-rw-r--r-- | ipalib/plugins/hbacrule.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/selinuxusermap.py | 23 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_selinuxusermap_plugin.py | 35 |
3 files changed, 52 insertions, 8 deletions
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py index 0fa44a590..53d25aac6 100644 --- a/ipalib/plugins/hbacrule.py +++ b/ipalib/plugins/hbacrule.py @@ -243,7 +243,7 @@ class hbacrule_del(LDAPDelete): msg_summary = _('Deleted HBAC rule "%(value)s"') def pre_callback(self, ldap, dn, *keys, **options): - kw = dict(seealso=dn) + kw = dict(seealso=keys[0]) _entries = api.Command.selinuxusermap_find(None, **kw) if _entries['count']: raise errors.DependentEntry(key=keys[0], label=self.api.Object['selinuxusermap'].label_singular, dependent=_entries['result'][0]['cn'][0]) diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py index 475376f6e..ee9a8133f 100644 --- a/ipalib/plugins/selinuxusermap.py +++ b/ipalib/plugins/selinuxusermap.py @@ -29,7 +29,9 @@ SELinux User Mapping Map IPA users to SELinux users by host. Hosts, hostgroups, users and groups can be either defined within -the rule or it may point to an existing HBAC rule. +the rule or it may point to an existing HBAC rule. When using +--hbacrule option to selinuxusermap-find an exact match is made on the +HBAC rule name, so only one or zero entries will be returned. EXAMPLES: @@ -54,6 +56,9 @@ EXAMPLES: Enable a named rule: ipa selinuxusermap-enable test1 + Find a rule referencing a specific HBAC rule: + ipa selinuxusermap-find --hbacrule=allow_some + Remove a named rule: ipa selinuxusermap-del john_unconfined 
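Review bot: At `kw = dict(seealso=keys[0])` the switch from the rule DN to the rule name is not explained, while `dn` is still a parameter of pre_callback and looks like the natural value to pass, so the next reader may be tempted to revert it. A one-line comment would pin the contract: `# selinuxusermap_find takes the HBAC rule name and resolves it to the rule DN itself`. The `kw` indirection can go at the same time: `_entries = api.Command.selinuxusermap_find(None, seealso=keys[0])`. When several maps reference the rule only the first is named in DependentEntry; that is pre-existing behaviour and not changed here.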
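Review bot: The added docstring sentence `so only one or zero entries will be returned` states a property the code shown does not appear to enforce: the dependency check in hbacrule_del's pre_callback reads `_entries['result'][0]` after testing `count`, which suggests several SELinux user maps may point at the same HBAC rule. If that is so, what is exact is the match on the rule name, not the number of results, and the wording should say `the HBAC rule name is matched exactly (no substring match), so only maps that reference that specific rule are returned`. If one map per HBAC rule is in fact enforced somewhere, a pointer to that check would make the sentence verifiable.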
@@ -298,12 +303,16 @@ class selinuxusermap_find(LDAPSearch): def execute(self, *args, **options): # If searching on hbacrule we need to find the uuid to search on - if 'seealso' in options: - kw = dict(cn=options['seealso'], all=True) - _entries = api.Command.hbacrule_find(None, **kw)['result'] - del options['seealso'] - if _entries: - options['seealso'] = _entries[0]['dn'] + if options.get('seealso'): + hbacrule = options['seealso'] + + try: + hbac = api.Command['hbacrule_show'](hbacrule, +all=True)['result'] + dn = hbac['dn'] + except errors.NotFound: + return dict(count=0, result=[], truncated=False) + options['seealso'] = dn return super(selinuxusermap_find, self).execute(*args, **options) diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py index 368037dbe..2fdccf3ef 100644 --- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py +++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py @@ -36,6 +36,7 @@ host1 = u'testhost1.%s' % api.env.domain hostdn1 = DN(('fqdn',host1),('cn','computers'),('cn','accounts'), api.env.basedn) hbacrule1 = u'testhbacrule1' +hbacrule2 = u'testhbacrule12' fuzzy_selinuxusermapdn = Fuzzy( 'ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},%s,%s' % (api.env.container_selinux, api.env.basedn) @@ -51,6 +52,7 @@ class test_selinuxusermap(Declarative): ('user_del', [user1], {}), ('host_del', [host1], {}), ('hbacrule_del', [hbacrule1], {}), + ('hbacrule_del', [hbacrule2], {}), ] tests = [ 
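Review bot: `if options.get('seealso'):` changes what happens when the option is present but empty: the old code removed `seealso` from `options` in every case, whereas the new code forwards the empty value to `LDAPSearch.execute`, where it presumably ends up in the search filter. Taking the option out with `pop` restores the old contract and removes the `hbacrule` temporary as well. The comment above the branch still says `find the uuid` while the code now looks up the DN; `# --hbacrule is given as a rule name; resolve it to the rule DN, which is what seealso stores` matches the code. `all=True` on `hbacrule_show` fetches every attribute only to read `dn`; if `dn` is part of the default result (the test file's expectations for hbacrule_add suggest so, but I have not confirmed it for hbacrule_show) the flag can be dropped. The whole of execute is inside the hunk.
```python
        # --hbacrule is given as a rule name; resolve it to the rule DN,
        # which is what the seealso attribute stores.
        hbacrule = options.pop('seealso', None)
        if hbacrule:
            try:
                hbac = api.Command['hbacrule_show'](hbacrule,
                                                    all=True)['result']
                dn = hbac['dn']
            except errors.NotFound:
                # No such HBAC rule, so no map can reference it.
                return dict(count=0, result=[], truncated=False)
            options['seealso'] = dn
        # … unchanged: return super(selinuxusermap_find, self).execute(...) …
```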
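Review bot: `hbacrule2 = u'testhbacrule12'` is chosen so that its name starts with hbacrule1's name, which is what makes the later `hbacrule_del` of hbacrule2 a regression test for substring matching in selinuxusermap-find, but nothing at the definition says so and a future cleanup could rename it to something non-overlapping without noticing. Suggest `# Deliberately a superstring of hbacrule1: a substring match on the rule name would wrongly tie this rule to rule1's SELinux map` next to the assignment.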
@@ -310,6 +312,26 @@ class test_selinuxusermap(Declarative): ), + dict( + desc='Create HBAC rule %r' % hbacrule2, + command=( + 'hbacrule_add', [hbacrule2], {} + ), + expected=dict( + value=hbacrule2, + summary=u'Added HBAC rule "%s"' % hbacrule2, + result=dict( + cn=[hbacrule2], + objectclass=objectclasses.hbacrule, + ipauniqueid=[fuzzy_uuid], + accessruletype=[u'allow'], + ipaenabledflag=[u'TRUE'], + dn=fuzzy_hbacruledn, + ), + ), + ), + + ############### # Fill out rule with members and/or pointers to HBAC rules dict( @@ -542,6 +564,19 @@ class test_selinuxusermap(Declarative): ), + # This tests selinuxusermap-find --hbacrule=<foo> returns an + # exact match + dict( + desc='Try to delete similarly named HBAC rule %r' % hbacrule2, + command=('hbacrule_del', [hbacrule2], {}), + expected=dict( + result=dict(failed=u''), + value=hbacrule2, + summary=u'Deleted HBAC rule "%s"' % hbacrule2, + ) + ), + + # Test clean up dict( desc='Delete %r' % rule1, |