authorAna Krivokapic <akrivoka@redhat.com>2013-04-12 17:38:09 +0200
committerRob Crittenden <rcritten@redhat.com>2013-04-12 14:07:55 -0400
commitb8b573a966f4be268031ccca5abce09767928ff7 (patch)
tree8f0e2b55e7ff18c4ba4274153fbc3ac8d80e42f1 /ipalib
parentd03255571c9d4c81d92c692fd0b6db6539856cf8 (diff)
Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/__init__.py2
-rw-r--r--ipalib/errors.py15
-rw-r--r--ipalib/parameters.py17
-rw-r--r--ipalib/plugins/hbacrule.py49
-rw-r--r--ipalib/plugins/hbactest.py26
5 files changed, 47 insertions, 62 deletions
diff --git a/ipalib/__init__.py b/ipalib/__init__.py
index aab740081..57f784721 100644
--- a/ipalib/__init__.py
+++ b/ipalib/__init__.py
@@ -885,7 +885,7 @@ from backend import Backend
from frontend import Command, LocalOrRemote, Updater
from frontend import Object, Method, Property
from crud import Create, Retrieve, Update, Delete, Search
-from parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam
+from parameters import DefaultFrom, Bool, Flag, Int, Decimal, Bytes, Str, IA5Str, Password, DNParam, DeprecatedParam
from parameters import BytesEnum, StrEnum, AccessTime, File
from errors import SkipPluginModule
from text import _, ngettext, GettextFactory, NGettextFactory
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 658c8cbc2..716decb2b 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -796,6 +796,21 @@ class PromptFailed(InvocationError):
format = _('Could not get %(name)s interactively')
+class DeprecationError(InvocationError):
+ """
+ **3015** Raise when a command has been deprecated
+
+ For example:
+
+ >>> raise DeprecationError(name='hbacrule_add_sourcehost')
+ Traceback (most recent call last):
+ ...
+ DeprecationError: Command 'hbacrule_add_sourcehost' has been deprecated
+ """
+ errno = 3015
+ format = _("Command '%(name)s' has been deprecated")
+
+
##############################################################################
# 4000 - 4999: Execution errors
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index a934a8fb2..ab4b83216 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1800,6 +1800,23 @@ class DNParam(Param):
error=ugettext(e))
return dn
+
+class DeprecatedParam(Any):
+ kwargs = Param.kwargs + (
+ ('deprecate', bool, True),
+ )
+
+ def __init__(self, name, *rules, **kw):
+ if 'flags' in kw:
+ kw['flags'] = list(kw['flags']) + ['no_option']
+ else:
+ kw['flags'] = ['no_option']
+
+ super(DeprecatedParam, self).__init__(name, *rules, **kw)
+
+ def _rule_deprecate(self, _, value):
+ return _('this option is deprecated')
+
def create_param(spec):
"""
Create an `Str` instance from the shorthand ``spec``.
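Review bot: `DeprecatedParam` has no docstring, so a reader has to infer from `__init__` and `_rule_deprecate` that the param always carries the `no_option` flag and that its rule returns an error message for any value it is asked to validate. A short class docstring would cover it, for example `"""Placeholder for a removed option: hidden from the CLI and rejected with 'this option is deprecated' when a value is supplied."""`. Separately, the class derives from `Any` but builds `kwargs` from `Param.kwargs`; if `Any` declares kwargs of its own (not visible in this hunk) they are dropped, so `Any.kwargs + (...)` would be the safer base. The hunk ends inside the unchanged docstring of `create_param`.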
diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
index 41aaf97ee..5cc8bc1a3 100644
--- a/ipalib/plugins/hbacrule.py
+++ b/ipalib/plugins/hbacrule.py
@@ -18,7 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors
-from ipalib import AccessTime, Password, Str, StrEnum, Bool
+from ipalib import AccessTime, Password, Str, StrEnum, Bool, DeprecatedParam
from ipalib.plugins.baseldap import *
from ipalib import _, ngettext
@@ -150,7 +150,7 @@ class hbacrule(LDAPObject):
exclude='webui',
flags=['no_option', 'no_output'],
),
- # FIXME: {user,host,sourcehost,service}categories should expand in the future
+ # FIXME: {user,host,service}categories should expand in the future
StrEnum('usercategory?',
cli_name='usercat',
label=_('User category'),
@@ -163,12 +163,7 @@ class hbacrule(LDAPObject):
doc=_('Host category the rule applies to'),
values=(u'all', ),
),
- StrEnum('sourcehostcategory?',
- cli_name='srchostcat',
- label=_('Source host category'),
- doc=_('Source host category the rule applies to'),
- values=(u'all', ),
- ),
+ DeprecatedParam('sourcehostcategory?'),
StrEnum('servicecategory?',
cli_name='servicecat',
label=_('Service category'),
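Review bot: `DeprecatedParam('sourcehostcategory?')` replaces a labelled `StrEnum` with no comment saying why the name is still declared; the same applies to `sourcehost_host?` and `sourcehost_hostgroup?` in the next hunk and to `sourcehost?` in hbactest.py. A one-line comment such as `# deprecated; kept so API callers get an explicit error (ticket 3528)` above each would keep a later cleanup from deleting them and changing the failure callers see. It is also worth confirming how show/find output behaves for rules that still carry source-host values in the directory, because these params no longer have a label. The warning text removed from hbactest.py suggests such values were already ignored at evaluation time, so an administrator who believes a rule is limited by source host should still be able to see that it is not. The enclosing parameter tuple starts and ends outside this hunk.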
@@ -203,14 +198,8 @@ class hbacrule(LDAPObject):
label=_('Host Groups'),
flags=['no_create', 'no_update', 'no_search'],
),
- Str('sourcehost_host?',
- label=_('Source Hosts'),
- flags=['no_create', 'no_update', 'no_search'],
- ),
- Str('sourcehost_hostgroup?',
- label=_('Source Host Groups'),
- flags=['no_create', 'no_update', 'no_search'],
- ),
+ DeprecatedParam('sourcehost_host?'),
+ DeprecatedParam('sourcehost_hostgroup?'),
Str('memberservice_hbacsvc?',
label=_('Services'),
flags=['no_create', 'no_update', 'no_search'],
@@ -272,8 +261,6 @@ class hbacrule_mod(LDAPUpdate):
raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users"))
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts"))
- if is_all(options, 'sourcehostcategory') and 'sourcehost' in entry_attrs:
- raise errors.MutuallyExclusiveError(reason=_("sourcehost category cannot be set to 'all' while there are allowed sourcehosts"))
if is_all(options, 'servicecategory') and 'memberservice' in entry_attrs:
raise errors.MutuallyExclusiveError(reason=_("service category cannot be set to 'all' while there are allowed services"))
return dn
@@ -493,39 +480,25 @@ api.register(hbacrule_remove_host)
class hbacrule_add_sourcehost(LDAPAddMember):
- __doc__ = _('Add source hosts and hostgroups from a HBAC rule.')
+ NO_CLI = True
member_attributes = ['sourcehost']
member_count_out = ('%i object added.', '%i objects added.')
- def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
- assert isinstance(dn, DN)
- try:
- (dn, entry_attrs) = ldap.get_entry(dn, self.obj.default_attributes)
- except errors.NotFound:
- self.obj.handle_not_found(*keys)
- if 'sourcehostcategory' in entry_attrs and \
- entry_attrs['sourcehostcategory'][0].lower() == 'all':
- raise errors.MutuallyExclusiveError(reason=_(
- "source hosts cannot be added when sourcehost category='all'"))
- return add_external_pre_callback('host', ldap, dn, keys, options)
-
- def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
- assert isinstance(dn, DN)
- return add_external_post_callback('sourcehost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
+ def validate(self, **kw):
+ raise errors.DeprecationError(name='hbacrule_add_sourcehost')
api.register(hbacrule_add_sourcehost)
class hbacrule_remove_sourcehost(LDAPRemoveMember):
- __doc__ = _('Remove source hosts and hostgroups from an HBAC rule.')
+ NO_CLI = True
member_attributes = ['sourcehost']
member_count_out = ('%i object removed.', '%i objects removed.')
- def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
- assert isinstance(dn, DN)
- return remove_external_post_callback('sourcehost', 'host', 'externalhost', ldap, completed, failed, dn, entry_attrs, keys, options)
+ def validate(self, **kw):
+ raise errors.DeprecationError(name='hbacrule_remove_sourcehost')
api.register(hbacrule_remove_sourcehost)
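Review bot: Both `validate` overrides repeat the command name as a string literal, which can drift from the class name; assuming the plugin base exposes the registered name as `self.name`, `raise errors.DeprecationError(name=self.name)` states it once. With `__doc__` removed, each class should carry a one-line comment saying it is kept only so that API callers receive `DeprecationError`. `member_attributes` and `member_count_out` look unused now that `validate` always raises. Because `hbacrule_remove_sourcehost` is rejected as well, this hunk leaves no API path for clearing `sourcehost` members already stored on a rule; if that is intended, the comment should say so.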
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 25c64ea4d..eeb0281f5 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -18,7 +18,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from ipalib import api, errors, output, util
-from ipalib import Command, Str, Flag, Int
+from ipalib import Command, Str, Flag, Int, DeprecatedParam
from types import NoneType
from ipalib.cli import to_cli
from ipalib import _, ngettext
@@ -255,10 +255,7 @@ class hbactest(Command):
label=_('User name'),
primary_key=True,
),
- Str('sourcehost?',
- cli_name='srchost',
- label=_('Source host'),
- ),
+ DeprecatedParam('sourcehost?'),
Str('targethost',
cli_name='host',
label=_('Target host'),
@@ -304,7 +301,7 @@ class hbactest(Command):
def execute(self, *args, **options):
# First receive all needed information:
# 1. HBAC rules (whether enabled or disabled)
- # 2. Required options are (user, source host, target host, service)
+ # 2. Required options are (user, target host, service)
# 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output
rules = []
@@ -436,21 +433,6 @@ class hbactest(Command):
except:
pass
- if options.get('sourcehost'):
- warning_flag = True
- if options['sourcehost'] != u'all':
- try:
- request.srchost.name = self.canonicalize(options['sourcehost'])
- srchost_result = self.api.Command.host_show(request.srchost.name)['result']
- groups = srchost_result['memberof_hostgroup']
- if 'memberofindirect_hostgroup' in srchost_result:
- groups += srchost_result['memberofindirect_hostgroup']
- request.srchost.groups = sorted(set(groups))
- except:
- pass
- else:
- warning_flag = False
-
if options['targethost'] != u'all':
try:
request.targethost.name = self.canonicalize(options['targethost'])
@@ -477,8 +459,6 @@ class hbactest(Command):
matched_rules.append(ipa_rule.name)
if res == pyhbac.HBAC_EVAL_DENY:
notmatched_rules.append(ipa_rule.name)
- if warning_flag:
- warning_rules.append(_(u'Sourcehost value of rule "%s" is ignored') % (ipa_rule.name))
except pyhbac.HbacError as (code, rule_name):
if code == pyhbac.HBAC_EVAL_ERROR:
error_rules.append(rule_name)