OK, I see now what you mean by that. That is a simpler solution. I'll do it that way.

On 05/28/2015 04:44 AM, Martin Kosek wrote:
On 05/27/2015 08:41 PM, Drew Erny wrote:
Hey, Freeipa-devel,

I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226)

I've identified the problem. The sudorules add user command adds the user
validations at the end of its pre-callback using add_external_pre_callback.
However, the "user" plugin pattern-matches a string for the "uid" param,
because it only allows certain characters.

I've been picking through the codebase and I think I have enough understanding
to ask this: What if we changed the user "uid" validation to a standalone
"rule" function (you can do that, right? pass in a function as a validation
rule?) that would normally just assert that the pattern matches, but could have
that pattern matching validation overridden in some cases. I think that's the
easiest, cleanest way to change user so that sudorules and other plugins can
ignore this validation if necessary (I'm trying to figure out exactly how to
implement this without changing any APIs).

Am I understanding the plugin params API correctly, and can I do this? Is this
the best way to do this?

The only other solution I see is to write sudorules-specific code in some
plugin-related (either user.py or baseldap.py) module, which would create
unwanted coupling.

Most specifically, this would be a change to the object instantiated at
ipalib/plugins/user.py line 467

Thoughts and suggestions?

I think it would make sense to follow the example with validate_hostname and
prepare a function validate_username(username, upn=False, netbios_name=False) 
[1].

where upn would allow using "@." on top of current validator (i.e.
u...@domain.test) and netbios_name would allow the "DOMAIN\user" style. I would
just suggest making sure the standard user validation error message is still
the same to avoid unnecessary QE fail positives.

In add_external_pre_callback you could then just simply call

validate_username(user, True, True)

just like it is already done with hostname.

My 2 cents.

Martin

[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
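
One way to write the validate_username(username, upn=False, netbios_name=False) helper suggested above, as an added example that is not FreeIPA's code and not part of the original thread. The regular expressions, the domain and NetBIOS prefix rules, and the error strings are assumptions; the point shown is that the relaxed modes only strip a separator and the remaining user part still goes through the strict rule with the same error message.

```python
import re

# Assumed strict rule for the user part, modeled on the "only certain
# characters" uid check described in the thread (not copied from ipalib).
_LOCAL = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?")
# Assumed rules for the extra parts accepted in relaxed mode.
_DOMAIN = re.compile(r"[a-zA-Z0-9]([a-zA-Z0-9.-]*[a-zA-Z0-9])?")
_NETBIOS = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9_-]{0,14}")

# Kept identical in strict and relaxed mode so existing tests that match
# on the message keep passing (wording here is an assumption).
STANDARD_ERROR = "may only include letters, numbers, _, -, . and $"
UPN_ERROR = "invalid domain suffix in user@domain name"
NETBIOS_ERROR = "invalid domain prefix in DOMAIN\\user name"


def validate_username(username, upn=False, netbios_name=False):
    """Return None when the name is acceptable, otherwise an error string."""
    name = username
    if netbios_name and "\\" in name:
        # DOMAIN\user: validate the prefix, then fall through to the
        # strict check on what follows the first backslash.
        domain, _, name = name.partition("\\")
        if not _NETBIOS.fullmatch(domain):
            return NETBIOS_ERROR
    elif upn and "@" in name:
        # user@domain.test: split on the last "@" so a stray "@" in the
        # user part is still rejected by the strict rule below.
        name, _, domain = name.rpartition("@")
        if not _DOMAIN.fullmatch(domain):
            return UPN_ERROR
    if not _LOCAL.fullmatch(name):
        return STANDARD_ERROR
    return None


if __name__ == "__main__":
    # Constructed sample names: strict call as in the user plugin, relaxed
    # call as proposed for add_external_pre_callback.
    for sample in ("jdoe", "jdoe@domain.test", "DOMAIN\\jdoe", "jd oe"):
        print(repr(sample), validate_username(sample),
              validate_username(sample, True, True))
```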
