Include indirect membership and canonicalize hosts during HBAC rules testing

When users and hosts are included into groups indirectly, make sure that during HBAC test e fill in all indirect groups properly into an HBAC request. Also, if hosts provided for test are not specified fully, canonicalize them using IPA domain. This makes possible following requests: ipa hbactest --user foobar --srchost vm-101 --host vm-101 --service sshd Request to evaluate: <user <name foobar groups [hbacusers,ipausers]> service <name sshd groups []> targethost <name vm-101.ipa.local groups []> srchost <name vm-101.ipa.local groups []> > Fixes: https://fedorahosted.org/freeipa/ticket/1862 https://fedorahosted.org/freeipa/ticket/1949
2025-02-25 18:55:28 -06:00 · 2011-10-11 11:25:24 +03:00 · 2011-10-11 11:25:24 +03:00 · 3e1c04f933
commit 3e1c04f933
parent ff3d3c0ab3
1 changed files with 23 additions and 7 deletions
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@ -204,6 +204,14 @@ class hbactest(Command):
        ),
    )

+    def canonicalize(self, host):
+        """
+        Canonicalize the host name -- add default IPA domain if that is missing
+        """
+        if host.find('.') == -1:
+            return u'%s.%s' % (host, self.env.domain)
+        return host
+
    def execute(self, *args, **options):
        # First receive all needed information:
        # 1. HBAC rules (whether enabled or disabled)
@ -264,7 +272,11 @@ class hbactest(Command):
        if options['user'] != u'all':
            try:
                request.user.name = options['user']
-                request.user.groups = self.api.Command.user_show(request.user.name)['result']['memberof_group']
+                search_result = self.api.Command.user_show(request.user.name)['result']
+                groups = search_result['memberof_group']
+                if 'memberofindirect_group' in search_result:
+                    groups += search_result['memberofindirect_group']
+                request.user.groups = sorted(set(groups))
            except:
                pass

@ -278,19 +290,23 @@ class hbactest(Command):

        if options['sourcehost'] != u'all':
            try:
-                request.srchost.name = options['sourcehost']
+                request.srchost.name = self.canonicalize(options['sourcehost'])
                srchost_result = self.api.Command.host_show(request.srchost.name)['result']
-                srchost_groups = srchost_result['memberof_hostgroup']
-                request.srchost.groups = sorted(set(srchost_groups))
+                groups = srchost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in srchost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.srchost.groups = sorted(set(groups))
            except:
                 pass

        if options['targethost'] != u'all':
            try:
-                request.targethost.name = options['targethost']
+                request.targethost.name = self.canonicalize(options['targethost'])
                tgthost_result = self.api.Command.host_show(request.targethost.name)['result']
-                tgthost_groups = tgthost_result['memberof_hostgroup']
-                request.targethost.groups = sorted(set(tgthost_groups))
+                groups = tgthost_result['memberof_hostgroup']
+                if 'memberofindirect_hostgroup' in tgthost_result:
+                    groups += search_result['memberofindirect_hostgroup']
+                request.targethost.groups = sorted(set(groups))
            except:
                pass