Add {user,host,sourcehost}Category to HBAC and make accessTime multivalue.

ipalib/plugins/hbac.py

@@ -73,9 +73,25 @@ class hbac(LDAPObject):
             cli_name='service',
             doc='name of service the rule applies to (e.g. ssh)',
         ),
-        GeneralizedTime('accesstime?',
+        # FIXME: {user,host,sourcehost}categories should expand in the future
+        StrEnum('usercategory?',
+            cli_name='usercat',
+            doc='user category the rule applies to',
+            values=(u'all', ),
+        ),
+        StrEnum('hostcategory?',
+            cli_name='hostcat',
+            doc='host category the rule applies to',
+            values=(u'all', ),
+        ),
+        StrEnum('sourcehostcategory?',
+            cli_name='srchostcat',
+            doc='source host category the rule applies to',
+            values=(u'all', ),
+        ),
+        AccessTime('accesstime?',
             cli_name='time',
-            doc='access time in generalizedTime format (RFC 4517)',
+            doc='access time',
         ),
         Str('description?',
             cli_name='desc',
@@ -201,6 +217,82 @@ class hbac_disable(LDAPQuery):
 api.register(hbac_disable)
 
 
+class hbac_add_accesstime(LDAPQuery):
+    """
+    Add access time to HBAC rule.
+    """
+    takes_options = (
+        GeneralizedTime('accesstime',
+            cli_name='time',
+            doc='access time',
+        ),
+    )
+
+    def execute(self, cn, **options):
+        ldap = self.obj.backend
+
+        dn = self.obj.get_dn(cn)
+
+        (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime'])
+        entry_attrs.setdefault('accesstime', []).append(
+            options['accesstime']
+        )
+        try:
+            ldap.update_entry(dn, entry_attrs)
+        except errors.EmptyModlist:
+            pass
+
+        return True
+
+    def output_for_cli(self, textui, result, cn, **options):
+        textui.print_name(self.name)
+        textui.print_dashed(
+            'Added access time "%s" to HBAC rule "%s"' % (
+                options['accesstime'], cn
+            )
+        )
+
+api.register(hbac_add_accesstime)
+
+
+class hbac_remove_accesstime(LDAPQuery):
+    """
+    Remove access time to HBAC rule.
+    """
+    takes_options = (
+        GeneralizedTime('accesstime?',
+            cli_name='time',
+            doc='access time',
+        ),
+    )
+
+    def execute(self, cn, **options):
+        ldap = self.obj.backend
+
+        dn = self.obj.get_dn(cn)
+
+        (dn, entry_attrs) = ldap.get_entry(dn, ['accesstime'])
+        try:
+            entry_attrs.setdefault('accesstime', []).remove(
+                options['accesstime']
+            )
+            ldap.update_entry(dn, entry_attrs)
+        except (ValueError, errors.EmptyModlist):
+            pass
+
+        return True
+
+    def output_for_cli(self, textui, result, cn, **options):
+        textui.print_name(self.name)
+        textui.print_dashed(
+            'Removed access time "%s" from HBAC rule "%s"' % (
+                options['accesstime'], cn
+            )
+        )
+
+api.register(hbac_remove_accesstime)
+
+
 class hbac_add_user(LDAPAddMember):
     """
     Add users and groups affected by HBAC rule.

tests/test_xmlrpc/test_hbac_plugin.py

@@ -34,6 +34,7 @@ class test_hbac(XMLRPC_test):
     rule_type_fail = u'value not allowed'
     rule_service = u'ssh'
     rule_time = u'absolute 20081010000000 ~ 20081015120000'
+    rule_time2 = u'absolute 20081010000000 ~ 20081016120000'
     # wrong time, has 30th day in February in first date
     rule_time_fail = u'absolute 20080230000000 ~ 20081015120000'
     rule_desc = u'description'
@@ -59,8 +60,8 @@ class test_hbac(XMLRPC_test):
         assert_attr_equal(res, 'cn', self.rule_name)
         assert_attr_equal(res, 'accessruletype', self.rule_type)
         assert_attr_equal(res, 'servicename', self.rule_service)
-        assert_attr_equal(res, 'ipaenabledflag', 'enabled')
         assert_attr_equal(res, 'accesstime', self.rule_time)
+        assert_attr_equal(res, 'ipaenabledflag', 'TRUE')
         assert_attr_equal(res, 'description', self.rule_desc)
 
     def test_1_hbac_add(self):
@@ -85,8 +86,8 @@ class test_hbac(XMLRPC_test):
         assert_attr_equal(res, 'cn', self.rule_name)
         assert_attr_equal(res, 'accessruletype', self.rule_type)
         assert_attr_equal(res, 'servicename', self.rule_service)
-        assert_attr_equal(res, 'ipaenabledflag', 'enabled')
         assert_attr_equal(res, 'accesstime', self.rule_time)
+        assert_attr_equal(res, 'ipaenabledflag', 'TRUE')
         assert_attr_equal(res, 'description', self.rule_desc)
 
     def test_3_hbac_mod(self):
@@ -99,25 +100,23 @@ class test_hbac(XMLRPC_test):
         assert res
         assert_attr_equal(res, 'description', self.rule_desc_mod)
 
-    def test_4_hbac_mod(self):
+    def test_4_hbac_add_accesstime(self):
         """
-        Test setting invalid type of HBAC rule using `xmlrpc.hbac_mod`.
+        Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
         """
-        try:
-            (dn, res) = api.Command['hbac_mod'](
-                self.rule_name, accessruletype=self.rule_type_fail
-            )
-        except errors.ValidationError:
-            pass
-        else:
-            assert False
+        (dn, res) = api.Command['hbac_add_accesstime'](
+            self.rule_name, accesstime=self.rule_time2
+        )
+        assert res
+        assert_attr_equal(res, 'accesstime', self.rule_time);
+        assert_attr_equal(res, 'accesstime', self.rule_time2);
 
-    def test_5_hbac_mod(self):
+    def test_5_hbac_add_accesstime(self):
         """
-        Test setting invalid time in HBAC rule using `xmlrpc.hbac_mod`.
+        Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
         """
         try:
-            (dn, res) = api.Command['hbac_mod'](
+            api.Command['hbac_add_accesstime'](
                 self.rule_name, accesstime=self.rule_time_fail
             )
         except errors.ValidationError: