Ledger Nano X - The secure hardware wallet
SHARE
TWEET

SSSD patch adding URI to HBAC rule

a guest Feb 26th, 2016 73 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
  2. index a497304..e77fbf0 100644
  3. --- a/src/providers/ipa/hbac_evaluator.c
  4. +++ b/src/providers/ipa/hbac_evaluator.c
  5. @@ -224,7 +224,8 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
  6.      if (!rule->users
  7.       || !rule->services
  8.       || !rule->targethosts
  9. -     || !rule->srchosts) {
  10. +     || !rule->srchosts
  11. +     || !rule->url) {
  12.          *error = HBAC_ERROR_UNPARSEABLE_RULE;
  13.          return HBAC_EVAL_MATCH_ERROR;
  14.      }
  15. @@ -272,6 +273,12 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
  16.      } else if (!matched) {
  17.          return HBAC_EVAL_UNMATCHED;
  18.      }
  19. +
  20. +    /* Check URL */
  21. +    if (hbac_req->url!=NULL &&  sss_utf8_case_eq(rule->url, hbac_req->url) != EOK) {
  22. +        return HBAC_EVAL_UNMATCHED;
  23. +    }
  24. +
  25.      return HBAC_EVAL_MATCHED;
  26.  }
  27.  
  28. diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
  29. index 65a791c..dc6630c 100644
  30. --- a/src/providers/ipa/ipa_access.c
  31. +++ b/src/providers/ipa/ipa_access.c
  32. @@ -484,6 +484,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
  33.          goto fail;
  34.      }
  35.  
  36. +    /*TODO*/
  37.      for (i = 0; i < hbac_ctx->host_count; i++) {
  38.          ret = sysdb_attrs_get_string(hbac_ctx->hosts[i],
  39.                                       SYSDB_FQDN,
  40. @@ -504,6 +505,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
  41.      }
  42.  
  43.  
  44. +    /*TODO*/
  45.      /* Get the list of applicable rules */
  46.      req = ipa_hbac_rule_info_send(hbac_ctx,
  47.                                    be_ctx->ev,
  48. @@ -736,6 +738,7 @@ errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx,
  49.                              IPA_EXTERNAL_HOST,
  50.                              IPA_MEMBER_HOST,
  51.                              IPA_HOST_CATEGORY,
  52. +                            IPA_URL,
  53.                              NULL };
  54.  
  55.      tmp_ctx = talloc_new(NULL);
  56. diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
  57. index 9e85890..ce45451 100644
  58. --- a/src/providers/ipa/ipa_hbac.h
  59. +++ b/src/providers/ipa/ipa_hbac.h
  60. @@ -130,6 +130,8 @@ struct hbac_rule_element {
  61.       *  - Services: PAM service groups.
  62.       */
  63.      const char **groups;
  64. +
  65. +    char *url;
  66.  };
  67.  
  68.  /**
  69. @@ -139,6 +141,8 @@ struct hbac_rule {
  70.      const char *name;
  71.      bool enabled;
  72.  
  73. +    const char *url;
  74. +
  75.      /**
  76.       * Services and service groups
  77.       * for which this rule applies
  78. @@ -196,6 +200,9 @@ struct hbac_request_element {
  79.   *
  80.   */
  81.  struct hbac_eval_req {
  82. +
  83. +    const char *url;
  84. +
  85.      /** This is a list of service DNs to check,
  86.       * it must consist of the actual service
  87.       * requested, as well as all parent groups
  88. diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
  89. index 72a620e..184f74d 100644
  90. --- a/src/providers/ipa/ipa_hbac_common.c
  91. +++ b/src/providers/ipa/ipa_hbac_common.c
  92. @@ -354,6 +354,24 @@ hbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
  93.          goto done;
  94.      }
  95.  
  96. +    /* Get URL */
  97. +
  98. +    ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
  99. +                             IPA_URL, &el);
  100. +    if (ret != EOK) {
  101. +        DEBUG(SSSDBG_CRIT_FAILURE, "Could not get URL for rule [%s]\n",
  102. +                  new_rule->name);
  103. +        goto done;
  104. +    }
  105. +    if (el->num_values == 0) {
  106. +        DEBUG(SSSDBG_CONF_SETTINGS, "URL for rule [%s] is empty.\n", new_rule->name);
  107. +        new_rule->url = talloc_strdup(new_rule, "");
  108. +    } else {
  109. +        new_rule->url = talloc_strndup(new_rule,
  110. +                                        (const char*) el->values[0].data,
  111. +                                        el->values[0].length);
  112. +    }
  113. +
  114.      *rule = new_rule;
  115.      ret = EOK;
  116.  
  117. diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
  118. index c831cd5..d563aee 100644
  119. --- a/src/providers/ipa/ipa_hbac_private.h
  120. +++ b/src/providers/ipa/ipa_hbac_private.h
  121. @@ -54,6 +54,7 @@
  122.  #define IPA_MEMBER_SERVICE "memberService"
  123.  #define IPA_SERVICE_CATEGORY "serviceCategory"
  124.  #define IPA_TRUE_VALUE "TRUE"
  125. +#define IPA_URL "url"
  126.  
  127.  #define IPA_HBAC_BASE_TMPL "cn=hbac,%s"
  128.  #define IPA_SERVICES_BASE_TMPL "cn=hbacservices,cn=accounts,%s"
  129. diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
  130. index 7912dbe..2277eb4 100644
  131. --- a/src/providers/ipa/ipa_hbac_rules.c
  132. +++ b/src/providers/ipa/ipa_hbac_rules.c
  133. @@ -113,7 +113,8 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
  134.      state->attrs[11] = IPA_EXTERNAL_HOST;
  135.      state->attrs[12] = IPA_MEMBER_HOST;
  136.      state->attrs[13] = IPA_HOST_CATEGORY;
  137. -    state->attrs[14] = NULL;
  138. +    state->attrs[14] = IPA_URL;
  139. +    state->attrs[15] = NULL;
  140.  
  141.      rule_filter = talloc_asprintf(tmp_ctx,
  142.                                    "(&(objectclass=%s)"
  143. diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
  144. index 820ef11..6b91fee 100644
  145. --- a/src/python/pyhbac.c
  146. +++ b/src/python/pyhbac.c
  147. @@ -348,6 +348,7 @@ hbac_rule_element_set_names(HbacRuleElement *self, PyObject *names,
  148.  static int
  149.  hbac_rule_element_set_groups(HbacRuleElement *self, PyObject *groups,
  150.                               void *closure);
  151. +
  152.  static int
  153.  hbac_rule_element_set_category(HbacRuleElement *self, PyObject *category,
  154.                                 void *closure);
  155. @@ -631,6 +632,7 @@ typedef struct {
  156.      PyObject_HEAD
  157.  
  158.      PyObject *name;
  159. +    PyObject *url;
  160.      bool enabled;
  161.  
  162.      HbacRuleElement *users;
  163. @@ -662,6 +664,13 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
  164.          return NULL;
  165.      }
  166.  
  167. +    self->url = PyUnicode_FromString("");
  168. +    if (self->url == NULL) {
  169. +        Py_DECREF(self);
  170. +        PyErr_NoMemory();
  171. +        return NULL;
  172. +    }
  173. +
  174.      self->enabled = false;
  175.  
  176.      self->services = (HbacRuleElement *) HbacRuleElement_new(
  177. @@ -683,6 +692,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
  178.          Py_XDECREF(self->targethosts);
  179.          Py_XDECREF(self->srchosts);
  180.          Py_DECREF(self->name);
  181. +        Py_DECREF(self->url);
  182.          Py_DECREF(self);
  183.          PyErr_NoMemory();
  184.          return NULL;
  185. @@ -695,6 +705,7 @@ static int
  186.  HbacRule_clear(HbacRuleObject *self)
  187.  {
  188.      Py_CLEAR(self->name);
  189. +    Py_CLEAR(self->url);
  190.      Py_CLEAR(self->services);
  191.      Py_CLEAR(self->users);
  192.      Py_CLEAR(self->targethosts);
  193. @@ -713,6 +724,7 @@ static int
  194.  HbacRule_traverse(HbacRuleObject *self, visitproc visit, void *arg)
  195.  {
  196.      Py_VISIT((PyObject *) self->name);
  197. +    Py_VISIT((PyObject *) self->url);
  198.      Py_VISIT((PyObject *) self->services);
  199.      Py_VISIT((PyObject *) self->users);
  200.      Py_VISIT((PyObject *) self->targethosts);
  201. @@ -724,19 +736,22 @@ static int
  202.  hbac_rule_set_enabled(HbacRuleObject *self, PyObject *enabled, void *closure);
  203.  static int
  204.  hbac_rule_set_name(HbacRuleObject *self, PyObject *name, void *closure);
  205. +static int
  206. +hbac_rule_set_url(HbacRuleObject *self, PyObject *name, void *closure);
  207.  
  208.  static int
  209.  HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
  210.  {
  211. -    const char * const kwlist[] = { "name", "enabled", NULL };
  212. +    const char * const kwlist[] = { "name", "enabled", "url", NULL };
  213.      PyObject *name = NULL;
  214. +    PyObject *url = NULL;
  215.      PyObject *empty_tuple = NULL;
  216.      PyObject *enabled=NULL;
  217.  
  218.      if (!PyArg_ParseTupleAndKeywords(args, kwargs,
  219. -                                     sss_py_const_p(char, "O|O"),
  220. +                                     sss_py_const_p(char, "O|O0"),
  221.                                       discard_const_p(char *, kwlist),
  222. -                                     &name, &enabled)) {
  223. +                                     &name, &enabled, &url)) {
  224.          return -1;
  225.      }
  226.  
  227. @@ -750,6 +765,18 @@ HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
  228.          return -1;
  229.      }
  230.  
  231. +    if (!url) {
  232. +        url = PyUnicode_FromString("");
  233. +        if (url == NULL) {
  234. +            Py_DECREF(self);
  235. +            PyErr_NoMemory();
  236. +            return NULL;
  237. +        }
  238. +    }
  239. +    if (hbac_rule_set_url(self, url, NULL) == -1) {
  240. +        return -1;
  241. +    }
  242. +
  243.      empty_tuple = PyTuple_New(0);
  244.      if (!empty_tuple) {
  245.          return -1;
  246. @@ -864,6 +891,36 @@ hbac_rule_get_name(HbacRuleObject *self, void *closure)
  247.      return NULL;
  248.  }
  249.  
  250. +static int
  251. +hbac_rule_set_url(HbacRuleObject *self, PyObject *url, void *closure)
  252. +{
  253. +    CHECK_ATTRIBUTE_DELETE(url, "url");
  254. +
  255. +    if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
  256. +        PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
  257. +        return -1;
  258. +    }
  259. +
  260. +    SAFE_SET(self->url, url);
  261. +    return 0;
  262. +}
  263. +
  264. +static PyObject *
  265. +hbac_rule_get_url(HbacRuleObject *self, void *closure)
  266. +{
  267. +    if (PyUnicode_Check(self->url)) {
  268. +        Py_INCREF(self->url);
  269. +        return self->url;
  270. +    } else if (PyBytes_Check(self->url)) {
  271. +        return PyUnicode_FromEncodedObject(self->url,
  272. +                                           PYHBAC_ENCODING, PYHBAC_ENCODING_ERRORS);
  273. +    }
  274. +
  275. +    /* setter does typechecking but let us be paranoid */
  276. +    PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
  277. +    return NULL;
  278. +}
  279. +
  280.  static PyObject *
  281.  HbacRule_repr(HbacRuleObject *self)
  282.  {
  283. @@ -1032,6 +1089,8 @@ PyDoc_STRVAR(HbacRuleObject_enabled__doc__,
  284.  "(bool) Is the rule enabled");
  285.  PyDoc_STRVAR(HbacRuleObject_name__doc__,
  286.  "(string) The name of the rule");
  287. +PyDoc_STRVAR(HbacRuleObject_url__doc__,
  288. +"(string) The URL set for the rule");
  289.  
  290.  static PyGetSetDef py_hbac_rule_getset[] = {
  291.      { discard_const_p(char, "enabled"),
  292. @@ -1046,6 +1105,12 @@ static PyGetSetDef py_hbac_rule_getset[] = {
  293.        HbacRuleObject_name__doc__,
  294.        NULL },
  295.  
  296. +    { discard_const_p(char, "url"),
  297. +      (getter) hbac_rule_get_url,
  298. +      (setter) hbac_rule_set_url,
  299. +      HbacRuleObject_url__doc__,
  300. +      NULL },
  301. +
  302.      {NULL, 0, 0, 0, NULL} /* Sentinel */
  303.  };
  304.  
  305. @@ -1092,6 +1157,7 @@ HbacRule_to_native(HbacRuleObject *pyrule)
  306.  {
  307.      struct hbac_rule *rule = NULL;
  308.      PyObject *utf_name;
  309. +    PyObject *utf_url;
  310.  
  311.      rule = PyMem_Malloc(sizeof(struct hbac_rule));
  312.      if (!rule) {
  313. @@ -1117,6 +1183,17 @@ HbacRule_to_native(HbacRuleObject *pyrule)
  314.          goto fail;
  315.      }
  316.  
  317. +    utf_url = get_utf8_string(pyrule->url, "url");
  318. +    if (utf_url == NULL) {
  319. +        return NULL;
  320. +    }
  321. +
  322. +    rule->url = py_strdup(PyBytes_AsString(utf_url));
  323. +    Py_DECREF(utf_url);
  324. +    if (rule->url == NULL) {
  325. +        goto fail;
  326. +    }
  327. +
  328.      rule->services = HbacRuleElement_to_native(pyrule->services);
  329.      rule->users = HbacRuleElement_to_native(pyrule->users);
  330.      rule->targethosts = HbacRuleElement_to_native(pyrule->targethosts);
  331. @@ -1424,6 +1501,7 @@ typedef struct {
  332.      HbacRequestElement *srchost;
  333.  
  334.      PyObject *rule_name;
  335. +    PyObject *url;
  336.  } HbacRequest;
  337.  
  338.  static PyObject *
  339. @@ -1471,6 +1549,7 @@ HbacRequest_clear(HbacRequest *self)
  340.      Py_CLEAR(self->targethost);
  341.      Py_CLEAR(self->srchost);
  342.      Py_CLEAR(self->rule_name);
  343. +    Py_CLEAR(self->url);
  344.      return 0;
  345.  }
  346.  
  347. @@ -1492,6 +1571,10 @@ HbacRequest_traverse(HbacRequest *self, visitproc visit, void *arg)
  348.  }
  349.  
  350.  static int
  351. +hbac_request_set_url(HbacRequest *self, PyObject *url,
  352. +                            void *closure);
  353. +
  354. +static int
  355.  HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
  356.  {
  357.      PyObject *empty_tuple = NULL;
  358. @@ -1504,6 +1587,13 @@ HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
  359.  
  360.      self->rule_name = NULL;
  361.  
  362. +    self->url = PyUnicode_FromString("");
  363. +    if (self->url == NULL) {
  364. +        Py_DECREF(self);
  365. +        PyErr_NoMemory();
  366. +        return NULL;
  367. +    }
  368. +
  369.      if (HbacRequestElement_init(self->user, empty_tuple, NULL) == -1 ||
  370.          HbacRequestElement_init(self->service, empty_tuple, NULL) == -1 ||
  371.          HbacRequestElement_init(self->targethost, empty_tuple, NULL) == -1 ||
  372. @@ -1643,7 +1733,7 @@ fail:
  373.  }
  374.  
  375.  static PyObject *
  376. -hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
  377. +hbac_request_get_rule_name(HbacRequest *self, void *closure)
  378.  {
  379.      if (self->rule_name == NULL) {
  380.          Py_INCREF(Py_None);
  381. @@ -1658,6 +1748,36 @@ hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
  382.  }
  383.  
  384.  static PyObject *
  385. +hbac_request_get_url(HbacRequest *self, void *closure)
  386. +{
  387. +    //if (PyUnicode_Check(self->url)) {
  388. +        Py_INCREF(self->url);
  389. +        return self->url;
  390. +    //}
  391. +
  392. +    PyErr_Format(PyExc_TypeError, "url is not Unicode");
  393. +    return NULL;
  394. +}
  395. +
  396. +static int
  397. +hbac_request_set_url(HbacRequest *self, PyObject *url, void *closure)
  398. +{
  399. +    CHECK_ATTRIBUTE_DELETE(url, "url");
  400. +
  401. +    if(url==NULL){
  402. +        PyErr_Format(PyExc_TypeError, "URL must not be NULL");
  403. +        return -1;
  404. +    }
  405. +    if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
  406. +        PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
  407. +        return -1;
  408. +    }
  409. +
  410. +    SAFE_SET(self->url, url);
  411. +    return 0;
  412. +}
  413. +
  414. +static PyObject *
  415.  HbacRequest_repr(HbacRequest *self)
  416.  {
  417.      PyObject *user_repr;
  418. @@ -1760,7 +1880,14 @@ PyDoc_STRVAR(HbacRequest_rule_name__doc__,
  419.  
  420.  static PyGetSetDef py_hbac_request_getset[] = {
  421.      { discard_const_p(char, "rule_name"),
  422. -      (getter) hbac_request_element_get_rule_name,
  423. +      (getter) hbac_request_get_rule_name,
  424. +      NULL, /* read only */
  425. +      HbacRequest_rule_name__doc__,
  426. +      NULL },
  427. +
  428. +    { discard_const_p(char, "url"),
  429. +      (getter) hbac_request_get_url,
  430. +      (setter) hbac_request_set_url,
  431.        NULL, /* read only */
  432.        HbacRequest_rule_name__doc__,
  433.        NULL },
  434. @@ -1805,6 +1932,7 @@ free_hbac_eval_req(struct hbac_eval_req *req)
  435.  static struct hbac_eval_req *
  436.  HbacRequest_to_native(HbacRequest *pyreq)
  437.  {
  438. +    PyObject *utf_url;
  439.      struct hbac_eval_req *req = NULL;
  440.  
  441.      req = PyMem_Malloc(sizeof(struct hbac_eval_req));
  442. @@ -1820,6 +1948,21 @@ HbacRequest_to_native(HbacRequest *pyreq)
  443.          goto fail;
  444.      }
  445.  
  446. +    if(pyreq->url==NULL){
  447. +        PyErr_Format(PyExc_TypeError, "URL is NULL\n");
  448. +        goto fail;
  449. +    }
  450. +
  451. +    utf_url = get_utf8_string(pyreq->url, "url");
  452. +    if (utf_url == NULL) {
  453. +        return NULL;
  454. +    }
  455. +
  456. +    req->url = py_strdup(PyBytes_AsString(utf_url));
  457. +    Py_DECREF(utf_url);
  458. +    if (req->url == NULL) {
  459. +        goto fail;
  460. +    }
  461.      req->service = HbacRequestElement_to_native(pyreq->service);
  462.      req->user = HbacRequestElement_to_native(pyreq->user);
  463.      req->targethost = HbacRequestElement_to_native(pyreq->targethost);
  464. diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c
  465. index f2192a6..e0ab1f9 100644
  466. --- a/src/tests/ipa_hbac-tests.c
  467. +++ b/src/tests/ipa_hbac-tests.c
  468. @@ -54,6 +54,8 @@
  469.  /* These don't make sense for a user/group/service but they do the job and
  470.   * every one is from a different codepage */
  471.  /* Latin Extended A - "Czech" */
  472. +const uint8_t url_utf8_lowcase[] = { '/', 't', 'e', 's', 't', 'u', 'r', 0xC4, 0x8D, 'l', 0x0};
  473. +const uint8_t url_utf8_upcase[] = { '/', 'T', 'E', 'S', 'T', 'U', 'R', 0xC4, 0x8C, 'L', 0x0};
  474.  const uint8_t user_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 };
  475.  const uint8_t user_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 };
  476.  const uint8_t user_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 };
  477. @@ -202,6 +204,8 @@ START_TEST(ipa_hbac_test_allow_all)
  478.      get_test_user(eval_req, &eval_req->user);
  479.      get_test_service(eval_req, &eval_req->service);
  480.      get_test_srchost(eval_req, &eval_req->srchost);
  481. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  482. +    fail_if(eval_req->url == NULL);
  483.  
  484.      /* Create the rules to evaluate against */
  485.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  486. @@ -210,6 +214,8 @@ START_TEST(ipa_hbac_test_allow_all)
  487.      get_allow_all_rule(rules, &rules[0]);
  488.      rules[0]->name = talloc_strdup(rules[0], "Allow All");
  489.      fail_if(rules[0]->name == NULL);
  490. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  491. +    fail_if(rules[0]->url == NULL);
  492.      rules[1] = NULL;
  493.  
  494.      /* Validate this rule */
  495. @@ -250,6 +256,8 @@ START_TEST(ipa_hbac_test_allow_user)
  496.      get_test_user(eval_req, &eval_req->user);
  497.      get_test_service(eval_req, &eval_req->service);
  498.      get_test_srchost(eval_req, &eval_req->srchost);
  499. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  500. +    fail_if(eval_req->url == NULL);
  501.  
  502.      /* Create the rules to evaluate against */
  503.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  504. @@ -260,6 +268,8 @@ START_TEST(ipa_hbac_test_allow_user)
  505.      /* Modify the rule to allow only a specific user */
  506.      rules[0]->name = talloc_strdup(rules[0], "Allow user");
  507.      fail_if(rules[0]->name == NULL);
  508. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  509. +    fail_if(rules[0]->url == NULL);
  510.      rules[0]->users->category = HBAC_CATEGORY_NULL;
  511.  
  512.      rules[0]->users->names = talloc_array(rules[0], const char *, 2);
  513. @@ -333,6 +343,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
  514.      eval_req->user->name = (const char *) &user_utf8_lowcase;
  515.      eval_req->srchost->name = (const char *) &srchost_utf8_lowcase;
  516.      eval_req->service->name = (const char *) &service_utf8_lowcase;
  517. +    eval_req->url = (const char *) &url_utf8_lowcase;
  518.  
  519.      /* Create the rules to evaluate against */
  520.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  521. @@ -343,6 +354,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
  522.      rules[0]->name = talloc_strdup(rules[0], "Allow user");
  523.      fail_if(rules[0]->name == NULL);
  524.      rules[0]->users->category = HBAC_CATEGORY_NULL;
  525. +    rules[0]->url = (const char *) &url_utf8_upcase;
  526.  
  527.      /* Modify the rule to allow only a specific user */
  528.      rules[0]->users->names = talloc_array(rules[0], const char *, 2);
  529. @@ -446,6 +458,8 @@ START_TEST(ipa_hbac_test_allow_group)
  530.      get_test_user(eval_req, &eval_req->user);
  531.      get_test_service(eval_req, &eval_req->service);
  532.      get_test_srchost(eval_req, &eval_req->srchost);
  533. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  534. +    fail_if(eval_req->url == NULL);
  535.  
  536.      /* Create the rules to evaluate against */
  537.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  538. @@ -456,6 +470,8 @@ START_TEST(ipa_hbac_test_allow_group)
  539.      /* Modify the rule to allow only a group of users */
  540.      rules[0]->name = talloc_strdup(rules[0], "Allow group");
  541.      fail_if(rules[0]->name == NULL);
  542. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  543. +    fail_if(rules[0]->url == NULL);
  544.      rules[0]->users->category = HBAC_CATEGORY_NULL;
  545.  
  546.      rules[0]->users->names = NULL;
  547. @@ -525,6 +541,8 @@ START_TEST(ipa_hbac_test_allow_svc)
  548.      get_test_user(eval_req, &eval_req->user);
  549.      get_test_service(eval_req, &eval_req->service);
  550.      get_test_srchost(eval_req, &eval_req->srchost);
  551. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  552. +    fail_if(eval_req->url == NULL);
  553.  
  554.      /* Create the rules to evaluate against */
  555.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  556. @@ -535,6 +553,8 @@ START_TEST(ipa_hbac_test_allow_svc)
  557.      /* Modify the rule to allow only a specific service */
  558.      rules[0]->name = talloc_strdup(rules[0], "Allow service");
  559.      fail_if(rules[0]->name == NULL);
  560. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  561. +    fail_if(rules[0]->url == NULL);
  562.      rules[0]->services->category = HBAC_CATEGORY_NULL;
  563.  
  564.      rules[0]->services->names = talloc_array(rules[0], const char *, 2);
  565. @@ -603,6 +623,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
  566.      get_test_user(eval_req, &eval_req->user);
  567.      get_test_service(eval_req, &eval_req->service);
  568.      get_test_srchost(eval_req, &eval_req->srchost);
  569. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  570. +    fail_if(eval_req->url == NULL);
  571.  
  572.      /* Create the rules to evaluate against */
  573.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  574. @@ -613,6 +635,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
  575.      /* Modify the rule to allow only a group of users */
  576.      rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup");
  577.      fail_if(rules[0]->name == NULL);
  578. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  579. +    fail_if(rules[0]->url == NULL);
  580.      rules[0]->services->category = HBAC_CATEGORY_NULL;
  581.  
  582.      rules[0]->services->names = NULL;
  583. @@ -682,6 +706,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
  584.      get_test_user(eval_req, &eval_req->user);
  585.      get_test_service(eval_req, &eval_req->service);
  586.      get_test_srchost(eval_req, &eval_req->srchost);
  587. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  588. +    fail_if(eval_req->url == NULL);
  589.  
  590.      /* Create the rules to evaluate against */
  591.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  592. @@ -692,6 +718,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
  593.      /* Modify the rule to allow only a specific service */
  594.      rules[0]->name = talloc_strdup(rules[0], "Allow srchost");
  595.      fail_if(rules[0]->name == NULL);
  596. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  597. +    fail_if(rules[0]->url == NULL);
  598.      rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
  599.  
  600.      rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2);
  601. @@ -760,6 +788,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
  602.      get_test_user(eval_req, &eval_req->user);
  603.      get_test_service(eval_req, &eval_req->service);
  604.      get_test_srchost(eval_req, &eval_req->srchost);
  605. +    eval_req->url = talloc_strdup(eval_req, "/testurl");
  606. +    fail_if(eval_req->url == NULL);
  607.  
  608.      /* Create the rules to evaluate against */
  609.      rules = talloc_array(test_ctx, struct hbac_rule *, 2);
  610. @@ -770,6 +800,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
  611.      /* Modify the rule to allow only a group of users */
  612.      rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup");
  613.      fail_if(rules[0]->name == NULL);
  614. +    rules[0]->url = talloc_strdup(rules[0], "/testurl");
  615. +    fail_if(rules[0]->url == NULL);
  616.      rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
  617.  
  618.      rules[0]->srchosts->names = NULL;
  619. diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
  620. index e34f055..d72d879 100755
  621. --- a/src/tests/pyhbac-test.py
  622. +++ b/src/tests/pyhbac-test.py
  623. @@ -156,6 +156,16 @@ class PyHbacRuleTest(unittest.TestCase):
  624.          rule.name = new_name
  625.          self.assertEqual(rule.name, unicode(new_name))
  626.  
  627. +    def testRuleGetSetUrl(self):
  628. +        name = "someName"
  629. +        url = "/testurl"
  630. +    
  631. +        rule = pyhbac.HbacRule(name)
  632. +        self.assertEqual(rule.url, unicode(""))
  633. +    
  634. +        rule.url = url
  635. +        self.assertEqual(rule.url, unicode(url))
  636. +
  637.      def testRuleGetSetEnabled(self):
  638.          rule = pyhbac.HbacRule("testRuleGetSetEnabled")
  639.  
  640. @@ -367,23 +377,38 @@ class PyHbacRequestTest(unittest.TestCase):
  641.          # python 2.4 raises TypError, 2.7 raises AttributeError
  642.          self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
  643.  
  644. +    def testRuleUrl(self):
  645. +        url = "/testurl"
  646. +        req = pyhbac.HbacRequest()
  647. +        self.assertEqual(req.url, "")
  648. +        req.url = url
  649. +        self.assertEqual(req.url, url)
  650. +        # python 2.4 raises TypError, 2.7 raises AttributeError
  651. +        self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
  652. +
  653.      def testEvaluate(self):
  654.          name = "someuser"
  655.          service = "ssh"
  656.          srchost = "host1"
  657.          targethost = "host2"
  658. +        url = "/testurl"
  659.  
  660.          allow_rule = pyhbac.HbacRule("allowRule", enabled=True)
  661.          allow_rule.users.names = [ name ]
  662.          allow_rule.services.names = [ service ]
  663.          allow_rule.srchosts.names = [ srchost ]
  664.          allow_rule.targethosts.names = [ targethost ]
  665. +        allow_rule.url = url
  666.  
  667.          req = pyhbac.HbacRequest()
  668.          req.user.name = name
  669.          req.service.name = service
  670.          req.srchost.name = srchost
  671.          req.targethost.name = targethost
  672. +        req.url = url
  673. +
  674. +        # The URL of the rule should match the required URL
  675. +        self.assertEqual(req.url, allow_rule.url)
  676.  
  677.          # Test that an allow rule on its own allows access
  678.          res = req.evaluate((allow_rule,))
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top