I just read the code did not testing, maybe I will read design tomorrow.

I found a few minor issues

You use too much brackets in code, it looks more like C than python:
if not(elem):  --> if not elem
if(len(elempair) > 2) --> if len(elempair) > 2:
return(something) --> return something

+def _timearg_to_list(time):
+    '''
+    Parses the argument of either of the access time language keywords
+    Example: '1-5,12' into [[1,5], 12]
+    '''
+    return (t.split('-') for t in time.split(','))

This will return [['1', '5'], ['12']] please fix example

in function _validate_range(keyword, lst, r1, r2, unit, unitlen): I do not like that enumeration and this condition
+            if not(i):
+                elold = elnum

Can you use instead enumeration just None?
elold = None
if elold is None:
    elold = elnum

I do not like that enumerate (see 2) )

There is missing check for values like '1-2-5', '1-2,', (this check is in _validate_range)

I do not think that unitlen arg in _validate_range is needed, IMO this is duplicated check, comparison r1, r2 is enough

+def validate_accesstime(ugettext, value):
This function is not pythonic enough, it looks more like C

I suggest something like:

params = { name: {'found': False, 'method': method } for name, method in [
    ('dayofweek', _validate_dayofweek),
    ('timeofday', _validate_timeof...),

for i, el enumerate(ts):
    param_name, param_value = el.split('=', 1)
res = params[param_name]['method'](param_value) if not params[param_name]['found'] else _("multiple blablabla of {param}".format(param=param_name))
        params[param_name]['found'] = True
    except KeyError:
        res = _(Unknown.....)
    if res:
       return res

+            res = _validate_timeofday(el[10:]) if not(found[TOD]) else \
+                _("multiple appearance of timeofday")

Please don't use '\', use braces instead

-        'externalhost',
+        'memberhostgroup', 'externalhost', 'ipatimezone',
+        'accesstime', 'accesstimeexclude'

Are you sure that 'memberhostgroup' should be added there? I don't think so.

def normalize_accesstime(t):
IIRC normalize is called before validate, so your precious regular expression may not work as expected, namely:
+    t = re.sub(r'(\d)([a-z]{2})', r'\1 \2', t)
+    t = re.sub(r'(\d)\s(d|w|m|y)\s', r'\1\2', t)
However when normalization returns unexpected results, validation will be able catch it.

IMO we should not do any magic detection, we should force user to have keyword and value pairs separated by space

How about depending on '=' character in normalization?
parts = re.split('[\s=]', t)
eq_signs_pos = [i for i, part in enumeration(parts) if parts=="="]
<here join it based on = sign, something like
[year, '=', 'i', 'do', 'not', 'care', 'next', '=', 'lorem', 'ipsum']
[1, 7]
Test if keyword is on position 0: else raise conversionerror
normalized = " ".join(["".join([parts[0], .. parts[5]]), "".join([parts[6]..parts[9]])])

result "year=idonotcare next=loremipsum"


I know the solution above is not so detailed in what is wrong, but IMO to print that specified date is not valid should be enough for user.

in _validate_date function I see validation for case when dayofmonth is higher than, last day of month. I do not see this check for other cases than 'repeat'. Is it safe to ignore (for example: "dayofmonth=30 monthofyear=2" this HBACrule will never be executed)?

+    if not('1' <= t[ctlpos] <= '9'):
+        return _("'repeat': wrong syntax, expected a number after '+'")

IMO 0 is digit/number too, and we should allow initial 0 and just ignore them during execution

+def _validate_repeat(t):
+    date1 = t[0:8]

what if 't' is shorter than 8 characters?

+    date2 = t[9:17] if t[8] == '-' else None
What if t < 17 characters and t[8] == '-'?

+    if t[ctlpos] not in ('d', 'w', 'm', 'y'):
+        return _("'repeat': wrong syntax, d/w/m/y expected")

What if there is any continuation after? "repeat=20151003+2m-trolololo" (you can add this to tests :) )

IMO _validate_repeat check looks simple enough to be checked by regexp, and then separate parts tested extra (start, end date, repeat period)

+def _validate_ymd_range(y1, m1, d1, y2, m2, d2):

Can you instead of this black magic use python datetime object? https://docs.python.org/2/library/datetime.html And then just compare 2 objects with '>' and return error that second date is greater than first.

Also datetime object creation will check if date itself.

+    rule_time = u'timeofday=0000-2359 dayofmonth=1-15,16-31 ' \
+                 'dayofyear=23-47,26-77 year=1970-2563'
Please use () instead of \

+    # no spaces around - sign   <-- ~ should be there
+    t = re.sub(r'\s?~\s?', r'~', t)

wouldn't be better to work with ~ since first patch? I mean replace '-' -> '~' in first patch

Is common to specify date ranges with '~' ? Personally I wouldn't expected that.

Please add design page to the ticket (if exists) https://fedorahosted.org/freeipa/ticket/547


./ipalib/plugins/hbacrule.py:190:21: E265 block comment should start with '# ' ./ipatests/test_xmlrpc/test_hbac_plugin.py:38:18: E127 continuation line over-indented for visual indent ./ipatests/test_xmlrpc/test_hbac_plugin.py:38:18: E127 continuation line over-indented for visual indent ./ipatests/test_xmlrpc/test_hbac_plugin.py:101:80: E501 line too long (84 > 79 characters) ./ipalib/plugins/hbactest.py:281:9: E124 closing bracket does not match visual indentation
./ipalib/plugins/hbacrule.py:78:80: E501 line too long (80 > 79 characters)
./ipalib/plugins/hbacrule.py:190:21: E265 block comment should start with '# '
./ipalib/plugins/hbacrule.py:219:80: E501 line too long (84 > 79 characters)
./ipalib/plugins/hbacrule.py:592:9: E124 closing bracket does not match visual indentation ./ipalib/plugins/hbacrule.py:596:9: E124 closing bracket does not match visual indentation

Unwanted lines removal at the end of files/patches
* Added methods for setting time-based policies: hbacrule.py
* HBAC test module support for time-based policies: hbactest.py
* Tests for HBAC time rules language: test_hbactest_plugin.py

best regards

On 07.10.2015 09:55, Stanislav Laznicka wrote:

The moment's here, I'd like to share my code with you now. Let me comment on some additions from my last post here in August.

The methods for testing HBAC rules in hbactest module were modified so that a time zone can now also be picked in case there are some rules with the "host" time zone in the rule time policy. I also added few tests that test setting accessTime values.

The most important update of the previous month is the addition of negative values to the time rules language. Most of the keywords (all, except for timeofday and year) now accept negative values and negative value ranges. This should be useful for cases when the user should only be allowed access e.g. in the last 7 days of a month, last few weeks of a year etc. Also, it is a similar behavior to what iCalendar has.

The addition of negative values also made me re-think the ways the week of a year should be calculated. There are no 0th weeks of year anymore, a week of year can hold values ranging from 1 to 53 where the 1st week of a year may appear even on a date of the previous year (if 1st January is Tue-Thu) or the 52nd or 53rd week may appear on a date of the following year (when 31st December is Thu-Sat). If my explanation seems rather rough, please see https://docs.oracle.com/javase/8/docs/api/java/time/temporal/WeekFields.html.

The latter caused some changes to be made in my SSSD code. These changes took the most of my time last month alongside with generally polishing the code and adding comments where I thought necessary. I will push my SSSD code to the sssd-devel mailing list as a follow-up to this mail.

Another thing - I updated the design page on the FreeIPA wiki, so please check it out, too (http://www.freeipa.org/page/V4/Time-Based_Account_Policies).

Last thing I would like to mention - there is now a copr repo with both sssd and freeipa with time-based policies (https://copr.fedoraproject.org/coprs/stlaz/freeipa-sssd-timerules/). This was Martin K.'s idea and I think it's pretty dandy :) As the patches I am posting only contain CLI for HBAC time policies, you might be pleased that the repo includes at least basic WebUI for this purpose (although the WebUI is for some reason not updating the page on rule addition properly, I will be hopefully looking into that shortly). You will still need mkosek/freeipa-master copr repo for some dependencies. Should it not work properly for you, please, send me an email, it's my first time taking care of a copr repo.

That's it from me for now, thank you for your patience with my emails,

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to