Rob Crittenden wrote:
Remove deny from the available type options and prevent new ones from
being created (either directly or via a mod).

Type now defaults to allow and is autofilled, so on the CLI the user
won't be prompted for it in interactive mode.

deny is still a valid type for searching, so hbacrule-find --type=deny
works.

ticket https://fedorahosted.org/freeipa/ticket/1432

rob

I forgot to include an updated API.txt in the change.

I tested with an old client and it does the right thing if you try to create a deny rule. The API change affects only validation, so I don't need to bump the version.

rob
>From 29ab4886823d3bced879e3d9138514667ca1490b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 6 Jul 2011 17:45:53 -0400
Subject: [PATCH] Remove the ability to create new HBAC deny rules.

New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill, so it won't be
prompted for in interactive mode in the CLI.

https://fedorahosted.org/freeipa/ticket/1432
---
 API.txt                               |    6 +++---
 ipalib/plugins/hbacrule.py            |   10 ++++++++--
 tests/test_xmlrpc/test_hbac_plugin.py |   25 +++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/API.txt b/API.txt
index 1e2b3d8584b9bc76de5b3add7d43faab2e042855..587ef6cfb68295b1897c6125cdc073d1dbf31784 100644
--- a/API.txt
+++ b/API.txt
@@ -973,7 +973,7 @@ output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e
 command: hbacrule_add
 args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True)
-option: StrEnum('accessruletype', attribute=True, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=True, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
@@ -1054,7 +1054,7 @@ command: hbacrule_find
 args: 1,12,4
 arg: Str('criteria?')
 option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
@@ -1072,7 +1072,7 @@ output: Output('truncated', <type 'bool'>, 'True if not all results were returne
 command: hbacrule_mod
 args: 1,12,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 3eff396fc74f99750840c42c1406ae7614708799..005fdd4dc42a71c6765ef93299009176df0aa007 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -87,6 +87,10 @@ from ipalib import _, ngettext
 
 topic = ('hbac', 'Host-based access control commands')
 
+def validate_type(ugettext, type):
+    if type.lower() == 'deny':
+        raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.'))
+
 def is_all(options, attribute):
     """
     See if options[attribute] is lower-case 'all' in a safe way.
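Review bot: validate_type at the top of the hunk has no docstring and names its second parameter `type`, shadowing the builtin; its `ugettext` argument is unused while the message is built with the lazy `_()`, so the text may not be rendered in the caller's locale. If the other rules in this file follow the usual ipalib shape of returning the error string and letting the parameter raise ValidationError (I cannot see them from the hunk), this one should too, e.g. `def validate_type(ugettext, value):` with `return ugettext('The deny type is no longer accepted for new or modified rules.')`, since "deprecated" understates that the server now rejects the value outright. I would also add a docstring such as "Reject the deny HBAC rule type on add and mod; deny stays in the parameter's values only so existing deny rules remain readable and searchable."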
@@ -132,11 +136,13 @@ class hbacrule(LDAPObject):
             label=_('Rule name'),
             primary_key=True,
         ),
-        StrEnum('accessruletype',
+        StrEnum('accessruletype', validate_type,
             cli_name='type',
-            doc=_('Rule type (allow or deny)'),
+            doc=_('Rule type (allow)'),
             label=_('Rule type'),
             values=(u'allow', u'deny'),
+            default=u'allow',
+            autofill=True,
         ),
         # FIXME: {user,host,sourcehost,service}categories should expand in the future
         StrEnum('usercategory?',
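Review bot: `values=(u'allow', u'deny')` on accessruletype still advertises deny to clients and the UI although the doc string is now "Rule type (allow)", and nothing at the definition says why deny is kept; a later reader may "fix" it by dropping deny, which would make existing deny rules unreadable and break `hbacrule-find --type=deny`. I would add `# deny stays in values so existing rules load and --type=deny searches work; validate_type rejects it on add/mod` next to the values line. Because the parameter now carries `autofill=True` with `default=u'allow'`, it is worth confirming that the mod command's clone keeps autofill=False (the API.txt hunk in this patch shows it does), otherwise an unrelated hbacrule-mod would silently flip an existing deny rule to allow. The hbacrule class continues outside the hunk.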
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index b2345cc4a5ede84138b56ef1b15d678192edcf7f..29e9f6c4880f6c8711975fb2ee23016496e1b8ee 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test):
         finally:
             api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service)
 
+    def test_l_hbacrule_add(self):
+        """
+        Test adding a new HBAC rule with a deny type.
+        """
+        try:
+            api.Command['hbacrule_add'](
+                u'denyrule',
+                accessruletype=u'deny',
+                description=self.rule_desc,
+            )
+        except errors.ValidationError:
+            pass
+
+    def test_m_hbacrule_add(self):
+        """
+        Test changing an HBAC rule to the deny type
+        """
+        try:
+            api.Command['hbacrule_mod'](
+                self.rule_name,
+                accessruletype=u'deny',
+            )
+        except errors.ValidationError:
+            pass
+
     def test_z_hbacrule_del(self):
         """
         Test deleting a HBAC rule using `xmlrpc.hbacrule_del`.
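Review bot: Both new tests (test_l_hbacrule_add and test_m_hbacrule_add) pass whether or not a ValidationError is raised: the `except ... pass` swallows the expected error, but a successful add or mod also falls through silently, so a regression that re-enables deny rules would not be caught. Add a failure after each command call inside the `try`, e.g. `assert False, 'ValidationError expected for accessruletype=deny'`, or use a raises decorator if this test module already has one. test_l would also leave `u'denyrule'` behind if the add ever succeeds; removing it on that path keeps the later tests independent. The enclosing test_hbac class starts and ends outside the hunk.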
-- 
1.7.4
