Alexander Bokovoy wrote:
On 27.07.2011 18:37, Jakub Hrozek wrote:
On 07/27/2011 03:12 PM, Alexander Bokovoy wrote:
+            for ipa_rule in rules:
+                try:
+                    res = request.evaluate([ipa_rule])
+                    if res == pyhbac.HBAC_EVAL_ALLOW:
+                        matched_rules.append(ipa_rule.name)
+                    if res == pyhbac.HBAC_EVAL_DENY:
+                        notmatched_rules.append(ipa_rule.name)
+                except pyhbac.HbacError as (code, rule_name):
+                    if code == pyhbac.HBAC_EVAL_ERROR:
+                        error_rules.append(rule_name)
+                except (TypeError, IOError) as (info):
+                    self.log.error('Native IPA HBAC module error: %s' % (info))
+
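Review bot: in the "except pyhbac.HbacError" branch, an error whose code is not pyhbac.HBAC_EVAL_ERROR is caught and then dropped: it is neither logged nor added to error_rules. The "except (TypeError, IOError)" branch logs the error but does not name ipa_rule or append it to error_rules. A result from request.evaluate() that is neither HBAC_EVAL_ALLOW nor HBAC_EVAL_DENY is also ignored. In each of these cases the rule disappears from all three result lists. Suggest recording the rule name in error_rules on every failure path, including the code in the log message, and turning the second "if res ==" into an "elif" with a final "else" that treats an unexpected result as an error.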


I think this is OK. The only other exception the bindings might raise is
a MemoryError, but I think this should just propagate all the way up.

One suggestion might be to extend the branch that catches
pyhbac.HbacError with a string representation of the error. Something like:

self.log.error("Error while evaluating rule %s: %s" % (rule_name,
hbac_result_string(code)))

Thanks. That was actually implied (with self.log.info() as we want to
continue and report them as 'error' rules in the command's result) but I
overlooked it.

Fixed this now and also removed some residual debug prints in unit
tests. Patch attached.


nack

There is an EXAMPLES section in the help but it just explains the options and provides no examples. I think we can just drop the EXAMPLES header. Providing examples for this might be rather convoluted, though seeing a couple of command-lines might provide enough context.

It should probably mention that user, srchost, host and service are all required but that becomes rather obvious when you try to execute the command.

If you provide a single, not-found rule to test against, a ValueError is thrown when validating that the output is valid.

$ ipa hbactest --user=rcrit --srchost=foo --host=bar --service=baz --rules=testnotfound

ipa: ERROR: non-public: ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
Traceback (most recent call last):
File "/home/rcrit/redhat/freeipa-master/ipaserver/rpcserver.py", line 220, in wsgi_execute
    result = self.Command[name](*args, **options)
File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 436, in __call__
    self.validate_output(ret)
File "/home/rcrit/redhat/freeipa-master/ipalib/frontend.py", line 883, in validate_output
    nice, missing, output)
ValueError: hbactest.validate_output(): missing keys ['matched', 'notmatched'] in {'error': [u'test22'], 'value': u'False', 'summary': u'Unresolved rules in --rules'}
ipa: DEBUG: response: InternalError: an internal error has occurred
