From 1af36da933cd3c788e3a48257e2f5c286e985e22 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Mon, 21 May 2012 05:03:21 -0400
Subject: Disallow setattr on no_update/no_create params
Make --{set,add,del}attr fail on parameters with the no_update/no_create flag for the respective command. For attributes that can be modified, but we just don't want to display in the CLI, use the 'no_option' flag. These are "locking" attributes (ipaenabledflag, nsaccountlock) and externalhost. Document the 'no_option' flag. Add some tests. https://fedorahosted.org/freeipa/ticket/2580
---
 ipalib/plugins/baseldap.py | 18 ++++++++----------
 ipalib/plugins/hbacrule.py | 6 +++---
 ipalib/plugins/selinuxusermap.py | 6 +++---
 ipalib/plugins/sudorule.py | 6 +++---
 ipalib/plugins/user.py | 2 +-
 5 files changed, 18 insertions(+), 20 deletions(-) (limited to 'ipalib/plugins')
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2851f0f27..7664928be 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -320,7 +320,7 @@ def validate_externalhost(ugettext, hostname):
 external_host_param = Str('externalhost*', validate_externalhost, label=_('External host'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
 )
@@ -819,6 +819,11 @@ last, after all sets and adds."""),
 m = re.match("\s*(.*?)\s*=\s*(.*?)\s*$", a)
 attr = str(m.group(1)).lower()
 value = m.group(2)
+ if attr in self.obj.params and attr not in self.params:
+ # The attribute is managed by IPA, but it didn't get cloned
+ # to the command. This happens with no_update/no_create attrs.
+ raise errors.ValidationError(
+ name=attr, error=_('attribute is not configurable'))
 if len(value) == 0:
 # None means "delete this attribute"
 value = None
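Review bot: `no_option` only hides `externalhost` from the CLI, so with `no_create`/`no_update`/`no_search` dropped the parameter is again part of the add, mod and find commands and can be supplied by any API client or through `--setattr`; nothing at the definition records that. The same swap is made for `ipaenabledflag` in hbacrule.py, selinuxusermap.py and sudorule.py and for `nsaccountlock` in user.py, so rule enablement and account locking are presumably reachable through the generic `*-mod` path as well as the dedicated commands, with the directory ACIs as the only gate. I would state this next to the flag, e.g. `# no_option: hidden from the CLI only; still accepted over the API and by --setattr`, and make sure the tests mentioned in the description exercise the locking attributes as a non-privileged caller. Dropping `no_search` also appears to turn these attributes into find filters, which is worth confirming as intended.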
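Review bot: The guard added after `value = m.group(2)` compares parameter names only, so it rejects a blocked attribute solely when the caller spells it exactly like the IPA parameter (after `.lower()`). An alias or attribute-subtype spelling of the same LDAP attribute is not a key of `self.obj.params` and would not be stopped here; this hunk does not show whether names are normalised later, so that needs confirming. The comment should say that this is a convenience check and not the enforcement point, e.g. `# Name-based check only; LDAP ACIs remain the access control for these attributes`. The enclosing method starts and ends outside the hunk.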
@@ -919,17 +924,10 @@ last, after all sets and adds."""),
 # normalize all values
 changedattrs = setattrs | addattrs | delattrs
 for attr in changedattrs:
- if attr in self.obj.params:
+ if attr in self.params and self.params[attr].attribute:
 # convert single-value params to scalars
+ param = self.params[attr]
 value = entry_attrs[attr]
- try:
- param = self.params[attr]
- except KeyError:
- # The CRUD classes filter their disallowed parameters out.
- # Yet {set,add,del}attr are powerful enough to change these
- # (e.g. Config's ipacertificatesubjectbase)
- # So, use the parent's attribute
- param = self.obj.params[attr]
 if not param.multivalue:
 if len(value) == 1:
 value = value[0]
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 33440ccde..460083622 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -18,7 +18,7 @@
 # along with this program. If not, see .
 from ipalib import api, errors
-from ipalib import AccessTime, Password, Str, StrEnum
+from ipalib import AccessTime, Password, Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
@@ -183,9 +183,9 @@ class hbacrule(LDAPObject):
 cli_name='desc',
 label=_('Description'),
 ),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
 label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
 ),
 Str('memberuser_user?',
 label=_('Users'),
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e33e10161..e6179cee9 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -18,7 +18,7 @@
 # along with this program. If not, see .
 from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.plugins.hbacrule import is_all
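Review bot: The rewritten condition `if attr in self.params and self.params[attr].attribute:` carries no comment, while the `try/except KeyError` it replaces explained its own reasoning. With the fallback to `self.obj.params` gone, any attribute that is not a parameter of this command now skips the single-value-to-scalar conversion silently; that is only safe because the `--setattr` parsing earlier in the file rejects object parameters that were not cloned. State that coupling and the reason for the `.attribute` test here, e.g. `# Params filtered out of this command are rejected while parsing --setattr; only LDAP-backed params are normalised here`. The removed comment names Config's `ipacertificatesubjectbase` as something `--setattr` could change, so existing callers doing that will presumably now get a ValidationError and that deserves a release note. The loop body continues past the end of the hunk.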
@@ -172,9 +172,9 @@ class selinuxusermap(LDAPObject):
 cli_name='desc',
 label=_('Description'),
 ),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
 label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
 ),
 Str('memberuser_user?',
 label=_('Users'),
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 2c0358e87..723cce2e4 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -18,7 +18,7 @@
 # along with this program. If not, see .
 from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.hbacrule import is_all
 from ipalib import _, ngettext
@@ -110,9 +110,9 @@ class sudorule(LDAPObject):
 cli_name='desc',
 label=_('Description'),
 ),
- Flag('ipaenabledflag?',
+ Bool('ipaenabledflag?',
 label=_('Enabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
 ),
 StrEnum('usercategory?',
 cli_name='usercat',
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 3bea7af6f..2e069bde3 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -338,7 +338,7 @@ class user(LDAPObject):
 ),
 Bool('nsaccountlock?',
 label=_('Account disabled'),
- flags=['no_create', 'no_update', 'no_search'],
+ flags=['no_option'],
 ),
 Bytes('ipasshpubkey*', validate_sshpubkey,
 cli_name='sshpubkey',
-- cgit