diff options
author | Rob Crittenden <rcritten@redhat.com> | 2011-07-06 17:45:53 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-07-14 19:23:17 -0400 |
commit | bea7818adde2712be3ee052634bdf314fd63b5da (patch) | |
tree | 6a81f97e87e9ef1b6795eebac4bc0e53cec20a6a | |
parent | 9dfdf55034223e05c72e59239169be8cf315fc29 (diff) | |
download | freeipa-bea7818adde2712be3ee052634bdf314fd63b5da.tar.gz freeipa-bea7818adde2712be3ee052634bdf314fd63b5da.tar.xz freeipa-bea7818adde2712be3ee052634bdf314fd63b5da.zip |
Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to
deny.
The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.
https://fedorahosted.org/freeipa/ticket/1432
-rw-r--r-- | API.txt | 6 | ||||
-rw-r--r-- | ipalib/plugins/hbacrule.py | 10 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_hbac_plugin.py | 25 |
3 files changed, 36 insertions, 5 deletions
@@ -1018,7 +1018,7 @@ output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e command: hbacrule_add args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True) -option: StrEnum('accessruletype', attribute=True, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny')) +option: StrEnum('accessruletype', validate_type, attribute=True, autofill=True, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny')) option: StrEnum('usercategory', attribute=True, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) option: StrEnum('sourcehostcategory', attribute=True, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) @@ -1099,7 +1099,7 @@ command: hbacrule_find args: 1,12,4 arg: Str('criteria?', noextrawhitespace=False) option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False) -option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny')) +option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny')) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',)) option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',)) @@ -1117,7 +1117,7 @@ output: Output('truncated', <type 'bool'>, 'True if not all results were returne command: hbacrule_mod args: 1,12,3 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True) -option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny')) +option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny')) option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',)) diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index 2488b1d91..2dcdddd58 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -87,6 +87,10 @@ from ipalib import _, ngettext topic = ('hbac', 'Host-based access control commands') +def validate_type(ugettext, type): + if type.lower() == 'deny': + raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.')) + def is_all(options, attribute): """ See if options[attribute] is lower-case 'all' in a safe way. @@ -132,11 +136,13 @@ class hbacrule(LDAPObject): label=_('Rule name'), primary_key=True, ), - StrEnum('accessruletype', + StrEnum('accessruletype', validate_type, cli_name='type', - doc=_('Rule type (allow or deny)'), + doc=_('Rule type (allow)'), label=_('Rule type'), values=(u'allow', u'deny'), + default=u'allow', + autofill=True, ), # FIXME: {user,host,sourcehost,service}categories should expand in the future StrEnum('usercategory?', diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index b2345cc4a..29e9f6c48 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py +++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test): finally: api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service) + def test_l_hbacrule_add(self): + """ + Test adding a new HBAC rule with a deny type. + """ + try: + api.Command['hbacrule_add']( + u'denyrule', + accessruletype=u'deny', + description=self.rule_desc, + ) + except errors.ValidationError: + pass + + def test_m_hbacrule_add(self): + """ + Test changing an HBAC rule to the deny type + """ + try: + api.Command['hbacrule_mod']( + self.rule_name, + accessruletype=u'deny', + ) + except errors.ValidationError: + pass + def test_z_hbacrule_del(self): """ Test deleting a HBAC rule using `xmlrpc.hbacrule_del`. |