Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it.
RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently Windows and some phones also use underscores in hostnames.
So the new validator allows the underscore. https://fedorahosted.org/freeipa/ticket/2649 -- Petr³
From b20a48c5d9ef3161d7c4070c33287f1acb3f8e50 Mon Sep 17 00:00:00 2001 From: Petr Viktorin <pvikt...@redhat.com> Date: Mon, 30 Apr 2012 07:29:08 -0400 Subject: [PATCH] Validate externalhost (when added by --addattr/--setattr) Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. The validator is relaxed to allow underscores, so that some hosts with nonstandard names can be added. Tests included. https://fedorahosted.org/freeipa/ticket/2649 --- ipalib/plugins/baseldap.py | 18 ++++++++++++++---- ipalib/plugins/hbacrule.py | 1 + ipalib/plugins/netgroup.py | 1 + ipalib/plugins/sudorule.py | 1 + tests/test_xmlrpc/test_hbac_plugin.py | 9 +++++++++ tests/test_xmlrpc/test_netgroup_plugin.py | 11 +++++++++++ tests/test_xmlrpc/test_sudorule_plugin.py | 17 +++++++++++++++++ 7 files changed, 54 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index d37a20d1faefce75e90bbffeb1a79204a933f508..63ea4c8d575fe88e6bf28f8c4e754cd778dd154c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,9 +157,6 @@ Str('memberofindirect_hbacrule?', label='Indirect Member of HBAC rule', ), - Str('externalhost?', - label=_('External host'), - ), Str('sourcehost', label=_('Failed source hosts/hostgroups'), ), @@ -313,6 +309,20 @@ def wait_for_value(ldap, dn, attr, value): return entry_attrs + +def validate_externalhost(ugettext, hostname): + try: + validate_hostname(hostname, allow_underscore=True) + except ValueError, e: + return unicode(e) + + +external_host_param = Str('externalhost*', validate_externalhost, + label=_('External host'), + flags=['no_create', 'no_update', 'no_search'], +) + + def add_external_pre_callback(membertype, ldap, dn, keys, options): """ Pre callback to validate external members. 
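Review bot: validate_externalhost has no docstring or comment saying that `allow_underscore=True` is a deliberate departure from RFC 1123, so a later reader may tighten it or copy it elsewhere without knowing why. A comment above the call such as `# Underscores accepted on purpose: some Windows hosts and phones use them (ticket 2649)` would record the decision next to the code that enforces it. It is also worth confirming that add_external_pre_callback, whose body continues outside this hunk, applies the same rule. Otherwise the --addattr/--setattr path and the add-host path could accept different values for the same attribute in HBAC, netgroup and sudo rules.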
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index eb5cb696eb835c717d734d31ee2c6333ac177030..33440ccde9ef63df7d087d17f0d5d224c75833fa 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -219,6 +219,7 @@ class hbacrule(LDAPObject): label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), + external_host_param, ) api.register(hbacrule) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index 693c00c1a83339cbe9056f10af61bd4e1c1712d1..2d736caf491fd6c5e212edf21815fdc58530e4d0 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -146,6 +146,7 @@ class netgroup(LDAPObject): doc=_('Host category the rule applies to'), values=(u'all', ), ), + external_host_param, ) api.register(netgroup) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 7432bc42bbb945cd0e8d25f3e320987af7fef26b..2c0358e879fc203106731ce966ed697e85c4e84f 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -217,6 +217,7 @@ class sudorule(LDAPObject): doc=_('Run with the gid of a specified POSIX group'), flags=['no_create', 'no_update', 'no_search'], ), + external_host_param, ) order_not_unique_msg = _( diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index c7cb55bad4309f05fc0d9651f9e97d37ffe866ae..5ecb9014deae302404656e95bbd7b2ffd282f799 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py +++ b/tests/test_xmlrpc/test_hbac_plugin.py 
@@ -377,6 +377,15 @@ def test_c_hbacrule_add_same_external(self): entry = ret['result'] assert_attr_equal(entry, 'externalhost', self.test_host_external) + @raises(errors.ValidationError) + def test_c_hbacrule_mod_invalid_external_setattr(self): + """ + Test adding the same external host using `xmlrpc.hbacrule_add_host`. + """ + ret = api.Command['hbacrule_mod']( + self.rule_name, setattr=self.test_invalid_sourcehost + ) + def test_c_hbacrule_remove_external_host(self): """ Test removing external source host using `xmlrpc.hbacrule_remove_host`. diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py index afb2ac73429100b99515b9c5e25c8695fa798b8c..3190345a736aa2bf2731f13d09f31ab669771084 100644 --- a/tests/test_xmlrpc/test_netgroup_plugin.py +++ b/tests/test_xmlrpc/test_netgroup_plugin.py @@ -796,6 +796,17 @@ class test_netgroup(Declarative): ), dict( + desc='Add invalid host %r to netgroup %r using setattr' % + (unknown_host, netgroup1), + command=( + 'netgroup_mod', [netgroup1], + dict(setattr='externalhost=%s' % unknown_host) + ), + expected=errors.ValidationError(name='externalhost', + error='not fully qualified'), + ), + + dict( desc='Retrieve %r' % netgroup1, command=('netgroup_show', [netgroup1], {}), expected=dict( diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py index 6aabd2b278fb1c4ef9c87587d70f2b8996595415..04f8f07f37148555a953d0775b01a28af84a244a 100644 --- a/tests/test_xmlrpc/test_sudorule_plugin.py +++ b/tests/test_xmlrpc/test_sudorule_plugin.py 
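Review bot: test_c_hbacrule_mod_invalid_external_setattr passes `setattr=self.test_invalid_sourcehost` directly, while the netgroup and sudorule tests in this patch build `'externalhost=%s' % value`. If test_invalid_sourcehost (defined outside the hunk) is a bare hostname, the ValidationError would presumably come from setattr's name=value parsing, the externalhost validator would never run, and the test would pass without covering the fix. Suggest `setattr='externalhost=%s' % self.test_invalid_sourcehost` and a check that the error is reported for `externalhost`. The docstring is copied from the previous test and should instead describe setting an invalid external host through hbacrule_mod --setattr.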
@@ -484,6 +484,23 @@ def test_a_sudorule_add_externalhost_invalid(self): else: assert False + def test_a_sudorule_mod_externalhost_invalid_addattr(self): + """ + Test adding an invalid external host to Sudo rule using + `xmlrpc.sudorule_mod --addattr`. + """ + try: + api.Command['sudorule_mod']( + self.rule_name, + addattr='externalhost=%s' % self.test_invalid_host + ) + except errors.ValidationError, e: + assert unicode(e) == ("invalid 'externalhost': only letters, " + + "numbers, _, and - are allowed. - must not be the DNS label " + + "character") + else: + assert False + def test_b_sudorule_remove_externalhost(self): """ Test removing an external host from Sudo rule using -- 1.7.7.6
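Review bot: test_a_sudorule_mod_externalhost_invalid_addattr compares the whole message with `unicode(e) == (...)`, so any rewording of the hostname validator's text breaks it even though validation still works. The netgroup test in this patch matches `errors.ValidationError(name='externalhost', ...)` instead. Checking that the error is raised for `externalhost` would pin the behaviour that matters. The bare `else: assert False` also fails without saying why; `assert False, 'ValidationError not raised'` would make a regression readable. This test exercises --addattr only, so --setattr on sudorule is not covered here.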