Remove deny from the available type options and prevent new ones from being created (either directly or via a mod).

Type now defaults to allow and is autofilled, so the CLI no longer prompts for it in interactive mode.

deny is still a valid type for searching, so hbacrule-find --type=deny works.

ticket https://fedorahosted.org/freeipa/ticket/1432

rob
>From 58c3ba688696828c18ea51b689cb7dcca9413ffe Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 6 Jul 2011 17:45:53 -0400
Subject: [PATCH] Remove the ability to create new HBAC deny rules.

New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.

https://fedorahosted.org/freeipa/ticket/1432
---
 ipalib/plugins/hbacrule.py            |   10 ++++++++--
 tests/test_xmlrpc/test_hbac_plugin.py |   25 +++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 3eff396fc74f99750840c42c1406ae7614708799..005fdd4dc42a71c6765ef93299009176df0aa007 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -87,6 +87,10 @@ from ipalib import _, ngettext
 
 topic = ('hbac', 'Host-based access control commands')
 
+def validate_type(ugettext, type):
+    if type.lower() == 'deny':
+        raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.'))
+
 def is_all(options, attribute):
     """
     See if options[attribute] is lower-case 'all' in a safe way.
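Review bot: `validate_type` names its second parameter `type`, which shadows the builtin, and it has no docstring saying that it only rejects deny as an input value. Renaming the parameter to `value` and adding `"""Reject 'deny' as a value for accessruletype on input."""` would make the intent clear. The body uses `errors.ValidationError`, but the only import visible in the hunk header is `from ipalib import _, ngettext`, so confirm that `errors` is imported in this module. Because the check sits in the API plugin, rule entries written to the directory by other means are presumably not covered by it; if that is the case, the docstring should say so.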
@@ -132,11 +136,13 @@ class hbacrule(LDAPObject):
             label=_('Rule name'),
             primary_key=True,
         ),
-        StrEnum('accessruletype',
+        StrEnum('accessruletype', validate_type,
             cli_name='type',
-            doc=_('Rule type (allow or deny)'),
+            doc=_('Rule type (allow)'),
             label=_('Rule type'),
             values=(u'allow', u'deny'),
+            default=u'allow',
+            autofill=True,
         ),
         # FIXME: {user,host,sourcehost,service}categories should expand in the future
         StrEnum('usercategory?',
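Review bot: `default=u'allow'` with `autofill=True` on the shared `accessruletype` parameter raises the question of what `hbacrule-mod` does to an existing deny rule when no type is passed. If the update command inherits the autofill, any unrelated modification would silently turn a deny rule into an allow rule. This hunk does not show whether update and find clone the parameter with autofill disabled, so please confirm that and add a test that modifies an existing deny rule without passing a type. Separately, the doc now reads `Rule type (allow)` while `values=(u'allow', u'deny')` still lists deny; a comment above `values` such as `# 'deny' stays so hbacrule-find --type=deny keeps working; validate_type rejects it on add/mod` would explain the mismatch. The parameter list starts and ends outside the hunk.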
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index b2345cc4a5ede84138b56ef1b15d678192edcf7f..29e9f6c4880f6c8711975fb2ee23016496e1b8ee 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test):
         finally:
             api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service)
 
+    def test_l_hbacrule_add(self):
+        """
+        Test adding a new HBAC rule with a deny type.
+        """
+        try:
+            api.Command['hbacrule_add'](
+                u'denyrule',
+                accessruletype=u'deny',
+                description=self.rule_desc,
+            )
+        except errors.ValidationError:
+            pass
+
+    def test_m_hbacrule_add(self):
+        """
+        Test changing an HBAC rule to the deny type
+        """
+        try:
+            api.Command['hbacrule_mod'](
+                self.rule_name,
+                accessruletype=u'deny',
+            )
+        except errors.ValidationError:
+            pass
+
     def test_z_hbacrule_del(self):
         """
         Test deleting a HBAC rule using `xmlrpc.hbacrule_del`.
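Review bot: Both new tests pass whether or not deny is rejected, because the `try` has no failure path when `hbacrule_add` or `hbacrule_mod` returns normally. Add an `else:` branch with `assert False` after each `except errors.ValidationError: pass`, so that an accepted deny rule fails the test. If the add does succeed, the rule `denyrule` is left behind and nothing in the hunk deletes it, which would affect later runs. `test_m_hbacrule_add` exercises `hbacrule_mod`, so `test_m_hbacrule_mod` would be the accurate name.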
-- 
1.7.4
