On 05/27/2015 08:41 PM, Drew Erny wrote:
> Hey, Freeipa-devel,
> I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226)
> I've identified the problem. The sudorules add user command adds the user
> validations at the end of its pre-callback using add_external_pre_callback.
> However, the "user" plugin pattern-matches a string for the "uid" param,
> because it only allows certain characters.
> I've been picking through the codebase and I think I have enough understanding
> to ask this: What if we changed the user "uid" validation to a standalone
> "rule" function (you can do that, right? pass in a function as a validation
> rule?) that would normally just assert that the pattern matches, but could have
> that pattern matching validation overridden in some cases. I think that's the
> easiest, cleanest way to change user so that sudorules and other plugins can
> ignore this validation if necessary (I'm trying to figure out exactly how to
> implement this without changing any APIs).
> Am I understanding the plugin params API correctly, and can I do this? Is this
> the best way to do this?
> The only other solution I see is to write sudorules-specific code in some
> plugin-related (either user.py or baseldap.py) module, which would create
> unwanted coupling.
> Most specifically, this would be a change to the object instantiated at
> ipalib/plugins/user.py line 467
> Thoughts and suggestions?

I think it would make sense to follow the example with validate_hostname and
prepare a function validate_username(username, upn=False, netbios_name=False) 

where upn would allow using "@." on top of current validator (i.e.
u...@domain.test) and netbios_name would allow the "DOMAIN\user" style. I would
just suggest making sure the standard user validation error message is still
the same to avoid unnecessary QE fail positives.

In add_external_pre_callback you could then just simply call

validate_username(user, True, True)

just like it is already done with hostname.

My 2 cents.
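
The validator proposed in the reply above could look like the following sketch. It is an added example, not part of the original message and not FreeIPA code; the regular expressions, the error strings and the "None or error string" return convention are assumptions, and STANDARD_ERROR is a placeholder for the existing message.

```python
import re

# Assumed stand-in for the "uid" pattern of the user plugin (not shown in the thread).
BASE_NAME = r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?"
# Assumed shapes for the external parts: DNS labels and a short NetBIOS name.
_LABEL = r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
DNS_DOMAIN = rf"(?:{_LABEL}\.)*{_LABEL}"
NETBIOS_DOMAIN = r"[a-zA-Z0-9_-]{1,15}"

# Placeholder for the existing user validation message, which must not change.
STANDARD_ERROR = "<standard user name validation message>"


def validate_username(username, upn=False, netbios_name=False):
    """Return None when the name is acceptable, otherwise an error string."""
    if not isinstance(username, str):
        return STANDARD_ERROR
    name = username
    if netbios_name and "\\" in name:
        # DOMAIN\user: check the prefix, then the user part strictly.
        domain, _, name = name.partition("\\")
        if not re.fullmatch(NETBIOS_DOMAIN, domain):
            return "invalid NetBIOS domain prefix"
    elif upn and "@" in name:
        # user@domain: check the suffix, then the user part strictly.
        name, _, domain = name.rpartition("@")
        if not re.fullmatch(DNS_DOMAIN, domain):
            return "invalid domain suffix"
    # fullmatch, unlike a "$"-anchored match, rejects a trailing newline.
    if not re.fullmatch(BASE_NAME, name):
        return STANDARD_ERROR
    return None


if __name__ == "__main__":
    # Constructed sample names: strict mode vs. the relaxed call from the reply.
    for sample in ["alice", "alice@domain.test", "DOMAIN\\alice", "alice\n",
                   "a;b@domain.test", "DOMAIN\\alice@domain.test"]:
        print(repr(sample), validate_username(sample),
              validate_username(sample, True, True))
```

Relaxing the check only adds one well-formed domain prefix or suffix; the user part still has to pass the strict pattern, so the default call keeps returning the unchanged standard message for anything else.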


