authorAlexander Bokovoy <abokovoy@redhat.com>2011-11-14 11:23:19 +0200
committerAlexander Bokovoy <abokovoy@redhat.com>2012-01-13 10:07:27 +0200
commit4622812a4f41568ca0c77dbc5a2409dda8b843af (patch)
treeb57d475310436308924e53515f63e26ba68a938c /ipalib
parent638a9701724e4cf6cb0e11ad5a8c61b37019c797 (diff)
Validate sudo RunAsUser/RunAsGroup arguments
FreeIPA SUDO rules use --usercat/--groupcat to specify that a rule applies to all users or groups. Thus, sudorule-add-runasuser and sudorule-add-runasgroup accept specific users and groups and do not accept the ALL reserved word. The patch validates the users and groups passed to these commands and reports appropriate errors when any of them is ALL. Ticket #1496 https://fedorahosted.org/freeipa/ticket/1496
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/sudorule.py39
1 files changed, 38 insertions, 1 deletions
diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 93ca03f0..65a1d854 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -472,13 +472,34 @@ class sudorule_remove_host(LDAPRemoveMember):
api.register(sudorule_remove_host)
-
class sudorule_add_runasuser(LDAPAddMember):
__doc__ = _('Add users and groups for Sudo to execute as.')
member_attributes = ['ipasudorunas']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ def check_validity(runas):
+ v = unicode(runas)
+ if v.upper() == u'ALL':
+ return False
+ return True
+
+ if 'user' in options:
+ for name in options['user']:
+ if not check_validity(name):
+ raise errors.ValidationError(name='runas-user',
+ error=unicode(_("RunAsUser does not accept '%(name)s' as a user name")) %
+ dict(name=name))
+ if 'group' in options:
+ for name in options['group']:
+ if not check_validity(name):
+ raise errors.ValidationError(name='runas-user',
+ error=unicode(_("RunAsUser does not accept '%(name)s' as a group name")) %
+ dict(name=name))
+
+ return dn
+
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
completed_external = 0
# Sift through the user failures. We assume that these are all
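Review bot: The nested `check_validity` helper and the raise-on-ALL loop are written out twice, here and again in `sudorule_add_runasgroup.pre_callback` in the next hunk; a single module-level helper taking the option values, the parameter name and the already-translated message removes the duplication and keeps the two commands from drifting apart. The check is worth keeping strict because, as the `post_callback` comment below suggests, names that fail the user lookup appear to be treated as external users, so without it the literal `ALL` would be stored and later act as sudo's wildcard rather than being rejected. The positional parameters are named `entry_attrs, attrs_list` as in an LDAPCreate pre_callback, but as far as I can tell LDAPAddMember's base pre_callback (outside the hunk) passes the resolved and unresolved member DNs in those positions, so `found, not_found` would be less misleading — please confirm against baseldap. Both methods also lack a docstring; `"""Reject the sudo reserved word ALL; --usercat/--groupcat=all is the supported way to target every user or group."""` would state the purpose of the rule.

```python
def _reject_runas_all(names, param_name, message):
    """Raise ValidationError if any of *names* is the sudo reserved word ALL.

    message is an already-translated format string with a %(name)s slot.
    """
    for name in names:
        if unicode(name).upper() == u'ALL':
            raise errors.ValidationError(name=param_name,
                                         error=message % dict(name=name))


class sudorule_add_runasuser(LDAPAddMember):
    # … unchanged: __doc__, member_attributes, member_count_out …

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        _reject_runas_all(options.get('user') or (), 'runas-user',
            unicode(_("RunAsUser does not accept '%(name)s' as a user name")))
        _reject_runas_all(options.get('group') or (), 'runas-user',
            unicode(_("RunAsUser does not accept '%(name)s' as a group name")))
        return dn
```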
@@ -547,6 +568,22 @@ class sudorule_add_runasgroup(LDAPAddMember):
member_attributes = ['ipasudorunasgroup']
member_count_out = ('%i object added.', '%i objects added.')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ def check_validity(runas):
+ v = unicode(runas)
+ if v.upper() == u'ALL':
+ return False
+ return True
+
+ if 'group' in options:
+ for name in options['group']:
+ if not check_validity(name):
+ raise errors.ValidationError(name='runas-group',
+ error=unicode(_("RunAsGroup does not accept '%(name)s' as a group name")) %
+ dict(name=name))
+
+ return dn
+
def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
completed_external = 0
# Sift through the group failures. We assume that these are all