author | Alexander Bokovoy <abokovoy@redhat.com> | 2011-09-12 17:23:56 +0300 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-09-11 21:08:19 -0400 |
commit | 1bdb5d04fe14c92c57a4ef151be9c2eda7ca705f (patch) | |
tree | 2db468ee7c39fedfe5c6e1a4ccc5755760ea6a6b /ipalib | |
parent | 8f0a7bd646aedb3a33ac2b2335972454b8ed3925 (diff) | |
Unroll groups when testing HBAC rules
Fixes https://fedorahosted.org/freeipa/ticket/1740
Diffstat (limited to 'ipalib')
-rw-r--r-- | ipalib/plugins/hbactest.py | 39 |
1 files changed, 34 insertions, 5 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index d0078459..5fce2e5f 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -255,12 +255,41 @@ class hbactest(Command): 'error': testrules, 'matched': None, 'notmatched': None, 'value' : False} - # Rules are converted to pyhbac format, we can test them + # Rules are converted to pyhbac format, build request and then test it request = pyhbac.HbacRequest() - request.user.name = options['user'] - request.service.name = options['service'] - request.srchost.name = options['sourcehost'] - request.targethost.name = options['targethost'] + + if options['user'] != u'all': + try: + request.user.name = options['user'] + request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group'] + except: + pass + + if options['service'] != u'all': + try: + request.service.name = options['service'] + request.service.groups = \ + self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc'] + except: + pass + + if options['sourcehost'] != u'all': + try: + request.srchost.name = options['sourcehost'] + srchost_result = self.api.Command.host_show(request.srchost.name)['result'] + srchost_groups = srchost_result['memberof_hostgroup'] + request.srchost.groups = sorted(set(srchost_groups)) + except: + pass + + if options['targethost'] != u'all': + try: + request.targethost.name = options['targethost'] + tgthost_result = self.api.Command.host_show(request.targethost.name)['result'] + tgthost_groups = tgthost_result['memberof_hostgroup'] + request.targethost.groups = sorted(set(tgthost_groups)) + except: + pass matched_rules = [] notmatched_rules = [] |
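Review bot: The four bare `except: pass` blocks make a failed lookup indistinguishable from an entry that has no group memberships. If `user_show` or `host_show` raises for any reason (entry not found, directory or permission error), the request is evaluated with empty groups, and hbactest can report a group-based rule as not matched without any indication that the simulation was incomplete. For a tool used to validate access policy, it would be safer to treat only the missing-attribute case as empty, for example by keeping the result in a local and reading `.get('memberof_group', [])`, and to let real lookup errors propagate or appear in the returned `error` field. The service branch also looks inverted: it passes the service name to `hbacsvcgroup_show` and stores `member_hbacsvc`, while the other three branches read the entry's own `memberof_*` attribute. Presumably it should read `memberof_hbacsvcgroup` from `self.api.Command.hbacsvc_show(request.service.name)['result']`, which needs confirming against the hbacsvc plugin. The enclosing method starts and ends outside the hunk.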