[Freeipa-devel] [PATCH] 0014 Unroll groups for users, hosts, and services when testing HBAC rules
Alexander Bokovoy
abokovoy at redhat.com
Mon Sep 12 14:52:18 UTC 2011
https://fedorahosted.org/freeipa/ticket/1740
--
/ Alexander Bokovoy
-------------- next part --------------
>From a87317a404717882e35cdeb9a9bc5aa3445e5353 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Mon, 12 Sep 2011 17:23:56 +0300
Subject: [PATCH 7/8] Unroll groups when testing HBAC rules
Fixes https://fedorahosted.org/freeipa/ticket/1741
Fixes https://fedorahosted.org/freeipa/ticket/1740
---
ipalib/plugins/hbactest.py | 39 ++++++++++++++++++++++++++++++++++-----
1 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index d007845926aaaf4241243e65d73d4759319a5e80..5fce2e5fbf89b19a315e721d5237c1f1b2267421 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -255,12 +255,41 @@ class hbactest(Command):
'error': testrules, 'matched': None, 'notmatched': None,
'value' : False}
- # Rules are converted to pyhbac format, we can test them
+ # Rules are converted to pyhbac format, build request and then test it
request = pyhbac.HbacRequest()
- request.user.name = options['user']
- request.service.name = options['service']
- request.srchost.name = options['sourcehost']
- request.targethost.name = options['targethost']
+
+ if options['user'] != u'all':
+ try:
+ request.user.name = options['user']
+ request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+ except:
+ pass
+
+ if options['service'] != u'all':
+ try:
+ request.service.name = options['service']
+ request.service.groups = \
+ self.api.Command.hbacsvcgroup_show(request.service.name)['result']['member_hbacsvc']
+ except:
+ pass
+
+ if options['sourcehost'] != u'all':
+ try:
+ request.srchost.name = options['sourcehost']
+ srchost_result = self.api.Command.host_show(request.srchost.name)['result']
+ srchost_groups = srchost_result['memberof_hostgroup']
+ request.srchost.groups = sorted(set(srchost_groups))
+ except:
+ pass
+
+ if options['targethost'] != u'all':
+ try:
+ request.targethost.name = options['targethost']
+ tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
+ tgthost_groups = tgthost_result['memberof_hostgroup']
+ request.targethost.groups = sorted(set(tgthost_groups))
+ except:
+ pass
matched_rules = []
notmatched_rules = []
--
1.7.6.1
More information about the Freeipa-devel
mailing list