[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved

Martin Kosek mkosek at redhat.com
Mon Jan 23 16:36:49 UTC 2012


On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
> When deleting an HBAC rule we need to ensure that an SELinux user map 
> isn't pointing at it. The search for this didn't work well at all.
> 
> This patch corrects the search and makes it more specific.
> 
> I also tested that it works with the --continue flag of hbacrule-del.
> 
> The ticket has instructions on testing.
> 
> rob

Works fine. There is just one part that is IMO too complicated:

+            hbacrule = options['seealso']
+            kw = dict(cn=hbacrule, all=True)
             _entries = api.Command.hbacrule_find(None, **kw)['result']
             del options['seealso']
-            if _entries:
-                options['seealso'] = _entries[0]['dn']
+            found = False
+            # look for an exact match. The search may return partial
+            # matches.
+            for entry in _entries:
+                if entry['cn'][0] == hbacrule:
+                    found = True
+                    options['seealso'] = entry['dn']
+            if not found:
+                return dict(count=0, result=[], truncated=False)

I think hbacrule_find(None, cn=HBACRULE) should not return partial
matches, but just the exact match (tried with hbacrule-find
--name=HBACRULE). Then the loop over entries wouldn't be needed.

Couldn't we simply call hbacrule_show since we want just one HBAC rule
with a known primary key?

Martin
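The situation the patch handles, as an added stand-alone example rather than FreeIPA's own code: a substring search on cn returns partial matches alongside the wanted rule, and the caller must pick the exact match before using its DN as the seealso filter. The rule names, DNs, and the two lookup stand-ins (hbacrule_find, selinuxusermap_find) are constructed here and do not call the real API; the exact-match comparison is done case-insensitively, which is an assumption about cn matching that the patch's == does not make.

```python
# Added example (not FreeIPA code): models the exact-match selection that the
# patch performs over substring results from an hbacrule_find-style search.
# Rule names, DNs and both lookup functions are constructed for this example.

# Constructed HBAC rules, in the order a directory search might return them:
# the partial match "allow_all_admins" sorts before the exact match "allow_all".
HBAC_RULES = [
    {"cn": ["allow_all_admins"], "dn": "ipauniqueid=2,cn=hbac,dc=example,dc=com"},
    {"cn": ["allow_all"],        "dn": "ipauniqueid=1,cn=hbac,dc=example,dc=com"},
    {"cn": ["Allow_SSH"],        "dn": "ipauniqueid=3,cn=hbac,dc=example,dc=com"},
]

# Constructed SELinux user maps; ``seealso`` holds the DN of the HBAC rule.
SELINUX_MAPS = [
    {"cn": ["admins_map"], "seealso": "ipauniqueid=2,cn=hbac,dc=example,dc=com"},
]


def hbacrule_find(cn):
    """Stand-in for api.Command.hbacrule_find: a case-insensitive substring
    search on cn, i.e. the partial-match behaviour the patch guards against."""
    needle = cn.lower()
    return [e for e in HBAC_RULES if needle in e["cn"][0].lower()]


def first_hit_dn(entries):
    """Pre-patch behaviour: take the DN of the first search hit, whatever it is."""
    return entries[0]["dn"] if entries else None


def exact_hbacrule_dn(entries, name):
    """Patched behaviour: accept only an entry whose cn equals the requested
    name. Assumption: cn compares case-insensitively, so normalise both sides
    (the patch itself uses a case-sensitive ==)."""
    for entry in entries:
        if entry["cn"][0].lower() == name.lower():
            return entry["dn"]
    return None


def selinuxusermap_find(seealso_dn):
    """Stand-in for api.Command.selinuxusermap_find(seealso=dn)."""
    return [m for m in SELINUX_MAPS if m["seealso"] == seealso_dn]


def maps_blocking_delete(hbacrule, exact=True):
    """Return the SELinux user maps that reference the named HBAC rule and
    therefore must be cleared before hbacrule-del may proceed. With
    exact=False the pre-patch first-hit logic is used for comparison."""
    entries = hbacrule_find(hbacrule)
    dn = exact_hbacrule_dn(entries, hbacrule) if exact else first_hit_dn(entries)
    if dn is None:
        # No rule of that exact name: nothing can reference it.
        return []
    return selinuxusermap_find(dn)


if __name__ == "__main__":
    # Pre-patch logic wrongly blocks deleting "allow_all": the first partial
    # hit is "allow_all_admins", which a map does reference.
    print("pre-patch:", [m["cn"][0] for m in maps_blocking_delete("allow_all", exact=False)])
    print("patched:  ", [m["cn"][0] for m in maps_blocking_delete("allow_all")])
    print("patched:  ", [m["cn"][0] for m in maps_blocking_delete("allow_all_admins")])
```

Running it shows the pre-patch path reporting admins_map against allow_all (the wrong rule), while the exact-match path reports it only for allow_all_admins and lets allow_all be deleted.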
