-equiv="content-type" content="text/html;
charset=windows-1252">
Hello,<br>
<br>
So in the previous month and a bit I was reworking the
time-based policies according to the changes we agreed on (<a
class="moz-txt-link-freetext"
href="http://pad.engineering.redhat.com/ipa-time-based-HBAC-design"><a class="moz-txt-link-freetext" href="http://pad.engineering.redhat.com/ipa-time-based-HBAC-design">http://pad.engineering.redhat.com/ipa-time-based-HBAC-design</a></a>,
line 83). Let me briefly walk you through what was done (no
TLDR, sorry, but split the text in chapters):<br>
<br>
<b>Time rule templates</b><br>
In the attachment is the proposal how this could be done using
costemplates. Currently, the time rule templates have their own
directory in the realm tree. The idea is that it could be used
for both HBAC and Sudo rules so it needs to be in a location
both should be able to reach. Should we not want them used in
Sudo rules, the template directory could be moved to HBAC
directory. There are also some new permissions for accessing
these time rule templates which may need to be revised if the
templates should be used both for sudo and HBAC rules.<br>
<br>
<b>iCalendar format validation<br>
</b>So there is an iCalendar string validation now. During its
creation, I came across several issues with python-icalendar
which is basically why it took me so long to write the
validation. I made several fixes to the python-icalendar
library, most of them are already merged in the repository
master (<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar">https://github.com/collective/icalendar</a>),
one should be pushed in the next library major release.<br>
<br>
My pull requests:<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/175">https://github.com/collective/icalendar/pull/175</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/179">https://github.com/collective/icalendar/pull/179</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/180">https://github.com/collective/icalendar/pull/180</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/183">https://github.com/collective/icalendar/pull/183</a><br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/189">https://github.com/collective/icalendar/pull/189</a><br>
<br>
I still have one fix in the making, that one should force the
strong types in iCalendar as these are also missing in
python-icalendar but required by the RFC.<br>
<br>
Also, obviously, if you want to try the patches, you will need
the current python-icalendar implementation from Github. I
haven't put python-icalendar dependency into the .spec file yet
for this reason.<br>
<b><br>
</b><b>Summary<br>
</b>We are now able to import iCalendar strings from files and
more or less be sure that the parts we need will be consistent
with the RFC 5545 (basically, we are only checking that VEVENT
components are correct, to bring strict checking to
python-icalendar would take some time and I believe I spent way
too much time with it already (there is an issue on their github
page, though, it's 4 years old)).<br>
<br>
<b>TODO now<br>
</b>0)<b> </b>Update the design<b><br>
</b>1a) The hbacrule-*-accesstime should probably be split into
2 commands, one that reads iCalendar strings from files, and one
that creates those strings from "some kind of user input"
(similarly for timeruletemplates).<br>
1b) Create the format of user input we could expect for the
second kind of command from 1a). We need to be able to convert
it to iCalendar string and back so that we are able to present
the data stored on the server in human readable form. <a
class="moz-txt-link-freetext"
href="http://jkbrzt.github.io/rrule/"><a class="moz-txt-link-freetext" href="http://jkbrzt.github.io/rrule/">http://jkbrzt.github.io/rrule/</a></a>
NL part might be of help although it aims mostly on RRULE
property of VEVENT components, whereas we may want to use DTEND,
EXDATE, RDATE and DURATION as well to be able to specify events
more properly.<br>
2) Represent the HBAC time rules on SSSD side. I already have a
skeleton of this based on libical (<a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://github.com/libical/libical">https://github.com/libical/libical</a>),
which hopefully seems to be more viable than python-icalendar. I
do not mean to do the validation of received iCalendar string on
the SSSD side anymore (at least not in an excessive way), just
get the required properties from VEVENT components and evaluate
them accordingly.<br>
<br>
<b>Discuss<br>
</b>I would really appreciate your input on these topics:<b><br>
</b>1)<b> </b>How to represent the iCalendar strings on the
client side in CLI (while thinking about WebUI as well)?<br>
2a) Do we want to use the time rules for Sudo rules as well?<br>
2b) If 2a), is the proposed location of time rule templates
along with the privileges ok?<br>
<br>
Standa<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Hello,<br>
thank you for the patchset, I have a few comments :)<b><br>
</b><b> </b><b><br>
</b><b> </b>1)<br>
+attributeTypes: (2.16.840.1.113730.3.8.11.72 NAME 'timeruleClass'
DESC 'CNs of the timerule classes'<br>
<br>
OID above is registered as:<br>
2.16.840.1.113730.3.8.11.72 accessTimeExclude<br>
Access time - exclude these
values<br>
</blockquote>
I would like to stick with a known OID before we decide that the
patch is in final version but it's of course a right point until
then.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <b><br>
</b><b> </b>2)<b><br>
</b><b> </b>please add requires and buildrequires to specfile
(python-icalendar)<br>
</blockquote>
Done.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
3)<br>
Pylint is running, please wait ...<br>
************* Module ipalib.plugins.hbacrule<br>
ipalib/plugins/hbacrule.py:166: [E1101(no-member),
validate_icalfile] Instance of 'list' has no 'name' member)<br>
ipalib/plugins/hbacrule.py:175: [E1101(no-member),
validate_icalfile] Instance of 'list' has no 'subcomponents'
member)<br>
ipalib/plugins/hbacrule.py:177: [E1601(print-statement),
validate_icalfile] print statement used)<br>
ipalib/plugins/hbacrule.py:190: [E1601(print-statement),
validate_icalfile] print statement used)<br>
<br>
first two errors must be disabled by # pylint: disable=no-member
because it is too complicated for pylint<br>
<br>
I'm pretty sure that print should not be in plugin implementation<br>
</blockquote>
Done, replaced the prints with root_logger.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
4)<br>
PEP8<br>
<br>
./ipalib/plugins/hbacrule.py:255:80: E501 line too long (216 >
79 characters)<br>
./ipalib/plugins/hbacrule.py:262:80: E501 line too long (225 >
79 characters)<br>
./ipalib/plugins/hbacrule.py:270:80: E501 line too long (251 >
79 characters)<b><br>
</b><b> </b>./ipalib/plugins/hbacrule.py:456:17: E127
continuation line over-indented for visual indent<b><br>
</b><b> </b>./ipalib/plugins/hbacrule.py:646:80: E501 line too
long (80 > 79 characters)<b><br>
</b><b> </b>./ipalib/plugins/hbacrule.py:657:1: E302 expected 2
blank lines, found 1<br>
./ipalib/plugins/hbacrule.py:663:1: E302 expected 2 blank lines,
found 1<b><br>
</b><b> </b><b><br>
</b><b> </b>./ipalib/plugins/hbacrule.py:177:80: E501 line too
long (80 > 79 characters)<b><br>
</b><b> </b>./ipalib/plugins/hbacrule.py:215:80: E501 line too
long (80 > 79 characters)<b><br>
</b></blockquote>
Do you want me to fix this last 1 letter overflow as well? It would
probably look worse if I did.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b>./ipalib/plugins/hbacrule.py:542:80: E501 line too long (127
> 79 characters)<br>
./ipalib/plugins/hbacrule.py:544:80: E501 line too long (127 >
79 characters)<br>
</blockquote>
These two were not really caused by me but I can fix these PEP8
errors along with some others in a separate patch if you want to.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b>./ipalib/plugins/hbacrule.py:551:1: E303 too many blank lines
(3)<br>
<br>
5)<br>
Following imports in hbac rule should be before ipalib imports<br>
<br>
+import icalendar<br>
+from datetime import date<br>
+<br>
<br>
</blockquote>
Done.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> 6)<br>
+ ical_errors = ('{comp}: {err}'<br>
+ .format(comp=x, err=y) for x, y in
comp.errors)<br>
<br>
it is not clear for me what is x, and y. A component of the
component?<br>
can you named it better than x,y. We are not limited by length of
identifiers in python too much :)<br>
</blockquote>
Good eye, it was actually a property of a component. Modified it a
bit. Components may appear in components too, though.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
<i>7)</i><i><br>
</i><i> ugettext string is wrong (all places)</i><i><br>
</i><i> + error=_('There were errors parsing the
iCalendar string:\n{errs}'</i><i><br>
</i><i> + .format(errs='\n'.join(ical_errors)))</i><i><br>
</i><i> it should be</i><i><br>
</i><i> </i><i><br>
</i><i> error=_('There were errors parsing the iCalendar
string:\n{errs}').format(errs='\n'.join(ical_errors))</i><i><br>
</i></blockquote>
<i> </i>Had to go with the "%" syntax in the end because "Instance
of 'Gettext' has no 'format' member". However, this brought kind of
inconsistency of how strings are handled in my code. Would it be
better to use the "%" syntax everywhere, then?<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
8)<br>
+ # TODO: comp.required might be removed when<br>
+ # <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://github.com/collective/icalendar/pull/183">https://github.com/collective/icalendar/pull/183</a>
is merged<br>
<br>
I'm not fan of TODO's in code, you provides copr repo anyway, so
please build package with this merge and remove TODO, we should
create workaround when upstream refuse your patches.<br>
</blockquote>
Let me just leave that there as long as we're in WIP phase so that I
might eventually remove that part of code when the mentioned patch
is merged or just remove the comments if not.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <i><br>
</i><i> </i>9)<br>
+ if api.env.context == 'cli':<br>
+ if ics and os.path.exists(ics):<br>
+ return<br>
<br>
The param is File class, so this check should eb done
automatically<br>
</blockquote>
Done. I just followed the code from cert.py.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
10)<br>
+ icalstr = ics<br>
<br>
this statement is useless, please use ics directly<br>
<br>
</blockquote>
Done, of course.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> 11)<br>
+def validate_icalfile(ugettext, ics):<br>
<br>
This and other similar restriction are required by IPA or it is
invalid icalfile? (sorry for question but I'm not familiar with
icalendar enough yet)<br>
</blockquote>
It is an invalid icalfile.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite">
+ error=_('A VEVENT component can\'t contain '<br>
+ 'subcomponent
"{}".'.format(sub.name))<br>
+ )<br>
<br>
In second case (icalfile is invalid) shouldn't be this validation
done in python-icalendar module instead of IPA validators?<br>
</blockquote>
I believe all (or most of) the checks should be done in
python-icalendar, actually. As I started working with libical again,
I am getting the impression that the iCalendar parsers are there
only to get the information from what seems to be an iCalendar
string by any means possible no matter how wrong the input is. I
believe that theory tells us that parser should be able to
distinguish invalid input from valid one, yet this is not true at
all for python-icalendar and for libical. While such behavior might
be desirable in some cases, these parsers should at least have means
to check the validity of the input if it's not performed by default.
Yet they don't and I can say it literally drives me insane.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
12)<br>
+ if 'DTEND' in comp.keys() and 'DURATION' in comp.keys():<br>
+ raise errors.ValidationError(<br>
+ name=name,<br>
+ error=_('Both DURATION and DTEND set in a
VEVENT.')<br>
+ )<br>
+<br>
+ elif 'DTEND' in comp.keys():<br>
+ if type(comp['DTSTART'].dt) !=
type(comp['DTEND'].dt):<br>
+ raise errors.ValidationError(<br>
+ name=name,<br>
+ error=_('Different types of DTSTART and DTEND
'<br>
+ 'component in VEVENT.')<br>
+ )<br>
<br>
IMO following way is better for readability<br>
if 'DTEND' in comp.keys():<br>
if 'DURATION' in comp.keys():<br>
something1<br>
elif type(comp['DTSTART'].dt) != type(comp['DTEND'].dt):<br>
something2<br>
</blockquote>
You're right, modified it.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
13)<br>
PATCH: Templating of access time rules for HBAC<br>
There is missing upgrade path for:<br>
+dn: cn=timeruleTemplates,$SUFFIX<br>
+dn: cn=cosTimerulesDef,cn=hbac,$SUFFIX<br>
</blockquote>
Should be ok now.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b><b><br>
</b><b> </b>14)<br>
+ container_dn = DN(('cn', 'timeruletemplates'))<br>
Please define this in constants.py<b><br>
</b></blockquote>
Done.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> <br>
</b>15)<br>
Your managed ACI are completely new, so there should not be
'replaces' definition (several times)<br>
+ 'replaces': [<br>
+ '(target = <a class="moz-txt-link-rfc2396E"
href="ldap:///cn=*,cn=timeruletemplates,$SUFFIX">"ldap:///cn=*,cn=timeruletemplates,$SUFFIX"</a>)(version
3.0;acl "permission:Delete Time Rule Template";allow (delete)
groupdn = <a moz-do-not-send="true" class="moz-txt-link-rfc2396E"
href="ldap:///cn=DeleteTimeRuleTemplate,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Delete
Time Rule Template,cn=permissions,cn=pbac,$SUFFIX"</a>;)',<br>
+ ],<br>
<b><br>
</b></blockquote>
Oh ok.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b>16)<br>
+ 'System: Read Time Rule Template' should have also
'objectclass' as allowed attribute<br>
</blockquote>
Seems like it's already there.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b>
<br>
<i>17)</i><i><br>
</i><i> </i><i><br>
</i><i> </i>+ File('accesstime', validate_icalfile,<br>
+ cli_name='time',<br>
+ label=_('Access time'),<br>
+ ),<br>
I prefer to have file option named like icalfile, instead of
accesstime, as you mentioned we may need to add more options to be
UX friendly<br>
<br>
Should we have option, which will take ical string directly from
CLI, IMO yes.<br>
(this applies for both, hbacrule, and timerule template)<br>
</blockquote>
While I might be wrong here, it seems that the api commands won't
accept newline as a part of a single input, separating the input as
multivalued by newlines. Typical iCalendar string is a lot of
newlines.<br>
<br>
I currently left the 'accesstime' option there. Probably, in the
end, there will have to be a separate method to load the content
from an iCalendar file and store it to the database. So the current
accesstime methods are mere placeholders. <br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
18)<br>
IMO timeruletemplate should be in separate module, we may reuse
this later, and I don't see why it should be in HBAC module<b><br>
</b></blockquote>
There's the validation part that's the same for both adding
accesstime from ical file to hbacrule and for adding it to timerule
template. A possible solution for splitting the modules would be to
add a certain class to parameters.py just for validation. Then
timerule_templates could have their own module as well as the
validation would be usable in multiple other places. There's
probably another way around this, though. Ideas are welcome :) <br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b><b><br>
</b><b> </b>19)<br>
+ Str('timeruleclass*',<br>
+ cli_name='class'),<br>
<br>
why option --class? it does not look descriptive enough for me.
How about --timerule-template. Also timeruletemplate instead of
timeruleclass looks better to me.<br>
<b><br>
</b></blockquote>
That seems right, modified it to timeruletemplate.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b>20)<br>
+ result = ldap.get_entry(DN(('cn',
options['timeruleclass'][0]),<br>
+ ('cn',
'timeruletemplates'),<br>
+ api.env.basedn))<br>
Please use constants for container timeruletemplates<br>
result is unused var, remove it please.<br>
</blockquote>
Done.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"><b> </b><b>
</b><b><br>
</b><b> </b><br>
I have to look closer to icalendar and DS templates :)<br>
So review is not finished, but feel free to fix issues I listed.<br>
</blockquote>
For iCalendar, there's of course the RFC: <a
class="moz-txt-link-freetext"
href="http://tools.ietf.org/html/rfc5545"><a class="moz-txt-link-freetext" href="http://tools.ietf.org/html/rfc5545">http://tools.ietf.org/html/rfc5545</a></a>
and the Class of Service is thoroughly described at
<a class="moz-txt-link-freetext"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management-Assigning_Class_of_Service.html">https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Advanced_Entry_Management-Assigning_Class_of_Service.html</a>.<br>
<blockquote cite="mid:56E04E38.8080804@redhat.com" type="cite"> <br>
Martin^2<br>
</blockquote>
<br>
</body>
</html>