[Freeipa-devel] [PATCH] 0007 Add command to test HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Thu Jul 28 07:44:18 UTC 2011


On 27.07.2011 18:37, Jakub Hrozek wrote:
> On 07/27/2011 03:12 PM, Alexander Bokovoy wrote:
>> +            for ipa_rule in rules:
>> +                try:
>> +                    res = request.evaluate([ipa_rule])
>> +                    if res == pyhbac.HBAC_EVAL_ALLOW:
>> +                        matched_rules.append(ipa_rule.name)
>> +                    if res == pyhbac.HBAC_EVAL_DENY:
>> +                        notmatched_rules.append(ipa_rule.name)
>> +                except pyhbac.HbacError as (code, rule_name):
>> +                    if code == pyhbac.HBAC_EVAL_ERROR:
>> +                        error_rules.append(rule_name)
>> +                except (TypeError, IOError) as (info):
>> +                    self.log.error('Native IPA HBAC module error: %s' % (info))
>> +
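
Review bot: in the `except (TypeError, IOError)` branch the failure is logged but `ipa_rule.name` is never added to `error_rules`, and in the `except pyhbac.HbacError` branch any `code` other than `pyhbac.HBAC_EVAL_ERROR` is dropped with no log line and no list entry, so a rule that could not be evaluated vanishes from the command's result instead of being reported as an error. In a tool used to check access-control rules, a missing rule is easy to misread as "not relevant to this request". Suggest appending the rule to `error_rules` on both paths, and turning the second `if res ==` into `elif` with a final `else` so that a result that is neither `HBAC_EVAL_ALLOW` nor `HBAC_EVAL_DENY` is also surfaced.
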
> 
> I think this is OK. The only other exception the bindings might raise is
> a MemoryError, but I think this should just propagate all the way up.
> 
> One suggestion might be to extend the branch that catches
> pyhbac.HbacError with a string representation of the error. Something like:
> 
> self.log.error("Error while evaluating rule %s: %s" % (rule_name,
> hbac_result_string(code)))
Thanks. That was actually implied (with self.log.info() as we want to
continue and report them as 'error' rules in the command's result) but I
overlooked it.

Fixed this now and also removed some residual debug prints in unit
tests. Patch attached.

-- 
/ Alexander Bokovoy
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: freeipa-abbra-0007-4-add-hbactest-command.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110728/765becce/attachment.ksh>
