author | Tomas Babej <tbabej@redhat.com> | 2014-05-14 13:22:20 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-25 20:14:51 +0200 |
commit | 9bb88a15e0297e3a3e8e713267bc399164e0cdd6 (patch) | |
tree | e7e794a3126c157e60445265380d669fd1886459 /ipalib | |
parent | af2eb4d69506b641504d076e79b80c7ee54eeda9 (diff) | |
sudorule: Make sure all the relevant attributes are checked when setting category to ALL
https://fedorahosted.org/freeipa/ticket/4341
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/sudorule.py | 53 |
1 files changed, 41 insertions, 12 deletions
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 95631a4b6..3d6bc7042 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -1,7 +1,7 @@
 # Authors:
 # Jr Aquino <jr.aquino@citrixonline.com>
 #
-# Copyright (C) 2010 Red Hat
+# Copyright (C) 2010-2014 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 # This program is free software; you can redistribute it and/or modify
@@ -404,22 +404,51 @@ class sudorule_mod(LDAPUpdate):
             self.obj.check_order_uniqueness(*keys, **options)
         else:
             self.obj.check_order_uniqueness(*keys, **options)
+
         try:
             _entry_attrs = ldap.get_entry(dn, self.obj.default_attributes)
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
-        if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs:
-            raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users"))
-        if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs:
-            raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts"))
-        if is_all(options, 'cmdcategory') and ('memberallowcmd' or
-            'memberdenywcmd') in _entry_attrs:
-            raise errors.MutuallyExclusiveError(reason=_("command category cannot be set to 'all' while there are allow or deny commands"))
-        if is_all(options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs:
-            raise errors.MutuallyExclusiveError(reason=_("user runAs category cannot be set to 'all' while there are users"))
-        if is_all(options, 'ipasudorunasgroupcategory') and 'ipasudorunasgroup' in _entry_attrs:
-            raise errors.MutuallyExclusiveError(reason=_("group runAs category cannot be set to 'all' while there are groups"))
+        error = _("%(type)s category cannot be set to 'all' "
+                  "while there are allowed %(objects)s")
+
+        category_info = [(
+            'usercategory',
+            ['memberuser', 'externaluser'],
+            error % {'type': _('user'), 'objects': _('users')}
+        ),
+        (
+            'hostcategory',
+            ['memberhost', 'externalhost', 'hostmask'],
+            error % {'type': _('host'), 'objects': _('hosts')}
+        ),
+        (
+            'cmdcategory',
+            ['memberallowcmd'],
+            error % {'type': _('command'), 'objects': _('commands')}
+        ),
+        (
+            'ipasudorunasusercategory',
+            ['ipasudorunas', 'ipasudorunasextuser',
+             'ipasudorunasextusergroup'],
+            error % {'type': _('runAs user'), 'objects': _('runAs users')}
+        ),
+        (
+            'ipasudorunasgroupcategory',
+            ['ipasudorunasgroup', 'ipasudorunasextgroup'],
+            error % {'type': _('group runAs'), 'objects': _('runAs groups')}
+        ),
+        ]
+
+
+        # Enforce the checks for all the categories
+        for category, member_attrs, error in category_info:
+            any_member_attrs_set = any(attr in _entry_attrs
+                                       for attr in member_attrs)
+
+            if is_all(options, category) and any_member_attrs_set:
+                raise errors.MutuallyExclusiveError(reason=error)
         return dn