[Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 27 13:12:16 UTC 2011


On 26.07.2011 22:55, Dmitri Pal wrote:
> The tests imply that there are deny rules. We removed them so very soon
> there would be no deny rules. Should the results of the test show
> something like:
> 
> ------------------------------
> Access granted : True
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
> 
> Or
> ------------------------------
> Access granted : False
> ------------------------------
> Access not granted by any allow rule
> ------------------------------
> 
> 
> (I do not think you have a test for this case...)
> 
>  
> Or (for backward compatibility)
> ------------------------------
> Access granted : False
> ------------------------------
> Granted by:
> ------------------------------
> X
> Y
> Z
> ------------------------------
> Denied by:
> ------------------------------
> A
> B
> C
> 
> 
> This format seems to be more scriptable. You do not need to deal with
> escaping commas if they are used in the name of the rule.
> But I do not insist - this is just an example of potential output. Rob,
> Martin do you have any comments, suggestions?
I decided to go with prefixed, one-rule-per-line output with a
'matched'/'notmatched'/'error' prefix. I also changed the default for
detailed output and exposed --nodetail to inhibit it, as Rob has pointed
out.

$ ./ipa hbactest --user=a1a --host=f1f --srchost=f2f --service=ssh
--------------------
Access granted: True
--------------------
  matched: allow_all
  notmatched: my-second-rule
  notmatched: my-third-rule
  notmatched: myrule
  notmatched: кошка, кот

This is scriptable and also returns the granted/not-granted result in $?, so
you can easily test in the shell whether the ipa command was successful or not.

Attached is the patch with unit tests and it can be considered for
inclusion.
-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-3-add-hbactest-command.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110727/5bec0103/attachment.ksh>
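
Added example, not part of the original message or the attached patch: a shell sketch of consuming the prefixed one-rule-per-line output shown above, for instance to confirm that access is granted by the intended rule rather than by allow_all. The function names are hypothetical, the sample is the output quoted in the message, and no particular $? values are assumed.

```shell
#!/bin/sh
# Constructed sample: the hbactest output quoted in the message above.
sample_output() {
cat <<'EOF'
--------------------
Access granted: True
--------------------
  matched: allow_all
  notmatched: my-second-rule
  notmatched: my-third-rule
  notmatched: myrule
  notmatched: кошка, кот
EOF
}

# hbac_rules PREFIX: read hbactest output on stdin and print the names of
# the rules carrying PREFIX, one per line. Everything after "PREFIX: " is
# the rule name, so commas, spaces and non-ASCII text need no unescaping.
hbac_rules() {
    # Accept only the three prefixes named in the message; the value is
    # placed into a sed expression, so anything else is rejected.
    case "$1" in
        matched|notmatched|error) ;;
        *) return 2 ;;
    esac
    # Anchored at line start, so "matched" never picks up "notmatched".
    sed -n "s/^[[:space:]]*$1: //p"
}

# hbac_granted: succeed only on an explicit, unindented verdict line.
# Rule lines are prefixed, so a rule named "Access granted: True" cannot
# satisfy this; missing or unexpected output fails closed.
hbac_granted() {
    grep -q '^Access granted: True$'
}

# hbac_matched_by RULE: succeed if RULE is among the matched rules.
# -F and -x compare the whole line literally, so a rule name is never
# treated as a pattern or matched as a substring of another name.
hbac_matched_by() {
    hbac_rules matched | grep -Fxq -- "$1"
}
```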

