[Freeipa-devel] Sudorules user validation help

Drew Erny derny at redhat.com
Thu May 28 14:27:22 UTC 2015 

In the ticket, however, it's stated that if the user wants to use any 
combination of weird characters, they should be able to. Would it be 
better to just define a function like

def validate_username(username, ignore_pattern=False):

and have it ignore all username validation?

On 05/28/2015 09:40 AM, Drew Erny wrote:
> OK, I see now what you mean by that. That is a simpler solution. I'll 
> do it that way.
>
> On 05/28/2015 04:44 AM, Martin Kosek wrote:
>> On 05/27/2015 08:41 PM, Drew Erny wrote:
>>> Hey, Freeipa-devel,
>>>
>>> I'm working on ticket #3226 
>>> (https://fedorahosted.org/freeipa/ticket/3226)
>>>
>>> I've identified the problem. The sudorules add user command adds the 
>>> user
>>> validations at the end of it's pre-callback using 
>>> add_external_pre_callback.
>>> However, the "user" plugin pattern-matches a string for the "uid" 
>>> param,
>>> because it only allows certain characters.
>>>
>>> I've been picking through the codebase and I think I have enough 
>>> understanding
>>> to ask this: What if we changed the user "uid" validation to a 
>>> standalone
>>> "rule" function (you can do that, right? pass in a function as a 
>>> validation
>>> rule?) that would normally just assert that the pattern matches, but 
>>> could have
>>> that pattern matching validation overridden in some cases. I think 
>>> that's the
>>> easiest, cleanest way to change user so that sudorules and other 
>>> plugins can
>>> ignore this validation if necessary (I'm trying to figure out 
>>> exactly how to
>>> implement this without changing any APIs).
>>>
>>> Am I understanding the plugin params API correctly, and can I do 
>>> this? Is this
>>> the best way to do this?
>>>
>>> The only other solution I see is to write sudorules-specific code in 
>>> some
>>> plugin-related (either user.py or baseldap.py module, which would 
>>> create
>>> unwanted coupling.
>>>
>>> Most specifically, this would be a change to the object instantiated at
>>> ipalib/plugins/user.py line 467
>>>
>>> Thoughts and suggestions?
>> I think it would make sense to follow the example with 
>> validate_hostname and
>> prepare a function validate_username(username, upn=False, 
>> netbios_name=False) [1].
>>
>> where upn would allow using "@." on top of current validator (i.e.
>> user at Domain.test) and netbios_name would allow the "DOMAIN\user" 
>> style. I would
>> just suggest making sure the standard user validation error message 
>> is still
>> the same to avoid unnecessary QE fail positives.
>>
>> In add_external_pre_callback you could then just simply call
>>
>> validate_username(user, True, True)
>>
>> just like it is already done with hostname.
>>
>> My 2 cents.
>>
>> Martin
>>
>> [1] 
>> https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
>

More information about the Freeipa-devel mailing list