-rw-r--r-- | ipalib/plugins/hbac.py | 96 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_hbac_plugin.py | 29 |
2 files changed, 108 insertions, 17 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py
index 34dbae07e..12be2eb6c 100644
--- a/ipalib/plugins/hbac.py
+++ b/ipalib/plugins/hbac.py
@@ -73,9 +73,25 @@ class hbac(LDAPObject):
 cli_name='service',
 doc='name of service the rule applies to (e.g. ssh)',
 ),
- GeneralizedTime('accesstime?',
+ # FIXME: {user,host,sourcehost}categories should expand in the future
+ StrEnum('usercategory?',
+ cli_name='usercat',
+ doc='user category the rule applies to',
+ values=(u'all', ),
+ ),
+ StrEnum('hostcategory?',
+ cli_name='hostcat',
+ doc='host category the rule applies to',
+ values=(u'all', ),
+ ),
+ StrEnum('sourcehostcategory?',
+ cli_name='srchostcat',
+ doc='source host category the rule applies to',
+ values=(u'all', ),
+ ),
+ AccessTime('accesstime?',
 cli_name='time',
- doc='access time in generalizedTime format (RFC 4517)',
+ doc='access time',
 ),
 Str('description?',
 cli_name='desc',
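Review bot: The new `doc` strings leave out what an operator needs to know before setting these options on an access-control rule. `doc='access time'` drops the format hint the old text carried, and the three category options do not say that `all` presumably makes the rule match every user, host or source host regardless of the rule's member lists. Suggest `doc='user category the rule applies to ("all" matches every user)'` (and likewise for the two host options), plus a short description or example of the accepted access-time syntax. The enclosing parameter tuple starts and ends outside this hunk.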
@@ -201,6 +217,82 @@ class hbac_disable(LDAPQuery):
 api.register(hbac_disable)
+class hbac_add_accesstime(LDAPQuery):
+ """
+ Add access time to HBAC rule.
+ """
+ takes_options = (
+ GeneralizedTime('accesstime',
+ cli_name='time',
+ doc='access time',
+ ),
+ )
+
+ def execute(self, cn, **options):
+ ldap = self.obj.backend
+
+ dn = self.obj.get_dn(cn)
+
+ (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime'])
+ entry_attrs.setdefault('accesstime', []).append(
+ options['accesstime']
+ )
+ try:
+ ldap.update_entry(dn, entry_attrs)
+ except errors.EmptyModlist:
+ pass
+
+ return True
+
+ def output_for_cli(self, textui, result, cn, **options):
+ textui.print_name(self.name)
+ textui.print_dashed(
+ 'Added access time "%s" to HBAC rule "%s"' % (
+ options['accesstime'], cn
+ )
+ )
+
+api.register(hbac_add_accesstime)
+
+
+class hbac_remove_accesstime(LDAPQuery):
+ """
+ Remove access time to HBAC rule.
+ """
+ takes_options = (
+ GeneralizedTime('accesstime?',
+ cli_name='time',
+ doc='access time',
+ ),
+ )
+
+ def execute(self, cn, **options):
+ ldap = self.obj.backend
+
+ dn = self.obj.get_dn(cn)
+
+ (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime'])
+ try:
+ entry_attrs.setdefault('accesstime', []).remove(
+ options['accesstime']
+ )
+ ldap.update_entry(dn, entry_attrs)
+ except (ValueError, errors.EmptyModlist):
+ pass
+
+ return True
+
+ def output_for_cli(self, textui, result, cn, **options):
+ textui.print_name(self.name)
+ textui.print_dashed(
+ 'Removed access time "%s" from HBAC rule "%s"' % (
+ options['accesstime'], cn
+ )
+ )
+
+api.register(hbac_remove_accesstime)
+
+
 class hbac_add_user(LDAPAddMember):
 """
 Add users and groups affected by HBAC rule.
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py
index caa916acf..0393d68d2 100644
--- a/tests/test_xmlrpc/test_hbac_plugin.py
+++ b/tests/test_xmlrpc/test_hbac_plugin.py
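Review bot: In ipalib/plugins/hbac.py both new commands declare their option as `GeneralizedTime`, while the first hunk of this commit switches the rule object's own `accesstime?` to `AccessTime`, so values written through `hbac_add_accesstime` appear to skip the validation the object now applies; use `AccessTime('accesstime', ...)` in both `takes_options`. In `hbac_remove_accesstime` the option is declared optional (`'accesstime?'`), yet `execute` and `output_for_cli` index `options['accesstime']` unconditionally. The `ValueError` raised by `.remove()` is also swallowed, so the command still returns `True` and prints `Removed access time ...` when nothing was removed from the rule, which misleads whoever is tightening access. Make the option required and report the no-match case instead of `pass`. The docstring should read `Remove access time from HBAC rule.`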
@@ -34,6 +34,7 @@ class test_hbac(XMLRPC_test):
 rule_type_fail = u'value not allowed'
 rule_service = u'ssh'
 rule_time = u'absolute 20081010000000 ~ 20081015120000'
+ rule_time2 = u'absolute 20081010000000 ~ 20081016120000'
 # wrong time, has 30th day in February in first date
 rule_time_fail = u'absolute 20080230000000 ~ 20081015120000'
 rule_desc = u'description'
@@ -59,8 +60,8 @@ class test_hbac(XMLRPC_test):
 assert_attr_equal(res, 'cn', self.rule_name)
 assert_attr_equal(res, 'accessruletype', self.rule_type)
 assert_attr_equal(res, 'servicename', self.rule_service)
- assert_attr_equal(res, 'ipaenabledflag', 'enabled')
 assert_attr_equal(res, 'accesstime', self.rule_time)
+ assert_attr_equal(res, 'ipaenabledflag', 'TRUE')
 assert_attr_equal(res, 'description', self.rule_desc)
 def test_1_hbac_add(self):
@@ -85,8 +86,8 @@ class test_hbac(XMLRPC_test):
 assert_attr_equal(res, 'cn', self.rule_name)
 assert_attr_equal(res, 'accessruletype', self.rule_type)
 assert_attr_equal(res, 'servicename', self.rule_service)
- assert_attr_equal(res, 'ipaenabledflag', 'enabled')
 assert_attr_equal(res, 'accesstime', self.rule_time)
+ assert_attr_equal(res, 'ipaenabledflag', 'TRUE')
 assert_attr_equal(res, 'description', self.rule_desc)
 def test_3_hbac_mod(self):
@@ -99,25 +100,23 @@ class test_hbac(XMLRPC_test):
 assert res
 assert_attr_equal(res, 'description', self.rule_desc_mod)
- def test_4_hbac_mod(self):
+ def test_4_hbac_add_accesstime(self):
 """
- Test setting invalid type of HBAC rule using `xmlrpc.hbac_mod`.
+ Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
 """
- try:
- (dn, res) = api.Command['hbac_mod'](
- self.rule_name, accessruletype=self.rule_type_fail
- )
- except errors.ValidationError:
- pass
- else:
- assert False
+ (dn, res) = api.Command['hbac_add_accesstime'](
+ self.rule_name, accesstime=self.rule_time2
+ )
+ assert res
+ assert_attr_equal(res, 'accesstime', self.rule_time);
+ assert_attr_equal(res, 'accesstime', self.rule_time2);
- def test_5_hbac_mod(self):
+ def test_5_hbac_add_accesstime(self):
 """
- Test setting invalid time in HBAC rule using `xmlrpc.hbac_mod`.
+ Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
 """
 try:
- (dn, res) = api.Command['hbac_mod'](
+ api.Command['hbac_add_accesstime'](
 self.rule_name, accesstime=self.rule_time_fail
 )
 except errors.ValidationError: |
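Review bot: `test_4_hbac_add_accesstime` unpacks the command result as `(dn, res)`, but `hbac_add_accesstime.execute` in this same commit ends with `return True`, so unless the framework wraps the result the unpacking fails before any assertion runs. Either return the updated entry from `execute` or re-read the rule in the test before asserting on `accesstime`. The hunk also removes the negative test for an invalid `accessruletype` and adds no test for `hbac_remove_accesstime` or the new category options, which leaves rejection paths of an access-control plugin unexercised. The trailing semicolons on the two `assert_attr_equal` lines can be dropped. `test_5_hbac_add_accesstime` continues past the end of the hunk.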