On 11.10.2011 15:19, Rob Crittenden wrote:
> Jan Cholasta wrote:
>> Don't allow "ipa pwpolicy-del global_policy".
>>
>> https://fedorahosted.org/freeipa/ticket/1936
>
> Can you add a unit test case for this? Then ack.
>
>> Questions:
>>
>> Is it possible to disallow deletion of specific objects on the LDAP level
>> instead?
>
> Well, that would be ideal in some cases. We'd need to write a plugin to
> intercept changes and have it compare it to a list of "no deletes". You
> can file an RFE if you want, this might be handy to have.
>
>> The default HBAC rule, allow_all, can also be deleted - should it be
>> disallowed too?
>
> This is one we want to be removable. Before we had this the default HBAC
> stance was "nobody can log in" and it was jarring to most folks.
>
> It is possible to install without this rule using the option
> --no_hbac_allow
>
> rob

Unit test added.

Honza

--
Jan Cholasta
From 760a83aac0704d59c40fd788c4b2d097a03a2bc9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 11 Oct 2011 14:28:17 +0200
Subject: [PATCH] Disallow deletion of global password policy.

ticket 1936
---
 ipalib/plugins/pwpolicy.py         |    8 ++++++++
 tests/test_xmlrpc/test_pwpolicy.py |   13 +++++++++++++
 2 files changed, 21 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/pwpolicy.py b/ipalib/plugins/pwpolicy.py
index 79ea44d..f261de5 100644
--- a/ipalib/plugins/pwpolicy.py
+++ b/ipalib/plugins/pwpolicy.py
@@ -366,6 +366,14 @@ class pwpolicy_del(LDAPDelete):
             attribute=True, required=True, multivalue=True
         )
 
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if dn.lower() == global_policy_dn.lower():
+            raise errors.ValidationError(
+                name='group',
+                error=_('cannot delete global password policy')
+            )
+        return dn
+
     def post_callback(self, ldap, dn, *keys, **options):
         try:
             self.api.Command.cosentry_del(keys[-1])
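Review bot: the guard in pre_callback compares DNs as lower-cased strings (`if dn.lower() == global_policy_dn.lower():`), which only works if `dn` is always built by the same code path as `global_policy_dn`; a DN that differs in whitespace or attribute escaping would pass the check. Since `global_policy_dn` is not defined in this hunk, confirm it is already defined in the module. Also note that this is an API-level protection only: as the thread says, a direct LDAP delete of the entry is still possible unless a server-side plugin enforces it. Raising in pre_callback does keep the post_callback cosentry cleanup from running, so no partial state is left behind on the rejected path.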
diff --git a/tests/test_xmlrpc/test_pwpolicy.py b/tests/test_xmlrpc/test_pwpolicy.py
index 3cfc311..c0ead9f 100644
--- a/tests/test_xmlrpc/test_pwpolicy.py
+++ b/tests/test_xmlrpc/test_pwpolicy.py
@@ -36,6 +36,7 @@ class test_pwpolicy(XMLRPC_test):
     user = u'testuser12'
     kw = {'cospriority': 1, 'krbminpwdlife': 30, 'krbmaxpwdlife': 40, 'krbpwdhistorylength': 5, 'krbpwdminlength': 6 }
     kw2 = {'cospriority': 2, 'krbminpwdlife': 40, 'krbmaxpwdlife': 60, 'krbpwdhistorylength': 8, 'krbpwdminlength': 9 }
+    global_policy = u'global_policy'
 
     def test_1_pwpolicy_add(self):
         """
@@ -173,6 +174,18 @@ class test_pwpolicy(XMLRPC_test):
         else:
             assert False
 
+        # Verify that global policy cannot be deleted
+        try:
+            api.Command['pwpolicy_del'](self.global_policy)
+        except errors.ValidationError:
+            pass
+        else:
+            assert False
+        try:
+            api.Command['pwpolicy_show'](self.global_policy)
+        except errors.NotFound:
+            assert False
+
         # Remove the groups we created
         api.Command['group_del'](self.group)
         api.Command['group_del'](self.group2)
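Review bot: the second try block (`try: api.Command['pwpolicy_show'](self.global_policy) / except errors.NotFound: assert False`) only turns a NotFound into an AssertionError; any other exception already fails the test, so a bare call to pwpolicy_show expresses the same intent more directly. It would also strengthen the first check to assert that the raised ValidationError carries the 'group' name and the 'cannot delete global password policy' message, since the test currently accepts any ValidationError. Finally, this check lives in the cleanup test alongside the group_del calls; a separate test method for the global-policy case would keep the failure easier to read.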
-- 
1.7.7

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel