From 1e04e9f02978592d861895bd14e8b3a2ee2c7100 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 10 Jan 2012 11:15:26 +0200 Subject: Allow hbactest to work with HBAC rules exceeding default IPA limits When multiple HBAC rules are defined, IPA default limits to retrieve objects may limit the scope of HBAC testing. To allow full range of rules to be tested support for --sizelimit option is added. In addition, when --rules option is specified, make sure only those rules are retrieved regardless total number of rules defined. This should also speed up HBAC test performance for real life scenarios when few new rules are added to large collection of rules. https://fedorahosted.org/freeipa/ticket/2230 --- ipalib/plugins/hbactest.py | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) (limited to 'ipalib/plugins/hbactest.py') diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py index f1b608d2..92b7145a 100644 --- a/ipalib/plugins/hbactest.py +++ b/ipalib/plugins/hbactest.py @@ -18,7 +18,7 @@ # along with this program. If not, see . from ipalib import api, errors, output -from ipalib import Command, Str, Flag +from ipalib import Command, Str, Flag, Int from types import NoneType from ipalib.cli import to_cli from ipalib import _, ngettext @@ -40,7 +40,7 @@ having access to the production environment. ipa hbactest --user= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] - [--srchost= ] + [--srchost= ] [--sizelimit= ] --user, --host, and --service are mandatory, others are optional. @@ -57,6 +57,8 @@ having access to the production environment. all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. + By default there is a IPA-wide limit to number of entries fetched, you can change it + with --sizelimit option. If --srchost is specified, it will be ignored. It is left because of compatibility reasons only. @@ -208,6 +210,13 @@ class hbactest(Command): cli_name='disabled', label=_('Include all disabled IPA rules into test'), ), + Int('sizelimit?', + label=_('Size Limit'), + doc=_('Maximum number of rules to process when no --rules is specified'), + flags=['no_display'], + minvalue=0, + autofill=False, + ), ) def canonicalize(self, host): @@ -224,7 +233,6 @@ class hbactest(Command): # 2. Required options are (user, source host, target host, service) # 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output rules = [] - hbacset = self.api.Command.hbacrule_find()['result'] # Use all enabled IPA rules by default all_enabled = True @@ -238,6 +246,10 @@ class hbactest(Command): all_enabled = False all_disabled = False + sizelimit = None + if 'sizelimit' in options: + sizelimit = int(options['sizelimit']) + # Check if --disabled is specified, include all disabled IPA rules if options['disabled']: all_disabled = True @@ -247,6 +259,16 @@ class hbactest(Command): if options['enabled']: all_enabled = True + hbacset = [] + if len(testrules) == 0: + hbacset = self.api.Command.hbacrule_find(sizelimit=sizelimit)['result'] + else: + for rule in testrules: + try: + hbacset.append(self.api.Command.hbacrule_show(rule)['result']) + except: + pass + # We have some rules, import them # --enabled will import all enabled rules (default) # --disabled will import all disabled rules -- cgit