[Freeipa-devel] [PATCH] 0023 Improve hbactest

2011-10-11 Thread Alexander Bokovoy
Hi,

two improvements for hbactest command:
1. Include indirect membership for users and hosts
2. Append FreeIPA default domain to hosts in hbactest request if they 
   are not fully qualified ones.

Fixes
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949

Two patches in the same commit because they affect the same code and 
otherwise would have created dependency between the patches anyway.
-- 
/ Alexander Bokovoy
From 09ccb28ab1f6fb5c5d2ee41b583125e95bd23a62 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 11 Oct 2011 11:25:24 +0300
Subject: [PATCH] Include indirect membership and canonicalize hosts during
 HBAC rules testing

When users and hosts are included into groups indirectly, make sure that
during HBAC test we fill in all indirect groups properly into an HBAC request.

Also, if hosts provided for test are not specified fully, canonicalize them
using IPA domain.

This makes the following requests possible:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd

Request to evaluate:
 user name foobar groups [hbacusers,ipausers]
  service name sshd groups []
  targethost name vm-101.ipa.local groups []
  srchost name vm-101.ipa.local groups []
 

Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
---
 ipalib/plugins/hbactest.py |   30 +++---
 1 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 
75442451ca91783718942f78738170f399ef8ca9..9b33dafa4424c2919732dd9e5161806b31fc5568
 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -204,6 +204,14 @@ class hbactest(Command):
 ),
 )
 
+def canonicalize(self, host):
+
+Canonicalize the host name -- add default IPA domain if that is missing
+
+if host.find('.') == -1:
+return u'%s.%s' % (host, self.env.domain)
+return host
+
 def execute(self, *args, **options):
 # First receive all needed information:
 # 1. HBAC rules (whether enabled or disabled)
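Review bot: `canonicalize` only appends `self.env.domain` when the name contains no dot at all, so a partially qualified name such as `vm-101.lab` is passed through unchanged and the later `host_show` lookup for it fails inside a bare `except: pass`, leaving that host's groups unset; the docstring should state this "no dot means short name" rule. The docstring itself appears in the hunk as two empty `+` lines around the description line, so confirm the triple-quote markers are actually present in the committed file.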
@@ -264,7 +272,11 @@ class hbactest(Command):
 if options['user'] != u'all':
 try:
 request.user.name = options['user']
-request.user.groups = 
self.api.Command.user_show(request.user.name)['result']['memberof_group']
+search_result = 
self.api.Command.user_show(request.user.name)['result']
+groups = search_result['memberof_group']
+if 'memberofindirect_group' in search_result:
+groups += search_result['memberofindirect_group']
+request.user.groups = sorted(set(groups))
 except:
 pass
 
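Review bot: `groups = search_result['memberof_group']` reads the direct key unconditionally while `memberofindirect_group` is guarded with an `in` test; a user whose only memberships are indirect raises KeyError on that line, the bare `except: pass` swallows it, and `request.user.groups` silently stays unset. Suggest `groups = list(search_result.get('memberof_group', []))` so the indirect list is still merged, and narrowing the `except` to the lookup errors you expect rather than everything.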
@@ -278,19 +290,23 @@ class hbactest(Command):
 
 if options['sourcehost'] != u'all':
 try:
-request.srchost.name = options['sourcehost']
+request.srchost.name = self.canonicalize(options['sourcehost'])
 srchost_result = 
self.api.Command.host_show(request.srchost.name)['result']
-srchost_groups = srchost_result['memberof_hostgroup']
-request.srchost.groups = sorted(set(srchost_groups))
+groups = srchost_result['memberof_hostgroup']
+if 'memberofindirect_hostgroup' in srchost_result:
+groups += search_result['memberofindirect_hostgroup']
+request.srchost.groups = sorted(set(groups))
 except:
  pass
 
 if options['targethost'] != u'all':
 try:
-request.targethost.name = options['targethost']
+request.targethost.name = 
self.canonicalize(options['targethost'])
 tgthost_result = 
self.api.Command.host_show(request.targethost.name)['result']
-tgthost_groups = tgthost_result['memberof_hostgroup']
-request.targethost.groups = sorted(set(tgthost_groups))
+groups = tgthost_result['memberof_hostgroup']
+if 'memberofindirect_hostgroup' in tgthost_result:
+groups += search_result['memberofindirect_hostgroup']
+request.targethost.groups = sorted(set(groups))
 except:
 pass
 
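Review bot: both new `groups += search_result['memberofindirect_hostgroup']` lines index `search_result`, which is the user's `user_show` result from the earlier block, instead of `srchost_result` and `tgthost_result`. The `if` guard checks the host dict but the read hits the user dict, so it raises (KeyError, or NameError when `--user all` left `search_result` undefined), the bare `except: pass` swallows it, and `request.srchost.groups` / `request.targethost.groups` are never assigned for any host with indirect hostgroup membership, which is exactly the case this patch is meant to fix. Change them to `groups += srchost_result['memberofindirect_hostgroup']` and `groups += tgthost_result['memberofindirect_hostgroup']`.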
-- 
1.7.6.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
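As an added example, not part of the patch or of FreeIPA's own code, the two behaviours the commit message describes (appending the IPA domain to short host names and merging direct with indirect memberships) written as stand-alone functions; `DEFAULT_DOMAIN`, `USERS`, `HOSTS`, `build_request` and the `user_show`/`host_show` callables are constructed stand-ins for `self.env.domain` and the `api.Command.user_show`/`host_show` results the plugin reads.

```python
# Added example, not FreeIPA code: canonicalize short host names and merge
# direct + indirect memberships as the hbactest patch describes. USERS/HOSTS
# and the *_show callables are constructed stand-ins for user_show/host_show.

DEFAULT_DOMAIN = u'ipa.local'  # stands in for self.env.domain


def canonicalize(host, domain=DEFAULT_DOMAIN):
    """Append the IPA domain only when the name contains no dot at all."""
    if host.find('.') == -1:
        return u'%s.%s' % (host, domain)
    return host


def merge_groups(result, direct_key, indirect_key):
    """Sorted, de-duplicated union of direct and indirect memberships taken
    from one *_show result; either key may be absent (a principal with only
    indirect memberships still gets its groups)."""
    groups = list(result.get(direct_key, []))
    groups += result.get(indirect_key, [])
    return sorted(set(groups))


def build_request(user_show, host_show, user, srchost, targethost):
    """Name/group pairs for an HBAC request. Each host's own host_show result
    is consulted; an unknown name raises KeyError instead of being swallowed."""
    srchost = canonicalize(srchost)
    targethost = canonicalize(targethost)
    hg = ('memberof_hostgroup', 'memberofindirect_hostgroup')
    return {
        'user': (user, merge_groups(user_show(user), 'memberof_group',
                                    'memberofindirect_group')),
        'srchost': (srchost, merge_groups(host_show(srchost), *hg)),
        'targethost': (targethost, merge_groups(host_show(targethost), *hg)),
    }


# Constructed directory: foobar is in ipausers directly and in hbacusers via
# a nested group; vm-101 has only an indirect hostgroup membership.
USERS = {u'foobar': {'memberof_group': [u'ipausers'],
                     'memberofindirect_group': [u'hbacusers', u'ipausers']}}
HOSTS = {u'vm-101.ipa.local': {'memberofindirect_hostgroup': [u'webservers']}}


def example_request():
    """ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd"""
    return build_request(USERS.__getitem__, HOSTS.__getitem__,
                         u'foobar', u'vm-101', u'vm-101')
```

`example_request()` reproduces the group lists shown in the commit message's "Request to evaluate" output for the user, with the host side now also picking up its indirect hostgroup.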

Re: [Freeipa-devel] [PATCH] 0023 Improve hbactest

2011-10-11 Thread Rob Crittenden

Alexander Bokovoy wrote:

> Hi,
>
> two improvements for hbactest command:
> 1. Include indirect membership for users and hosts
> 2. Append FreeIPA default domain to hosts in hbactest request if they
>    are not fully qualified ones.
>
> Fixes
> https://fedorahosted.org/freeipa/ticket/1862
> https://fedorahosted.org/freeipa/ticket/1949
>
> Two patches in the same commit because they affect the same code and
> otherwise would have created dependency between the patches anyway.


ack, pushed to master and ipa-2-1

rob
