Remove the ability to create new HBAC deny rules.

New rules will all be allow type. Existing rules cannot be changed to
deny.

The type attribute now defaults to allow with autofill so it won't be
prompted in interactive mode in the cli.

https://fedorahosted.org/freeipa/ticket/1432

API.txt

@@ -1018,7 +1018,7 @@ output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e
 command: hbacrule_add
 args: 1,11,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, required=True)
-option: StrEnum('accessruletype', attribute=True, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=True, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=True, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
@@ -1099,7 +1099,7 @@ command: hbacrule_find
 args: 1,12,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Str('cn', attribute=True, autofill=False, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=False)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, query=True, required=False, values=(u'all',))
@@ -1117,7 +1117,7 @@ output: Output('truncated', <type 'bool'>, 'True if not all results were returne
 command: hbacrule_mod
 args: 1,12,3
 arg: Str('cn', attribute=True, cli_name='name', label=Gettext('Rule name', domain='ipa', localedir=None), multivalue=False, primary_key=True, query=True, required=True)
-option: StrEnum('accessruletype', attribute=True, autofill=False, cli_name='type', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
+option: StrEnum('accessruletype', validate_type, attribute=True, autofill=False, cli_name='type', default=u'allow', label=Gettext('Rule type', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'allow', u'deny'))
 option: StrEnum('usercategory', attribute=True, autofill=False, cli_name='usercat', label=Gettext('User category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('hostcategory', attribute=True, autofill=False, cli_name='hostcat', label=Gettext('Host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))
 option: StrEnum('sourcehostcategory', attribute=True, autofill=False, cli_name='srchostcat', label=Gettext('Source host category', domain='ipa', localedir=None), multivalue=False, required=False, values=(u'all',))

ipalib/plugins/hbacrule.py

@@ -87,6 +87,10 @@ from ipalib import _, ngettext
 
 topic = ('hbac', 'Host-based access control commands')
 
+def validate_type(ugettext, type):
+    if type.lower() == 'deny':
+        raise errors.ValidationError(name='type', error=_('The deny type has been deprecated.'))
+
 def is_all(options, attribute):
     """
     See if options[attribute] is lower-case 'all' in a safe way.
@@ -132,11 +136,13 @@ class hbacrule(LDAPObject):
             label=_('Rule name'),
             primary_key=True,
         ),
-        StrEnum('accessruletype',
+        StrEnum('accessruletype', validate_type,
             cli_name='type',
-            doc=_('Rule type (allow or deny)'),
+            doc=_('Rule type (allow)'),
             label=_('Rule type'),
             values=(u'allow', u'deny'),
+            default=u'allow',
+            autofill=True,
         ),
         # FIXME: {user,host,sourcehost,service}categories should expand in the future
         StrEnum('usercategory?',

tests/test_xmlrpc/test_hbac_plugin.py

@@ -436,6 +436,31 @@ class test_hbac(XMLRPC_test):
         finally:
             api.Command['hbacrule_remove_service'](self.rule_name, hbacsvc=self.test_service)
 
+    def test_l_hbacrule_add(self):
+        """
+        Test adding a new HBAC rule with a deny type.
+        """
+        try:
+            api.Command['hbacrule_add'](
+                u'denyrule',
+                accessruletype=u'deny',
+                description=self.rule_desc,
+            )
+        except errors.ValidationError:
+            pass
+
+    def test_m_hbacrule_add(self):
+        """
+        Test changing an HBAC rule to the deny type
+        """
+        try:
+            api.Command['hbacrule_mod'](
+                self.rule_name,
+                accessruletype=u'deny',
+            )
+        except errors.ValidationError:
+            pass
+
     def test_z_hbacrule_del(self):
         """
         Test deleting a HBAC rule using `xmlrpc.hbacrule_del`.