[Freeipa-devel] [PATCHES 0002-0008] [RFE] Implement iCal based time management in HBAC

Stanislav Laznicka slaznick at redhat.com
Wed Oct 7 07:55:13 UTC 2015


Hi,

The moment's here, I'd like to share my code with you now. Let me 
comment on some additions from my last post here in August.

The methods for testing HBAC rules in hbactest module were modified so 
that a time zone can now also be picked in case there are some rules 
with the "host" time zone in the rule time policy. I also added a few 
tests that test setting accessTime values.

The most important update of the previous month is the addition of 
negative values to the time rules language. Most of the keywords (all, 
except for timeofday and year) now accept negative values and negative 
value ranges. This should be useful for cases when the user should only 
be allowed access e.g. in the last 7 days of a month, last few weeks of 
a year etc. Also, it is a similar behavior to what iCalendar has.

The addition of negative values also made me re-think the ways the week 
of a year should be calculated. There are no 0th weeks of year anymore, 
a week of year can hold values ranging from 1 to 53 where the 1st week 
of a year may appear even on a date of the previous year (if 1st January 
is Tue-Thu) or the 52nd or 53rd week may appear on a date of the 
following year (when 31st December is Thu-Sat). If my explanation seems 
rather rough, please see 
https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html.

The latter caused some changes to be made in my SSSD code. These changes 
took most of my time last month, along with generally polishing 
the code and adding comments where I thought necessary. I will push my 
SSSD code to the sssd-devel mailing list as a follow-up to this mail.

Another thing - I updated the design page on the FreeIPA wiki, so please 
check it out, too 
(http://www.freeipa.org/page/V4/Time-Based_Account_Policies).

Last thing I would like to mention - there is now a copr repo with both 
sssd and freeipa with time-based policies 
(https://copr.fedoraproject.org/coprs/stlaz/freeipa-sssd-timerules/). 
This was Martin K.'s idea and I think it's pretty dandy :) As the 
patches I am posting only contain CLI for HBAC time policies, you might 
be pleased that the repo includes at least basic WebUI for this purpose 
(although the WebUI is for some reason not updating the page on rule 
addition properly, I will hopefully be looking into that shortly). You 
will still need mkosek/freeipa-master copr repo for some dependencies. 
Should it not work properly for you, please send me an email, it's my 
first time taking care of a copr repo.

That's it from me for now, thank you for your patience with my emails,
Standa

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0002-Added-time-based-policies-types-to-LDAP-schema.patch
Type: text/x-patch
Size: 3028 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0003-Added-methods-for-setting-time-based-policies.patch
Type: text/x-patch
Size: 33972 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0004-Added-the-repeat-keyword.patch
Type: text/x-patch
Size: 5556 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0005-HBAC-test-module-support-for-time-based-policies.patch
Type: text/x-patch
Size: 4118 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0006-Removed-old-AccessTime-parameter-tests.patch
Type: text/x-patch
Size: 2389 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0007-Tests-for-HBAC-time-rules-language.patch
Type: text/x-patch
Size: 10201 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-stlaz-0008-Added-negative-values-to-the-HBAC-time-policies.patch
Type: text/x-patch
Size: 9477 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151007/3d4e9635/attachment-0006.bin>
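
The week-of-year and negative-value behaviour described in the message, as an added example that is not taken from the attached patches. It assumes ISO 8601 weeks (Monday start, at least 4 days in week 1), which matches the Tue-Thu and Thu-Sat cases above, and iCalendar-style counting where -1 means "last"; all function names are hypothetical.

```python
import calendar
from datetime import date

# Assumption: ISO 8601 week numbering, as provided by date.isocalendar().

def week_of_year(d):
    """Return (week_year, week). Weeks run 1..53, there is no week 0, and
    week_year can differ from d.year around New Year."""
    week_year, week, _weekday = d.isocalendar()
    return week_year, week

def weeks_in_year(year):
    # 28 December always falls in the last ISO week of its own year.
    return date(year, 12, 28).isocalendar()[1]

def resolve(value, size):
    """Map an iCalendar-style negative value (-1 = last) onto 1..size."""
    if value == 0:
        raise ValueError("0 is not a valid value")
    return value if value > 0 else size + value + 1

def in_range(current, low, high, size):
    """Match current against [low, high]; bounds may be negative.
    A range that resolves to nothing (e.g. day 31 in February) simply
    does not match, so the evaluation fails closed."""
    return resolve(low, size) <= current <= resolve(high, size)

def day_of_month_allowed(d, low, high):
    days = calendar.monthrange(d.year, d.month)[1]
    return in_range(d.day, low, high, days)

def week_allowed(d, low, high):
    # Negative weeks count back from the last week of the *week year*,
    # not of the calendar year the date is printed in.
    week_year, week = week_of_year(d)
    return in_range(week, low, high, weeks_in_year(week_year))

if __name__ == "__main__":
    # Constructed sample dates around the 2015/2016 boundaries.
    for d in (date(2014, 12, 29), date(2016, 1, 1), date(2016, 2, 23)):
        print(d, week_of_year(d),
              "last week:", week_allowed(d, -1, -1),
              "last 7 days of month:", day_of_month_allowed(d, -7, -1))
```
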

