From 04d1ec6a009c0a1b3cd31dfe1202e2e18cf703d2 Mon Sep 17 00:00:00 2001 From: Louis Abel Date: Wed, 17 Jul 2024 15:30:24 -0700 Subject: [PATCH] add query ability --- mangle/ipa/ipaaudit | 1 + mangle/ipa/ipaauditor.py | 71 ++++++++++++++++++++++++++++++++++++++-- mangle/ipa/ipaquery | 3 +- 3 files changed, 71 insertions(+), 4 deletions(-) diff --git a/mangle/ipa/ipaaudit b/mangle/ipa/ipaaudit index bbb4320..9ef91e5 100755 --- a/mangle/ipa/ipaaudit +++ b/mangle/ipa/ipaaudit @@ -1,6 +1,7 @@ #!/bin/bash # Wrapper for ipaauditor.py audit +source /etc/os-release case "$ID" in rocky|centos|rhel) case "${VERSION_ID:0:1}" in diff --git a/mangle/ipa/ipaauditor.py b/mangle/ipa/ipaauditor.py index 3ab0d2d..7b95c2a 100644 --- a/mangle/ipa/ipaauditor.py +++ b/mangle/ipa/ipaauditor.py @@ -55,10 +55,10 @@ subparser.required = True info_parser = subparser.add_parser('info', epilog='Use this to get IPA client information.') query_parser = subparser.add_parser('query', epilog='Use this to perform simple IPA queries.') audit_parser = subparser.add_parser('audit', epilog='Use this to perform audits of IPA policies') +parser.add_argument('--library', type=str, default='ipalib', + help='Choose the ipa library to use for the auditor', + choices=('ipalib', 'python_freeipa')) -audit_parser.add_argument('--library', type=str, default='ipalib', - help='Choose the ipa library to use for the auditor', - choices=('ipalib', 'python_freeipa')) audit_parser.add_argument('--type', type=str, required=True, help='Type of audit: hbac, rbac, group, user', choices=('hbac', 'rbac', 'group', 'user')) @@ -67,6 +67,17 @@ audit_parser.add_argument('--name', type=str, default='', audit_parser.add_argument('--deep', action='store_true', help='Name of the object you want to audit') +# all query related subparsers +# pylint: disable=line-too-long +query_subparser = query_parser.add_subparsers(dest='query_cmd') +user_query_parser = query_subparser.add_parser('user', epilog="Use this to get user information.") +user_query_parser.add_argument('-A', '--all', action='store_true', help='Get everything about the user') +user_query_parser.add_argument('name', nargs='?', help='User name') +group_query_parser = query_subparser.add_parser('group', epilog="Use this to get group information.") +group_query_parser.add_argument('-A', '--all', action='store_true', help='Get everything about the group') +group_query_parser.add_argument('name', nargs='?', help='Group name') + +known = parser.parse_known_args() results = parser.parse_args() command = parser.parse_args().cmd @@ -431,6 +442,58 @@ class IPAQuery: """ This is for getting query data """ + @staticmethod + def entry(api, control, name, deep): + """ + Gets us started on the query + """ + #user_data = IPAQuery.user_data(api, name) + if control == 'user': + IPAQuery.user_pull(api, name, deep) + if control == 'group': + IPAQuery.group_pull(api, name, deep) + + @staticmethod + def user_pull(api, name, deep): + """ + Gets requested rbac info + """ + user_results = IPAQuery.user_data(api, name) + uid = user_results['uid'][0] + uid_number = user_results['uidnumber'][0] + gid_number = user_results['gidnumber'][0] + first_name = user_results['givenname'][0] + last_name = user_results['sn'][0] + homedir = user_results['homedirectory'][0] + loginshell = user_results['loginshell'][0] + full_name = f'{first_name} {last_name}' + krbprincipal = user_results['krbprincipalname'][0] + groups = ','.join(user_results['memberof_group']) + getent_string = f'{uid}:x:{uid_number}:{gid_number}:{full_name}:{homedir}:{loginshell}' + if not deep: + print(getent_string) + else: + outter = f""" +unixname:{uid} +uid:{uid_number} +gid:{gid_number} +gecos:{full_name} +displayName:{full_name} +home:{homedir} +shell:{loginshell} +userPrincipalName:{krbprincipal} +memberOf:{groups} + """ + print(outter) + + + @staticmethod + def group_pull(api, name, deep): + """ + Gets requested rbac info + """ + print() + @staticmethod def user_data(api, user): """ @@ -516,6 +579,8 @@ def main(): IPAAudit.entry(command_api, results.type, results.name, results.deep) elif command == 'info': IPAInfo.basic_ipa_info(command_api) + elif command == 'query': + IPAQuery.entry(command_api, results.query_cmd, results.name, results.all) # When root, kdestroy the host keytab if os.getuid() == 0: diff --git a/mangle/ipa/ipaquery b/mangle/ipa/ipaquery index cc538c0..3203bb6 100755 --- a/mangle/ipa/ipaquery +++ b/mangle/ipa/ipaquery @@ -1,6 +1,7 @@ #!/bin/bash # Wrapper for ipaauditor.py query +source /etc/os-release case "$ID" in rocky|centos|rhel) case "${VERSION_ID:0:1}" in @@ -22,4 +23,4 @@ case "$ID" in PYTHON_EXEC="/usr/bin/python3" esac -$PYTHON_EXEC ipaquery.py query "$@" +$PYTHON_EXEC ipaauditor.py query "$@"