-rw-r--r--cobbler/modules/authz_ownership.py38
-rw-r--r--tests/tests.py34
2 files changed, 22 insertions, 50 deletions
diff --git a/cobbler/modules/authz_ownership.py b/cobbler/modules/authz_ownership.py
index 43cf523..3befc4a 100644
--- a/cobbler/modules/authz_ownership.py
+++ b/cobbler/modules/authz_ownership.py
@@ -35,7 +35,7 @@ def register():
"""
return "authz"
-def __parse_config(debug=False):
+def __parse_config():
etcfile='/etc/cobbler/users.conf'
if not os.path.exists(etcfile):
raise CX(_("/etc/cobbler/users.conf does not exist"))
@@ -43,29 +43,21 @@ def __parse_config(debug=False):
config.read(etcfile)
alldata = {}
sections = config.sections()
- if debug:
- print "[OWNERSHIP] sections=%s" % sections
for g in sections:
alldata[str(g)] = {}
opts = config.options(g)
- if debug:
- print "[OWNERSHIP] for group %s, users: %s" % (g,opts)
for o in opts:
alldata[g][o] = 1
return alldata
-def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False):
+def authorize(api_handle,user,resource,arg1=None,arg2=None):
"""
Validate a user against a resource.
All users in the file are permitted by this module.
"""
- user_groups = __parse_config(debug)
- if debug:
- print "[OWNERSHIP] ------------"
- print "can user %s do %s (arg1=%s)?" % (user,resource,arg1)
- print "consult db: %s" % user_groups
+ user_groups = __parse_config()
# classify the type of operation
save_or_remove = False
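Review bot: The user names stored at `alldata[g][o] = 1` come from `config.options(g)`, and ConfigParser lowercases option names through its default `optionxform`, so a mixed-case entry in users.conf is later compared case-sensitively against `user` in authorize() and never matches. Unless it is already set where the parser is created (outside this hunk), add `config.optionxform = str` before `config.read(etcfile)` so names are kept exactly as written in the file. __parse_config() starts in the previous hunk and the authorize() body continues past this one.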
@@ -79,29 +71,21 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False):
found_user = False
for g in user_groups:
for x in user_groups[g]:
- if debug:
- print "[OWNERSHIP] noted user %s in group %s" % (x,g)
if x == user:
found_user = True
# if user is in the admin group, always authorize
# regardless of the ownership of the object.
if g == "admins" or g == "admin":
- if debug:
- print "[OWNERSHIP] user %s is an admin, PASS" % user
return 1
break
if not found_user:
# if the user isn't anywhere in the file, reject regardless
# they can still use read-only XMLRPC
- if debug:
- print "[OWNERSHIP] user %s not found in list, FAIL" % user
return 0
if not save_or_remove:
# sufficient to allow access for non save/remove ops to all
# users for now, may want to refine later.
- if debug:
- print "[OWNERSHIP] user %s is cleared for non-edit ops, PASS" % user
return 1
# now we have a save_or_remove op, so we must check ownership
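Review bot: With the prints gone, the denial path at `if not found_user:` here and the default reject at the end of the hunk at @@ -121 leave no record of who was refused what, which is the one thing an authorization module should keep visible. Rather than dropping the diagnostic outright, replace it with a logging call such as `logging.getLogger(__name__).info("authz_ownership: user %s not in users.conf, denying %s", user, resource)` on each `return 0` path; the PASS paths can stay quiet if noise is the concern. authorize() starts in the previous hunk and continues after this one.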
@@ -110,8 +94,6 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False):
obj = None
if resource.find("remove") != -1:
- if debug:
- print "[OWNERSHIP] looking up object %s" % (arg1)
if resource == "remove_distro":
obj = api_handle.find_distro(arg1)
elif resource == "remove_profile":
@@ -121,33 +103,23 @@ def authorize(api_handle,user,resource,arg1=None,arg2=None,debug=False):
elif resource == "remove_repo":
obj = api_handle.find_system(arg1)
elif resource.find("save") != -1 or resource.find("modify") != -1:
- if debug:
- print "[OWNERSHIP] object being considered is: %s for %s" % (arg1, resource)
obj = arg1
# if the object has no ownership data, allow access regardless
if obj.owners is None or obj.owners == []:
- if debug:
- print "[OWNERSHIP] user %s is cleared, object is not owned, PASS" % user
return 1
# otherwise, ownership by user/group
for allowed in obj.owners:
if user == allowed:
# user match
- if debug:
- print "[OWNERSHIP] user %s in match list, PASS" % user
return 1
for group in user_groups:
if group == allowed and user in user_groups[group]:
- if debug:
- print "[OWNERSHIP] user %s matched by group (%s), PASS" % (user, group)
return 1
# can't find user or group in ownership list and ownership is defined
# so reject the operation
- if debug:
- print "[OWNERSHIP] user %s rejected by default policy, FAIL" % user
return 0
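Review bot: `obj` is still None at `if obj.owners is None or obj.owners == []:` whenever the `find_*` lookup returns nothing or `resource` falls through both the remove and the save/modify branches, so the check dies with an AttributeError instead of returning a decision; add `if obj is None: return 0` directly before that line so an unresolvable object is denied rather than crashing the caller. Separately, the `remove_repo` branch calls `api_handle.find_system(arg1)`, which looks like a copy-paste slip — the repo lookup (presumably `find_repo`) is what the ownership check needs there. authorize() starts in an earlier hunk.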
@@ -160,5 +132,5 @@ if __name__ == "__main__":
d = api.find_distro("F9B-i386")
d.set_owners(["allowed"])
api.add_distro(d)
- print authorize(api, "admin1", "save_distro", d, debug=True)
- print authorize(api, "basement2", "save_distro", d, debug=True)
+ print authorize(api, "admin1", "save_distro", d)
+ print authorize(api, "basement2", "save_distro", d)
diff --git a/tests/tests.py b/tests/tests.py
index 426ddf2..c3cbea7 100644
--- a/tests/tests.py
+++ b/tests/tests.py
@@ -126,8 +126,8 @@ class Ownership(BootTest):
authorize = authz_module.authorize
# if the users.conf file exists, back it up for the tests
- #if os.path.exists("/etc/cobbler/users.conf"):
- # shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")
+ if os.path.exists("/etc/cobbler/users.conf"):
+ shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")
fd = open("/etc/cobbler/users.conf","w+")
fd.write("\n")
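Review bot: The backup at `shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")` writes to a fixed name in a world-writable directory, and this test evidently runs with enough privilege to rewrite /etc/cobbler/users.conf, so a pre-existing file or symlink at that path would be followed or clobbered. Create the backup with `tempfile.mkstemp(prefix="cobbler_ubak")`, close the descriptor and copy into the returned path, keeping that path on `self` so the restore at the end of the test can find it; `tempfile` would need importing at the top of the file, which is outside this hunk. The enclosing test method continues past the hunk.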
@@ -151,41 +151,41 @@ class Ownership(BootTest):
# same applies to basement1 who is explicitly added as a user
# and superlab1 who is in a group in the ownership list
for user in ["admin1","superlab1","basement1"]:
- self.assertTrue(1==authorize(self.api, user, "save_distro", xo, debug=True),"%s can save_distro" % user)
- self.assertTrue(1==authorize(self.api, user, "modify_distro", xo, debug=True),"%s can modify_distro" % user)
- self.assertTrue(1==authorize(self.api, user, "copy_distro", xo, debug=True),"%s can copy_distro" % user)
- self.assertTrue(1==authorize(self.api, user, "remove_distro", xn, debug=True),"%s can remove_distro" % user)
+ self.assertTrue(1==authorize(self.api, user, "save_distro", xo),"%s can save_distro" % user)
+ self.assertTrue(1==authorize(self.api, user, "modify_distro", xo),"%s can modify_distro" % user)
+ self.assertTrue(1==authorize(self.api, user, "copy_distro", xo),"%s can copy_distro" % user)
+ self.assertTrue(1==authorize(self.api, user, "remove_distro", xn),"%s can remove_distro" % user)
# ensure all users in the file can sync
for user in [ "admin1", "superlab1", "basement1", "basement2" ]:
- self.assertTrue(1==authorize(self.api, user, "sync", debug=True))
+ self.assertTrue(1==authorize(self.api, user, "sync"))
# make sure basement2 can't edit (not in group)
# and same goes for "dne" (does not exist in users.conf)
for user in [ "basement2", "dne" ]:
- self.assertTrue(0==authorize(self.api, user, "save_distro", xo, debug=True), "user %s cannot save_distro" % user)
- self.assertTrue(0==authorize(self.api, user, "modify_distro", xo, debug=True), "user %s cannot modify_distro" % user)
- self.assertTrue(0==authorize(self.api, user, "remove_distro", xn, debug=True), "user %s cannot remove_distro" % user)
+ self.assertTrue(0==authorize(self.api, user, "save_distro", xo), "user %s cannot save_distro" % user)
+ self.assertTrue(0==authorize(self.api, user, "modify_distro", xo), "user %s cannot modify_distro" % user)
+ self.assertTrue(0==authorize(self.api, user, "remove_distro", xn), "user %s cannot remove_distro" % user)
# basement2 is in the file so he can still copy
- self.assertTrue(1==authorize(self.api, "basement2", "copy_distro", xo, debug=True), "basement2 can copy_distro")
+ self.assertTrue(1==authorize(self.api, "basement2", "copy_distro", xo), "basement2 can copy_distro")
# dne can not copy or sync either (not in the users.conf)
- self.assertTrue(0==authorize(self.api, "dne", "copy_distro", xo, debug=True), "dne cannot copy_distro")
- self.assertTrue(0==authorize(self.api, "dne", "sync", debug=True), "dne cannot sync")
+ self.assertTrue(0==authorize(self.api, "dne", "copy_distro", xo), "dne cannot copy_distro")
+ self.assertTrue(0==authorize(self.api, "dne", "sync"), "dne cannot sync")
# unlike the distro testdistro0, testrepo0 is unowned
# so any user in the file will be able to edit it.
for user in [ "admin1", "superlab1", "basement1", "basement2" ]:
- self.assertTrue(1==authorize(self.api, user, "save_repo", ro, debug=True), "user %s can save_repo" % user)
+ self.assertTrue(1==authorize(self.api, user, "save_repo", ro), "user %s can save_repo" % user)
# though dne is still not listed and will be denied
- self.assertTrue(0==authorize(self.api, "dne", "save_repo", ro, debug=True), "dne cannot save_repo")
+ self.assertTrue(0==authorize(self.api, "dne", "save_repo", ro), "dne cannot save_repo")
# if we survive, restore the users file as module testing is done
- #if os.path.exists("/tmp/cobbler_ubak"):
- # shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")
+ if os.path.exists("/tmp/cobbler_ubak"):
+ shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")
class MultiNIC(BootTest):
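Review bot: The restore at the end of the test copies in the wrong direction: `shutil.copyfile("/etc/cobbler/users.conf","/tmp/cobbler_ubak")` overwrites the backup with the fixture just written, leaving the host's real users.conf replaced by test data; it should read `shutil.copyfile("/tmp/cobbler_ubak","/etc/cobbler/users.conf")`. It also runs only if every assertion passes, so a single failure leaves the fixture in place for the following tests and for the machine; moving the restore into `tearDown` (or a `try`/`finally` around the assertions) makes it unconditional. When no backup existed, the fixture file should be removed rather than left behind as a live users.conf.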