[Freeipa-devel] Sudorules user validation help
Martin Kosek
mkosek at redhat.com
Thu May 28 08:44:07 UTC 2015
On 05/27/2015 08:41 PM, Drew Erny wrote:
> Hey, Freeipa-devel,
>
> I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226)
>
> I've identified the problem. The sudorules add user command adds the user
> validations at the end of its pre-callback using add_external_pre_callback.
> However, the "user" plugin pattern-matches a string for the "uid" param,
> because it only allows certain characters.
>
> I've been picking through the codebase and I think I have enough understanding
> to ask this: What if we changed the user "uid" validation to a standalone
> "rule" function (you can do that, right? pass in a function as a validation
> rule?) that would normally just assert that the pattern matches, but could have
> that pattern matching validation overridden in some cases. I think that's the
> easiest, cleanest way to change user so that sudorules and other plugins can
> ignore this validation if necessary (I'm trying to figure out exactly how to
> implement this without changing any APIs).
>
> Am I understanding the plugin params API correctly, and can I do this? Is this
> the best way to do this?
>
> The only other solution I see is to write sudorules-specific code in some
> plugin-related (either user.py or baseldap.py) module, which would create
> unwanted coupling.
>
> Most specifically, this would be a change to the object instantiated at
> ipalib/plugins/user.py line 467
>
> Thoughts and suggestions?
I think it would make sense to follow the example with validate_hostname and
prepare a function validate_username(username, upn=False, netbios_name=False) [1].
where upn would allow using "@." on top of current validator (i.e.
user@Domain.test) and netbios_name would allow the "DOMAIN\user" style. I would
just suggest making sure the standard user validation error message is still
the same to avoid unnecessary QE false positives.
In add_external_pre_callback you could then just simply call
validate_username(user, True, True)
just like it is already done with hostname.
My 2 cents.
Martin
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
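A sketch of the validate_username(username, upn=False, netbios_name=False) helper Martin proposes, written as an added example for this thread and not taken from FreeIPA's code base. The uid regex and its error text are modelled on the user plugin's "uid" parameter from memory, the DNS-label rule and the NetBIOS limits (15 characters, the disallowed character set from the page cited as [1]) are my reading of those sources, and the helper names (_validate_uid, _validate_dns_domain, _validate_netbios_domain, validation_error) are invented for the example. The point it demonstrates is the one in the reply: with the default flags the function fails with exactly the standard uid message, so plain "user" callers see no change, while a caller such as the sudorule pre-callback can pass validate_username(user, True, True) and accept the two external forms.

```python
import re

# Added example, not code from the thread or from FreeIPA. The uid regex and
# error text are modelled on the user plugin's "uid" parameter as remembered;
# treat both as assumptions rather than a copy of the real definition.
UID_PATTERN = re.compile(r'^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?$')
UID_ERRMSG = 'may only include letters, numbers, _, -, . and $'

# One DNS label of a UPN suffix such as Domain.test (assumption: letters,
# digits and inner hyphens, at most 63 characters).
DNS_LABEL = re.compile(r'^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$')

# NetBIOS domain limits as read from the naming-conventions page cited as
# [1]: at most 15 characters and none of these characters (assumption).
NETBIOS_MAX_LEN = 15
NETBIOS_FORBIDDEN = frozenset('\\/:*?"<>|')


def _validate_uid(name):
    """The plain uid rule; always raises the standard message on failure."""
    if not UID_PATTERN.match(name):
        raise ValueError(UID_ERRMSG)


def _validate_dns_domain(domain):
    """Every dot-separated label of the UPN suffix must be a DNS label."""
    labels = domain.split('.')
    if not all(DNS_LABEL.match(label) for label in labels):
        raise ValueError('invalid domain name in user principal name')


def _validate_netbios_domain(domain):
    """Length and character checks for the DOMAIN part of DOMAIN\\user."""
    if not 1 <= len(domain) <= NETBIOS_MAX_LEN:
        raise ValueError('NetBIOS domain name must be 1 to 15 characters')
    if NETBIOS_FORBIDDEN & set(domain):
        raise ValueError('NetBIOS domain name contains invalid characters')


def validate_username(username, upn=False, netbios_name=False):
    """Validate a user name; return (local_part, domain, form).

    With the defaults only the bare uid form is accepted and a failure
    raises UID_ERRMSG, so existing callers see the same message. upn=True
    also accepts user@Domain.test; netbios_name=True also accepts
    DOMAIN\\user. A sudorule pre-callback would call it with both True.
    """
    if netbios_name and '\\' in username:
        domain, _, local = username.partition('\\')
        _validate_netbios_domain(domain)
        _validate_uid(local)          # the local part still obeys the uid rule
        return local, domain, 'netbios'
    if upn and '@' in username:
        local, _, domain = username.partition('@')
        _validate_uid(local)
        _validate_dns_domain(domain)
        return local, domain, 'upn'
    _validate_uid(username)
    return username, None, 'local'


def validation_error(username, upn=False, netbios_name=False):
    """Return the error message a name would produce, or None if it is valid."""
    try:
        validate_username(username, upn, netbios_name)
    except ValueError as err:
        return str(err)
    return None


if __name__ == '__main__':
    # Constructed sample names: plain, UPN form, NetBIOS form, and one that
    # fails the uid rule whichever flags are set.
    for name in ('jdoe', 'jdoe@Domain.test', 'DOMAIN\\jdoe', 'bad name'):
        print(repr(name), validation_error(name), validation_error(name, True, True))
```

The two external forms are only recognised when their flag is set, and the local part of either form is still pushed through the plain uid rule, so "DOMAIN\bad user" fails with the standard message rather than a NetBIOS-specific one. Only the domain half gets a different message, which keeps the behaviour of the default call (and the error text QE keys on) unchanged.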