Re: [Freeipa-devel] [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr.
On 04/06/2011 05:08 PM, Pavel Zuna wrote: Ticket #744 Pavel New fixed version of patch attached. Pavel From c61c329c1fd4f806a64f4fa6b660b0baeea38377 Mon Sep 17 00:00:00 2001 From: Pavel Zuna pz...@redhat.com Date: Wed, 6 Apr 2011 09:08:03 -0400 Subject: [PATCH] Validate/Normalize user attributes if set using krbtpolicy set/add-attr. Ticket #744 --- ipalib/plugins/krbtpolicy.py | 20 ipalib/plugins/user.py |1 + 2 files changed, 21 insertions(+), 0 deletions(-) diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index c9d86ea..8cefc90 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -83,6 +83,10 @@ class krbtpolicy(LDAPObject): label=_('User name'), doc=_('Manage ticket policy for specific user'), primary_key=True, +pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', +pattern_errmsg='may only include letters, numbers, _, -, . and $', +maxlength=255, +normalizer=lambda value: value.lower(), ), Int('krbmaxticketlife?', cli_name='maxlife', @@ -96,6 +100,14 @@ class krbtpolicy(LDAPObject): doc=_('Maximum renewable age (seconds)'), minvalue=1, ), +Int('uidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), +Int('gidnumber?', +minvalue=1, +flags=['no_create', 'no_update', 'no_search'], +), ) def get_dn(self, *keys, **kwargs): @@ -115,6 +127,14 @@ class krbtpolicy_mod(LDAPUpdate): # ticket policies are attached to objects with unrelated attributes if options.get('all'): options['all'] = False +if keys[-1] is not None: +# we're modifying an user entry and it's possible to change its +# attribute unrelated to ticket policy using --{set,add}-attr +# we need to validate/normalize them here: +if 'mail' in entry_attrs: +entry_attrs['mail'] = self.api.Object['user']._normalize_email( +entry_attrs['mail'] +) return dn api.register(krbtpolicy_mod) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index e71c21b..d18ba18 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -176,6 +176,7 @@ class user(LDAPObject): label=_('GID'), doc=_('Group ID Number'), default_from=lambda uid: uid, +minvalue=1, ), Str('street?', cli_name='street', -- 1.7.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 6 Add lint script for static code analysis
This patch adds a script based on pylint for static code analysis during build. https://fedorahosted.org/freeipa/ticket/867 -- Jan Cholasta From 12e7ee4cd3b479c677fdbac10e99c223f1378da5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 7 Apr 2011 16:49:05 +0200 Subject: [PATCH] Add lint script for static code analysis. ticket 867 --- Makefile |3 + make-lint | 183 + 2 files changed, 186 insertions(+), 0 deletions(-) create mode 100755 make-lint diff --git a/Makefile b/Makefile index 4cc9dea..f8f5987 100644 --- a/Makefile +++ b/Makefile @@ -72,6 +72,9 @@ client-install: client python setup-client.py install --root $(DESTDIR); \ fi +lint: + ./make-lint + test: $(MAKE) -C install/po test_lang ./make-test diff --git a/make-lint b/make-lint new file mode 100755 index 000..ee7577b --- /dev/null +++ b/make-lint @@ -0,0 +1,183 @@ +#!/usr/bin/python +# +# Authors: +# Jakub Hrozek jhro...@redhat.com +# Jan Cholasta jchol...@redhat.com +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. + +import os +import sys +from optparse import OptionParser +from fnmatch import fnmatch, fnmatchcase + +from pylint import checkers +from pylint.lint import PyLinter +from pylint.reporters.text import ParseableTextReporter +from pylint.checkers.typecheck import TypeChecker +from logilab.astng import Class, Instance, InferenceError + +# File names to ignore when searching for python source files +IGNORE_FILES = ('.*', '*~', '*.in', '*.pyc', '*.pyo') +IGNORE_PATHS = ('build', 'tests') + +class IPATypeChecker(TypeChecker): +# 'class': ('generated', 'properties',) +ignore = { +'ipalib.base.NameSpace': ('find',), +'ipalib.cli.Collector': ('__options',), +'ipalib.config.Env': ('*'), +'ipalib.plugable.API': ('Command', 'Object', 'Method', 'Property', +'Backend', 'log', 'plugins'), +'ipalib.plugable.Plugin': ('Command', 'Object', 'Method', 'Property', +'Backend', 'env', 'debug', 'info', 'warning', 'error', 'critical', +'exception', 'context', 'log'), +'ipalib.plugins.baseldap.CallbackInterface': ('pre_callback', +'post_callback', 'exc_callback'), +'ipalib.plugins.misc.env': ('env',), +'ipalib.parameters.Param': ('cli_name', 'cli_short_name', 'label', +'doc', 'required', 'multivalue', 'primary_key', 'normalizer', +'default', 'default_from', 'create_default', 'autofill', 'query', +'attribute', 'include', 'exclude', 'flags', 'hint', 'alwaysask'), +'ipalib.parameters.Bool': ('truths', 'falsehoods'), +'ipalib.parameters.Int': ('minvalue', 'maxvalue'), +'ipalib.parameters.Float': ('minvalue', 'maxvalue'), +'ipalib.parameters.Data': ('minlength', 'maxlength', 'length', +'pattern', 'pattern_errmsg'), +'ipalib.parameters.Enum': ('values',), +'ipalib.parameters.List': ('separator', 'skipspace'), +'ipalib.parameters.File': ('stdin_if_missing'), +'urlparse.SplitResult': ('netloc',), +} + +def _related_classes(self, klass): +yield klass +for base in klass.ancestors(): +yield base + +def _class_full_name(self, klass): +return klass.root().name + '.' + klass.name + +def _find_ignored_attrs(self, owner): +attrs = [] +for klass in self._related_classes(owner): +name = self._class_full_name(klass) +if name in self.ignore: +attrs += self.ignore[name] +return attrs + +def visit_getattr(self, node): +try: +infered = list(node.expr.infer()) +except InferenceError: +return + +for owner in infered: +if not isinstance(owner, Class) and not isinstance(owner, Instance): +continue + +ignored = self._find_ignored_attrs(owner) +for pattern in ignored: +if fnmatchcase(node.attrname, pattern): +return + +super(IPATypeChecker, self).visit_getattr(node) + +class IPALinter(PyLinter): +ignore = (TypeChecker,) + +def register_checker(self, checker): +if type(checker) in self.ignore: +
[Freeipa-devel] [PATCH] 8 Fix typo in ipa-server-install
Fixed typo in ipa-server-install. -- Jan Cholasta From 07ff87e1015d896e413e87a8c6b233978323f2a8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Thu, 7 Apr 2011 17:26:15 +0200 Subject: [PATCH] Fix typo in ipa-server-install. --- install/tools/ipa-server-install |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index f3a01e8..d083058 100755 --- a/install/tools/ipa-server-install +++ b/install/tools/ipa-server-install @@ -183,7 +183,7 @@ def parse_options(): options.idmax = int(options.idstart) + 20 - 1 if options.idmax options.idstart: -parse.error(idmax (%u) cannot be smaller than idstart (%u) % +parser.error(idmax (%u) cannot be smaller than idstart (%u) % (options.idmax, options.idstart)) #Automatically disable pkinit w/ dogtag until that is supported -- 1.7.4.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches. The current code base blindly searches static containers for the possible presence of members. This patch provides a method for dynamically identifying the specific objects to verify memberships for. The attached patch addresses ticket: https://fedorahosted.org/freeipa/ticket/1139 Without patch ipa hostgroup-find ... - Number of entries returned 52 - real0m20.054s user0m0.934s sys 0m0.050s With Patch ipa find-hostgroup ... - Number of entries returned 52 - real0m15.064s user0m0.945s sys 0m0.057s -- Number of entries returned 100 -- real0m16.471s user0m0.814s sys 0m0.040s Without Patch ipa host-find ... -- Number of entries returned 100 -- real0m41.277s user0m0.806s sys 0m0.060s With Patch ipa host-find ... -- Number of entries returned 100 -- real0m16.385s user0m0.814s sys 0m0.053s There is a typo in the first block, memeber. Wouldn't it be clearer to do a negative test to continue: if not 'member' in r[1]: continue rob You're right! Corrected patch attached. Self Nack After cli and webui testing, it turned out there was a previous try / except block that was reseting the results value back to [] Corrected and reattaching new patch. Testing cli and webui checks out correctly. Speed AND accuracy are now addressed. It was also discovered during the course of testing that this patch addresses one of the causes for the bug thrown in: https://fedorahosted.org/freeipa/ticket/1133 -JR binSA4hqLnirf.bin Description: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
On Apr 7, 2011, at 3:42 PM, JR Aquino wrote: On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches. The current code base blindly searches static containers for the possible presence of members. This patch provides a method for dynamically identifying the specific objects to verify memberships for. The attached patch addresses ticket: https://fedorahosted.org/freeipa/ticket/1139 Without patch ipa hostgroup-find ... - Number of entries returned 52 - real 0m20.054s user 0m0.934s sys0m0.050s With Patch ipa find-hostgroup ... - Number of entries returned 52 - real 0m15.064s user 0m0.945s sys0m0.057s -- Number of entries returned 100 -- real 0m16.471s user 0m0.814s sys0m0.040s Without Patch ipa host-find ... -- Number of entries returned 100 -- real 0m41.277s user 0m0.806s sys0m0.060s With Patch ipa host-find ... -- Number of entries returned 100 -- real 0m16.385s user 0m0.814s sys0m0.053s There is a typo in the first block, memeber. Wouldn't it be clearer to do a negative test to continue: if not 'member' in r[1]: continue rob You're right! Corrected patch attached. Self Nack After cli and webui testing, it turned out there was a previous try / except block that was reseting the results value back to [] Corrected and reattaching new patch. Testing cli and webui checks out correctly. Speed AND accuracy are now addressed. It was also discovered during the course of testing that this patch addresses one of the causes for the bug thrown in: https://fedorahosted.org/freeipa/ticket/1133 -JR NACK Looks like there may still need to be work with the indirect / direct functions. Will revisit next week. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 23 Optimize and dynamically verify group membership
On Apr 7, 2011, at 4:04 PM, JR Aquino wrote: On Apr 7, 2011, at 3:42 PM, JR Aquino wrote: On Mar 31, 2011, at 2:16 PM, JR Aquino wrote: On Mar 31, 2011, at 1:48 PM, Rob Crittenden wrote: JR Aquino wrote: The following patch Removes around 20 lines of code and provides a substantial increase in performance for FreeIPA member/memberof verification searches. The current code base blindly searches static containers for the possible presence of members. This patch provides a method for dynamically identifying the specific objects to verify memberships for. The attached patch addresses ticket: https://fedorahosted.org/freeipa/ticket/1139 Without patch ipa hostgroup-find ... - Number of entries returned 52 - real 0m20.054s user 0m0.934s sys 0m0.050s With Patch ipa find-hostgroup ... - Number of entries returned 52 - real 0m15.064s user 0m0.945s sys 0m0.057s -- Number of entries returned 100 -- real 0m16.471s user 0m0.814s sys 0m0.040s Without Patch ipa host-find ... -- Number of entries returned 100 -- real 0m41.277s user 0m0.806s sys 0m0.060s With Patch ipa host-find ... -- Number of entries returned 100 -- real 0m16.385s user 0m0.814s sys 0m0.053s There is a typo in the first block, memeber. Wouldn't it be clearer to do a negative test to continue: if not 'member' in r[1]: continue rob You're right! Corrected patch attached. Self Nack After cli and webui testing, it turned out there was a previous try / except block that was reseting the results value back to [] Corrected and reattaching new patch. Testing cli and webui checks out correctly. Speed AND accuracy are now addressed. It was also discovered during the course of testing that this patch addresses one of the causes for the bug thrown in: https://fedorahosted.org/freeipa/ticket/1133 -JR NACK Looks like there may still need to be work with the indirect / direct functions. Will revisit next week. Ok I finally think I've got it. My for loop was in my try / except block. It has now been corrected. I've tested the searches for: users, groups, sudocmds, sudcmdgroups, sudorules, hosts, hostgroups, hbacrules, hbacsv, hbsvcgroups, and all return as expected. Please make sure that they return for you as well. Please let me know if there is anything else I have missed. binp6TOpOUCW5.bin Description: freeipa-jraquino-0023-Optimize-and-dynamically-verify-group-membership.patch ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel