Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On Thu, 2012-05-10 at 18:22 +0200, Ondrej Hamada wrote:
> On 05/10/2012 01:40 PM, Petr Viktorin wrote:
> > On 05/10/2012 12:05 PM, Ondrej Hamada wrote:
> > > On 05/09/2012 04:49 PM, Petr Viktorin wrote:
> > > > On 05/04/2012 01:25 PM, Ondrej Hamada wrote:
> > > > > On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> > > > > > Change the externalhost attribute of hbacrule, netgroup
> > > > > > and sudorule into a full-fledged Parameter, and attach
> > > > > > a validator to it.
> > > > > >
> > > > > > RFC 1123 specifies that only [-a-z0-9] are allowed, but
> > > > > > apparently Windows and some phones also use underscores
> > > > > > in hostnames. So the new validator allows the underscore.
> > > > > >
> > > > > > https://fedorahosted.org/freeipa/ticket/2649
> > > > > >
> > > > > > ___
> > > > > > Freeipa-devel mailing list
> > > > > > Freeipa-devel@redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > > >
> > > > > 1) Current validation of external hostnames does not require
> > > > > them to be fully qualified, but you do. It's inconsistent.
> > > > >
> > > > > 2) one test case failed:
> > > > > FAIL: Test adding an invalid external host to Sudo rule using
> > > > > --
> > > > > Traceback (most recent call last):
> > > > >   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> > > > >     self.test(*self.arg)
> > > > >   File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
> > > > >     "character")
> > > > > AssertionError
> > > >
> > > > Thanks. Attaching updated patch.
> > >
> > > Suggestion: you can use ipalib.utils.validate_hostname function
> > > with check_fqdn param set to False. Sorry for not mentioning it
> > > before.
> > >
> > > Otherwise ACK
> >
> > Attached patch uses your suggestion. Thanks.
>
> ACK

Pushed to master.

Martin
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 05/10/2012 01:40 PM, Petr Viktorin wrote:
> On 05/10/2012 12:05 PM, Ondrej Hamada wrote:
> > On 05/09/2012 04:49 PM, Petr Viktorin wrote:
> > > On 05/04/2012 01:25 PM, Ondrej Hamada wrote:
> > > > On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> > > > > Change the externalhost attribute of hbacrule, netgroup
> > > > > and sudorule into a full-fledged Parameter, and attach
> > > > > a validator to it.
> > > > >
> > > > > RFC 1123 specifies that only [-a-z0-9] are allowed, but
> > > > > apparently Windows and some phones also use underscores
> > > > > in hostnames. So the new validator allows the underscore.
> > > > >
> > > > > https://fedorahosted.org/freeipa/ticket/2649
> > > >
> > > > 1) Current validation of external hostnames does not require
> > > > them to be fully qualified, but you do. It's inconsistent.
> > > >
> > > > 2) one test case failed:
> > > > FAIL: Test adding an invalid external host to Sudo rule using
> > > > --
> > > > Traceback (most recent call last):
> > > >   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> > > >     self.test(*self.arg)
> > > >   File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
> > > >     "character")
> > > > AssertionError
> > >
> > > Thanks. Attaching updated patch.
> >
> > Suggestion: you can use ipalib.utils.validate_hostname function
> > with check_fqdn param set to False. Sorry for not mentioning it
> > before.
> >
> > Otherwise ACK
>
> Attached patch uses your suggestion. Thanks.

ACK

--
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 05/10/2012 12:05 PM, Ondrej Hamada wrote:
> On 05/09/2012 04:49 PM, Petr Viktorin wrote:
> > On 05/04/2012 01:25 PM, Ondrej Hamada wrote:
> > > On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> > > > Change the externalhost attribute of hbacrule, netgroup
> > > > and sudorule into a full-fledged Parameter, and attach
> > > > a validator to it.
> > > >
> > > > RFC 1123 specifies that only [-a-z0-9] are allowed, but
> > > > apparently Windows and some phones also use underscores
> > > > in hostnames. So the new validator allows the underscore.
> > > >
> > > > https://fedorahosted.org/freeipa/ticket/2649
> > >
> > > 1) Current validation of external hostnames does not require
> > > them to be fully qualified, but you do. It's inconsistent.
> > >
> > > 2) one test case failed:
> > > FAIL: Test adding an invalid external host to Sudo rule using
> > > --
> > > Traceback (most recent call last):
> > >   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> > >     self.test(*self.arg)
> > >   File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
> > >     "character")
> > > AssertionError
> >
> > Thanks. Attaching updated patch.
>
> Suggestion: you can use ipalib.utils.validate_hostname function
> with check_fqdn param set to False. Sorry for not mentioning it
> before.
>
> Otherwise ACK

Attached patch uses your suggestion. Thanks.

--
Petr³

From 3324c86b05f372d41766da6d3ca2ef0076d6ccea Mon Sep 17 00:00:00 2001
From: Petr Viktorin Date: Mon, 30 Apr 2012 07:29:08 -0400 Subject: [PATCH] Validate externalhost (when added by --addattr/--setattr) Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. The validator is relaxed to allow underscores, so that some hosts with nonstandard names can be added. Tests included. https://fedorahosted.org/freeipa/ticket/2649 --- ipalib/plugins/baseldap.py| 17 ++-- ipalib/plugins/hbacrule.py|1 + ipalib/plugins/netgroup.py|1 + ipalib/plugins/sudorule.py|1 + tests/test_xmlrpc/test_hbac_plugin.py |9 + tests/test_xmlrpc/test_netgroup_plugin.py | 62 + tests/test_xmlrpc/test_sudorule_plugin.py | 17 7 files changed, 105 insertions(+), 3 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 85a81723175f38f10c711530971f173a54f1150a..895ec682ac2ee1d6b57e48711e22c75cb5f05105 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,9 +157,6 @@ Str('memberofindirect_hbacrule?', label='Indirect Member of HBAC rule', ), -Str('externalhost?', -label=_('External host'), -), Str('sourcehost', label=_('Failed source hosts/hostgroups'), ), @@ -313,6 +310,20 @@ def wait_for_value(ldap, dn, attr, value): return entry_attrs + +def validate_externalhost(ugettext, hostname): +try: +validate_hostname(hostname, check_fqdn=False, allow_underscore=True) +except ValueError, e: +return unicode(e) + + +external_host_param = Str('externalhost*', validate_externalhost, +label=_('External host'), +flags=['no_create', 'no_update', 'no_search'], +) + + def add_external_pre_callback(membertype, ldap, dn, keys, options): """ Pre callback to validate external members. diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index eb5cb696eb835c717d734d31ee2c6333ac177030..33440ccde9ef63df7d087d17f0d5d224c75833fa 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py 
@@ -219,6 +219,7 @@ class hbacrule(LDAPObject): label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), +external_host_param, ) api.register(hbacrule) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index d2a78098018fe23653fdfdd17ad73b9245905992..4236feeb7e557cfc3891329971ece419c14ba685 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -146,6 +146,7 @@ class netgroup(LDAPObject): doc=_('Host category the rule applies to'), values=(u'all', ), ), +external_host_param, ) api.register(netgroup) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 7432bc42bbb945cd0e8d25f3e320987af7fef26b..2c0358e879fc203106731ce966ed697e85c4e84f 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -217,6 +217,7 @@ class sudorule(LDAPObject): doc=_('Run with the gid of a specified POSIX group'), flags=['no_create', 'no_update',
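Review bot: the @@ -157,9 +157,6 hunk in ipalib/plugins/baseldap.py drops Str('externalhost?') from the module-level parameter list, while external_host_param is added only to hbacrule, netgroup and sudorule. Any other plugin that returned externalhost and relied on the shared declaration would lose its label, so it is worth confirming that these three are the only users. The new declaration is also 'externalhost*' rather than 'externalhost?', which makes the parameter multivalued; the commit message should mention that change.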
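Review bot: validate_externalhost in the @@ -313,6 +310,20 hunk has no docstring or comment explaining why it passes check_fqdn=False and allow_underscore=True, so the reason for accepting names outside RFC 1123 is recorded only in the commit message. A short docstring saying that external hosts may be unqualified and may contain underscores would keep a later cleanup from tightening or loosening the check by accident. The function also falls off the end on success; an explicit return None after the try block would make the validator contract visible.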
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 05/09/2012 04:49 PM, Petr Viktorin wrote:
> On 05/04/2012 01:25 PM, Ondrej Hamada wrote:
> > On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> > > Change the externalhost attribute of hbacrule, netgroup
> > > and sudorule into a full-fledged Parameter, and attach
> > > a validator to it.
> > >
> > > RFC 1123 specifies that only [-a-z0-9] are allowed, but
> > > apparently Windows and some phones also use underscores
> > > in hostnames. So the new validator allows the underscore.
> > >
> > > https://fedorahosted.org/freeipa/ticket/2649
> >
> > 1) Current validation of external hostnames does not require
> > them to be fully qualified, but you do. It's inconsistent.
> >
> > 2) one test case failed:
> > FAIL: Test adding an invalid external host to Sudo rule using
> > --
> > Traceback (most recent call last):
> >   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
> >     self.test(*self.arg)
> >   File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
> >     "character")
> > AssertionError
>
> Thanks. Attaching updated patch.

Suggestion: you can use ipalib.utils.validate_hostname function
with check_fqdn param set to False. Sorry for not mentioning it
before.

Otherwise ACK

--
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada
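The three checks tried across this thread (fully qualified name required, single DNS label, hostname with the FQDN requirement switched off) differ in which names they let through. The sketch below is an added example in Python 3, not ipalib code and not part of any message: check_label, check_hostname and as_validator are hypothetical stand-ins modelled on the parameter names seen in the patches, and the sample inputs are constructed.

```python
import re

# Added illustration. check_label/check_hostname are hypothetical helpers,
# not ipalib's validate_dns_label/validate_hostname.
_STRICT = re.compile(r'[a-z0-9]([a-z0-9-]*[a-z0-9])?', re.IGNORECASE)
_RELAXED = re.compile(r'[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?', re.IGNORECASE)


def check_label(label, allow_underscore=False):
    """Check a single DNS label; raise ValueError with the reason."""
    if not 1 <= len(label) <= 63:
        raise ValueError('label must be 1 to 63 characters long')
    pattern = _RELAXED if allow_underscore else _STRICT
    # fullmatch, not match with '$': '$' would let a trailing newline through.
    if not pattern.fullmatch(label):
        raise ValueError('invalid character or misplaced hyphen in %r' % label)


def check_hostname(hostname, check_fqdn=True, allow_underscore=False):
    """Check a dotted hostname label by label."""
    if len(hostname) > 255:
        raise ValueError('hostname is longer than 255 characters')
    if hostname.endswith('.'):
        hostname = hostname[:-1]  # tolerate the root dot
    labels = hostname.split('.')
    if check_fqdn and len(labels) < 2:
        raise ValueError('hostname is not fully qualified')
    for label in labels:
        check_label(label, allow_underscore)


def as_validator(check, **opts):
    """Wrap a raising check in the patch's shape: None if valid, else message."""
    def validator(value):
        try:
            check(value, **opts)
        except ValueError as e:
            return str(e)
        return None
    return validator


# The three revisions discussed in the thread, rebuilt on the helpers above.
VARIANTS = {
    'fqdn_required': as_validator(check_hostname, allow_underscore=True),
    'single_label': as_validator(check_label, allow_underscore=True),
    'fqdn_optional': as_validator(check_hostname, check_fqdn=False,
                                  allow_underscore=True),
}

# Constructed sample inputs.
SAMPLES = ['win_host', 'win_host.example.com', 'bad host',
           '-lead.example.com', 'host.example.com\n']


def accepted(variant):
    """Return the samples a given variant accepts."""
    validate = VARIANTS[variant]
    return [s for s in SAMPLES if validate(s) is None]


if __name__ == '__main__':
    for name in VARIANTS:
        print(name, accepted(name))
```

Only the last variant accepts both the short and the dotted underscore name, and all three still reject the space, the leading hyphen and the trailing newline.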
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 05/04/2012 01:25 PM, Ondrej Hamada wrote:
> On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> > Change the externalhost attribute of hbacrule, netgroup
> > and sudorule into a full-fledged Parameter, and attach
> > a validator to it.
> >
> > RFC 1123 specifies that only [-a-z0-9] are allowed, but
> > apparently Windows and some phones also use underscores
> > in hostnames. So the new validator allows the underscore.
> >
> > https://fedorahosted.org/freeipa/ticket/2649
>
> 1) Current validation of external hostnames does not require
> them to be fully qualified, but you do. It's inconsistent.
>
> 2) one test case failed:
> FAIL: Test adding an invalid external host to Sudo rule using
> --
> Traceback (most recent call last):
>   File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
>     self.test(*self.arg)
>   File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
>     "character")
> AssertionError

Thanks. Attaching updated patch.

--
Petr³

From de7c93062120a32f828fdc6aa82c0794b42aff26 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Mon, 30 Apr 2012 07:29:08 -0400
Subject: [PATCH] Validate externalhost (when added by --addattr/--setattr)

Change the externalhost attribute of hbacrule, netgroup and sudorule into
a full-fledged Parameter, and attach a validator to it.

The validator is relaxed to allow underscores, so that some hosts with
nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649
---
 ipalib/plugins/baseldap.py| 19 +++--
 ipalib/plugins/hbacrule.py|1 +
 ipalib/plugins/netgroup.py|1 +
 ipalib/plugins/sudorule.py|1 +
 tests/test_xmlrpc/test_hbac_plugin.py |9 +
 tests/test_xmlrpc/test_netgroup_plugin.py | 62 +
 tests/test_xmlrpc/test_sudorule_plugin.py | 17
 7 files changed, 106 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 85a81723175f38f10c711530971f173a54f1150a..353613b2b3dd9eed9ecf8e3ea42bca9d4e2e0cdf 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -33,7 +33,7 @@ from ipalib.cli import to_cli, from_cli from ipalib import output from ipalib.text import _ -from ipalib.util import json_serialize, validate_hostname +from ipalib.util import json_serialize, validate_hostname, validate_dns_label from ipalib.dn import * global_output_params = ( @@ -157,9 +157,6 @@ Str('memberofindirect_hbacrule?', label='Indirect Member of HBAC rule', ), -Str('externalhost?', -label=_('External host'), -), Str('sourcehost', label=_('Failed source hosts/hostgroups'), ), @@ -313,6 +310,20 @@ def wait_for_value(ldap, dn, attr, value): return entry_attrs + +def validate_externalhost(ugettext, hostname): +try: +validate_dns_label(hostname, allow_underscore=True) +except ValueError, e: +return unicode(e) + + +external_host_param = Str('externalhost*', validate_externalhost, +label=_('External host'), +flags=['no_create', 'no_update', 'no_search'], +) + + def add_external_pre_callback(membertype, ldap, dn, keys, options): """ Pre callback to validate external members. diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index eb5cb696eb835c717d734d31ee2c6333ac177030..33440ccde9ef63df7d087d17f0d5d224c75833fa 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -219,6 +219,7 @@ class hbacrule(LDAPObject): label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), +external_host_param, ) api.register(hbacrule) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index d2a78098018fe23653fdfdd17ad73b9245905992..4236feeb7e557cfc3891329971ece419c14ba685 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py 
@@ -146,6 +146,7 @@ class netgroup(LDAPObject): doc=_('Host category the rule applies to'), values=(u'all', ), ), +external_host_param, ) api.register(netgroup) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 7432bc42bbb945cd0e8d25f3e320987af7fef26b..2c0358e879fc203106731ce966ed697e85c4e84f 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -217,6 +217,7 @@ class sudorule(LDAPObject): doc=_('Run with the gid of a specified POSIX group'), flags=['no_create', 'no_update', 'no_search'], ), +external_host_param, ) order_not_unique_msg = _( diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_x
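Review bot: in the @@ -313,6 +310,20 hunk of ipalib/plugins/baseldap.py, validate_externalhost hands the whole value to validate_dns_label(hostname, allow_underscore=True). Going by its name that helper checks one DNS label, while externalhost holds a host name that may contain dots, so a dotted name would be judged as if it were a single label. A hostname-level check that does not insist on a fully qualified name fits the attribute better, and a test with a dotted external host would pin the behaviour down either way.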
Re: [Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
On 04/30/2012 02:13 PM, Petr Viktorin wrote:
> Change the externalhost attribute of hbacrule, netgroup
> and sudorule into a full-fledged Parameter, and attach
> a validator to it.
>
> RFC 1123 specifies that only [-a-z0-9] are allowed, but
> apparently Windows and some phones also use underscores
> in hostnames. So the new validator allows the underscore.
>
> https://fedorahosted.org/freeipa/ticket/2649

1) Current validation of external hostnames does not require
them to be fully qualified, but you do. It's inconsistent.

2) one test case failed:
FAIL: Test adding an invalid external host to Sudo rule using
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
    self.test(*self.arg)
  File "/home/ohamada/2649/tests/test_xmlrpc/test_sudorule_plugin.py", line 500, in test_a_sudorule_mod_externalhost_invalid_addattr
    "character")
AssertionError

--
Regards,
Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada
[Freeipa-devel] [PATCH] 0044 Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. RFC 1123 specifies that only [-a-z0-9] are allowed, but apparently Windows and some phones also use underscores in hostnames. So the new validator allows the underscore. https://fedorahosted.org/freeipa/ticket/2649 -- Petr³ From b20a48c5d9ef3161d7c4070c33287f1acb3f8e50 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Mon, 30 Apr 2012 07:29:08 -0400 Subject: [PATCH] Validate externalhost (when added by --addattr/--setattr) Change the externalhost attribute of hbacrule, netgroup and sudorule into a full-fledged Parameter, and attach a validator to it. The validator is relaxed to allow underscores, so that some hosts with nonstandard names can be added. Tests included. https://fedorahosted.org/freeipa/ticket/2649 --- ipalib/plugins/baseldap.py| 18 ++ ipalib/plugins/hbacrule.py|1 + ipalib/plugins/netgroup.py|1 + ipalib/plugins/sudorule.py|1 + tests/test_xmlrpc/test_hbac_plugin.py |9 + tests/test_xmlrpc/test_netgroup_plugin.py | 11 +++ tests/test_xmlrpc/test_sudorule_plugin.py | 17 + 7 files changed, 54 insertions(+), 4 deletions(-) diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index d37a20d1faefce75e90bbffeb1a79204a933f508..63ea4c8d575fe88e6bf28f8c4e754cd778dd154c 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,9 +157,6 @@ Str('memberofindirect_hbacrule?', label='Indirect Member of HBAC rule', ), -Str('externalhost?', -label=_('External host'), -), Str('sourcehost', label=_('Failed source hosts/hostgroups'), ), 
@@ -313,6 +309,20 @@ def wait_for_value(ldap, dn, attr, value): return entry_attrs + +def validate_externalhost(ugettext, hostname): +try: +validate_hostname(hostname, allow_underscore=True) +except ValueError, e: +return unicode(e) + + +external_host_param = Str('externalhost*', validate_externalhost, +label=_('External host'), +flags=['no_create', 'no_update', 'no_search'], +) + + def add_external_pre_callback(membertype, ldap, dn, keys, options): """ Pre callback to validate external members. diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index eb5cb696eb835c717d734d31ee2c6333ac177030..33440ccde9ef63df7d087d17f0d5d224c75833fa 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -219,6 +219,7 @@ class hbacrule(LDAPObject): label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), +external_host_param, ) api.register(hbacrule) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index 693c00c1a83339cbe9056f10af61bd4e1c1712d1..2d736caf491fd6c5e212edf21815fdc58530e4d0 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -146,6 +146,7 @@ class netgroup(LDAPObject): doc=_('Host category the rule applies to'), values=(u'all', ), ), +external_host_param, ) api.register(netgroup) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 7432bc42bbb945cd0e8d25f3e320987af7fef26b..2c0358e879fc203106731ce966ed697e85c4e84f 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -217,6 +217,7 @@ class sudorule(LDAPObject): doc=_('Run with the gid of a specified POSIX group'), flags=['no_create', 'no_update', 'no_search'], ), +external_host_param, ) order_not_unique_msg = _( diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index c7cb55bad4309f05fc0d9651f9e97d37ffe866ae..5ecb9014deae302404656e95bbd7b2ffd282f799 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py 
+++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -377,6 +377,15 @@ def test_c_hbacrule_add_same_external(self): entry = ret['result'] assert_attr_equal(entry, 'externalhost', self.test_host_external) +@raises(errors.ValidationError) +def test_c_hbacrule_mod_invalid_external_setattr(self): +""" +Test adding the same external host using `xmlrpc.hbacrule_add_host`. +""" +ret = api.Command['hbacrule_mod']( +self.rule_name, setattr=self.test_invalid_sourcehost +) + def test_c_hbacrule_remove_external_host(self): """ Test removing external source host using `xmlrpc.hbacrule_remove_host`. diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py index afb2ac73429100b99515b9c5e25c8695fa798b8c..3190345a736aa2bf2731f13d09f31ab669771084 100644 --- a/tests/test_xmlrpc/test_netgroup_plugin.py +++ b/tests/test_xmlrpc/test_netgroup_plugin.py @@ -796,6
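Review bot: the docstring of test_c_hbacrule_mod_invalid_external_setattr in tests/test_xmlrpc/test_hbac_plugin.py still reads "Test adding the same external host using `xmlrpc.hbacrule_add_host`", which describes the neighbouring test; this one calls hbacrule_mod with setattr and expects errors.ValidationError. Please reword it, and check that self.test_invalid_sourcehost really carries an externalhost value: the name suggests a sourcehost fixture and its definition is not in this hunk, so the ValidationError could be raised for a different attribute than the one this patch validates.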