authorRob Crittenden <rcritten@redhat.com>2010-09-15 09:20:14 -0400
committerRob Crittenden <rcritten@redhat.com>2010-10-08 10:11:41 -0400
commitbed6e81935a43e0661faf2391c2494b230222c17 (patch)
tree400e05f426b6fbfe97327ef6e1fbcf6990b06cea /ipalib
parentb09467e44809a0858657e71c0c92852e1d483c5f (diff)
If an HBAC category is 'all' don't allow individual objects to be added.
Basically, make 'all' mutually exclusive with explicitly listed members. This makes debugging much easier. If, say, usercat='all' there is no point adding specific users to the rule because it will always apply to everyone. ticket 164
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/errors.py17
-rw-r--r--ipalib/plugins/hbac.py44
2 files changed, 61 insertions, 0 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index efd0d640f..0d1304e0d 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1221,6 +1221,23 @@ class CertificateOperationError(ExecutionError):
format = _('Certificate operation cannot be completed: %(error)s')
+class MutuallyExclusiveError(ExecutionError):
+ """
+ **4302** Raised when an operation would result in setting two attributes which are mutually exlusive.
+
+ For example:
+
+ >>> raise MutuallyExclusiveError(reason=u'hosts may not be added when hostcategory=all')
+ Traceback (most recent call last):
+ ...
+ MutuallyExclusiveError: hosts may not be added when hostcategory=all
+
+ """
+
+ errno = 4302
+ format = _('%(reason)s')
+
+
##############################################################################
# 5000 - 5999: Generic errors
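Review bot: The new class docstring has a typo, "mutually exlusive" should read "mutually exclusive". Since `format` is just `%(reason)s`, the class itself contributes no translatable text, so the docstring should also say that callers are expected to pass an already-translated `reason` (the callers in this commit pass plain byte strings, which breaks that convention if it exists). A one-line addition such as `The caller supplies the full, translated message as ``reason``.` after the first sentence would make the contract explicit.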
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 94fa76227..00743aedc 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -231,6 +231,22 @@ class hbac_mod(LDAPUpdate):
Modify an HBAC rule.
"""
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ (dn, entry_attrs) = ldap.get_entry(dn, attrs_list)
+ if 'usercategory' in options and options['usercategory'].lower() == 'all' and \
+ 'memberuser' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="user category cannot be set to 'all' while there are allowed users")
+ if 'hostcategory' in options and options['hostcategory'].lower() == 'all' and \
+ 'memberhost' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts")
+ if 'sourcehostcategory' in options and options['sourcehostcategory'].lower() == 'all' and \
+ 'sourcehost' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="sourcehost category cannot be set to 'all' while there are allowed source hosts")
+ if 'servicecategory' in options and options['servicecategory'].lower() == 'all' and \
+ 'memberservice' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="service category cannot be set to 'all' while there are allowed services")
+ return dn
+
api.register(hbac_mod)
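Review bot: The check in the new `pre_callback` fails open if the entry read on the second line does not include the member attributes: it reads `ldap.get_entry(dn, attrs_list)`, and `attrs_list` appears to be the attribute set the caller asked to display rather than a fixed list, so a request for a narrower set would make `'memberuser' in entry_attrs` false even when members exist and the rule would end up with both `usercategory=all` and explicit members. Reading the four member attributes explicitly, e.g. `(dn, entry_attrs) = ldap.get_entry(dn, ['memberuser', 'memberhost', 'sourcehost', 'memberservice'])`, makes the guard independent of what the caller asked for. Separately, `options['usercategory'].lower()` (and the three sibling lines) will raise `AttributeError` instead of a clean error if the option is present but `None`, which I believe is how a cleared attribute arrives in this framework; `if options.get('usercategory') and options['usercategory'].lower() == 'all' and 'memberuser' in entry_attrs:` avoids that. The `reason` strings are also not wrapped in `_()` like other user-facing messages in this module, so they will not be translated.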
@@ -382,6 +398,13 @@ class hbac_add_user(LDAPAddMember):
member_attributes = ['memberuser']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+ (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
+ if 'usercategory' in entry_attrs and \
+ entry_attrs['usercategory'][0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(reason="users cannot be added when user category='all'")
+ return dn
+
api.register(hbac_add_user)
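Review bot: The category guard is check-then-act: `get_entry` on the second line and the member write that the framework performs afterwards are separate LDAP operations, so a concurrent `hbac-mod --usercat=all` can land between them and the rule still ends up with both forms; worth a comment such as `# Not atomic with the subsequent member add; a concurrent category change can still race this check.` so nobody relies on it as a hard invariant. The same four-line body is repeated verbatim in the `hbac_add_host`, `hbac_add_sourcehost` and `hbac_add_service` hunks below with only the attribute name and message changing, which invites the copies drifting apart; a small module-level helper `_check_category_exclusive(ldap, dn, entry_attrs, category_attr, reason)` called from each `pre_callback` would keep them aligned. As with `hbac_mod`, the `reason` text is a plain byte string rather than a translated unicode message.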
@@ -402,6 +425,13 @@ class hbac_add_host(LDAPAddMember):
member_attributes = ['memberhost']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+ (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
+ if 'hostcategory' in entry_attrs and \
+ entry_attrs['hostcategory'][0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(reason="hosts cannot be added when host category='all'")
+ return dn
+
api.register(hbac_add_host)
@@ -422,6 +452,13 @@ class hbac_add_sourcehost(LDAPAddMember):
member_attributes = ['sourcehost']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+ (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
+ if 'sourcehostcategory' in entry_attrs and \
+ entry_attrs['sourcehostcategory'][0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(reason="source hosts cannot be added when sourcehost category='all'")
+ return dn
+
api.register(hbac_add_sourcehost)
@@ -442,6 +479,13 @@ class hbac_add_service(LDAPAddMember):
member_attributes = ['memberservice']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+ (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
+ if 'servicecategory' in entry_attrs and \
+ entry_attrs['servicecategory'][0].lower() == 'all':
+ raise errors.MutuallyExclusiveError(reason="services cannot be added when service category='all'")
+ return dn
+
api.register(hbac_add_service)