Remove accessTime from HBAC.

ticket 545
Rob Crittenden
2010-12-03 13:57:19 -05:00
parent 19049d1a64
commit bfb3e46996
2 changed files with 47 additions and 45 deletions


@@ -21,16 +21,12 @@ Host-based access control
Control who can access what services on what hosts and from where. You
can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host. You can also
control the times that the rule is active.
access a service, or group of services, on a target host.
You can also specify a category of users, target hosts, and source
hosts. This is currently limited to "all", but might be expanded in the
future.
The access time(s) of a host are cumulative and are not guaranteed to be
applied in the order displayed.
Target hosts and source hosts in HBAC rules must be hosts managed by IPA.
The available services and groups of services are controlled by the
@@ -46,13 +42,6 @@ EXAMPLES:
Display the properties of a named HBAC rule:
ipa hbac-show test1
Specify that the rule "test1" be active every day between 0800 and 1400:
ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
Specify that the rule "test1" be active once, from 10:32 until 10:33 on
December 16, 2010:
ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
Create a rule for a specific service. This lets the user john access
the sshd service on any machine from any machine:
ipa hbac-add --type=allow --hostcat=all --srchostcat=all john_sshd
@@ -75,6 +64,22 @@ EXAMPLES:
ipa hbac-del allow_server
"""
# AccessTime support is being removed for now.
#
# You can also control the times that the rule is active.
#
# The access time(s) of a host are cumulative and are not guaranteed to be
# applied in the order displayed.
#
# Specify that the rule "test1" be active every day between 0800 and 1400:
# ipa hbac-add-accesstime --time='periodic daily 0800-1400' test1
#
# Specify that the rule "test1" be active once, from 10:32 until 10:33 on
# December 16, 2010:
# ipa hbac-add-accesstime --time='absolute 201012161032 ~ 201012161033' test1
from ipalib import api, errors
from ipalib import AccessTime, Password, Str, StrEnum
from ipalib.plugins.baseldap import *
@@ -102,7 +107,7 @@ class hbac(LDAPObject):
object_class = ['ipaassociation', 'ipahbacrule']
default_attributes = [
'cn', 'accessruletype', 'ipaenabledflag',
'accesstime', 'description', 'usercategory', 'hostcategory',
'description', 'usercategory', 'hostcategory',
'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
'memberuser', 'sourcehost', 'memberhost', 'memberservice',
'memberhostgroup',
@@ -155,10 +160,10 @@ class hbac(LDAPObject):
doc=_('Service category the rule applies to'),
values=(u'all', ),
),
AccessTime('accesstime?',
cli_name='time',
label=_('Access time'),
),
# AccessTime('accesstime?',
# cli_name='time',
# label=_('Access time'),
# ),
Str('description?',
cli_name='desc',
label=_('Description'),
@@ -346,7 +351,7 @@ class hbac_add_accesstime(LDAPQuery):
)
)
api.register(hbac_add_accesstime)
#api.register(hbac_add_accesstime)
class hbac_remove_accesstime(LDAPQuery):
@@ -386,7 +391,7 @@ class hbac_remove_accesstime(LDAPQuery):
)
)
api.register(hbac_remove_accesstime)
#api.register(hbac_remove_accesstime)
class hbac_add_user(LDAPAddMember):
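Review bot: Rules that already store an `accesstime` value are not handled anywhere in this section. The attribute is dropped from `default_attributes`, the `AccessTime('accesstime?')` param is commented out, and both `api.register(...)` calls are disabled, so such a rule would no longer show its time restriction by default and could not have it removed through the CLI. Whether the component that evaluates the rule still honours a stored value is not visible here; if it ignores it, a time-limited allow rule becomes always active with no change an administrator would notice. I would state this in the new comment block, e.g. `# NOTE: existing rules may still carry accesstime values; they are no longer displayed or editable through this plugin.` The `hbac_add_accesstime` and `hbac_remove_accesstime` class bodies lie outside the hunks and, together with the `AccessTime` import, remain as unregistered code; deleting them would leave history to version control rather than to comments.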


@@ -55,13 +55,11 @@ class test_hbac(XMLRPC_test):
ret = self.failsafe_add(api.Object.hbac,
self.rule_name,
accessruletype=self.rule_type,
accesstime=self.rule_time,
description=self.rule_desc,
)
entry = ret['result']
assert_attr_equal(entry, 'cn', self.rule_name)
assert_attr_equal(entry, 'accessruletype', self.rule_type)
assert_attr_equal(entry, 'accesstime', self.rule_time)
assert_attr_equal(entry, 'ipaenabledflag', 'TRUE')
assert_attr_equal(entry, 'description', self.rule_desc)
@@ -85,7 +83,6 @@ class test_hbac(XMLRPC_test):
entry = api.Command['hbac_show'](self.rule_name)['result']
assert_attr_equal(entry, 'cn', self.rule_name)
assert_attr_equal(entry, 'accessruletype', self.rule_type)
assert_attr_equal(entry, 'accesstime', self.rule_time)
assert_attr_equal(entry, 'ipaenabledflag', 'TRUE')
assert_attr_equal(entry, 'description', self.rule_desc)
@@ -99,30 +96,30 @@ class test_hbac(XMLRPC_test):
entry = ret['result']
assert_attr_equal(entry, 'description', self.rule_desc_mod)
def test_4_hbac_add_accesstime(self):
"""
Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
"""
return
ret = api.Command['hbac_add_accesstime'](
self.rule_name, accesstime=self.rule_time2
)
entry = ret['result']
assert_attr_equal(entry, 'accesstime', self.rule_time);
assert_attr_equal(entry, 'accesstime', self.rule_time2);
# def test_4_hbac_add_accesstime(self):
# """
# Test adding access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
# """
# return
# ret = api.Command['hbac_add_accesstime'](
# self.rule_name, accesstime=self.rule_time2
# )
# entry = ret['result']
# assert_attr_equal(entry, 'accesstime', self.rule_time);
# assert_attr_equal(entry, 'accesstime', self.rule_time2);
def test_5_hbac_add_accesstime(self):
"""
Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
"""
try:
api.Command['hbac_add_accesstime'](
self.rule_name, accesstime=self.rule_time_fail
)
except errors.ValidationError:
pass
else:
assert False
# def test_5_hbac_add_accesstime(self):
# """
# Test adding invalid access time to HBAC rule using `xmlrpc.hbac_add_accesstime`.
# """
# try:
# api.Command['hbac_add_accesstime'](
# self.rule_name, accesstime=self.rule_time_fail
# )
# except errors.ValidationError:
# pass
# else:
# assert False
def test_6_hbac_find(self):
"""
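Review bot: Commenting out `test_4_hbac_add_accesstime` and `test_5_hbac_add_accesstime` leaves nothing that checks the removal itself. No test asserts that `hbac_add_accesstime` is no longer exposed, or that passing `accesstime=` to the add call is now refused, so a later re-registration or a stray param would pass the suite unnoticed. A short negative test for each would pin the new behaviour; the exact exception depends on how the framework reports an unknown command or option, which is not visible in this section. The old `test_4` already began with a bare `return`, so it was not exercising the feature before this change either. Deleting the two blocks would be cleaner than keeping them as comments. The `rule_time`, `rule_time2` and `rule_time_fail` fixtures presumably remain defined on the class outside these hunks and could go with them.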