authorPetr Viktorin <pviktori@redhat.com>2012-05-21 05:03:21 -0400
committerMartin Kosek <mkosek@redhat.com>2012-05-29 09:23:26 +0200
commit1af36da933cd3c788e3a48257e2f5c286e985e22 (patch)
tree472816360fa7ad147e958b63e240f45ed04a72b0 /ipalib/plugins
parente0930d42a54e586a0170c853fbc9e66f9193d5b0 (diff)
Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create flag for the respective command. For attributes that can be modified, but we just don't want to display in the CLI, use the 'no_option' flag. These are "locking" attributes (ipaenabledflag, nsaccountlock) and externalhost. Document the 'no_option' flag. Add some tests. https://fedorahosted.org/freeipa/ticket/2580
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/baseldap.py18
-rw-r--r--ipalib/plugins/hbacrule.py6
-rw-r--r--ipalib/plugins/selinuxusermap.py6
-rw-r--r--ipalib/plugins/sudorule.py6
-rw-r--r--ipalib/plugins/user.py2
5 files changed, 18 insertions, 20 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2851f0f27..7664928be 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -320,7 +320,7 @@ def validate_externalhost(ugettext, hostname):
external_host_param = Str('externalhost*', validate_externalhost,
label=_('External host'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
)
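Review bot: Replacing `['no_create', 'no_update', 'no_search']` with `['no_option']` on `external_host_param` also drops `no_search`, which the commit message does not mention. If `no_option` only hides the parameter from the CLI, the parameter is presumably now cloned into the add, mod and find commands and accepted from API callers as a regular argument, not only through `--setattr`. The same swap is made for `ipaenabledflag` in hbacrule.py, selinuxusermap.py and sudorule.py and for `nsaccountlock` in user.py, so the lock and enable attributes deserve a check that this wider exposure is intended. A comment at each site would record the intent, for example `# no_option: hidden from the CLI, still accepted by the API and --setattr`.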
@@ -819,6 +819,11 @@ last, after all sets and adds."""),
m = re.match("\s*(.*?)\s*=\s*(.*?)\s*$", a)
attr = str(m.group(1)).lower()
value = m.group(2)
+ if attr in self.obj.params and attr not in self.params:
+ # The attribute is managed by IPA, but it didn't get cloned
+ # to the command. This happens with no_update/no_create attrs.
+ raise errors.ValidationError(
+ name=attr, error=_('attribute is not configurable'))
if len(value) == 0:
# None means "delete this attribute"
value = None
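Review bot: The added guard `attr in self.obj.params and attr not in self.params` compares on the parameter name alone, and the only normalization visible before it is `.lower()`. It therefore holds only if `attr` is already in the exact form used as the key in `self.obj.params`; whether attribute options or alternate attribute names are stripped or resolved earlier is not visible here, since the enclosing function starts outside the hunk. If they are not, canonicalize the name before the lookup. The LDAP ACIs should stay the actual enforcement for these attributes, and the comment could say so: `# UI-level guard only; server-side ACIs must still deny writes to these attributes`.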
@@ -919,17 +924,10 @@ last, after all sets and adds."""),
# normalize all values
changedattrs = setattrs | addattrs | delattrs
for attr in changedattrs:
- if attr in self.obj.params:
+ if attr in self.params and self.params[attr].attribute:
# convert single-value params to scalars
+ param = self.params[attr]
value = entry_attrs[attr]
- try:
- param = self.params[attr]
- except KeyError:
- # The CRUD classes filter their disallowed parameters out.
- # Yet {set,add,del}attr are powerful enough to change these
- # (e.g. Config's ipacertificatesubjectbase)
- # So, use the parent's attribute
- param = self.obj.params[attr]
if not param.multivalue:
if len(value) == 1:
value = value[0]
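Review bot: The deleted comment was the only explanation of how an attribute could be known to the object yet missing from `self.params`, and nothing replaces it next to the new condition `attr in self.params and self.params[attr].attribute`. Attributes that fail that test now skip the scalar conversion silently, which is safe only if the disallowed ones were already rejected while the `--setattr`/`--addattr`/`--delattr` values were parsed. That appears to be the job of the check added in the earlier hunk, but the loop's function begins and ends outside this hunk, so it cannot be confirmed from here. I would state the invariant above the `if`: `# attrs in self.obj.params but not in self.params were rejected during attr parsing; anything else reaching here is a raw LDAP attribute`.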
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 33440ccde..460083622 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -18,7 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors
-from ipalib import AccessTime, Password, Str, StrEnum
+from ipalib import AccessTime, Password, Str, StrEnum, Bool
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
@@ -183,9 +183,9 @@ class hbacrule(LDAPObject):
cli_name='desc',
label=_('Description'),
),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
),
Str('memberuser_user?',
label=_('Users'),
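Review bot: The switch from `Flag('ipaenabledflag?'` to `Bool('ipaenabledflag?'` changes the parameter type but is not explained in the code or the commit message; selinuxusermap.py and sudorule.py make the same change. Presumably it is needed because the parameter now reaches the commands and a `Flag` would bring its own default with it, but a reader cannot tell that from the definition. A one-line comment above the parameter would help, for example `# Bool, not Flag: no default should be filled in when the option is omitted`. It is also worth confirming that a value set through `--setattr` is validated as a boolean in the same way as on the enable/disable commands, which are outside this diff.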
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e33e10161..e6179cee9 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -18,7 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
from ipalib.plugins.hbacrule import is_all
@@ -172,9 +172,9 @@ class selinuxusermap(LDAPObject):
cli_name='desc',
label=_('Description'),
),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
),
Str('memberuser_user?',
label=_('Users'),
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2c0358e87..723cce2e4 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -18,7 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
from ipalib.plugins.baseldap import *
from ipalib.plugins.hbacrule import is_all
from ipalib import _, ngettext
@@ -110,9 +110,9 @@ class sudorule(LDAPObject):
cli_name='desc',
label=_('Description'),
),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
),
StrEnum('usercategory?',
cli_name='usercat',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 3bea7af6f..2e069bde3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -338,7 +338,7 @@ class user(LDAPObject):
),
Bool('nsaccountlock?',
label=_('Account disabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
),
Bytes('ipasshpubkey*', validate_sshpubkey,
cli_name='sshpubkey',