https://fedorahosted.org/freeipa/ticket/2085

The new version of SSSD ignores the sourcehost value of HBAC rules by
default. To match this behaviour, the sourcehost option of hbactest is
now optional, and the sourcehost value is ignored in all rules. Every
rule's sourcehost value is set to 'ALL', which turns the sourcehost
comparison off. For every such rule a warning is displayed to inform
the user about the change.

The unit tests for the hbactest plugin were also updated. Every test was
doubled: the second copy tests the plugin without the sourcehost option.
Both copies are expected to produce the same result.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From fd585c817c57596cba1caaee86f41d8b115040e6 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <oham...@redhat.com>
Date: Thu, 5 Jan 2012 17:03:53 +0100
Subject: [PATCH] HBAC test optional sourcehost option

The new version of SSSD ignores the sourcehost value of HBAC rules by
default. To match this behaviour, the sourcehost option of hbactest is
now optional, and the sourcehost value is ignored in all rules. Every
rule's sourcehost value is set to 'ALL', which turns the sourcehost
comparison off. For every such rule a warning is displayed to inform
the user about the change.

The unit tests for the hbactest plugin were also updated. Every test was
doubled: the second copy tests the plugin without the sourcehost option.
Both copies are expected to produce the same result.

https://fedorahosted.org/freeipa/ticket/2085
---
 API.txt                                   |    5 +-
 VERSION                                   |    2 +-
 ipalib/plugins/hbactest.py                |   35 ++++++++++-------
 tests/test_xmlrpc/test_hbactest_plugin.py |   60 +++++++++++++++++++++++++++++
 4 files changed, 85 insertions(+), 17 deletions(-)

diff --git a/API.txt b/API.txt
index aba3d8aa0250113d137878c97903922ff14ee664..493d5a3ff235e2a6f2599896114365af54086d16 100644
--- a/API.txt
+++ b/API.txt
@@ -1455,9 +1455,9 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: hbactest
-args: 0,8,5
+args: 0,8,6
 option: Str('user', cli_name='user', primary_key=True)
-option: Str('sourcehost', cli_name='srchost')
+option: Str('sourcehost?', cli_name='srchost')
 option: Str('targethost', cli_name='host')
 option: Str('service', cli_name='service')
 option: Str('rules*', cli_name='rules', csv=True)
@@ -1465,6 +1465,7 @@ option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False)
 option: Flag('enabled?', autofill=True, cli_name='enabled', default=False)
 option: Flag('disabled?', autofill=True, cli_name='disabled', default=False)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: Output('warning', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
 output: Output('matched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
 output: Output('notmatched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
 output: Output('error', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
diff --git a/VERSION b/VERSION
index 081643745c47e78e7739f2b1092be762acd14e5f..b6ef09fc5119d04cc54e031762fa3e21987d2867 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=18
+IPA_API_VERSION_MINOR=19
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index fbc3dbb2e15076665bf712ce94821d46bf52f6df..4152507f3ca3fa0a2ccebe0272010839ecd3a56c 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -139,8 +139,9 @@ def convert_to_ipa_rule(rule):
         )
     for element in structure:
         category = '%scategory' % (element[0])
-        if category in rule and rule[category][0] == u'all':
+        if (category in rule and rule[category][0] == u'all') or (element[0] == 'sourcehost'):
             # rule applies to all elements
+            # sourcehost is always set to 'all'
             element[4].category = set([pyhbac.HBAC_CATEGORY_ALL])
         else:
             # rule is about specific entities
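Review bot: The new `or (element[0] == 'sourcehost')` on the `if` line means a rule's stored sourcehost members are never loaded into the pyhbac rule, but the comment placed under the branch only says the value is "always set to 'all'" without saying why or that member data is dropped. Putting the sourcehost test first and saying so in one comment reads clearer: `if element[0] == 'sourcehost' or (category in rule and rule[category][0] == u'all'):` preceded by `# sourcehost is forced to ALL to match SSSD, which ignores it; any sourcehost members of the rule are discarded`. convert_to_ipa_rule starts and ends outside the hunk.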
@@ -162,6 +163,7 @@ class hbactest(Command):
 
     has_output = (
         output.summary,
+        output.Output('warning', (list, tuple, NoneType),   _('Warning')),
         output.Output('matched', (list, tuple, NoneType),   _('Matched rules')),
         output.Output('notmatched', (list, tuple, NoneType), _('Not matched rules')),
         output.Output('error', (list, tuple, NoneType), _('Non-existent or invalid rules')),
@@ -174,7 +176,7 @@ class hbactest(Command):
             label=_('User name'),
             primary_key=True,
         ),
-        Str('sourcehost',
+        Str('sourcehost?',
             cli_name='srchost',
             label=_('Source host'),
         ),
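Review bot: Making `sourcehost` optional is only half of the contract change; with every rule's sourcehost category forced to ALL in the first hunk, a value passed here can no longer change which rules match, and the parameter's `label=_('Source host')` gives the caller no hint of that. A short parameter description saying the value is accepted for compatibility but does not influence rule matching (for example via the parameter's `doc=` text, if this Param supports it) would spare users from reading the warning list to find out. The hbactest class and its takes_options tuple continue outside the hunk.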
@@ -265,7 +267,7 @@ class hbactest(Command):
             # Error, unresolved rules are left in --rules
             return {'summary' : unicode(_(u'Unresolved rules in --rules')),
                     'error': testrules, 'matched': None, 'notmatched': None,
-                    'value' : False}
+                    'warning' : None, 'value' : False}
 
         # Rules are converted to pyhbac format, build request and then test it
         request = pyhbac.HbacRequest()
@@ -290,16 +292,17 @@ class hbactest(Command):
             except:
                 pass
 
-        if options['sourcehost'] != u'all':
-            try:
-                request.srchost.name = self.canonicalize(options['sourcehost'])
-                srchost_result = self.api.Command.host_show(request.srchost.name)['result']
-                groups = srchost_result['memberof_hostgroup']
-                if 'memberofindirect_hostgroup' in srchost_result:
-                    groups += search_result['memberofindirect_hostgroup']
-                request.srchost.groups = sorted(set(groups))
-            except:
-                 pass
+        if options.get('sourcehost'):
+            if options['sourcehost'] != u'all':
+                try:
+                    request.srchost.name = self.canonicalize(options['sourcehost'])
+                    srchost_result = self.api.Command.host_show(request.srchost.name)['result']
+                    groups = srchost_result['memberof_hostgroup']
+                    if 'memberofindirect_hostgroup' in srchost_result:
+                        groups += search_result['memberofindirect_hostgroup']
+                    request.srchost.groups = sorted(set(groups))
+                except:
+                     pass
 
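Review bot: The re-indented line `groups += search_result['memberofindirect_hostgroup']` references `search_result`, which is not bound anywhere in this block (the host_show result two lines above is named `srchost_result`), so the first source host with indirect group membership raises NameError and the bare `except: pass` swallows it, silently dropping those groups from the request; the fix is `groups += srchost_result['memberofindirect_hostgroup']`. The two nested `if`s can also be one condition, `if options.get('sourcehost') and options['sourcehost'] != u'all':`, and the `pass` on the last added line is indented one column deeper than its `try`. Narrowing the bare `except` to the error host_show raises for an unknown host would keep the best-effort behaviour while no longer hiding name errors like this one; I cannot tell from the hunk which exception type that is. The enclosing method continues outside the hunk.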
         if options['targethost'] != u'all':
             try:
@@ -315,8 +318,9 @@ class hbactest(Command):
         matched_rules = []
         notmatched_rules = []
         error_rules = []
+        warning_rules = []
 
-        result = {'matched':None, 'notmatched':None, 'error':None}
+        result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None}
         if not options['nodetail']:
             # Validate runs rules one-by-one and reports failed ones
             for ipa_rule in rules:
@@ -326,6 +330,7 @@ class hbactest(Command):
                         matched_rules.append(ipa_rule.name)
                     if res == pyhbac.HBAC_EVAL_DENY:
                         notmatched_rules.append(ipa_rule.name)
+                    warning_rules.append(u'Sourcehost value of rule "%s" is ignored' % (ipa_rule.name))
                 except pyhbac.HbacError as (code, rule_name):
                     if code == pyhbac.HBAC_EVAL_ERROR:
                         error_rules.append(rule_name)
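Review bot: The added `warning_rules.append(...)` runs for every rule that evaluates without error, whether or not the rule actually carried a sourcehost restriction, so the warning list cannot tell the user which rules' outcome really changed and becomes noise on installations that never used sourcehost. Since the conversion that forces the category to ALL happens in convert_to_ipa_rule, that is the place that knows whether the original rule had sourcehost members; recording that (for instance on the returned rule object, if it allows an extra attribute) and warning only for those rules would make the warning meaningful. Note also that this loop sits under `if not options['nodetail']`, so with `--nodetail` the sourcehost value is ignored with no warning at all; the nodetail path would need the same notice. The enclosing loop and method continue outside the hunk.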
@@ -348,6 +353,8 @@ class hbactest(Command):
             result['notmatched'] = notmatched_rules
         if len(error_rules) > 0:
             result['error'] = error_rules
+        if len(warning_rules) > 0:
+            result['warning'] = warning_rules
 
         result['value'] = access_granted
         return result
diff --git a/tests/test_xmlrpc/test_hbactest_plugin.py b/tests/test_xmlrpc/test_hbactest_plugin.py
index 7e4607c858dec9c08021e30c326b042b1831c4c7..b809521e42739ae7c3a57e200aa417e2c2abb0d0 100644
--- a/tests/test_xmlrpc/test_hbactest_plugin.py
+++ b/tests/test_xmlrpc/test_hbactest_plugin.py
@@ -115,6 +115,18 @@ class test_hbactest(XMLRPC_test):
         for i in [0,1,2,3]:
             assert self.rule_names[i] in ret['matched']
 
+        # same test without sourcehost value
+        ret = api.Command['hbactest'](
+            user=self.test_user,
+            targethost=self.test_host,
+            service=self.test_service,
+            rules=self.rule_names
+        )
+        assert ret['value'] == True
+        assert type(ret['error']) == NoneType
+        for i in [0,1,2,3]:
+            assert self.rule_names[i] in ret['matched']
+
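Review bot: The added test omits the sourcehost option but never asserts on the new `warning` output, which is the observable change this patch introduces; after the existing asserts add `assert ret['warning'] is not None` and check that each `self.rule_names[i]` appears in one of the warning strings, and in the nodetail variants (the later hunks in this file) assert `ret['warning'] is None`, since the warnings are only collected in the detailed path. The same applies to the copies added in the other four hunks of this file. As a matter of style, `assert ret['value'] == True` and `assert type(ret['error']) == NoneType` are better written `assert ret['value'] is True` and `assert ret['error'] is None`. The test method starts outside the hunk.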
     def test_b_hbactest_check_rules_nodetail(self):
         """
         Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output)
@@ -132,6 +144,19 @@ class test_hbactest(XMLRPC_test):
         assert ret['matched'] == None
         assert ret['notmatched'] == None
 
+        # same test without sourcehost value
+        ret = api.Command['hbactest'](
+            user=self.test_user,
+            targethost=self.test_host,
+            service=self.test_service,
+            rules=self.rule_names,
+            nodetail=True
+        )
+        assert ret['value'] == True
+        assert ret['error'] == None
+        assert ret['matched'] == None
+        assert ret['notmatched'] == None
+
     def test_c_hbactest_check_rules_enabled_detail(self):
         """
         Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output)
@@ -149,6 +174,16 @@ class test_hbactest(XMLRPC_test):
         for i in [0,2]:
             assert self.rule_names[i] in ret['matched']
 
+        # same test without sourcehost value
+        ret = api.Command['hbactest'](
+            user=self.test_user,
+            targethost=self.test_host,
+            service=self.test_service,
+            enabled=True
+        )
+        for i in [0,2]:
+            assert self.rule_names[i] in ret['matched']
+
     def test_d_hbactest_check_rules_disabled_detail(self):
         """
         Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output)
@@ -166,6 +201,16 @@ class test_hbactest(XMLRPC_test):
         for i in [1,3]:
             assert self.rule_names[i] in ret['matched']
 
+        # same test without sourcehost value
+        ret = api.Command['hbactest'](
+            user=self.test_user,
+            targethost=self.test_host,
+            service=self.test_service,
+            disabled=True
+        )
+        for i in [1,3]:
+            assert self.rule_names[i] in ret['matched']
+
     def test_e_hbactest_check_non_existing_rule_detail(self):
         """
         Test running 'ipa hbactest' with non-existing rule in --rules
@@ -185,6 +230,21 @@ class test_hbactest(XMLRPC_test):
         for rule in self.rule_names:
             assert u'%s_1x1' % (rule) in ret['error']
 
+        # same test without sourcehost value
+        ret = api.Command['hbactest'](
+            user=self.test_user,
+            targethost=self.test_host,
+            service=self.test_service,
+            rules=[u'%s_1x1' % (rule) for rule in self.rule_names],
+            nodetail=True
+        )
+
+        assert ret['value'] == False
+        assert ret['matched'] == None
+        assert ret['notmatched'] == None
+        for rule in self.rule_names:
+            assert u'%s_1x1' % (rule) in ret['error']
+
     def test_f_hbactest_clear_testing_data(self):
         """
         Clear data for HBAC test plugin testing.
-- 
1.7.6.5
