On 02/27/2013 10:28 AM, Martin Kosek wrote:
On 02/20/2013 12:31 PM, Tomas Babej wrote:
On 02/19/2013 10:33 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 02/06/2013 07:57 PM, Rob Crittenden wrote:
Tomas Babej wrote:
Hi,

this pair of patches improves HBAC rule handling in selinuxusermap
commands.

Patch 0031 deals with:
https://fedorahosted.org/freeipa/ticket/3349

Patch 0032 takes care of:
https://fedorahosted.org/freeipa/ticket/3348

and is to be applied on top of Patch 0031.

See commit messages for detailed info.

Tomas

ACK for patch 0032.

For patch 0031 we can't change the data type of an existing attribute.
It will break backwards compatibility. Can you test with an older
client to see if it cares (it may not care about the name of the
type). If older clients will work then this is probably ok.

I gather that seealso detected as a DN attribute and converted into a
DN class and this is blowing up the Str validator?

Yes, that was exactly the case.
rob
I added a workaround for older client versions, tested it with
freeipa-client/admintools 2.2, works as expected.
However, this should only be an issue if there is an older admintools package
on the client than on the server.

Outline is as follows: I added a new flag for the DNParam seealso
attribute, called 'allow_malformed', that allows any string to be passed
to DNParam. Its value gets wrapped in 'malformed=yes,value=<value>'.
This allows parsing the string out of the DN in the selinuxusermap-add/mod
pre_callback and searching for the rule with such a name, so
that its DN gets into LDAP instead.

Updated patch attached.

Tomas
I like where you're going with this, just a couple of comments:

1. Should we come up with a more universal name for allow_malformed? Is this
something that we should allow at a higher level? I was thinking allow_raw,
or allow_non_dn, or something like that.
To me, allow_non_dn sounds just as specific as allow_malformed;
they both refer to DN specifically.

I'd go with allow_raw, if a need for such a pattern may eventually arise for
parameter classes other than DNParam.

What do you mean by higher level, turning this hack into a feature of the
Param class? I don't see how this would work, each parameter
class that implements its own type validation as DNParam needs
to override _convert_scalar(). And in every such class we would need
to wrap our raw value so that it is represented in the type of this parameter,
as we do with DN(('malformed','yes'),('value',value)) now.

Maybe we could skip type validation in the _convert_scalar default
implementation or catch the error raised somehow, and let the type be
invalid, but I'm not aware of the consequences. I would need to investigate.
Wouldn't it cause failure deeper in the framework?

Or did you by higher level mean simply picking a more general name for the
flag so it can be reused in other parameter classes with the same name?
2. I think that if a bad dn is passed in as a Str the conversion into a DN
won't be handled:

+            if 'allow_malformed' in self.flags:
+                dn = DN(('malformed','yes'),('value',value))

Should this be wrapped in a try/except to raise a ConversionError if it fails?
Yes, thanks for that catch.
rob
Tomas
Is it just me, or does 0031 look overengineered? I think this is a general
problem for each Str parameter which we then process/convert to DN in our
pre_callbacks.

selinuxusermap is one example where this does not work. This fix leaves other
examples not working:

# ipa trustconfig-mod --setattr "ipantfallbackprimarygroup=cn=Default SMB
Group,cn=groups,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
ipa: ERROR: invalid 'ipantfallbackprimarygroup': must be Unicode text

I would rather propose to not automatically encode DN of known attributes set
by *attr:

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1ebbe7a..e4b9834 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -768,12 +768,6 @@ last, after all sets and adds."""),
                  # None means "delete this attribute"
                  value = None

-            if ldap.has_dn_syntax(attr):
-                try:
-                    value = DN(value)
-                except ValueError:
-                    raise errors.InvalidSyntax(attr=attr)
-
              if attr in newdict:
                  if type(value) in (tuple,):
                      newdict[attr] += list(value)
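Review bot: removing the `DN(value)` block here also removes the only point at which a malformed value for a DN-syntax attribute set via --setattr was rejected with `errors.InvalidSyntax(attr=attr)`; after this hunk such a value reaches the pre_callback or the LDAP server as a plain string, so whichever of those now handles it should still turn a bad DN into a clear error. Worth also checking whether `DN` and `errors` remain referenced elsewhere in baseldap.py once this block is gone.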

I think this conversion is just done too early, as this Str param is processed
and converted later in the pre_callback, when needed. The code above introduced
inconsistent processing of IPA attributes with DN syntax coming from a regular
option and from a *attr option - Str.

When I did this change, both selinuxusermap-mod and trustconfig-mod started
working:

# ipa selinuxusermap-mod foo
--setattr=seealso=ipaUniqueID=70e42636-75db-11e2-9df6-001a4a104edc,cn=hbac,dc=rhel64,dc=ad,dc=test
-------------------------------
Modified SELinux User Map "foo"
-------------------------------
   Rule name: foo
   SELinux User: unconfined_u:s0-s0:c0.c1023
   HBAC Rule: allow_all
   Enabled: TRUE
# ipa selinuxusermap-mod foo --setattr=seealso=allow_all
ipa: ERROR: no modifications to be performed
# ipa selinuxusermap-mod foo --hbacrule=allow_all
ipa: ERROR: no modifications to be performed

You would just need to investigate if this change would not have other
consequences.

Martin
Attaching a version of the patch based on Martin's proposition.

This is indeed a simpler solution that solves both problems. I investigated whether removing the conversion into DN would have any consequences. However, it turns out that DNParam is
only used in contexts where usage of --*attr options is not allowed:
  - cosentry class (no CLI)
  - migration (no *attr options)
  - ipacertificatesubjectbase in ipa config class (has no_update flag)

I refactored the patch and retained the unit tests.
Please note that pushing this renders 0032 invalid.

Tomas
From 1933bfcae583e6aaef88ba927b233acbac76f834 Mon Sep 17 00:00:00 2001
From: Tomas Babej <[email protected]>
Date: Fri, 8 Mar 2013 18:23:19 +0100
Subject: [PATCH] Remove implicit Str to DN conversion using *-attr

DNs represented as strings and passed via --setattr or --addattr
are no longer implicitly converted to DN type. This solves various
errors associated with this behaviour, see tickets below.

Unit tests added.

https://fedorahosted.org/freeipa/ticket/3348
https://fedorahosted.org/freeipa/ticket/3349
---
 ipalib/plugins/baseldap.py                      |   6 -
 tests/test_xmlrpc/test_selinuxusermap_plugin.py | 220 +++++++++++++++++-------
 2 files changed, 154 insertions(+), 72 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1e71a64f4c15612f8e3ec2bb439c1b29f5ebb0b8..3d013ced9782b1d41b7c851006808c13e3ecdb6c 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -777,12 +777,6 @@ last, after all sets and adds."""),
                 # None means "delete this attribute"
                 value = None
 
-            if ldap.has_dn_syntax(attr):
-                try:
-                    value = DN(value)
-                except ValueError:
-                    raise errors.InvalidSyntax(attr=attr)
-
             if attr in newdict:
                 if type(value) in (tuple,):
                     newdict[attr] += list(value)
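Review bot: this hunk is the whole functional change, yet the diffstat lists tests only for test_selinuxusermap_plugin.py; the trustconfig-mod case from the thread (`--setattr ipantfallbackprimarygroup=<DN>`), which this hunk also fixes, gets no test, and neither does the error path for a malformed DN now that `errors.InvalidSyntax(attr=attr)` is gone. Consider adding a case for each so that a later reintroduction of early DN conversion is caught.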
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index 816e7673584cc5adba4e40de4fcc9527e19ee2b2..ad3cb34651c907aeca53c22fa5cb4bb2cabc2a97 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -33,19 +33,26 @@ selinuxuser2 = u'xguest_u:s0'
 user1 = u'tuser1'
 group1 = u'testgroup1'
 host1 = u'testhost1.%s' % api.env.domain
-hostdn1 = DN(('fqdn',host1),('cn','computers'),('cn','accounts'),
+hostdn1 = DN(('fqdn', host1), ('cn', 'computers'), ('cn', 'accounts'),
              api.env.basedn)
 hbacrule1 = u'testhbacrule1'
 hbacrule2 = u'testhbacrule12'
 
 # Note (?i) at the beginning of the regexp is the ingnore case flag
 fuzzy_selinuxusermapdn = Fuzzy(
-    '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s' % (api.env.container_selinux, api.env.basedn)
+    '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}'
+    '-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s'
+    % (api.env.container_selinux, api.env.basedn)
 )
 fuzzy_hbacruledn = Fuzzy(
-    '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s' % (api.env.container_hbac, api.env.basedn)
+    '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}'
+    '-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s'
+    % (api.env.container_hbac, api.env.basedn)
 )
 
+allow_all_rule_dn = api.Command['hbacrule_show'](u'allow_all')['result']['dn']
+
+
 class test_selinuxusermap(Declarative):
     cleanup_commands = [
         ('selinuxusermap_del', [rule1], {}),
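Review bot: `allow_all_rule_dn = api.Command['hbacrule_show'](u'allow_all')['result']['dn']` runs a server command at module import, before any test case executes; if the connection is not up or the allow_all rule is absent, the whole module fails to import instead of the one case that needs the value. Resolve it lazily, e.g. in a setup hook or inside the test case that uses it; the other module-level values here are plain constants or Fuzzy patterns.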
@@ -85,7 +92,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule %r' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1)
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1)
             ),
             expected=dict(
                 value=rule1,
@@ -95,7 +103,7 @@ class test_selinuxusermap(Declarative):
                     ipaselinuxuser=[selinuxuser1],
                     objectclass=objectclasses.selinuxusermap,
                     ipauniqueid=[fuzzy_uuid],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             ),
@@ -105,7 +113,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Try to create duplicate %r' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1)
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1)
             ),
             expected=errors.DuplicateEntry(message=u'SELinux User Map rule ' +
                 u'with name "%s" already exists' % rule1),
@@ -121,7 +130,7 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser1],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             ),
@@ -131,13 +140,14 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Update rule %r' % rule1,
             command=(
-                'selinuxusermap_mod', [rule1], dict(ipaselinuxuser=selinuxuser2)
+                'selinuxusermap_mod', [rule1],
+                    dict(ipaselinuxuser=selinuxuser2)
             ),
             expected=dict(
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                 ),
                 summary=u'Modified SELinux User Map "%s"' % rule1,
                 value=rule1,
@@ -153,7 +163,7 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
                 summary=None,
@@ -171,7 +181,7 @@ class test_selinuxusermap(Declarative):
                     dict(
                         cn=[rule1],
                         ipaselinuxuser=[selinuxuser2],
-                        ipaenabledflag = [u'TRUE'],
+                        ipaenabledflag=[u'TRUE'],
                         dn=fuzzy_selinuxusermapdn,
                     ),
                 ],
@@ -206,12 +216,15 @@ class test_selinuxusermap(Declarative):
                     cn=[u'Test User1'],
                     initials=[u'TU'],
                     ipauniqueid=[fuzzy_uuid],
-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
-                                              ('cn','kerberos'),api.env.basedn)],
-                    mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
-                                        api.env.basedn)],
+                    krbpwdpolicyreference=[DN(('cn', 'global_policy'),
+                                              ('cn', api.env.realm),
+                                              ('cn', 'kerberos'),
+                                              api.env.basedn)
+                                        ],
+                    mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'),
+                        ('cn', 'accounts'), api.env.basedn)],
                     memberof_group=[u'ipausers'],
-                    dn=DN(('uid',user1),('cn','users'),('cn','accounts'),
+                    dn=DN(('uid', user1), ('cn', 'users'), ('cn', 'accounts'),
                           api.env.basedn),
                     has_keytab=False,
                     has_password=False,
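Review bot: style, the closing `]` of `krbpwdpolicyreference=[DN(...` sits on its own line (`+                                        ],`) at an indentation that matches nothing around it, while the neighbouring `mepmanagedentry` closes inline with `('cn', 'accounts'), api.env.basedn)],`; close both the same way, i.e. `api.env.basedn)],` on the last line of the DN.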
@@ -233,7 +246,7 @@ class test_selinuxusermap(Declarative):
                     gidnumber=[fuzzy_digits],
                     objectclass=objectclasses.group + [u'posixgroup'],
                     ipauniqueid=[fuzzy_uuid],
-                    dn=DN(('cn',group1),('cn','groups'),('cn','accounts'),
+                    dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
                           api.env.basedn),
                 ),
             ),
@@ -254,8 +267,8 @@ class test_selinuxusermap(Declarative):
                     ),
                 ),
                 result={
-                        'dn': DN(('cn',group1),('cn','groups'),('cn','accounts'),
-                                 api.env.basedn),
+                        'dn': DN(('cn', group1), ('cn', 'groups'),
+                            ('cn', 'accounts'), api.env.basedn),
                         'member_user': (user1,),
                         'gidnumber': [fuzzy_digits],
                         'cn': [group1],
@@ -344,8 +357,8 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    memberuser_user = [user1],
+                    ipaenabledflag=[u'TRUE'],
+                    memberuser_user=[user1],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -354,15 +367,19 @@ class test_selinuxusermap(Declarative):
 
         dict(
             desc='Add non-existent user to %r' % rule1,
-            command=('selinuxusermap_add_user', [rule1], dict(user=u'notfound')),
+            command=('selinuxusermap_add_user', [rule1],
+                dict(user=u'notfound')),
             expected=dict(
-                failed=dict(memberuser=dict(group=[], user=[(u'notfound', u'no such entry')])),
+                failed=dict(
+                    memberuser=dict(group=[],
+                                    user=[(u'notfound', u'no such entry')])
+                        ),
                 completed=0,
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    memberuser_user = [user1],
+                    ipaenabledflag=[u'TRUE'],
+                    memberuser_user=[user1],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
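Review bot: style, the `),` that closes `failed=dict(` (`+                        ),`) is indented deeper than the `failed=` it closes and deeper than the `completed=0,` that follows; align it with `failed`, or keep `failed=dict(memberuser=dict(group=[], user=[...]))` on two lines with the closing parentheses on the second.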
@@ -378,7 +395,7 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -387,14 +404,19 @@ class test_selinuxusermap(Declarative):
 
         dict(
             desc='Remove non-existent user to %r' % rule1,
-            command=('selinuxusermap_remove_user', [rule1], dict(user=u'notfound')),
+            command=('selinuxusermap_remove_user', [rule1],
+                dict(user=u'notfound')),
             expected=dict(
-                failed=dict(memberuser=dict(group=[], user=[(u'notfound', u'This entry is not a member')])),
+                failed=dict(
+                    memberuser=dict(group=[],
+                        user=[(u'notfound', u'This entry is not a member')]
+                            )
+                        ),
                 completed=0,
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
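Review bot: same closing-parenthesis layout as the previous hunk: `+                            )` and `+                        ),` sit at depths that correspond to neither the `memberuser=dict(` nor the `failed=dict(` they close; align them with the opening names so the nesting is readable.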
@@ -410,8 +432,8 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    memberuser_group = [group1],
+                    ipaenabledflag=[u'TRUE'],
+                    memberuser_group=[group1],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -427,9 +449,9 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    memberhost_host = [host1],
-                    memberuser_group = [group1],
+                    ipaenabledflag=[u'TRUE'],
+                    memberhost_host=[host1],
+                    memberuser_group=[group1],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -494,8 +516,8 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    memberuser_group = [group1],
+                    ipaenabledflag=[u'TRUE'],
+                    memberuser_group=[group1],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -504,14 +526,15 @@ class test_selinuxusermap(Declarative):
 
         dict(
             desc='Remove group from %r' % rule1,
-            command=('selinuxusermap_remove_user', [rule1], dict(group=group1)),
+            command=('selinuxusermap_remove_user', [rule1],
+                dict(group=group1)),
             expected=dict(
                 failed=dict(memberuser=dict(group=[], user=[])),
                 completed=1,
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             )
@@ -537,8 +560,8 @@ class test_selinuxusermap(Declarative):
                 result=dict(
                     cn=[rule1],
                     ipaselinuxuser=[selinuxuser2],
-                    ipaenabledflag = [u'TRUE'],
-                    seealso = hbacrule1,
+                    ipaenabledflag=[u'TRUE'],
+                    seealso=hbacrule1,
                 ),
                 summary=u'Modified SELinux User Map "%s"' % rule1,
                 value=rule1,
@@ -565,7 +588,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Try to delete HBAC rule pointed to by %r' % rule1,
             command=('hbacrule_del', [hbacrule1], {}),
-            expected=errors.DependentEntry(key=hbacrule1, label=u'SELinux User Map', dependent=rule1)
+            expected=errors.DependentEntry(key=hbacrule1,
+                label=u'SELinux User Map', dependent=rule1)
         ),
 
 
@@ -606,10 +630,11 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with unknown user %r' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound:s0:c0')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=u'notfound:s0:c0')
             ),
-            expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 not ' +
-                u'found in ordering list (in config)'),
+            expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 ' +
+                u'not found in ordering list (in config)'),
         ),
 
 
@@ -619,14 +644,16 @@ class test_selinuxusermap(Declarative):
                 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'bad+user')
             ),
             expected=errors.ValidationError(name='selinuxuser',
-                error=u'Invalid SELinux user name, only a-Z and _ are allowed'),
+                error=u'Invalid SELinux user name, only a-Z and _ are allowed'
+                ),
         ),
 
 
         dict(
             desc='Create rule with invalid MCS xguest_u:s999',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s999')
+                'selinuxusermap_add', [rule1],
+                     dict(ipaselinuxuser=u'xguest_u:s999')
             ),
             expected=errors.ValidationError(name='selinuxuser',
                 error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
@@ -636,7 +663,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with invalid MLS xguest_u:s0:p88',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0:p88')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=u'xguest_u:s0:p88')
             ),
             expected=errors.ValidationError(name='selinuxuser',
                 error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
@@ -647,7 +675,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with invalid MLS xguest_u:s0:c0.c1028',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
             ),
             expected=errors.ValidationError(name='selinuxuser',
                 error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
@@ -658,7 +687,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with invalid user via setattr',
             command=(
-                'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')
+                'selinuxusermap_mod', [rule1],
+                    dict(setattr=u'ipaselinuxuser=deny')
             ),
             expected=errors.ValidationError(name='ipaselinuxuser',
                 error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
@@ -667,7 +697,10 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with both --hbacrule and --usercat set',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,usercategory=u'all')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1,
+                         seealso=hbacrule1,
+                         usercategory=u'all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
@@ -676,25 +709,36 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with both --hbacrule and --hostcat set',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,hostcategory=u'all')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1,
+                         seealso=hbacrule1,
+                         hostcategory=u'all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
         ),
 
         dict(
-            desc='Create rule with both --hbacrule and --usercat set via setattr',
+            desc='Create rule with both --hbacrule '
+                 'and --usercat set via setattr',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'usercategory=all')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1,
+                         seealso=hbacrule1,
+                         setattr=u'usercategory=all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
         ),
 
         dict(
-            desc='Create rule with both --hbacrule and --hostcat set via setattr',
+            desc='Create rule with both --hbacrule '
+                 'and --hostcat set via setattr',
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'hostcategory=all')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1,
+                         seealso=hbacrule1,
+                         setattr=u'hostcategory=all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
@@ -703,7 +747,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule %r with --hbacrule' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1)
+                'selinuxusermap_add', [rule1],
+                dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1)
             ),
             expected=dict(
                 value=rule1,
@@ -713,7 +758,7 @@ class test_selinuxusermap(Declarative):
                     ipaselinuxuser=[selinuxuser1],
                     objectclass=objectclasses.selinuxusermap,
                     ipauniqueid=[fuzzy_uuid],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                     seealso=hbacrule1
                 ),
@@ -741,7 +786,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Add an usercat via setattr to %r that has HBAC set' % rule1,
             command=(
-                'selinuxusermap_mod', [rule1], dict(setattr=u'usercategory=all')
+                'selinuxusermap_mod', [rule1],
+                dict(setattr=u'usercategory=all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
@@ -750,7 +796,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Add an hostcat via setattr to %r that has HBAC set' % rule1,
             command=(
-                'selinuxusermap_mod', [rule1], dict(setattr=u'hostcategory=all')
+                'selinuxusermap_mod', [rule1],
+                dict(setattr=u'hostcategory=all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
@@ -769,7 +816,10 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule %r with usercat and hostcat set' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,usercategory=u'all',hostcategory=u'all')
+                'selinuxusermap_add', [rule1],
+                    dict(ipaselinuxuser=selinuxuser1,
+                         usercategory=u'all',
+                         hostcategory=u'all')
             ),
             expected=dict(
                 value=rule1,
@@ -779,10 +829,10 @@ class test_selinuxusermap(Declarative):
                     ipaselinuxuser=[selinuxuser1],
                     objectclass=objectclasses.selinuxusermap,
                     ipauniqueid=[fuzzy_uuid],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
-                    usercategory = [u'all'],
-                    hostcategory = [u'all']
+                    usercategory=[u'all'],
+                    hostcategory=[u'all']
                 ),
             ),
         ),
@@ -809,7 +859,8 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule %r' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1)
+                'selinuxusermap_add', [rule1],
+                dict(ipaselinuxuser=selinuxuser1)
             ),
             expected=dict(
                 value=rule1,
@@ -819,7 +870,7 @@ class test_selinuxusermap(Declarative):
                     ipaselinuxuser=[selinuxuser1],
                     objectclass=objectclasses.selinuxusermap,
                     ipauniqueid=[fuzzy_uuid],
-                    ipaenabledflag = [u'TRUE'],
+                    ipaenabledflag=[u'TRUE'],
                     dn=fuzzy_selinuxusermapdn,
                 ),
             ),
@@ -828,7 +879,10 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Add HBAC rule, hostcat and usercat to %r' % rule1,
             command=(
-                'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1,usercategory=u'all',hostcategory=u'all')
+                'selinuxusermap_mod', [rule1],
+                    dict(seealso=hbacrule1,
+                         usercategory=u'all',
+                         hostcategory=u'all')
             ),
             expected=errors.MutuallyExclusiveError(
                 reason=u'HBAC rule and local members cannot both be set'),
@@ -843,4 +897,38 @@ class test_selinuxusermap(Declarative):
                 summary=u'Deleted SELinux User Map "%s"' % rule1,
             )
         ),
+
+       dict(
+            desc='Create rule %r with '
+                 '--setattr=seealso=<allow_all rule DN>' % rule1,
+            command=(
+                'selinuxusermap_add',
+                [rule1],
+                dict(ipaselinuxuser=selinuxuser1,
+                     setattr=u'seealso=%s' % allow_all_rule_dn)
+            ),
+            expected=dict(
+                value=rule1,
+                summary=u'Added SELinux User Map "%s"' % rule1,
+                result=dict(
+                    cn=[rule1],
+                    ipaselinuxuser=[selinuxuser1],
+                    objectclass=objectclasses.selinuxusermap,
+                    ipauniqueid=[fuzzy_uuid],
+                    ipaenabledflag=[u'TRUE'],
+                    dn=fuzzy_selinuxusermapdn,
+                    seealso=u'allow_all',
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Delete %r' % rule1,
+            command=('selinuxusermap_del', [rule1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=rule1,
+                summary=u'Deleted SELinux User Map "%s"' % rule1,
+            )
+        ),
     ]
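Review bot: `+       dict(` opens the new test case with seven spaces of indentation where every sibling case in this list uses eight, so it is misaligned with the entries above and with its own `desc=` line; fix the indent. This case (`setattr=u'seealso=%s' % allow_all_rule_dn`, expecting `seealso=u'allow_all'` back) is the only new coverage of the removed baseldap conversion, so a companion case that sets a malformed `seealso` via setattr and asserts the resulting error would pin down which error a bad value now produces.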
-- 
1.7.11.7
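As an added model of the failure Martin describes (this is illustration code, not ipalib's own): a DN-syntax value set via --setattr is turned into a DN object before the Str parameter's converter sees it, so the converter rejects it with "must be Unicode text"; with that early conversion removed, the string reaches the pre_callback, which resolves either a rule name or a rule DN. The class names, the stand-in for has_dn_syntax and the rule directory are constructed for the example; the sample DN is the allow_all rule DN from Martin's transcript.

```python
# Added model (not ipalib code) of the --setattr path discussed in this thread.
# Class and function names are constructed; the sample DN is the allow_all
# rule DN from Martin's transcript.

class ConversionError(Exception):
    """Parameter got a value of the wrong type ('must be Unicode text')."""

class InvalidSyntax(Exception):
    """Raised by the removed baseldap block when DN(value) failed."""

class DN(object):
    """Minimal stand-in for ipapython.dn.DN: ordered (attr, value) pairs."""

    def __init__(self, *parts):
        self.rdns = []
        for part in parts:
            if isinstance(part, DN):
                self.rdns.extend(part.rdns)
            elif isinstance(part, tuple):
                self.rdns.append((part[0].lower(), part[1]))
            else:
                self.rdns.extend(self._parse(part))

    @staticmethod
    def _parse(text):
        rdns = []
        for rdn in text.split(','):
            if '=' not in rdn:
                raise ValueError('not a DN: %r' % text)
            attr, value = rdn.split('=', 1)
            rdns.append((attr.strip().lower(), value.strip()))
        return rdns

    def __eq__(self, other):
        return isinstance(other, DN) and self.rdns == other.rdns

    def __str__(self):
        return ','.join('%s=%s' % rdn for rdn in self.rdns)

class Str(object):
    """Model of ipalib's Str parameter: its converter only accepts text."""

    def __init__(self, name):
        self.name = name

    def convert(self, value):
        if not isinstance(value, str):
            raise ConversionError("invalid '%s': must be Unicode text" % self.name)
        return value

# Constructed stand-in for ldap.has_dn_syntax(attr).
DN_SYNTAX_ATTRS = {'seealso', 'ipantfallbackprimarygroup'}

# Constructed directory of HBAC rules: name -> DN.
HBAC_RULES = {
    'allow_all': DN('ipaUniqueID=70e42636-75db-11e2-9df6-001a4a104edc,'
                    'cn=hbac,dc=rhel64,dc=ad,dc=test'),
}

def process_setattr(setattr_value, params, convert_dn_early):
    """Model of the *attr handling in baseldap.py.  convert_dn_early=True
    reproduces the block the patch removes (DN-syntax values become DN
    objects before the parameter's converter runs); False is post-patch."""
    attr, value = setattr_value.split('=', 1)
    attr = attr.lower()
    if value == '':
        value = None  # None means "delete this attribute"
    if convert_dn_early and value is not None and attr in DN_SYNTAX_ATTRS:
        try:
            value = DN(value)
        except ValueError:
            raise InvalidSyntax(attr)
    if value is not None and attr in params:
        value = params[attr].convert(value)
    return attr, value

def seealso_pre_callback(value):
    """Model of the selinuxusermap pre_callback: accept an HBAC rule name or
    its DN and return the DN that gets stored in LDAP."""
    if value in HBAC_RULES:
        return HBAC_RULES[value]
    dn = DN(value)  # ValueError when the string is neither a name nor a DN
    if dn not in list(HBAC_RULES.values()):
        raise ValueError('no HBAC rule with DN %s' % dn)
    return dn

def attempt(setattr_value, convert_dn_early):
    """Run one --setattr through both stages and report the outcome."""
    params = {'seealso': Str('seealso')}
    try:
        _, value = process_setattr(setattr_value, params, convert_dn_early)
        return ('ok', str(seealso_pre_callback(value)))
    except (ConversionError, InvalidSyntax, ValueError) as exc:
        return ('error', type(exc).__name__)
```

`attempt(..., True)` reproduces the pre-patch failures for both a DN and a plain rule name, while `attempt(..., False)` shows the post-patch path resolving either form and leaving malformed input to the pre_callback.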

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel