<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 05/26/2014 06:20 PM, Petr Viktorin
wrote:<br>
</div>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">On
05/20/2014 06:15 PM, Tomas Babej wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
the following set of patches fixes:
<br>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4274">https://fedorahosted.org/freeipa/ticket/4274</a>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4263">https://fedorahosted.org/freeipa/ticket/4263</a>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4324">https://fedorahosted.org/freeipa/ticket/4324</a>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4340">https://fedorahosted.org/freeipa/ticket/4340</a>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/4341">https://fedorahosted.org/freeipa/ticket/4341</a>
<br>
<br>
and additional minor issues.
<br>
<br>
The improvemed CI test coverage for the sudorule plugin is added
as a bonus.
<br>
</blockquote>
<br>
Thanks!
<br>
I haven't tested yet; here are my comments on the code.
<br>
<br>
<br>
0187 - sudorule: PEP8 fixes in sudorule.py
<br>
<br>
This change:
<br>
<br>
<blockquote type="cite">@@ -527,11 +551,15 @@ def
pre_callback(self, ldap, dn, found, not_found, *keys,
**options):
<br>
_entry_attrs = ldap.get_entry(dn,
self.obj.default_attributes)
<br>
except errors.NotFound:
<br>
self.obj.handle_not_found(*keys)
<br>
- if is_all(_entry_attrs, 'hostcategory'):
<br>
- raise errors.MutuallyExclusiveError(reason=_("hosts
cannot be added when host category='all'"))
<br>
+
<br>
+ if is_all(self._entry_attrs, 'hostcategory'):
<br>
+ raise errors.MutuallyExclusiveError(
<br>
+ reason=_("hosts cannot be added when host
category='all'"))
<br>
+
<br>
return add_external_pre_callback('host', ldap, dn,
keys, options)
<br>
</blockquote>
<br>
adds `self` to `self._entry_attrs`. That should be a part of the
next patch.
<br>
Git tip: `git log --word-diff` helps a lot when you play with
whitespace
<br>
</blockquote>
Right, it's gone.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
(Speaking of PEP8, if you could remove the baseldap star import
from sudorule.py, it would be great...)
<br>
<br>
<br>
</blockquote>
This one did hurt, but the star disappeared.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
General thoughts:
<br>
<br>
Would it be possible to merge schema_compat.uldif and
install/updates/10-schema_compat.update into one file? Is the
uldif special somehow? I guess this is a question for Rob.
<br>
It would be nice to add a link to some
schema-compat-entry-attribute documentation to these files.
<br>
<br>
</blockquote>
I added Rob to cc. Rob, can you elaborate on this?<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
<br>
0188 - sudorule: Allow using hostmasks for setting allowed hosts
<br>
<br>
Here:
<br>
<br>
<blockquote type="cite">--- a/install/updates/40-delegation.update
<br>
+++ b/install/updates/40-delegation.update
<br>
@@ -174,7 +174,7 @@ default:member: cn=Sudo
Administrator,cn=privileges,cn=pbac,$SUFFIX
<br>
dn: $SUFFIX
<br>
add:aci: '(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX">"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX"</a>)(version
3.0;acl "permission:Add Sudo rule";allow (add) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=AddSudorule,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Add Sudo rule,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
add:aci: '(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX">"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX"</a>)(version
3.0;acl "permission:Delete Sudo rule";allow (delete) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=DeleteSudorule,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Delete Sudo rule,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
-add:aci: '(targetattr = "description || ipaenabledflag ||
usercategory || hostcategory || cmdcategory ||
ipasudorunasusercategory || ipasudorunasgroupcategory ||
externaluser || ipasudorunasextuser || ipasudorunasextgroup ||
memberdenycmd || memberallowcmd || memberuser")(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX">"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX"</a>)(version
3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=ModifySudorule,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
+add:aci: '(targetattr = "description || ipaenabledflag ||
usercategory || hostcategory || cmdcategory ||
ipasudorunasusercategory || ipasudorunasgroupcategory ||
externaluser || ipasudorunasextuser || ipasudorunasextgroup ||
memberdenycmd || memberallowcmd || memberuser ||
hostmask")(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX">"ldap:///ipauniqueid=*,cn=sudorules,cn=sudo,$SUFFIX"</a>)(version
3.0;acl "permission:Modify Sudo rule";allow (write) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=ModifySudorule,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Modify Sudo rule,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
<br>
remove:aci: '(targetattr = "description")(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX">"ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX"</a>)(version 3.0;acl
"permission:Modify Sudo command";allow (write) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=ModifySudocommand,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Modify Sudo
command,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
remove:aci: '(target =
<a class="moz-txt-link-rfc2396E" href="ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX">"ldap:///sudocmd=*,cn=sudocmds,cn=sudo,$SUFFIX"</a>)(version 3.0;acl
"permission:Delete Sudo command";allow (delete) groupdn =
<a class="moz-txt-link-rfc2396E" href="ldap:///cn=DeleteSudocommand,cn=permissions,cn=pbac,$SUFFIX">"ldap:///cn=Delete Sudo
command,cn=permissions,cn=pbac,$SUFFIX"</a>;)'
<br>
</blockquote>
<br>
you'll want to remove the old ACI before adding the new version.
<br>
<br>
</blockquote>
This is irrelevant since we're rebased on top of your ACI
refactoring now.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">In
get_options of sudorule_add_host and sudorule_remove_host, it
would be DRY-er to put the hostmask in a shared variable.
<br>
<br>
You write:
<br>
<blockquote type="cite">- _entry_attrs =
ldap.get_entry(dn, self.obj.default_attributes)
<br>
+ self._entry_attrs = ldap.get_entry(dn,
self.obj.default_attributes)
<br>
</blockquote>
<br>
Never store anything on the Command object. They're currently
singletons. Another thread could change _entry_attrs to a
different value.
<br>
This affects all the other uses of self._entry_attrs, of course.
<br>
</blockquote>
Fixed.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
In:
<br>
<blockquote type="cite">+ num_added =
len(new_masks.difference(old_masks))
<br>
</blockquote>
and:
<br>
<blockquote type="cite">+ entry_attrs['hostmask'] =
list(old_masks.union(new_masks))
<br>
</blockquote>
and:
<br>
<blockquote type="cite">+ num_added =
len(removed_masks.intersection(old_masks))
<br>
</blockquote>
etc.: with two sets, you can use the `-`, `|`, and `&`
operators.
<br>
<br>
</blockquote>
Cool tip, replaced!<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
Since you're touching this:
<br>
<blockquote type="cite">+ return
add_external_post_callback('memberhost', 'host', 'externalhost',
<br>
+ ldap, completed,
failed, dn,
<br>
+ entry_attrs, keys,
options)
<br>
</blockquote>
it would be nice to pass the arguments by name, for clarity and to
avoid mistakes. I guess this should be in the PEP8 patch, too.
<br>
<br>
</blockquote>
Done, part of patch 225.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
<br>
<br>
0189 sudorule: Allow using external groups as groups of runAsUsers
<br>
<br>
In sudorule_add_runasuser and sudorule_remove_runasuser, could you
again pass the arguments by name?
<br>
I'd welcome comment explaining why completed=0. If you could throw
in a comment for add_external_post_callback explaining the inputs
and outputs, it would be great -- I'm getting quite lost in this
code.
<br>
(I'd even go as far as changing the signature of
*_external_post_callback -- AFAICS, in all the places we call it,
we do `*keys, **options` wrong, and the `completed` argument is
not useful at all. Most of the calls are from sudorule so it would
make sense to do it in this patchset.)
<br>
<br>
</blockquote>
This is done in the new attached patch 225.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">And a
heads-up: the change to "permission:Modify Sudo rule" conflicts
with my ACI work. Let me know if there are problems.
<br>
<br>
<br>
<br>
<br>
0190 sudorule: Make sure sudoRunAsGroup is dereferencing the
correct attribute
<br>
<br>
Looks good
<br>
<br>
<br>
<br>
<br>
0191 sudorule: Include externalhost and ipasudorunasextgroup in
the list of default attributes
<br>
<br>
Looks good
<br>
<br>
<br>
<br>
<br>
0192 sudorule: Allow adding deny commands when command category
set to ALL
<br>
<br>
Looks good
<br>
<br>
<br>
<br>
<br>
0193 sudorule: Make sure all the relevant attributes are checked
when setting category to ALL
<br>
<br>
Wow, haven't seen a copyright year change in some time. We are
sloppy with those. Portions of the file are still from 2010 so you
should definitely leave that year in, though. Actually I think the
proper year field would read "2010,2011,2012,2013,2014".
<br>
I am not a lawyer.
<br>
<br>
You're missing the `_` for the hostcategory error message.
<br>
Did you think about using something like _("%s cannot be set to
'all' while there are %s")?
<br>
<br>
</blockquote>
Fixed. Initially, I changed the message as you suggested, but then I
realized, that this might pose a problem for translations that do
not follow the word order in the sentence as it is defined in
English language.<br>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
<br>
0194 sudorule: Fix the order of the parameters to have less
chaotic output
<br>
<br>
Looks fine
<br>
<br>
<br>
<br>
<br>
0195-sudorule-Enforce-category-ALL-checks-on-dirsrv-level.patch
<br>
<br>
Looks fine
<br>
<br>
<br>
<br>
<br>
0196-0198 (Add tests)
<br>
<br>
Looks fine. Just remind me, why is this all in integration tests?
Couldn't it at least some of it be in the main test suite? It
looks to me like most of it doesn't need multiple machines.
<br>
<br>
<br>
</blockquote>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<p>
We need to check that the rules are actually enforced on the
client setup to look them up on the IPA server. This tests compat
tree entry generation, SSSD-sudo integration and the actual rule
enforcement. All sudo commands are executed on the client machine.</p>
<br>
<blockquote cite="mid:538369E1.5020300@redhat.com" type="cite">
<br>
<br>
0199-0201 (test fixes)
<br>
<br>
OK
<br>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org </pre>
</body>
</html>