authorOndrej Hamada <ohamada@redhat.com>2012-03-27 15:15:20 +0200
committerMartin Kosek <mkosek@redhat.com>2012-03-28 16:23:37 +0200
commit5cfee2338d548035151926c5c235f3426fca0499 (patch)
treebfaf5b0b796d398386e971c1ba272bb748e91145 /ipalib
parent159e848d85779e8fb3a9b2ed84490423014bf609 (diff)
Netgroup nisdomain and hosts validation
nisdomain validation: Added pattern to the 'nisdomain' parameter to validate the specified nisdomain name. According to most common use cases the same pattern as for netgroup should fit. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2448 'add_external_pre_callback' function was created to allow validation of all external members. Validation is based on usage of the object's primary key parameter. The 'add_external_pre_callback' function has to be called directly from the 'pre_callback' function. This change affects netgroup, hbacrule and sudorule commands. For hostname, the validator allows non-fqdn and underscore characters. validate_hostname function in ipalib.util was modified and contains additional option that allows hostname to contain underscore characters. This option is disabled by default. Unit-tests added. https://fedorahosted.org/freeipa/ticket/2447
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/baseldap.py29
-rw-r--r--ipalib/plugins/hbacrule.py2
-rw-r--r--ipalib/plugins/netgroup.py9
-rw-r--r--ipalib/plugins/sudorule.py8
-rw-r--r--ipalib/util.py10
5 files changed, 47 insertions, 11 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index a09e00fef..38f369a77 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -33,7 +33,7 @@ from ipalib.base import NameSpace
from ipalib.cli import to_cli, from_cli
from ipalib import output
from ipalib.text import _
-from ipalib.util import json_serialize
+from ipalib.util import json_serialize, validate_hostname
from ipalib.dn import *
global_output_params = (
@@ -313,6 +313,33 @@ def wait_for_value(ldap, dn, attr, value):
return entry_attrs
+def add_external_pre_callback(membertype, ldap, dn, keys, options):
+ """
+ Pre callback to validate external members.
+
+ This should be called by a command pre callback directly.
+
+ membertype is the type of member
+ """
+ # validate hostname with allowed underscore characters, non-fqdn
+ # hostnames are allowed
+ def validate_host(hostname):
+ validate_hostname(hostname, check_fqdn=False, allow_underscore=True)
+
+ if membertype in options:
+ if membertype == 'host':
+ validator = validate_host
+ else:
+ validator = api.Object[membertype].primary_key
+ for value in options[membertype]:
+ try:
+ validator(value)
+ except errors.ValidationError as e:
+ raise errors.ValidationError(name=membertype, error=e.error)
+ except ValueError as e:
+ raise errors.ValidationError(name=membertype, error=e)
+ return dn
+
def add_external_post_callback(memberattr, membertype, externalattr, ldap, completed, failed, dn, entry_attrs, *keys, **options):
"""
Post callback to add failed members as external members.
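Review bot: In add_external_pre_callback the `except ValueError as e` branch hands the exception object itself to `errors.ValidationError`, while the branch above it passes the message text (`e.error`); passing text in both keeps the reported error uniform, e.g. `raise errors.ValidationError(name=membertype, error=unicode(e))`. The docstring explains only `membertype`; it should also say that `options[membertype]` is the list of values being validated, that `ldap` and `keys` are accepted but not used, and that `dn` is returned unchanged so a caller can return the result directly. It is worth stating there as well that every value of the option is checked, not only the ones that later end up stored as external members.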
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 466648556..eb5cb696e 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -498,7 +498,7 @@ class hbacrule_add_sourcehost(LDAPAddMember):
if 'sourcehostcategory' in entry_attrs and \
entry_attrs['sourcehostcategory'][0].lower() == 'all':
raise errors.MutuallyExclusiveError(reason="source hosts cannot be added when sourcehost category='all'")
- return dn
+ return add_external_pre_callback('host', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('sourcehost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index 2ba154649..06372a592 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -53,6 +53,11 @@ EXAMPLES:
NETGROUP_PATTERN='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]+$'
NETGROUP_PATTERN_ERRMSG='may only include letters, numbers, _, -, and .'
+# according to most common use cases the netgroup pattern should fit
+# also the nisdomain pattern
+NISDOMAIN_PATTERN=NETGROUP_PATTERN
+NISDOMAIN_PATTERN_ERRMSG=NETGROUP_PATTERN_ERRMSG
+
output_params = (
Str('memberuser_user?',
label='Member User',
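Review bot: `NISDOMAIN_PATTERN` reuses `NETGROUP_PATTERN`, whose `[a-zA-Z0-9_.][a-zA-Z0-9_.-]+` form requires at least two characters, so a one-character NIS domain is refused with a message (`may only include letters, numbers, _, -, and .`) that says nothing about length. Either state the minimum in `NISDOMAIN_PATTERN_ERRMSG`, or give nisdomain its own pattern with `*` in place of `+` if single-character names should pass. If the pattern is applied with Python's `re`, the closing `$` also matches before a trailing newline; unless `Str` already rejects such input, `\Z` would be the stricter anchor. Values stored before this pattern existed may not match it, which could matter when such an entry is modified later.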
@@ -118,6 +123,8 @@ class netgroup(LDAPObject):
doc=_('Netgroup description'),
),
Str('nisdomainname?',
+ pattern=NISDOMAIN_PATTERN,
+ pattern_errmsg=NISDOMAIN_PATTERN_ERRMSG,
cli_name='nisdomain',
label=_('NIS domain name'),
),
@@ -255,6 +262,8 @@ class netgroup_add_member(LDAPAddMember):
member_attributes = ['memberuser', 'memberhost', 'member']
has_output_params = LDAPAddMember.has_output_params + output_params
+ def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+ return add_external_pre_callback('host', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index de7a7af37..7432bc42b 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -431,7 +431,7 @@ class sudorule_add_user(LDAPAddMember):
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'usercategory'):
raise errors.MutuallyExclusiveError(reason=_("users cannot be added when user category='all'"))
- return dn
+ return add_external_pre_callback('user', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('memberuser', 'user', 'externaluser', ldap, completed, failed, dn, entry_attrs, keys, options)
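Review bot: Passing `'user'` here makes every value of the `user` option subject to `api.Object['user'].primary_key`, including names that are not IPA users and are meant to be kept as external members (`externaluser` in the post callback below). A name that is valid on the external system but not under IPA's own user-name rules would presumably now be refused before the add; if that is intended, a comment such as `# external users must also satisfy the IPA user name rules` above the return would make it explicit. The same applies to the `'user'` call in sudorule_add_runasuser and the `'group'` call in sudorule_add_runasgroup. The pre_callback bodies start outside these hunks.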
@@ -464,7 +464,7 @@ class sudorule_add_host(LDAPAddMember):
self.obj.handle_not_found(*keys)
if is_all(_entry_attrs, 'hostcategory'):
raise errors.MutuallyExclusiveError(reason=_("hosts cannot be added when host category='all'"))
- return dn
+ return add_external_pre_callback('host', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('memberhost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
@@ -517,7 +517,7 @@ class sudorule_add_runasuser(LDAPAddMember):
error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) %
dict(name=name))
- return dn
+ return add_external_pre_callback('user', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('ipasudorunas', 'user', 'ipasudorunasextuser', ldap, completed, failed, dn, entry_attrs, keys, options)
@@ -565,7 +565,7 @@ class sudorule_add_runasgroup(LDAPAddMember):
error=unicode(_("RunAsGroup does not accept '%(name)s' as a group name")) %
dict(name=name))
- return dn
+ return add_external_pre_callback('group', ldap, dn, keys, options)
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
return add_external_post_callback('ipasudorunasgroup', 'group', 'ipasudorunasextgroup', ldap, completed, failed, dn, entry_attrs, keys, options)
diff --git a/ipalib/util.py b/ipalib/util.py
index bbc0fa674..a79f41cc3 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -230,14 +230,14 @@ def validate_dns_label(dns_label, allow_underscore=False):
'- must not be the DNS label character') \
% dict(underscore=underscore_err_msg))
-def validate_domain_name(domain_name):
+def validate_domain_name(domain_name, allow_underscore=False):
if domain_name.endswith('.'):
domain_name = domain_name[:-1]
domain_name = domain_name.split(".")
# apply DNS name validator to every name part
- map(lambda label:validate_dns_label(label), domain_name)
+ map(lambda label:validate_dns_label(label,allow_underscore), domain_name)
if not domain_name[-1].isalpha():
# see RFC 1123
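Review bot: The label check in validate_domain_name relies on `map()` being evaluated for its side effect; that holds only where `map` is eager, and with a lazy `map` the per-label validator would never run and every name would pass this step. An explicit loop removes that dependency: `for label in domain_name: validate_dns_label(label, allow_underscore)`. The function also has no docstring in the visible lines; one sentence saying that `allow_underscore` is forwarded to the per-label check would help. The body continues outside the hunk.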
@@ -284,7 +284,7 @@ def validate_zonemgr(zonemgr):
validate_domain_name(domain)
-def validate_hostname(hostname, check_fqdn=True):
+def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
""" See RFC 952, 1123
:param hostname Checked value
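Review bot: The new `allow_underscore` parameter of validate_hostname is not described in the docstring: the `:param` list starts in this hunk, and the unchanged lines between this hunk and the next one add nothing to it. A line such as `:param allow_underscore Allow underscore characters in the labels (default False)` next to the existing entries would do. Since the flag loosens an RFC 952/1123 check, the docstring is also the place to say which callers are expected to set it (going by the commit message, validation of external host members). The calls in the next hunk pass it positionally and without a space after the comma; `validate_dns_label(hostname, allow_underscore=allow_underscore)` reads more clearly.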
@@ -299,9 +299,9 @@ def validate_hostname(hostname, check_fqdn=True):
if '.' not in hostname:
if check_fqdn:
raise ValueError(_('not fully qualified'))
- validate_dns_label(hostname)
+ validate_dns_label(hostname,allow_underscore)
else:
- validate_domain_name(hostname)
+ validate_domain_name(hostname,allow_underscore)
def validate_sshpubkey(ugettext, pubkey):
try: