author | Alexander Bokovoy <abokovoy@redhat.com> | 2011-10-11 11:25:24 +0300 |
committer | Rob Crittenden <rcritten@redhat.com> | 2011-10-10 17:09:22 -0400 |
commit | 3e1c04f9333ac3f4333d5cf99579e85a44c9573b (patch) | |
tree | f4e707706ae2d43f2c3629f51c3088e080e44fb5 | |
parent | ff3d3c0ab376ead2d48513c18cdd82c86ccf1382 (diff) | |
Include indirect membership and canonicalize hosts during HBAC rules testing
When users and hosts are included in groups indirectly, make sure that
during an HBAC test we fill in all indirect groups properly in the HBAC request.
Also, if the hosts provided for the test are not fully qualified, canonicalize them
using the IPA domain.
This makes the following requests possible:
ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd
Request to evaluate:
<user <name foobar groups [hbacusers,ipausers]>
service <name sshd groups []>
targethost <name vm-101.ipa.local groups []>
srchost <name vm-101.ipa.local groups []>
>
Fixes:
https://fedorahosted.org/freeipa/ticket/1862
https://fedorahosted.org/freeipa/ticket/1949
-rw-r--r-- | ipalib/plugins/hbactest.py | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index 75442451c..9b33dafa4 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -204,6 +204,14 @@ class hbactest(Command):
         ),
     )
+    def canonicalize(self, host):
+        """
+        Canonicalize the host name -- add default IPA domain if that is missing
+        """
+        if host.find('.') == -1:
+            return u'%s.%s' % (host, self.env.domain)
+        return host
+
     def execute(self, *args, **options):
         # First receive all needed information:
         # 1. HBAC rules (whether enabled or disabled)
@@ -264,7 +272,11 @@ class hbactest(Command):
         if options['user'] != u'all':
             try:
                 request.user.name = options['user']
-                request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+                search_result = self.api.Command.user_show(request.user.name)['result']
+                groups = search_result['memberof_group']
+                if 'memberofindirect_group' in search_result:
+                    groups += search_result['memberofindirect_group']
+                request.user.groups = sorted(set(groups))
             except:
                 pass
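Review bot: `host.find('.') == -1` in canonicalize is the C-style spelling of a membership test; `if '.' not in host:` says the same thing directly and avoids the sentinel comparison. The docstring could also state where the default comes from, e.g. `Append self.env.domain when the host name contains no dot; names that already contain a dot are returned unchanged.` An empty host string would come back as just `.<domain>` here, which presumably cannot match any host entry — worth confirming whether the option layer already rejects empty values before this is reached.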
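Review bot: `groups += search_result['memberofindirect_group']` extends the list object held inside `search_result` in place rather than building a new one, so the user_show result is silently mutated; `groups = list(search_result['memberof_group'])` before the `+=` (or `groups = search_result['memberof_group'] + search_result['memberofindirect_group']`) keeps the lookup result intact. The same in-place `+=` pattern appears in both host branches of the following hunk. The indirect key is guarded with an `in` test but the direct `memberof_group` key is not; if user_show omits that key for a user with no direct groups (not visible here — verify against the user plugin), the KeyError is swallowed by the pre-existing bare `except: pass`, `request.user.groups` is never assigned, and the test runs against whatever default the request object carries. `search_result.get('memberof_group', [])` would make the empty case explicit. The enclosing execute method starts and ends outside this hunk.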
@@ -278,19 +290,23 @@ class hbactest(Command):
         if options['sourcehost'] != u'all':
             try:
-                request.srchost.name = options['sourcehost']
+                request.srchost.name = self.canonicalize(options['sourcehost'])
                 srchost_result = self.api.Command.host_show(request.srchost.name)['result']
-                srchost_groups = srchost_result['memberof_hostgroup']
-                request.srchost.groups = sorted(set(srchost_groups))
+                groups = srchost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in srchost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.srchost.groups = sorted(set(groups))
             except:
                 pass
         if options['targethost'] != u'all':
             try:
-                request.targethost.name = options['targethost']
+                request.targethost.name = self.canonicalize(options['targethost'])
                 tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
-                tgthost_groups = tgthost_result['memberof_hostgroup']
-                request.targethost.groups = sorted(set(tgthost_groups))
+                groups = tgthost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in tgthost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.targethost.groups = sorted(set(groups))
             except:
                 pass
|
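Review bot: Both indirect-hostgroup lines read from `search_result`, which is the user_show result of the earlier user branch, instead of the host result they guard on; they should be `groups += srchost_result['memberofindirect_hostgroup']` and `groups += tgthost_result['memberofindirect_hostgroup']`. As written, whenever a host has indirect hostgroup membership the lookup raises (KeyError on the user dict, or NameError when `--user all` left `search_result` unbound), the pre-existing bare `except: pass` swallows it, and `request.srchost.groups` / `request.targethost.groups` is never assigned for that host — so the HBAC test silently evaluates the rules against incomplete host membership and can report a different allow/deny outcome than the real HBAC evaluation would. Because the exception is hidden, nothing in the output indicates that the group data was dropped; a log line in the except branch would at least make such failures visible. The enclosing execute method starts and ends outside this hunk.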