[Freeipa-devel] Sudorules user validation help

Drew Erny derny at redhat.com
Thu May 28 13:40:10 UTC 2015


OK, I see now what you mean by that. That is a simpler solution. I'll do 
it that way.

On 05/28/2015 04:44 AM, Martin Kosek wrote:
> On 05/27/2015 08:41 PM, Drew Erny wrote:
>> Hey, Freeipa-devel,
>>
>> I'm working on ticket #3226 (https://fedorahosted.org/freeipa/ticket/3226)
>>
>> I've identified the problem. The sudorules add user command adds the user
>> validations at the end of its pre-callback using add_external_pre_callback.
>> However, the "user" plugin pattern-matches a string for the "uid" param,
>> because it only allows certain characters.
>>
>> I've been picking through the codebase and I think I have enough understanding
>> to ask this: What if we changed the user "uid" validation to a standalone
>> "rule" function (you can do that, right? pass in a function as a validation
>> rule?) that would normally just assert that the pattern matches, but could have
>> that pattern matching validation overridden in some cases. I think that's the
>> easiest, cleanest way to change user so that sudorules and other plugins can
>> ignore this validation if necessary (I'm trying to figure out exactly how to
>> implement this without changing any APIs).
>>
>> Am I understanding the plugin params API correctly, and can I do this? Is this
>> the best way to do this?
>>
>> The only other solution I see is to write sudorules-specific code in some
>> plugin-related (either user.py or baseldap.py) module, which would create
>> unwanted coupling.
>>
>> Most specifically, this would be a change to the object instantiated at
>> ipalib/plugins/user.py line 467
>>
>> Thoughts and suggestions?
> I think it would make sense to follow the example with validate_hostname and
> prepare a function validate_username(username, upn=False, netbios_name=False) [1].
>
> where upn would allow using "@." on top of current validator (i.e.
> user@Domain.test) and netbios_name would allow the "DOMAIN\user" style. I would
> just suggest making sure the standard user validation error message is still
> the same to avoid unnecessary QE false positives.
>
> In add_external_pre_callback you could then just simply call
>
> validate_username(user, True, True)
>
> just like it is already done with hostname.
>
> My 2 cents.
>
> Martin
>
> [1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
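The validate_username(username, upn=False, netbios_name=False) shape that Martin proposes, sketched in Python as an added example (not FreeIPA's own code from user.py or baseldap.py). The base uid character class, the DNS-label and NetBIOS-name patterns, and the error wording are all assumptions chosen for the example; the point it demonstrates is that the local part is always checked by the unchanged base rule with the unchanged message, and the two flags only admit an extra domain qualifier, so a caller such as add_external_pre_callback can pass validate_username(user, True, True) without loosening what a plain uid may contain.

```python
import re

# Assumed base rule for a plain uid (placeholder, not FreeIPA's real pattern):
# starts with a letter, digit or underscore; then letters, digits, '_', '.', '-'.
BASE_UID_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*$')

# Assumed, simplified DNS label rule for each label of a UPN domain.
DNS_LABEL_RE = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$')

# Assumed, simplified NetBIOS domain-name rule: 1-15 characters, none of
# the characters that are illegal in NetBIOS names (\ / : * ? " < > |) or
# whitespace.
NETBIOS_RE = re.compile(r'^[^\\/:*?"<>|\s]{1,15}$')

# Assumed wording. It is raised for every failure of the base rule, whatever
# flags are set, so the message seen for a plain uid never changes.
BASE_ERROR = 'may only include letters, numbers, _, -, . and $'


def _check_base(local):
    """Apply the plain-uid rule; always raises the same message on failure."""
    if not BASE_UID_RE.match(local):
        raise ValueError(BASE_ERROR)


def validate_username(username, upn=False, netbios_name=False):
    """Validate a username, optionally accepting UPN or NetBIOS forms.

    Returns a (form, domain, local) tuple on success and raises ValueError
    otherwise. The local part is always subject to the base rule; the flags
    only admit an additional domain qualifier.
    """
    if not username:
        raise ValueError(BASE_ERROR)

    # DOMAIN\user: accepted only when netbios_name is enabled.
    if '\\' in username:
        if not netbios_name:
            raise ValueError(BASE_ERROR)
        domain, _, local = username.partition('\\')
        if not NETBIOS_RE.match(domain) or '\\' in local:
            raise ValueError('invalid NetBIOS domain name')
        _check_base(local)
        return ('netbios', domain, local)

    # user@domain.test: accepted only when upn is enabled.
    if '@' in username:
        if not upn:
            raise ValueError(BASE_ERROR)
        local, _, domain = username.rpartition('@')
        labels = domain.split('.')
        if len(labels) < 2 or not all(DNS_LABEL_RE.match(l) for l in labels):
            raise ValueError('invalid UPN domain')
        _check_base(local)
        return ('upn', domain, local)

    _check_base(username)
    return ('plain', None, username)


def is_valid_username(username, upn=False, netbios_name=False):
    """Boolean wrapper for callers that only need accept/reject."""
    return validation_error(username, upn, netbios_name) is None


def validation_error(username, upn=False, netbios_name=False):
    """Return the error message a username would produce, or None if valid."""
    try:
        validate_username(username, upn, netbios_name)
    except ValueError as exc:
        return str(exc)
    return None
```

With both flags off the function behaves exactly like the plain validator, which is what the user plugin keeps using; only the sudorules pre-callback passes upn=True and netbios_name=True, mirroring how validate_hostname is already called there.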
