From 0a75647f61820b4952da4ea61707e533550bf84e Mon Sep 17 00:00:00 2001 From: Jr Aquino Date: Mon, 4 Oct 2010 15:56:40 -0700 Subject: [PATCH] Added modifications to the sudorule plugin to reflect the schema update. --- ipalib/plugins/sudorule.py | 58 +++++++++++----- tests/test_xmlrpc/test_sudorule_plugin.py | 112 ++++++++++++++++++++--------- 2 files changed, 118 insertions(+), 52 deletions(-) diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 3e70386..434e23a 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -34,14 +34,15 @@ class sudorule(LDAPObject): object_name_plural = 'Sudo Rules' object_class = ['ipaassociation', 'ipasudorule'] default_attributes = [ - 'cn', 'accessruletype', 'description', + 'cn', 'description', ] uuid_attribute = 'ipauniqueid' attribute_members = { 'memberuser': ['user', 'group'], 'memberhost': ['host', 'hostgroup'], - 'membercmd': ['sudocmd', 'sudocmdgroup'], + 'memberallowcmd': ['sudocmd', 'sudocmdgroup'], + 'memberdenycmd': ['sudocmd', 'sudocmdgroup'], } label = _('SudoRule') @@ -56,12 +57,6 @@ class sudorule(LDAPObject): cli_name='desc', label=_('Description'), ), - StrEnum('accessruletype', - cli_name='type', - doc=_('Rule type (allow or deny)'), - label=_('Rule type'), - values=(u'allow', u'deny'), - ), Str('memberuser_user?', label=_('Users'), flags=['no_create', 'no_update', 'no_search'], 
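Review bot: In the `attribute_members` change of the first hunk, `membercmd` is replaced outright by `memberallowcmd`/`memberdenycmd` and `accessruletype` leaves `default_attributes`, but nothing visible in this patch converts rules already stored with the old attributes. If such entries exist, a rule that was `deny` with `membercmd` members would presumably stop listing its commands and lose its deny meaning until it is rewritten, which is a silent change to sudo policy. The schema and update files are not part of this patch, so this may be handled there. If it is, a comment above the mapping would make that explicit, e.g. `# membercmd + accessruletype were split into memberallowcmd / memberdenycmd; old entries are converted by the schema update`. The `sudorule` class body starts and ends outside the hunk.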
@@ -74,14 +69,23 @@ class sudorule(LDAPObject): label=_('Host Groups'), flags=['no_create', 'no_update', 'no_search'], ), - Str('membercmd_sudocmd?', - label=_('Sudo Commands'), + Str('memberallowcmd_sudocmd?', + label=_('Sudo Allow Commands'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberdenycmd_sudocmd?', + label=_('Sudo Deny Commands'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str('memberallowcmd_sudocmdgroup?', + label=_('Sudo Command Groups'), flags=['no_create', 'no_update', 'no_search'], ), - Str('membercmd_sudocmdgroup?', + Str('memberdenycmd_sudocmdgroup?', label=_('Sudo Command Groups'), flags=['no_create', 'no_update', 'no_search'], ), + ) def get_dn(self, *keys, **kwargs): 
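Review bot: The two command-group parameters in this hunk, `memberallowcmd_sudocmdgroup?` and `memberdenycmd_sudocmdgroup?`, both keep the label `Sudo Command Groups`, while the single-command parameters were split into `Sudo Allow Commands` and `Sudo Deny Commands`. Wherever these labels are displayed, an administrator reading a rule cannot tell an allowed group from a denied one, and a deny entry can be misread as a grant. Use `label=_('Sudo Allow Command Groups'),` and `label=_('Sudo Deny Command Groups'),` for the two group parameters. The parameter tuple begins outside the hunk.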
@@ -139,24 +143,44 @@ class sudorule_show(LDAPRetrieve): api.register(sudorule_show) -class sudorule_add_command(LDAPAddMember): +class sudorule_add_allow_command(LDAPAddMember): + """ + Add commands and sudo command groups affected by Sudo Rule. + """ + member_attributes = ['memberallowcmd'] + member_count_out = ('%i object added.', '%i objects added.') + +api.register(sudorule_add_allow_command) + + +class sudorule_remove_allow_command(LDAPRemoveMember): + """ + Remove commands and sudo command groups affected by Sudo Rule. + """ + member_attributes = ['memberallowcmd'] + member_count_out = ('%i object removed.', '%i objects removed.') + +api.register(sudorule_remove_allow_command) + + +class sudorule_add_deny_command(LDAPAddMember): """ Add commands and sudo command groups affected by Sudo Rule. """ - member_attributes = ['membercmd'] + member_attributes = ['memberdenycmd'] member_count_out = ('%i object added.', '%i objects added.') -api.register(sudorule_add_command) +api.register(sudorule_add_deny_command) -class sudorule_remove_command(LDAPRemoveMember): +class sudorule_remove_deny_command(LDAPRemoveMember): """ Remove commands and sudo command groups affected by Sudo Rule. """ - member_attributes = ['membercmd'] + member_attributes = ['memberdenycmd'] member_count_out = ('%i object removed.', '%i objects removed.') -api.register(sudorule_remove_command) +api.register(sudorule_remove_deny_command) class sudorule_add_user(LDAPAddMember): diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py index 7ab372b..b047899 100644 --- a/tests/test_xmlrpc/test_sudorule_plugin.py +++ b/tests/test_xmlrpc/test_sudorule_plugin.py @@ -31,8 +31,6 @@ class test_sudorule(XMLRPC_test): Test the `sudorule` plugin. """ rule_name = u'testing_sudorule1' - rule_type = u'allow' - rule_type_fail = u'value not allowed' rule_command = u'/usr/bin/testsudocmd1' rule_desc = u'description' rule_desc_mod = u'description modified' 
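Review bot: The four command classes in the `@@ -139,24 +143,44 @@` hunk all carry the old docstring text ("Add/Remove commands and sudo command groups affected by Sudo Rule."), so the allow and deny variants are documented identically. If the class docstring is what users see as command help, nothing tells them which command grants and which restricts. Suggested wording is `Add commands and sudo command groups allowed by Sudo Rule.` for `sudorule_add_allow_command` and `Add commands and sudo command groups denied by Sudo Rule.` for `sudorule_add_deny_command`, with the matching `Remove ...` forms for the other two. Separately, `sudorule_add_command` and `sudorule_remove_command` disappear without an alias, so any caller still using those names will fail; the commit message should say so if that is intended.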
@@ -41,8 +39,10 @@ class test_sudorule(XMLRPC_test): test_group = u'sudorule_test_group' test_host = u'sudorule._test_host' test_hostgroup = u'sudorule_test_hostgroup' - test_sudocmdgroup = u'sudorule_test_cmdgroup' + test_sudoallowcmdgroup = u'sudorule_test_allowcmdgroup' + test_sudodenycmdgroup = u'sudorule_test_denycmdgroup' test_command = u'/usr/bin/testsudocmd1' + test_denycommand = u'/usr/bin/testdenysudocmd1' def test_0_sudorule_add(self): """ @@ -50,12 +50,10 @@ class test_sudorule(XMLRPC_test): """ ret = self.failsafe_add(api.Object.sudorule, self.rule_name, - accessruletype=self.rule_type, description=self.rule_desc, ) entry = ret['result'] assert_attr_equal(entry, 'cn', self.rule_name) - assert_attr_equal(entry, 'accessruletype', self.rule_type) assert_attr_equal(entry, 'description', self.rule_desc) def test_1_sudorule_add(self): @@ -64,7 +62,7 @@ class test_sudorule(XMLRPC_test): """ try: api.Command['sudorule_add']( - self.rule_name, accessruletype=self.rule_type + self.rule_name ) except errors.DuplicateEntry: pass @@ -77,7 +75,6 @@ class test_sudorule(XMLRPC_test): """ entry = api.Command['sudorule_show'](self.rule_name)['result'] assert_attr_equal(entry, 'cn', self.rule_name) - assert_attr_equal(entry, 'accessruletype', self.rule_type) assert_attr_equal(entry, 'description', self.rule_desc) def test_3_sudorule_mod(self): @@ -95,13 +92,12 @@ class test_sudorule(XMLRPC_test): Test searching for Sudo rules using `xmlrpc.sudorule_find`. """ ret = api.Command['sudorule_find']( - name=self.rule_name, accessruletype=self.rule_type, + name=self.rule_name, description=self.rule_desc_mod ) assert ret['truncated'] is False entries = ret['result'] assert_attr_equal(entries[0], 'cn', self.rule_name) - assert_attr_equal(entries[0], 'accessruletype', self.rule_type) assert_attr_equal(entries[0], 'description', self.rule_desc_mod) def test_7_sudorule_init_testing_data(self): 
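Review bot: `test_denycommand = u'/usr/bin/testdenysudocmd1'`, added in the `@@ -41,8 +39,10 @@` hunk, is never used in the hunks shown. The `@@ -121,7 +117,10 @@` hunk creates no `sudocmd` for it, and both deny tests in the `@@ -203,46 +202,87 @@` hunk pass `sudocmd=self.test_command`, so the deny path is only exercised with the same command object as the allow path. Either drop the attribute or wire it in: `self.failsafe_add(api.Object.sudocmd, self.test_denycommand, description=u'desc', force=True)` in the init test, `sudocmd=self.test_denycommand` in the two deny tests and their `assert_attr_equal`, and `api.Command['sudocmd_del'](self.test_denycommand)` in the cleanup. The test class body starts and ends outside these hunks.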
@@ -121,7 +117,10 @@ class test_sudorule(XMLRPC_test): self.test_hostgroup, description=u'description' ) self.failsafe_add(api.Object.sudocmdgroup, - self.test_sudocmdgroup, description=u'desc' + self.test_sudoallowcmdgroup, description=u'desc' + ) + self.failsafe_add(api.Object.sudocmdgroup, + self.test_sudodenycmdgroup, description=u'desc' ) self.failsafe_add(api.Object.sudocmd, self.test_command, description=u'desc', force=True 
@@ -203,46 +202,87 @@ class test_sudorule(XMLRPC_test): assert 'memberhost_host' not in entry assert 'memberhost_hostgroup' not in entry - def test_a_sudorule_add_command(self): + def test_a_sudorule_add_allow_command(self): """ - Test adding command and cmdgroup to Sudo rule using - `xmlrpc.sudorule_add_command`. + Test adding allow command and cmdgroup to Sudo rule using + `xmlrpc.sudorule_add_allow_command`. """ - ret = api.Command['sudorule_add_command']( + ret = api.Command['sudorule_add_allow_command']( self.rule_name, sudocmd=self.test_command, - sudocmdgroup=self.test_sudocmdgroup + sudocmdgroup=self.test_sudoallowcmdgroup ) assert ret['completed'] == 2 failed = ret['failed'] - assert 'membercmd' in failed - assert 'sudocmd' in failed['membercmd'] - assert not failed['membercmd']['sudocmd'] - assert 'sudocmdgroup' in failed['membercmd'] - assert not failed['membercmd']['sudocmdgroup'] + assert 'memberallowcmd' in failed + assert 'sudocmd' in failed['memberallowcmd'] + assert not failed['memberallowcmd']['sudocmd'] + assert 'sudocmdgroup' in failed['memberallowcmd'] + assert not failed['memberallowcmd']['sudocmdgroup'] entry = ret['result'] - assert_attr_equal(entry, 'membercmd_sudocmd', self.test_command) - assert_attr_equal(entry, 'membercmd_sudocmdgroup', - self.test_sudocmdgroup) + assert_attr_equal(entry, 'memberallowcmd_sudocmd', self.test_command) + assert_attr_equal(entry, 'memberallowcmd_sudocmdgroup', + self.test_sudoallowcmdgroup) - def test_a_sudorule_remove_command(self): + def test_a_sudorule_remove_allow_command(self): """ - Test removing command and sudocmdgroup from Sudo rule using + Test removing allow command and sudocmdgroup from Sudo rule using `xmlrpc.sudorule_remove_command`. 
""" - ret = api.Command['sudorule_remove_command']( + ret = api.Command['sudorule_remove_allow_command']( + self.rule_name, sudocmd=self.test_command, + sudocmdgroup=self.test_sudoallowcmdgroup + ) + assert ret['completed'] == 2 + failed = ret['failed'] + assert 'memberallowcmd' in failed + assert 'sudocmd' in failed['memberallowcmd'] + assert not failed['memberallowcmd']['sudocmd'] + assert 'sudocmdgroup' in failed['memberallowcmd'] + assert not failed['memberallowcmd']['sudocmdgroup'] + entry = ret['result'] + assert 'memberallowcmd_sudocmd' not in entry + assert 'memberallowcmd_sudocmdgroup' not in entry + + def test_b_sudorule_add_deny_command(self): + """ + Test adding deny command and cmdgroup to Sudo rule using + `xmlrpc.sudorule_add_deny_command`. + """ + ret = api.Command['sudorule_add_deny_command']( self.rule_name, sudocmd=self.test_command, - sudocmdgroup=self.test_sudocmdgroup + sudocmdgroup=self.test_sudodenycmdgroup ) assert ret['completed'] == 2 failed = ret['failed'] - assert 'membercmd' in failed - assert 'sudocmd' in failed['membercmd'] - assert not failed['membercmd']['sudocmd'] - assert 'sudocmdgroup' in failed['membercmd'] - assert not failed['membercmd']['sudocmdgroup'] + assert 'memberdenycmd' in failed + assert 'sudocmd' in failed['memberdenycmd'] + assert not failed['memberdenycmd']['sudocmd'] + assert 'sudocmdgroup' in failed['memberdenycmd'] + assert not failed['memberdenycmd']['sudocmdgroup'] entry = ret['result'] - assert 'membercmd_sudocmd' not in entry - assert 'membercmd_sudocmdgroup' not in entry + assert_attr_equal(entry, 'memberdenycmd_sudocmd', self.test_command) + assert_attr_equal(entry, 'memberdenycmd_sudocmdgroup', + self.test_sudodenycmdgroup) + + def test_b_sudorule_remove_deny_command(self): + """ + Test removing deny command and sudocmdgroup from Sudo rule using + `xmlrpc.sudorule_remove_deny_command`. 
+ """ + ret = api.Command['sudorule_remove_deny_command']( + self.rule_name, sudocmd=self.test_command, + sudocmdgroup=self.test_sudodenycmdgroup + ) + assert ret['completed'] == 2 + failed = ret['failed'] + assert 'memberdenycmd' in failed + assert 'sudocmd' in failed['memberdenycmd'] + assert not failed['memberdenycmd']['sudocmd'] + assert 'sudocmdgroup' in failed['memberdenycmd'] + assert not failed['memberdenycmd']['sudocmdgroup'] + entry = ret['result'] + assert 'memberdenycmd_sudocmd' not in entry + assert 'memberdenycmd_sudocmdgroup' not in entry def test_c_sudorule_clear_testing_data(self): """ @@ -253,7 +293,9 @@ class test_sudorule(XMLRPC_test): api.Command['host_del'](self.test_host) api.Command['hostgroup_del'](self.test_hostgroup) api.Command['sudocmd_del'](self.test_command) - api.Command['sudocmdgroup_del'](self.test_sudocmdgroup) + api.Command['sudocmdgroup_del'](self.test_sudoallowcmdgroup) + api.Command['sudocmdgroup_del'](self.test_sudodenycmdgroup) + def test_f_sudorule_del(self): """ -- 1.7.2.3
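Review bot: The docstring of `test_a_sudorule_remove_allow_command` in the `@@ -203,46 +202,87 @@` hunk still names `xmlrpc.sudorule_remove_command`, which this patch removes; it should read `xmlrpc.sudorule_remove_allow_command`. The new add tests also assert only the attribute they target and never check that the opposite list stays empty. Adding `assert 'memberdenycmd_sudocmd' not in entry` to the allow add test and `assert 'memberallowcmd_sudocmd' not in entry` to the deny add test would pin that an allow add never touches the deny list, and the reverse.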