[Freeipa-devel] [PATCH] 0014 Unroll groups for users, hosts, and services when testing HBAC rules

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 12 14:52:18 UTC 2011


https://fedorahosted.org/freeipa/ticket/1740

-- 
/ Alexander Bokovoy
-------------- next part --------------
>From a87317a404717882e35cdeb9a9bc5aa3445e5353 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 12 Sep 2011 17:23:56 +0300
Subject: [PATCH 7/8] Unroll groups when testing HBAC rules

Fixes https://fedorahosted.org/freeipa/ticket/1741
Fixes https://fedorahosted.org/freeipa/ticket/1740
---
 ipalib/plugins/hbactest.py |   39 ++++++++++++++++++++++++++++++++++-----
 1 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index d007845926aaaf4241243e65d73d4759319a5e80..5fce2e5fbf89b19a315e721d5237c1f1b2267421 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -255,12 +255,41 @@ class hbactest(Command):
                     'error': testrules, 'matched': None, 'notmatched': None,
                     'value' : False}
 
-        # Rules are converted to pyhbac format, we can test them
+        # Rules are converted to pyhbac format, build request and then test it
         request = pyhbac.HbacRequest()
-        request.user.name = options['user']
-        request.service.name = options['service']
-        request.srchost.name = options['sourcehost']
-        request.targethost.name = options['targethost']
+
+        if options['user'] != u'all':
+            try:
+                request.user.name = options['user']
+                request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+            except:
+                pass
+
+        if options['service'] != u'all':
+            try:
+                request.service.name = options['service']
+                request.service.groups = \
+                    self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc']
+            except:
+                pass
+
+        if options['sourcehost'] != u'all':
+            try:
+                request.srchost.name = options['sourcehost']
+                srchost_result = self.api.Command.host_show(request.srchost.name)['result']
+                srchost_groups = srchost_result['memberof_hostgroup']
+                request.srchost.groups = sorted(set(srchost_groups))
+            except:
+                 pass
+
+        if options['targethost'] != u'all':
+            try:
+                request.targethost.name = options['targethost']
+                tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
+                tgthost_groups = tgthost_result['memberof_hostgroup']
+                request.targethost.groups = sorted(set(tgthost_groups))
+            except:
+                pass
 
         matched_rules = []
         notmatched_rules = []
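Review bot: The service branch (the `hbacsvcgroup_show` call under `if options['service'] != u'all'`) looks up an HBAC service *group* by the service's own name and assigns that group's `member_hbacsvc` list, which is the opposite direction from the user and host branches that take the entry's own `memberof_*` list; unless a service group happens to share the service's name that call presumably fails, the bare `except:` discards the failure, and `request.service.groups` is never populated, so a rule that grants through a service group would not match in the simulation. The analogous lookup would be `request.service.groups = self.api.Command.hbacsvc_show(request.service.name)['result']['memberof_hbacsvcgroup']`. The bare `except: pass` in all four branches also hides a misspelled or nonexistent user/host and any other error, so the rules get evaluated against an entry with no group memberships — for an access-control test command that yields a confidently wrong allow/deny answer; catch only the case you mean (the attribute being absent when the entry has no memberships, e.g. `except KeyError:` or `.get('memberof_group', [])`) and let lookup errors propagate to the caller. The enclosing method starts and ends outside the hunk.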
-- 
1.7.6.1


