authorRob Crittenden <rcritten@redhat.com>2011-07-06 17:45:53 -0400
committerRob Crittenden <rcritten@redhat.com>2011-07-14 19:23:17 -0400
commitbea7818adde2712be3ee052634bdf314fd63b5da (patch)
tree6a81f97e87e9ef1b6795eebac4bc0e53cec20a6a
parent9dfdf55034223e05c72e59239169be8cf315fc29 (diff)
Remove the ability to create new HBAC deny rules.
New rules will all be allow type. Existing rules cannot be changed to deny. The type attribute now defaults to allow with autofill so it won't be prompted in interactive mode in the cli. https://fedorahosted.org/freeipa/ticket/1432
-rw-r--r--API.txt6
-rw-r--r--ipalib/plugins/hbacrule.py10
-rw-r--r--tests/test_xmlrpc/test_hbac_plugin.py25
3 files changed, 36 insertions, 5 deletions
diff --git a/API.txt b/API.txt
index 70bb7782f..a8669b64c 100644
--- a/API.txt
+++ b/API.txt
@@ -1018,7 +1018,7 @@ output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e
command: hbacrule_add
args: 1,11,3
arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True)
-option: StrEnum('accessruletype', attribute=True, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=True, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
option: StrEnum('usercategory', attribute=True, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
option: StrEnum('sourcehostcategory', attribute=True, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
@@ -1099,7 +1099,7 @@ command: hbacrule_find
args: 1,12,4
arg: Str('criteria?', noextrawhitespace=False)
option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
@@ -1117,7 +1117,7 @@ output: Output('truncated', <type 'bool'>, 'True if not all results were returne
command: hbacrule_mod
args: 1,12,3
arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 2488b1d91..2dcdddd58 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -87,6 +87,10 @@ from ipalib import _, ngettext
topic = ('hbac', 'Host-based access control commands')
+def validate_type(ugettext, type):
+ if type.lower() == 'deny':
+ raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.'))
+
def is_all(options, attribute):
"""
See if options[attribute] is lower-case 'all' in a safe way.
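Review bot: `validate_type` names its second parameter `type`, which shadows the builtin, and it has no docstring saying what it rejects or why. I would rename the parameter to `value` and add `"""Reject the 'deny' rule type; only 'allow' may be created or set."""`. The function also raises `ValidationError` itself with a hard-coded `name='type'`; if ipalib rule callables are expected to return the message and let the parameter raise it, returning `_('The deny type has been deprecated.')` would keep the reported parameter name consistent, which is worth confirming against the Param rule convention. The message says "deprecated" while the request is in fact refused, so wording such as "no longer supported" may be clearer to an operator.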
@@ -132,11 +136,13 @@ class hbacrule(LDAPObject):
label=_('Rule name'),
primary_key=True,
),
- StrEnum('accessruletype',
+ StrEnum('accessruletype', validate_type,
cli_name='type',
- doc=_('Rule type (allow or deny)'),
+ doc=_('Rule type (allow)'),
label=_('Rule type'),
values=(u'allow', u'deny'),
+ default=u'allow',
+ autofill=True,
),
# FIXME: {user,host,sourcehost,service}categories should expand in the future
StrEnum('usercategory?',
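Review bot: Attaching `validate_type` to the object-level `accessruletype` parameter appears to apply it to `hbacrule_find` as well (the API.txt hunk shows the rule on the find option), so a search for type `deny` would be refused even though existing deny rules are left in place. Administrators auditing which deny rules still take effect lose the direct query; consider enforcing the check only in the add and mod paths, or at least record the behaviour with a comment such as `# validate_type also applies to hbacrule_find: searching for type deny is rejected`. `values` still lists `u'deny'` while the doc now reads `Rule type (allow)`; a short comment saying the value is kept so existing entries remain readable would explain the mismatch. The parameter list continues outside the hunk.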
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index b2345cc4a..29e9f6c48 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test):
finally:
api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service)
+ def test_l_hbacrule_add(self):
+ """
+ Test adding a new HBAC rule with a deny type.
+ """
+ try:
+ api.Command['hbacrule_add'](
+ u'denyrule',
+ accessruletype=u'deny',
+ description=self.rule_desc,
+ )
+ except errors.ValidationError:
+ pass
+
+ def test_m_hbacrule_add(self):
+ """
+ Test changing an HBAC rule to the deny type
+ """
+ try:
+ api.Command['hbacrule_mod'](
+ self.rule_name,
+ accessruletype=u'deny',
+ )
+ except errors.ValidationError:
+ pass
+
def test_z_hbacrule_del(self):
"""
Test deleting a HBAC rule using `xmlrpc.hbacrule_del`.
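Review bot: Both new tests pass when no exception is raised: the `try` / `except errors.ValidationError: pass` in `test_l_hbacrule_add` and `test_m_hbacrule_add` has no failing branch, so a regression that lets a deny rule through would go unnoticed and would leave `denyrule` behind for later tests. Add an `else:` branch with `assert False, 'deny rule type was accepted'` to each test. The second test exercises `hbacrule_mod`, so `test_m_hbacrule_mod` would be the accurate name. The `test_hbac` class begins before the hunk and `test_z_hbacrule_del` continues past it.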