Validate externalhost (when added by --addattr/--setattr)

Change the externalhost attribute of hbacrule, netgroup
and sudorule into a full-fledged Parameter, and attach
a validator to it.
The validator is relaxed to allow underscores, so that
some hosts with nonstandard names can be added.

Tests included.

https://fedorahosted.org/freeipa/ticket/2649

ipalib/plugins/baseldap.py

@@ -157,9 +157,6 @@ global_output_params = (
     Str('memberofindirect_hbacrule?',
         label='Indirect Member of HBAC rule',
     ),
-    Str('externalhost?',
-        label=_('External host'),
-    ),
     Str('sourcehost',
         label=_('Failed source hosts/hostgroups'),
     ),
@@ -313,6 +310,20 @@ def wait_for_value(ldap, dn, attr, value):
 
     return entry_attrs
 
+
+def validate_externalhost(ugettext, hostname):
+    try:
+        validate_hostname(hostname, check_fqdn=False, allow_underscore=True)
+    except ValueError, e:
+        return unicode(e)
+
+
+external_host_param = Str('externalhost*', validate_externalhost,
+        label=_('External host'),
+        flags=['no_create', 'no_update', 'no_search'],
+)
+
+
 def add_external_pre_callback(membertype, ldap, dn, keys, options):
     """
     Pre callback to validate external members.

ipalib/plugins/hbacrule.py

@@ -219,6 +219,7 @@ class hbacrule(LDAPObject):
             label=_('Service Groups'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        external_host_param,
     )
 
 api.register(hbacrule)

ipalib/plugins/netgroup.py

@@ -146,6 +146,7 @@ class netgroup(LDAPObject):
             doc=_('Host category the rule applies to'),
             values=(u'all', ),
         ),
+        external_host_param,
     )
 
 api.register(netgroup)

ipalib/plugins/sudorule.py

@@ -217,6 +217,7 @@ class sudorule(LDAPObject):
             doc=_('Run with the gid of a specified POSIX group'),
             flags=['no_create', 'no_update', 'no_search'],
         ),
+        external_host_param,
     )
 
     order_not_unique_msg = _(

tests/test_xmlrpc/test_hbac_plugin.py

@@ -377,6 +377,15 @@ class test_hbac(XMLRPC_test):
         entry = ret['result']
         assert_attr_equal(entry, 'externalhost', self.test_host_external)
 
+    @raises(errors.ValidationError)
+    def test_c_hbacrule_mod_invalid_external_setattr(self):
+        """
+        Test adding the same external host using `xmlrpc.hbacrule_add_host`.
+        """
+        ret = api.Command['hbacrule_mod'](
+            self.rule_name, setattr=self.test_invalid_sourcehost
+        )
+
     def test_c_hbacrule_remove_external_host(self):
         """
         Test removing external source host using `xmlrpc.hbacrule_remove_host`.

tests/test_xmlrpc/test_netgroup_plugin.py

@@ -46,6 +46,8 @@ host_dn1 = DN(('fqdn',host1),('cn','computers'),('cn','accounts'),
 
 unknown_host = u'unknown'
 
+unknown_host2 = u'unknown2'
+
 hostgroup1 = u'hg1'
 hostgroup_dn1 = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
                    api.env.basedn)
@@ -828,6 +830,66 @@ class test_netgroup(Declarative):
             ),
         ),
 
+        dict(
+            desc='Add invalid host %r to netgroup %r using setattr' %
+                (invalidhost, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(setattr='externalhost=%s' % invalidhost)
+            ),
+            expected=errors.ValidationError(name='externalhost',
+                error='only letters, numbers, _, and - are allowed. ' +
+                    'DNS label may not start or end with -'),
+        ),
+
+        dict(
+            desc='Add unknown host %r to netgroup %r using addattr' %
+                (unknown_host2, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(addattr='externalhost=%s' % unknown_host2)
+            ),
+            expected=dict(
+                value=u'netgroup1',
+                summary=u'Modified netgroup "netgroup1"',
+                result={
+                        'memberhost_host': (host1,),
+                        'memberhost_hostgroup': (hostgroup1,),
+                        'memberuser_user': (user1,),
+                        'memberuser_group': (group1,),
+                        'member_netgroup': (netgroup2,),
+                        'cn': [netgroup1],
+                        'description': [u'Test netgroup 1'],
+                        'nisdomainname': [u'%s' % api.env.domain],
+                        'externalhost': [unknown_host, unknown_host2],
+                },
+            )
+        ),
+
+        dict(
+            desc='Remove unknown host %r from netgroup %r using delattr' %
+                (unknown_host2, netgroup1),
+            command=(
+                'netgroup_mod', [netgroup1],
+                dict(delattr='externalhost=%s' % unknown_host2)
+            ),
+            expected=dict(
+                value=u'netgroup1',
+                summary=u'Modified netgroup "netgroup1"',
+                result={
+                        'memberhost_host': (host1,),
+                        'memberhost_hostgroup': (hostgroup1,),
+                        'memberuser_user': (user1,),
+                        'memberuser_group': (group1,),
+                        'member_netgroup': (netgroup2,),
+                        'cn': [netgroup1],
+                        'description': [u'Test netgroup 1'],
+                        'nisdomainname': [u'%s' % api.env.domain],
+                        'externalhost': [unknown_host],
+                },
+            )
+        ),
+
         dict(
             desc='Retrieve %r' % netgroup1,
             command=('netgroup_show', [netgroup1], {}),

tests/test_xmlrpc/test_sudorule_plugin.py

@@ -484,6 +484,23 @@ class test_sudorule(XMLRPC_test):
         else:
             assert False
 
+    def test_a_sudorule_mod_externalhost_invalid_addattr(self):
+        """
+        Test adding an invalid external host to Sudo rule using
+        `xmlrpc.sudorule_mod --addattr`.
+        """
+        try:
+            api.Command['sudorule_mod'](
+                self.rule_name,
+                addattr='externalhost=%s' % self.test_invalid_host
+            )
+        except errors.ValidationError, e:
+            assert unicode(e) == ("invalid 'externalhost': only letters, " +
+                "numbers, _, and - are allowed. " +
+                "DNS label may not start or end with -")
+        else:
+            assert False
+
     def test_b_sudorule_remove_externalhost(self):
         """
         Test removing an external host from Sudo rule using