-rw-r--r-- | ipalib/plugins/hbac.py | 43 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_hbac_plugin.py | 49 |
2 files changed, 47 insertions, 45 deletions
diff --git a/ipalib/plugins/hbac.py b/ipalib/plugins/hbac.py index 117b0753..8e3e44e4 100644 --- a/ipalib/plugins/hbac.py +++ b/ipalib/plugins/hbac.py @@ -21,16 +21,12 @@ Host-based access control Control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can -access a service, or group of services, on a target host. You can also -control the times that the rule is active. +access a service, or group of services, on a target host. You can also specify a category of users, target hosts, and source hosts. This is currently limited to "all", but might be expanded in the future. -The access time(s) of a host are cumulative and are not guaranteed to be -applied in the order displayed. - Target hosts and source hosts in HBAC rules must be hosts managed by IPA. The available services and groups of services are controlled by the @@ -46,13 +42,6 @@ EXAMPLES: Display the properties of a named HBAC rule: ipa hbac-show test1 - Specify that the rule "test1" be active every day between 0800 and 1400: - ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1 - - Specify that the rule "test1" be active once, from 10:32 until 10:33 on - December 16, 2010: - ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1 - Create a rule for a specific service. This lets the user john access the sshd service on any machine from any machine: ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd 
@@ -75,6 +64,22 @@ EXAMPLES: ipa hbac-del allow_server """ + +# AccessTime support is being removed for now. +# +# You can also control the times that the rule is active. +# +# The access time(s) of a host are cumulative and are not guaranteed to be +# applied in the order displayed. +# +# Specify that the rule "test1" be active every day between 0800 and 1400: +# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1 +# +# Specify that the rule "test1" be active once, from 10:32 until 10:33 on +# December 16, 2010: +# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1 + + from ipalib import api, errors from ipalib import AccessTime, Password, Str, StrEnum from ipalib.plugins.baseldap import * @@ -102,7 +107,7 @@ class hbac(LDAPObject): object_class = ['ipaassociation', 'ipahbacrule'] default_attributes = [ 'cn', 'accessruletype', 'ipaenabledflag', - 'accesstime', 'description', 'usercategory', 'hostcategory', + 'description', 'usercategory', 'hostcategory', 'sourcehostcategory', 'servicecategory', 'ipaenabledflag', 'memberuser', 'sourcehost', 'memberhost', 'memberservice', 'memberhostgroup', @@ -155,10 +160,10 @@ class hbac(LDAPObject): doc=_('Service category the rule applies to'), values=(u'all', ), ), - AccessTime('accesstime?', - cli_name='time', - label=_('Access time'), - ), +# AccessTime('accesstime?', +# cli_name='time', +# label=_('Access time'), +# ), Str('description?', cli_name='desc', label=_('Description'), @@ -346,7 +351,7 @@ class hbac_add_accesstime(LDAPQuery): ) ) -api.register(hbac_add_accesstime) +#api.register(hbac_add_accesstime) class hbac_remove_accesstime(LDAPQuery): @@ -386,7 +391,7 @@ class hbac_remove_accesstime(LDAPQuery): ) ) -api.register(hbac_remove_accesstime) +#api.register(hbac_remove_accesstime) class hbac_add_user(LDAPAddMember): diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index 3c1cfaed..51591ea8 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py 
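Review bot: In the `default_attributes` and `takes_params` hunks of class `hbac`, `accesstime` stops being displayed and settable, but nothing in this commit deals with rules that already carry the attribute in the directory. Because `hbac_remove_accesstime` is also unregistered further down, an administrator can no longer see or clear a stored time restriction through this plugin, so the rule shown by `ipa hbac-show` may differ from what an enforcing client evaluates (whether any client honours `accesstime` is not visible here). For an access-control object I would keep the attribute readable, for example by leaving `'accesstime',` in `default_attributes`, or state in the commit message how existing values are cleaned up on upgrade. The class body starts and ends outside these hunks.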
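Review bot: The `#api.register(hbac_add_accesstime)` and `#api.register(hbac_remove_accesstime)` lines leave both command classes fully defined but unreachable, with no comment at the point of change saying why. I would add a line above each, such as `# AccessTime support is disabled for now; this command is intentionally left unregistered.`, so that a later cleanup does not re-enable them by accident. The context line `from ipalib import AccessTime, Password, Str, StrEnum` also still imports `AccessTime`, whose only use visible in this diff is now commented out; other uses may exist outside the hunks. Both class bodies start outside their hunks.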
+++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -55,13 +55,11 @@ class test_hbac(XMLRPC_test): ret = self.failsafe_add(api.Object.hbac, self.rule_name, accessruletype=self.rule_type, - accesstime=self.rule_time, description=self.rule_desc, ) entry = ret['result'] assert_attr_equal(entry, 'cn', self.rule_name) assert_attr_equal(entry, 'accessruletype', self.rule_type) - assert_attr_equal(entry, 'accesstime', self.rule_time) assert_attr_equal(entry, 'ipaenabledflag', 'TRUE') assert_attr_equal(entry, 'description', self.rule_desc) @@ -85,7 +83,6 @@ class test_hbac(XMLRPC_test): entry = api.Command['hbac_show'](self.rule_name)['result'] assert_attr_equal(entry, 'cn', self.rule_name) assert_attr_equal(entry, 'accessruletype', self.rule_type) - assert_attr_equal(entry, 'accesstime', self.rule_time) assert_attr_equal(entry, 'ipaenabledflag', 'TRUE') assert_attr_equal(entry, 'description', self.rule_desc) 
@@ -99,30 +96,30 @@ class test_hbac(XMLRPC_test): entry = ret['result'] assert_attr_equal(entry, 'description', self.rule_desc_mod) - def test_4_hbac_add_accesstime(self): - """ - Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`. - """ - return - ret = api.Command['hbac_add_accesstime']( - self.rule_name, accesstime=self.rule_time2 - ) - entry = ret['result'] - assert_attr_equal(entry, 'accesstime', self.rule_time); - assert_attr_equal(entry, 'accesstime', self.rule_time2); +# def test_4_hbac_add_accesstime(self): +# """ +# Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`. +# """ +# return +# ret = api.Command['hbac_add_accesstime']( +# self.rule_name, accesstime=self.rule_time2 +# ) +# entry = ret['result'] +# assert_attr_equal(entry, 'accesstime', self.rule_time); +# assert_attr_equal(entry, 'accesstime', self.rule_time2); - def test_5_hbac_add_accesstime(self): - """ - Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`. - """ - try: - api.Command['hbac_add_accesstime']( - self.rule_name, accesstime=self.rule_time_fail - ) - except errors.ValidationError: - pass - else: - assert False +# def test_5_hbac_add_accesstime(self): +# """ +# Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`. +# """ +# try: +# api.Command['hbac_add_accesstime']( +# self.rule_name, accesstime=self.rule_time_fail +# ) +# except errors.ValidationError: +# pass +# else: +# assert False def test_6_hbac_find(self): """ |
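Review bot: Commenting out `test_4_hbac_add_accesstime` and `test_5_hbac_add_accesstime` leaves no test that pins the new behaviour, which is that the access-time commands are no longer exposed. A one-line replacement such as `assert 'hbac_add_accesstime' not in api.Command` would catch an accidental re-registration of a command that changes access rules. `test_4` was already inert because its body began with a bare `return`, so deleting both blocks outright would be cleaner than keeping them as comments. The `rule_time`, `rule_time2` and `rule_time_fail` fixtures are presumably unused now, but their definitions lie outside this hunk, as does the rest of `test_hbac`.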