The configuration options for the default user and map order were a bit broken in several ways.

I wasn't handling the case where one of the values came from LDAP (and so was a list) rather than from an option (a string), so all sorts of interesting bad things were happening.

There is also the setattr problem. We would normally handle that in a validator, so it is not a problem there, but in this case we may need to compare two options passed in and we can't do that in a validator. So potentially changes may come in as an option, in entry_attrs, or from config.

I added a few tests to help keep this robust.

When testing this remember that the user map order list needs to be quoted otherwise the shell is going to interpret the $.

rob
>From db602a401955dd65b2608afd7e3e90750fba590e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 24 Jul 2012 22:55:27 -0400
Subject: [PATCH] Fix validator for SELinux user map settings in config
 plugin.

We need to compare two values and need to be aware of where those
values are coming from. They may come from options, setattr or
existing config. The format of that data is going to be different
depending on its source (always a list internally).

One may also set both at the same time so a standard validator cannot
be used because it lacks the context of the other value being set.

https://fedorahosted.org/freeipa/ticket/2938
https://fedorahosted.org/freeipa/ticket/2940
---
 ipalib/plugins/config.py                |   36 ++++++++++++++++++-------------
 tests/test_xmlrpc/test_config_plugin.py |   28 ++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index d4d6ba7b58f473fe1f8990f6dbfb8a71ab395cc9..a94241b170457126987d6289202dfb5b462c859e 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -18,6 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import copy
 from ipalib import api
 from ipalib import Bool, Int, Str, IA5Str, StrEnum
 from ipalib.plugins.baseldap import *
@@ -257,30 +258,35 @@ class config_mod(LDAPUpdate):
                                 error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
                                 % dict(obj=obj, attr=obj_attr))
 
-        if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None:
-            raise errors.ValidationError(name='ipaselinuxusermapdefault',
-                error=_('SELinux user map default user may not be empty'))
-
-        # Make sure the default user is in the list
-        if 'ipaselinuxusermapdefault' in options or \
-          'ipaselinuxusermaporder' in options:
+        # Combine the current entry and options into a single object to
+        # evaluate. This covers changes via setattr and options.
+        # Note: this is not done in a validator because we may be changing
+        #       the default user and map list at the same time and we don't
+        #       have both values in a validator.
+        validate = copy.deepcopy(options)
+        validate.update(entry_attrs)
+        if 'ipaselinuxusermapdefault' in validate or \
+          'ipaselinuxusermaporder' in validate:
             config = None
-            if 'ipaselinuxusermapdefault' in options:
-                defaultuser = options['ipaselinuxusermapdefault']
+            failedattr = 'ipaselinuxusermaporder'
+            if 'ipaselinuxusermapdefault' in validate:
+                defaultuser = validate['ipaselinuxusermapdefault']
+                failedattr = 'ipaselinuxusermapdefault'
             else:
                 config = ldap.get_ipa_config()[1]
-                defaultuser = config['ipaselinuxusermapdefault']
+                defaultuser = config['ipaselinuxusermapdefault'][0]
 
-            if 'ipaselinuxusermaporder' in options:
-                order = options['ipaselinuxusermaporder']
+            if 'ipaselinuxusermaporder' in validate:
+                order = validate['ipaselinuxusermaporder']
+                userlist = order.split('$')
             else:
                 if not config:
                     config = ldap.get_ipa_config()[1]
                 order = config['ipaselinuxusermaporder']
-            userlist = order[0].split('$')
+                userlist = order[0].split('$')
             if defaultuser not in userlist:
-                raise errors.ValidationError(name='ipaselinuxusermaporder',
-                    error=_('Default SELinux user map default user not in order list'))
+                raise errors.ValidationError(name=failedattr,
+                    error=_('SELinux user map default user not in order list'))
 
         return dn
 
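Review bot: The merged `validate` dict still assumes string values, so the setattr path is only partly covered: `validate.update(entry_attrs)` pulls in whatever shape baseldap stores in entry_attrs, and if that is a list (as the description's "always a list internally" suggests) then `order.split('$')` raises AttributeError and `defaultuser not in userlist` compares a list against strings, rejecting even a valid default set via setattr; the new tests only exercise rejections, so they would not notice. Normalizing both values before the comparison, e.g. `if isinstance(defaultuser, (list, tuple)): defaultuser = defaultuser[0]` and the same unwrap for `order` ahead of the split, makes the data source irrelevant. Dropping the old "may not be empty" check also changes behaviour for an explicitly emptied value: a None default now fails with the less accurate "not in order list" message, and a None order reaches `order.split('$')` and crashes rather than producing a ValidationError, so a `validate.get(...) is None` guard with the original message is worth keeping. The enclosing method of config_mod starts outside the hunk.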
diff --git a/tests/test_xmlrpc/test_config_plugin.py b/tests/test_xmlrpc/test_config_plugin.py
index da549bfb3efb56b05546ba32e7ce57414a586160..6d83f047e0e647270712003d77c40f3c1014f90f 100644
--- a/tests/test_xmlrpc/test_config_plugin.py
+++ b/tests/test_xmlrpc/test_config_plugin.py
@@ -60,4 +60,32 @@ class test_config(Declarative):
             expected=errors.RequirementError(name='ipausersearchfields'),
         ),
 
+        dict(
+            desc='Try to set invalid ipaselinuxusermapdefault',
+            command=('config_mod', [],
+                dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
+            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+        ),
+
+        dict(
+            desc='Try to set invalid ipaselinuxusermapdefault with setattr',
+            command=('config_mod', [],
+                dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
+            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+        ),
+
+        dict(
+            desc='Try to set invalid ipaselinuxusermaporder',
+            command=('config_mod', [],
+                dict(ipaselinuxusermaporder=u'notfound_u:s0')),
+            expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'),
+        ),
+
+        dict(
+            desc='Try to set new selinux order and invalid default user',
+            command=('config_mod', [],
+                dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')),
+            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+        ),
+
     ]
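Review bot: All four new cases expect a ValidationError; nothing asserts that a valid default or order is accepted through either path (plain option or `setattr=`), so a type mismatch in the merged options/entry_attrs data that rejected every setattr value would still pass this suite. A success case that sets `setattr=u'ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023'` (a user already present in the order list used at the fourth case) and checks the returned entry, followed by a case restoring the original default so later tests are unaffected, would pin the positive behaviour. The enclosing test list and class start outside the hunk.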
-- 
1.7.10.4
