Remove deny from the available type options and prevent new ones from
being created (either directly or via a mod).
Type now defaults to allow and is autofilled, so in interactive mode the
CLI no longer prompts the user for it.
deny is still a valid type for searching, so hbacrule-find --type=deny
works.
ticket https://fedorahosted.org/freeipa/ticket/1432
rob
>From 58c3ba688696828c18ea51b689cb7dcca9413ffe Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 6 Jul 2011 17:45:53 -0400
Subject: [PATCH] Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
---
ipalib/plugins/hbacrule.py | 10 ++++++++--
tests/test_xmlrpc/test_hbac_plugin.py | 25 +++++++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 3eff396fc74f99750840c42c1406ae7614708799..005fdd4dc42a71c6765ef93299009176df0aa007 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -87,6 +87,10 @@ from ipalib import _, ngettext
topic = ('hbac', 'Host-based access control commands')
+def validate_type(ugettext, type):
+ if type.lower() == 'deny':
+ raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.'))
+
def is_all(options, attribute):
"""
See if options[attribute] is lower-case 'all' in a safe way.
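Review bot: `validate_type` raises `errors.ValidationError` itself and names its second parameter `type`, which shadows the builtin inside the function. Rule callbacks handed to an ipalib parameter conventionally return the translated message (or None) and let the framework raise, so the error carries the parameter's own name. If that convention holds in this tree, the signature can be `def validate_type(ugettext, value):` with the body `if value.lower() == 'deny': return _('The deny type has been deprecated.')`. A one-line docstring such as `"""Reject 'deny' so no rule can be created as, or changed to, a deny rule."""` would record why a value that remains in the enum is refused. The `is_all` context at the end of the hunk continues outside it.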
@@ -132,11 +136,13 @@ class hbacrule(LDAPObject):
label=_('Rule name'),
primary_key=True,
),
- StrEnum('accessruletype',
+ StrEnum('accessruletype', validate_type,
cli_name='type',
- doc=_('Rule type (allow or deny)'),
+ doc=_('Rule type (allow)'),
label=_('Rule type'),
values=(u'allow', u'deny'),
+ default=u'allow',
+ autofill=True,
),
# FIXME: {user,host,sourcehost,service}categories should expand in the future
StrEnum('usercategory?',
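Review bot: `values=(u'allow', u'deny')` still lists `deny` while the doc string now advertises only `allow`, and nothing in the declaration says why. Per the commit description the value is kept so `hbacrule-find --type=deny` can still locate existing deny rules, which matters to anyone auditing access policy after this change. A comment above the tuple such as `# 'deny' stays searchable for existing rules; validate_type rejects it on add and mod` would keep a later cleanup from removing it. It is also worth confirming that `default=u'allow'` with `autofill=True` is not applied on `hbacrule-mod`, where it could silently rewrite an existing rule's type; the hunk does not show how update commands clone this parameter. The `hbacrule` class starts and ends outside the hunk.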
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index b2345cc4a5ede84138b56ef1b15d678192edcf7f..29e9f6c4880f6c8711975fb2ee23016496e1b8ee 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test):
finally:
api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service)
+ def test_l_hbacrule_add(self):
+ """
+ Test adding a new HBAC rule with a deny type.
+ """
+ try:
+ api.Command['hbacrule_add'](
+ u'denyrule',
+ accessruletype=u'deny',
+ description=self.rule_desc,
+ )
+ except errors.ValidationError:
+ pass
+
+ def test_m_hbacrule_add(self):
+ """
+ Test changing an HBAC rule to the deny type
+ """
+ try:
+ api.Command['hbacrule_mod'](
+ self.rule_name,
+ accessruletype=u'deny',
+ )
+ except errors.ValidationError:
+ pass
+
def test_z_hbacrule_del(self):
"""
Test deleting a HBAC rule using `xmlrpc.hbacrule_del`.
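Review bot: Both new tests pass even when the server accepts the deny type, because the `try` has no failure path after the call. A regression that re-enables deny rules would go unnoticed, and `test_l_hbacrule_add` would leave `denyrule` behind in the directory. Add an `else:` branch to each `try` containing `assert False, 'deny type was accepted'`. `test_m_hbacrule_add` exercises `hbacrule_mod`, so a name like `test_m_hbacrule_mod_deny` would describe it better. The `test_z_hbacrule_del` context at the end of the hunk continues outside it.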
--
1.7.4