Validate externalhost (when added by --addattr/--setattr)

Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649

3 files changed, 88 insertions, 0 deletions

diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index c7cb55bad..5ecb9014d 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
@@ -377,6 +377,15 @@ class test_hbac(XMLRPC_test):
         entry = ret['result']
         assert_attr_equal(entry, 'externalhost', self.test_host_external)
 
+    @raises(errors.ValidationError)
+    def test_c_hbacrule_mod_invalid_external_setattr(self):
+        """
+        Test adding the same external host using `xmlrpc.hbacrule_add_host`.
+        """
+        ret = api.Command['hbacrule_mod'](
+            self.rule_name, setattr=self.test_invalid_sourcehost
+        )
+
     def test_c_hbacrule_remove_external_host(self):
         """
         Test removing external source host using `xmlrpc.hbacrule_remove_host`.
diff --git a/tests/test_xmlrpc/test_netgroup_plugin.py b/tests/test_xmlrpc/test_netgroup_plugin.py
index 03d5b9fa3..d51287bcd 100644
--- a/tests/test_xmlrpc/test_netgroup_plugin.py
+++ b/tests/test_xmlrpc/test_netgroup_plugin.py
@@ -46,6 +46,8 @@ host_dn1 = DN(('fqdn',host1),('cn','computers'),('cn','accounts'),
 
 unknown_host = u'unknown'
 
+unknown_host2 = u'unknown2'
+
 hostgroup1 = u'hg1'
 hostgroup_dn1 = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
                    api.env.basedn)
@@ -829,6 +831,66 @@ class test_netgroup(Declarative):
         ),
 
         dict(
+            desc='Add invalid host %r to netgroup %r using setattr' %
+                (invalidhost, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(setattr='externalhost=%s' % invalidhost)
+            ),
+            expected=errors.ValidationError(name='externalhost',
+                error='only letters, numbers, _, and - are allowed. ' +
+                    'DNS label may not start or end with -'),
+        ),
+
+        dict(
+            desc='Add unknown host %r to netgroup %r using addattr' %
+                (unknown_host2, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(addattr='externalhost=%s' % unknown_host2)
+            ),
+            expected=dict(
+                value=u'netgroup1',
+                summary=u'Modified netgroup "netgroup1"',
+                result={
+                        'memberhost_host': (host1,),
+                        'memberhost_hostgroup': (hostgroup1,),
+                        'memberuser_user': (user1,),
+                        'memberuser_group': (group1,),
+                        'member_netgroup': (netgroup2,),
+                        'cn': [netgroup1],
+                        'description': [u'Test netgroup 1'],
+                        'nisdomainname': [u'%s' % api.env.domain],
+                        'externalhost': [unknown_host, unknown_host2],
+                },
+            )
+        ),
+
+        dict(
+            desc='Remove unknown host %r from netgroup %r using delattr' %
+                (unknown_host2, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(delattr='externalhost=%s' % unknown_host2)
+            ),
+            expected=dict(
+                value=u'netgroup1',
+                summary=u'Modified netgroup "netgroup1"',
+                result={
+                        'memberhost_host': (host1,),
+                        'memberhost_hostgroup': (hostgroup1,),
+                        'memberuser_user': (user1,),
+                        'memberuser_group': (group1,),
+                        'member_netgroup': (netgroup2,),
+                        'cn': [netgroup1],
+                        'description': [u'Test netgroup 1'],
+                        'nisdomainname': [u'%s' % api.env.domain],
+                        'externalhost': [unknown_host],
+                },
+            )
+        ),
+
+        dict(
             desc='Retrieve %r' % netgroup1,
             command=('netgroup_show', [netgroup1], {}),
             expected=dict(
diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py
index 6aabd2b27..f0e6cd34f 100644
--- a/tests/test_xmlrpc/test_sudorule_plugin.py
+++ b/tests/test_xmlrpc/test_sudorule_plugin.py
@@ -484,6 +484,23 @@ class test_sudorule(XMLRPC_test):
         else:
             assert False
 
+    def test_a_sudorule_mod_externalhost_invalid_addattr(self):
+        """
+        Test adding an invalid external host to Sudo rule using
+        `xmlrpc.sudorule_mod --addattr`.
+        """
+        try:
+            api.Command['sudorule_mod'](
+                self.rule_name,
+                addattr='externalhost=%s' % self.test_invalid_host
+            )
+        except errors.ValidationError, e:
+            assert unicode(e) == ("invalid 'externalhost': only letters, " +
+                "numbers, _, and - are allowed. " +
+                "DNS label may not start or end with -")
+        else:
+            assert False
+
     def test_b_sudorule_remove_externalhost(self):
         """
         Test removing an external host from Sudo rule using