author | Petr Viktorin <pviktori@redhat.com> | 2012-04-30 07:29:08 -0400 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2012-05-11 08:14:20 +0200 |
commit | 1565ce3a8c39326f814c9781b3df24c42402c1b5 (patch) | |
tree | 010f750b8f28cdc2cf53c465407cb302e8212880 | |
parent | f19218f7d87f5847d51f79b5d2850f90b0ae8407 (diff) | |
Validate externalhost (when added by --addattr/--setattr)
Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.
Tests included.
https://fedorahosted.org/freeipa/ticket/2649
-rw-r--r-- | ipalib/plugins/baseldap.py | 17 | ||||
-rw-r--r-- | ipalib/plugins/hbacrule.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/netgroup.py | 1 | ||||
-rw-r--r-- | ipalib/plugins/sudorule.py | 1 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_hbac_plugin.py | 9 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_netgroup_plugin.py | 62 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_sudorule_plugin.py | 17 |
7 files changed, 105 insertions, 3 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 85a817231..895ec682a 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -157,9 +157,6 @@ global_output_params = ( Str('memberofindirect_hbacrule?', label='Indirect Member of HBAC rule', ), - Str('externalhost?', - label=_('External host'), - ), Str('sourcehost', label=_('Failed source hosts/hostgroups'), ), @@ -313,6 +310,20 @@ def wait_for_value(ldap, dn, attr, value): return entry_attrs + +def validate_externalhost(ugettext, hostname): + try: + validate_hostname(hostname, check_fqdn=False, allow_underscore=True) + except ValueError, e: + return unicode(e) + + +external_host_param = Str('externalhost*', validate_externalhost, + label=_('External host'), + flags=['no_create', 'no_update', 'no_search'], +) + + def add_external_pre_callback(membertype, ldap, dn, keys, options): """ Pre callback to validate external members. diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index eb5cb696e..33440ccde 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -219,6 +219,7 @@ class hbacrule(LDAPObject): label=_('Service Groups'), flags=['no_create', 'no_update', 'no_search'], ), + external_host_param, ) api.register(hbacrule) diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py index d2a780980..4236feeb7 100644 --- a/ipalib/plugins/netgroup.py +++ b/ipalib/plugins/netgroup.py @@ -146,6 +146,7 @@ class netgroup(LDAPObject): doc=_('Host category the rule applies to'), values=(u'all', ), ), + external_host_param, ) api.register(netgroup) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 7432bc42b..2c0358e87 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -217,6 +217,7 @@ class sudorule(LDAPObject): doc=_('Run with the gid of a specified POSIX group'), flags=['no_create', 'no_update', 'no_search'], ), + external_host_param, ) order_not_unique_msg = _( 
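Review bot: validate_externalhost, added in the second baseldap.py hunk, has no docstring, and the two relaxations it applies (`check_fqdn=False`, `allow_underscore=True`) are an input-validation policy that a later maintainer will find only in the commit message. I would add a docstring saying that it validates one external host name supplied via --setattr/--addattr, deliberately accepts non-FQDN names and underscores, and returns the error text on failure and None otherwise. add_external_pre_callback starts right after the new code but its body is outside the hunk; if it checks host names with its own call to validate_hostname, both paths should go through this one helper so the accepted character set cannot drift between the add-host commands and `--addattr`.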
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index c7cb55bad..5ecb9014d 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py +++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -377,6 +377,15 @@ class test_hbac(XMLRPC_test): entry = ret['result'] assert_attr_equal(entry, 'externalhost', self.test_host_external) + @raises(errors.ValidationError) + def test_c_hbacrule_mod_invalid_external_setattr(self): + """ + Test adding the same external host using `xmlrpc.hbacrule_add_host`. + """ + ret = api.Command['hbacrule_mod']( + self.rule_name, setattr=self.test_invalid_sourcehost + ) + def test_c_hbacrule_remove_external_host(self): """ Test removing external source host using `xmlrpc.hbacrule_remove_host`. diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py index 03d5b9fa3..d51287bcd 100644 --- a/tests/test_xmlrpc/test_netgroup_plugin.py +++ b/tests/test_xmlrpc/test_netgroup_plugin.py @@ -46,6 +46,8 @@ host_dn1 = DN(('fqdn',host1),('cn','computers'),('cn','accounts'), unknown_host = u'unknown' +unknown_host2 = u'unknown2' + hostgroup1 = u'hg1' hostgroup_dn1 = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'), api.env.basedn) 
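Review bot: In test_c_hbacrule_mod_invalid_external_setattr the value passed as `setattr=self.test_invalid_sourcehost` has no `externalhost=` prefix, unlike the netgroup and sudorule tests in this commit, which build `'externalhost=%s' % ...`. The fixture is defined outside the hunk, but if it is a bare host name the ValidationError accepted by `@raises` may come from the name=value parsing of setattr, and the new externalhost validator would never be reached. I would write `setattr='externalhost=%s' % self.test_invalid_sourcehost` and assert on the error's name or message, as the sudorule test does. The docstring was copied from the add_host test; it should read `Test setting an invalid external host using xmlrpc.hbacrule_mod --setattr.`, and the unused `ret =` can be dropped.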
@@ -829,6 +831,66 @@ class test_netgroup(Declarative): ), dict( + desc='Add invalid host %r to netgroup %r using setattr' % + (invalidhost, netgroup1), + command=( + 'netgroup_mod', [netgroup1], + dict(setattr='externalhost=%s' % invalidhost) + ), + expected=errors.ValidationError(name='externalhost', + error='only letters, numbers, _, and - are allowed. ' + + 'DNS label may not start or end with -'), + ), + + dict( + desc='Add unknown host %r to netgroup %r using addattr' % + (unknown_host2, netgroup1), + command=( + 'netgroup_mod', [netgroup1], + dict(addattr='externalhost=%s' % unknown_host2) + ), + expected=dict( + value=u'netgroup1', + summary=u'Modified netgroup "netgroup1"', + result={ + 'memberhost_host': (host1,), + 'memberhost_hostgroup': (hostgroup1,), + 'memberuser_user': (user1,), + 'memberuser_group': (group1,), + 'member_netgroup': (netgroup2,), + 'cn': [netgroup1], + 'description': [u'Test netgroup 1'], + 'nisdomainname': [u'%s' % api.env.domain], + 'externalhost': [unknown_host, unknown_host2], + }, + ) + ), + + dict( + desc='Remove unknown host %r from netgroup %r using delattr' % + (unknown_host2, netgroup1), + command=( + 'netgroup_mod', [netgroup1], + dict(delattr='externalhost=%s' % unknown_host2) + ), + expected=dict( + value=u'netgroup1', + summary=u'Modified netgroup "netgroup1"', + result={ + 'memberhost_host': (host1,), + 'memberhost_hostgroup': (hostgroup1,), + 'memberuser_user': (user1,), + 'memberuser_group': (group1,), + 'member_netgroup': (netgroup2,), + 'cn': [netgroup1], + 'description': [u'Test netgroup 1'], + 'nisdomainname': [u'%s' % api.env.domain], + 'externalhost': [unknown_host], + }, + ) + ), + + dict( desc='Retrieve %r' % netgroup1, command=('netgroup_show', [netgroup1], {}), expected=dict( diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py index 6aabd2b27..f0e6cd34f 100644 --- a/tests/test_xmlrpc/test_sudorule_plugin.py +++ b/tests/test_xmlrpc/test_sudorule_plugin.py 
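Review bot: None of the cases added to test_netgroup covers the relaxation the commit message describes: `unknown_host2 = u'unknown2'` contains no underscore, so the addattr case would pass just as well against a strict validator. Changing the fixture in the first hunk of this file to a name with an interior underscore, for example `unknown_host2 = u'unknown_2'`, would pin that underscores are accepted on the --addattr path. `invalidhost` is defined outside the hunk, so it is not visible which rule the rejected setattr case trips; a one-line comment beside that case naming the offending character would make the intent clear.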
@@ -484,6 +484,23 @@ class test_sudorule(XMLRPC_test): else: assert False + def test_a_sudorule_mod_externalhost_invalid_addattr(self): + """ + Test adding an invalid external host to Sudo rule using + `xmlrpc.sudorule_mod --addattr`. + """ + try: + api.Command['sudorule_mod']( + self.rule_name, + addattr='externalhost=%s' % self.test_invalid_host + ) + except errors.ValidationError, e: + assert unicode(e) == ("invalid 'externalhost': only letters, " + + "numbers, _, and - are allowed. " + + "DNS label may not start or end with -") + else: + assert False + def test_b_sudorule_remove_externalhost(self): """ Test removing an external host from Sudo rule using |