[Freeipa-devel] [WIP] Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 25 15:05:14 UTC 2011


On 25.07.2011 17:13, Dmitri Pal wrote:
> On 07/25/2011 10:12 AM, Rob Crittenden wrote:
>> My only problem with --all is it means we'd have an option with
>> different meaning in different contexts. Would this cause confusion?
> 
> Yes this is exactly where I am coming from too.
I see where you are going, but the problem here is that the original
--all has one important issue:
- it changes CLI output even if I don't use output.Entry() in the
plugin's has_output spec.

This creates confusion from another perspective -- we can't use --all for
saying 'I want the simulation to apply to ALL IPA enabled rules' and
this makes it impossible to distinguish two cases:
  - I want to run simulation against enabled IPA rules and the ones I
specified in --rules command *with* detailed information which rules
passed and which did not (ipa hbactest --rules=[list] --all --detail).
  - I want to run simulation against enabled IPA rules and the ones I
specified in --rules command *without* detailed information which rules
passed and which did not (ipa hbactest --rules=[list] --all).

I had to override output_for_cli() to disable this behavior.

I'd love to disable the standard --all and --raw for the hbactest command
because they make little sense for it. If --all is seen as confusing
with regard to uniform handling with other options, I can propose the
following two options:

--enabled -- add all enabled IPA rules into simulation
--disabled -- add all disabled IPA rules into simulation

ipa [...] --rules=[list] --[enabled|disabled] [--detail]

would cover:

1. Test user against rules specified in --rules, optionally adding all
enabled (disabled) IPA rules and show detailed information which rules
passed and which did not.

2. Test user against rules specified in --rules, optionally adding all
enabled (disabled) IPA rules and report whether user would pass the check.

-- 
/ Alexander Bokovoy



