-rw-r--r-- | ipalib/plugins/config.py | 35 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_config_plugin.py | 28 |
2 files changed, 48 insertions, 15 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index c8230e23a..d632e2edf 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -250,30 +250,35 @@ class config_mod(LDAPUpdate): error=_('%(obj)s default attribute %(attr)s would not be allowed!') \ % dict(obj=obj, attr=obj_attr)) - if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None: - raise errors.ValidationError(name='ipaselinuxusermapdefault', - error=_('SELinux user map default user may not be empty')) - - # Make sure the default user is in the list - if 'ipaselinuxusermapdefault' in options or \ - 'ipaselinuxusermaporder' in options: + # Combine the current entry and options into a single object to + # evaluate. This covers changes via setattr and options. + # Note: this is not done in a validator because we may be changing + # the default user and map list at the same time and we don't + # have both values in a validator. + validate = dict(options) + validate.update(entry_attrs) + if ('ipaselinuxusermapdefault' in validate or + 'ipaselinuxusermaporder' in validate): config = None - if 'ipaselinuxusermapdefault' in options: - defaultuser = options['ipaselinuxusermapdefault'] + failedattr = 'ipaselinuxusermaporder' + if 'ipaselinuxusermapdefault' in validate: + defaultuser = validate['ipaselinuxusermapdefault'] + failedattr = 'ipaselinuxusermapdefault' else: config = ldap.get_ipa_config()[1] - defaultuser = config['ipaselinuxusermapdefault'] + defaultuser = config['ipaselinuxusermapdefault'][0] - if 'ipaselinuxusermaporder' in options: - order = options['ipaselinuxusermaporder'] + if 'ipaselinuxusermaporder' in validate: + order = validate['ipaselinuxusermaporder'] + userlist = order.split('$') else: if not config: config = ldap.get_ipa_config()[1] order = config['ipaselinuxusermaporder'] - userlist = order[0].split('$') + userlist = order[0].split('$') if defaultuser not in userlist: - raise errors.ValidationError(name='ipaselinuxusermaporder', - error=_('Default SELinux user map default user not in order list')) + raise errors.ValidationError(name=failedattr, + error=_('SELinux user map default 
user not in order list')) return dn diff --git a/tests/test_xmlrpc/test_config_plugin.py b/tests/test_xmlrpc/test_config_plugin.py index da549bfb3..6d83f047e 100644 --- a/tests/test_xmlrpc/test_config_plugin.py +++ b/tests/test_xmlrpc/test_config_plugin.py @@ -60,4 +60,32 @@ class test_config(Declarative): expected=errors.RequirementError(name='ipausersearchfields'), ), + dict( + desc='Try to set invalid ipaselinuxusermapdefault', + command=('config_mod', [], + dict(ipaselinuxusermapdefault=u'unknown_u:s0')), + expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'), + ), + + dict( + desc='Try to set invalid ipaselinuxusermapdefault with setattr', + command=('config_mod', [], + dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')), + expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'), + ), + + dict( + desc='Try to set invalid ipaselinuxusermaporder', + command=('config_mod', [], + dict(ipaselinuxusermaporder=u'notfound_u:s0')), + expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'), + ), + + dict( + desc='Try to set new selinux order and invalid default user', + command=('config_mod', [], + dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')), + expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'), + ), + ] |
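Review bot: With the explicit "may not be empty" check removed, `defaultuser not in userlist` is the only guard left on `ipaselinuxusermapdefault`, and `split('$')` yields an empty-string element whenever the order value has a leading, trailing or doubled `$` (the order value in the last new test of this commit starts with `$`). An empty-string default would then pass the membership test; whether setattr can deliver `''` rather than None at this point is not visible in the hunk, so it is worth confirming. Dropping empties in both branches, e.g. `userlist = [u for u in order.split('$') if u]`, and rejecting a falsy `defaultuser` before the lookup would close that gap. Separately, the merged `validate` dict is assumed to hold a plain string for `ipaselinuxusermaporder` while the config path holds a list (`order[0]`); if `entry_attrs` can carry a list or None, `order.split('$')` raises AttributeError instead of a ValidationError. The enclosing method starts before the hunk.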
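Review bot: All four new cases expect a ValidationError on the default user, so several paths the config.py change touches stay unpinned. There is no case for `setattr=u'ipaselinuxusermaporder=...'`, which is the path where the merged value's type matters, and none for an emptied `ipaselinuxusermapdefault`, which the removed "may not be empty" check used to reject. A positive case that changes the order and the default together and succeeds is also missing, although the new comment in config.py names that scenario as the reason for merging options and entry_attrs. Each would be one more `dict(desc=..., command=('config_mod', [], dict(...)), expected=...)` entry in this list.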