[Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules
Alexander Bokovoy
abokovoy at redhat.com
Wed Jul 27 13:12:16 UTC 2011

On 26.07.2011 22:55, Dmitri Pal wrote:
> The tests imply that there are deny rules. We removed them so very soon
> there would be no deny rules. Should the results of the test show
> something like:
>
> ------------------------------
> Access granted : True
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
>
> Or
> ------------------------------
> Access granted : False
> ------------------------------
> Access not granted by any allow rule
> ------------------------------
>
>
> (I do not think you have a test for this case...)
>
>
> Or (for backward compatibility)
> ------------------------------
> Access granted : False
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
> ------------------------------
> Denied by:
> ------------------------------
> A
> B
> C
>
>
> This format seems to be more scriptable. You do not need to deal with
> escaping commas if they are used in the name of the rule.
> But I do not insist - this is just an example of potential output. Rob,
> Martin, do you have any comments, suggestions?

I decided to go with prefixed, one-rule-per-line output with a
'matched'/'notmatched'/'error' prefix. I also changed the default for
detailed output and exposed --nodetail to inhibit it, as Rob has pointed
out.

$ ./ipa hbactest --user=a1a --host=f1f --srchost=f2f --service=ssh
--------------------
Access granted: True
--------------------
matched: allow_all
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: кошка, кот

This is scriptable and also returns the granted/not-granted result in $? so
you can easily test in shell whether the ipa command was successful or not.

Attached is the patch with unit tests and it can be considered for
inclusion.
--
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-3-add-hbactest-command.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110727/5bec0103/attachment.ksh>
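
How a script could consume the prefixed, one-rule-per-line output described in the message above. This is an added example, not part of the original post or of the FreeIPA patch: the helper names are hypothetical, the sample is the output quoted in the message, and the `error: <rule>` line form is assumed by analogy with the two prefixes shown.

```shell
#!/bin/sh
# Added example: consume hbactest output in the prefixed, one-rule-per-line form.

# Constructed sample: the output quoted in the message, embedded so the
# script runs without an IPA server.
SAMPLE_OUTPUT='--------------------
Access granted: True
--------------------
matched: allow_all
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: кошка, кот'

# rules_with_prefix PREFIX (hypothetical helper): read hbactest output on
# stdin and print the names of rules carrying PREFIX, one per line.
# The pattern is anchored at the start of the line, so "matched" does not
# also select "notmatched" lines (an unanchored grep for "matched:" would).
# Only the leading "PREFIX: " is stripped, so commas or colons inside a
# rule name come through unchanged.
rules_with_prefix() {
    prefix="$1: "
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$prefix"*) printf '%s\n' "${line#"$prefix"}" ;;
        esac
    done
}

# access_granted (hypothetical helper): exit status 0 only if the header
# reports True. Assumption of this example: any "error: <rule>" line makes
# the result untrusted, so it is treated as not granted.
access_granted() {
    granted=1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "Access granted: True") granted=0 ;;
            "error: "*) return 1 ;;
        esac
    done
    return "$granted"
}

# Demo on the constructed sample.
if printf '%s\n' "$SAMPLE_OUTPUT" | access_granted; then
    printf '%s\n' "$SAMPLE_OUTPUT" | rules_with_prefix matched
fi
```

Against a live server the command's own exit status already carries the granted/not-granted result, so the parsing is only needed when a script wants the rule names.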