<pre>Generate an access control report for IPA domains
=================================================

Related ticket(s):
------------------
    https://pagure.io/SSSD/sssd/issue/2840

Problem statement
-----------------
Some environments require, for auditing reasons, to generate an access
control report on the IPA client itself. While it can be argued that
generating these reports on the IPA servers instead would provide a nicer
experience, the audits requirement sometimes need a tool to be run on the
host.

Use cases
---------
As an owner of an IPA client I need to know which users have access to
this client. I want to run a tool on the host and get a report who can
access it.

The reports must contain information about HBAC rules. In future, SUDO
rules would be nice to have as well.

Overview of the solution
------------------------
A new ``sssctl`` command called ``access-report``. will be added. This
command will only be implemented for IPA domains for now, other domain
types will just return an error.

In this version, only a human-readable output will be provided.

Configuration changes
---------------------
None, only the new tool will be implemented.

Implementation details
----------------------
In order to trigger the refresh of rules by ``sssd_be`` process,
the Data Provider will be enhanced with a new sbus method
``org.freedesktop.sssd.DataProvider.AccessControl``.

This method will trigger the same async requests that PAM access phase
normally calls which fetch and save the IPA HBAC rules. This means that
the same rate-limiting with the ``ipa_hbac_refresh`` applies to this
request as if it was called via PAM access phase. Additionally, this
method will be exposed over the public D-Bus InfoPipe responder via a new
``RefreshAccessRules`` method. As with all methods, only root can call
it by default.

Finally, this new D-Bus method will be called from the ``sssctl
access-report`` command when it&#39;s ran in order to populate the ldb cache
with fresh HBAC rules

For printing the rules, the tool will simply call ``ldb_search``,
retrieve all objects of objectclass ``ipaHbacRule`` and then print the RDN
value of ``memberUser`` (for users and user groups), ``memberService``
(for services and service groups) and ``category``. By default, groups
will not be unrolled, because the ``getgrnam`` interface limits the group
nesting by default, therefore it is better to just print the group name,
not all the group members.

Future enhancements
-------------------
In future, the tool should also print the output in both human-readable
and machine-readable formats. For machine readable output, JSON is the
best choice, since the KCM responder already depends on ``libjansson.``
This enhancement is tracked in ticket `#3581 &lt;https://pagure.io/SSSD/sssd/issue/3581&gt;`_.

Additionally, for HBAC rules which are linked to a group, it might
be handy to unroll the group members and print them if the administrator
wishes. This enhancement is tracked with ticket `#3580 &lt;https://pagure.io/SSSD/sssd/issue/3580&gt;`_

How To Test
-----------
Run ``sssctl access-report`` on an IPA client with different HBAC rules
stored in the cache. Make sure all options produce the desired results.


How To Debug
------------
Debug messages will be added to the tool itself. To compare the output
with the cache contents, the ``ldbsearch`` tool can be used. The ``ipa``
administration tool can be used to display the server-side HBAC rules.

Authors
-------
    * Jakub Hrozek &lt;jhrozek@redhat.com&gt;
</pre>