- diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
- index a497304..e77fbf0 100644
- --- a/src/providers/ipa/hbac_evaluator.c
- +++ b/src/providers/ipa/hbac_evaluator.c
- @@ -224,7 +224,8 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
- if (!rule->users
- || !rule->services
- || !rule->targethosts
- - || !rule->srchosts) {
- + || !rule->srchosts
- + || !rule->url) {
- *error = HBAC_ERROR_UNPARSEABLE_RULE;
- return HBAC_EVAL_MATCH_ERROR;
- }
- @@ -272,6 +273,12 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
- } else if (!matched) {
- return HBAC_EVAL_UNMATCHED;
- }
- +
- + /* Check URL */
- + if (hbac_req->url!=NULL && sss_utf8_case_eq(rule->url, hbac_req->url) != EOK) {
- + return HBAC_EVAL_UNMATCHED;
- + }
- +
- return HBAC_EVAL_MATCHED;
- }
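Review bot: The URL check is skipped entirely when `hbac_req->url` is NULL, so a rule restricted to a URL still returns HBAC_EVAL_MATCHED for a request that carries no URL; for an access-control decision that is fail-open. The condition should decide that case explicitly, e.g. `if (hbac_req->url == NULL || sss_utf8_case_eq(rule->url, hbac_req->url) != EOK)`, or the rule format should define a wildcard value. Every non-EOK result is also folded into HBAC_EVAL_UNMATCHED, so a comparison error cannot be told apart from a clean mismatch and is never reported through `*error`. The comparison is case-insensitive with no path normalisation, which deserves a comment saying this is intended for URLs. The function body starts outside the hunk.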
- diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
- index 65a791c..dc6630c 100644
- --- a/src/providers/ipa/ipa_access.c
- +++ b/src/providers/ipa/ipa_access.c
- @@ -484,6 +484,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
- goto fail;
- }
- + /*TODO*/
- for (i = 0; i < hbac_ctx->host_count; i++) {
- ret = sysdb_attrs_get_string(hbac_ctx->hosts[i],
- SYSDB_FQDN,
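Review bot: The bare `/*TODO*/` markers here and before the `ipa_hbac_rule_info_send` call in the next hunk do not say what is still to be done. Nothing visible in this diff sets `url` on the request that the provider evaluates, so if that is the missing piece the comment should say so, e.g. `/* TODO: populate the request URL before the rules are evaluated */`. Both hunks sit in the middle of hbac_get_rule_info_step, whose start and end are outside the hunks.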
- @@ -504,6 +505,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
- }
- + /*TODO*/
- /* Get the list of applicable rules */
- req = ipa_hbac_rule_info_send(hbac_ctx,
- be_ctx->ev,
- @@ -736,6 +738,7 @@ errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx,
- IPA_EXTERNAL_HOST,
- IPA_MEMBER_HOST,
- IPA_HOST_CATEGORY,
- + IPA_URL,
- NULL };
- tmp_ctx = talloc_new(NULL);
- diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
- index 9e85890..ce45451 100644
- --- a/src/providers/ipa/ipa_hbac.h
- +++ b/src/providers/ipa/ipa_hbac.h
- @@ -130,6 +130,8 @@ struct hbac_rule_element {
- * - Services: PAM service groups.
- */
- const char **groups;
- +
- + char *url;
- };
- /**
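Review bot: The `char *url` member added to `struct hbac_rule_element` is not read or written anywhere else in this diff, while the evaluator uses `rule->url` and `hbac_req->url`; it looks like a leftover and could be dropped. The two fields that are used, `const char *url` in `struct hbac_rule` and in `struct hbac_eval_req` (following hunks), have no doc comment although their neighbours do. A comment such as `/** URL this rule applies to; compared case-insensitively with hbac_eval_req.url, "" when the rule has none */` would record the contract.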
- @@ -139,6 +141,8 @@ struct hbac_rule {
- const char *name;
- bool enabled;
- + const char *url;
- +
- /**
- * Services and service groups
- * for which this rule applies
- @@ -196,6 +200,9 @@ struct hbac_request_element {
- *
- */
- struct hbac_eval_req {
- +
- + const char *url;
- +
- /** This is a list of service DNs to check,
- * it must consist of the actual service
- * requested, as well as all parent groups
- diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
- index 72a620e..184f74d 100644
- --- a/src/providers/ipa/ipa_hbac_common.c
- +++ b/src/providers/ipa/ipa_hbac_common.c
- @@ -354,6 +354,24 @@ hbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
- goto done;
- }
- + /* Get URL */
- +
- + ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
- + IPA_URL, &el);
- + if (ret != EOK) {
- + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get URL for rule [%s]\n",
- + new_rule->name);
- + goto done;
- + }
- + if (el->num_values == 0) {
- + DEBUG(SSSDBG_CONF_SETTINGS, "URL for rule [%s] is empty.\n", new_rule->name);
- + new_rule->url = talloc_strdup(new_rule, "");
- + } else {
- + new_rule->url = talloc_strndup(new_rule,
- + (const char*) el->values[0].data,
- + el->values[0].length);
- + }
- +
- *rule = new_rule;
- ret = EOK;
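Review bot: Neither `talloc_strdup` nor `talloc_strndup` is checked, and `ret` is still EOK from `sysdb_attrs_get_el`, so an allocation failure hands back a rule with `url == NULL` together with a success code. Add `if (new_rule->url == NULL) { ret = ENOMEM; goto done; }` after the if/else. An absent attribute becomes `""`, which the evaluator hunk compares literally against the request URL, so a rule without a URL would not match any request that carries one; if that is not intended, the empty case needs its own handling. hbac_attrs_to_rule starts and ends outside the hunk.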
- diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
- index c831cd5..d563aee 100644
- --- a/src/providers/ipa/ipa_hbac_private.h
- +++ b/src/providers/ipa/ipa_hbac_private.h
- @@ -54,6 +54,7 @@
- #define IPA_MEMBER_SERVICE "memberService"
- #define IPA_SERVICE_CATEGORY "serviceCategory"
- #define IPA_TRUE_VALUE "TRUE"
- +#define IPA_URL "url"
- #define IPA_HBAC_BASE_TMPL "cn=hbac,%s"
- #define IPA_SERVICES_BASE_TMPL "cn=hbacservices,cn=accounts,%s"
- diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
- index 7912dbe..2277eb4 100644
- --- a/src/providers/ipa/ipa_hbac_rules.c
- +++ b/src/providers/ipa/ipa_hbac_rules.c
- @@ -113,7 +113,8 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
- state->attrs[11] = IPA_EXTERNAL_HOST;
- state->attrs[12] = IPA_MEMBER_HOST;
- state->attrs[13] = IPA_HOST_CATEGORY;
- - state->attrs[14] = NULL;
- + state->attrs[14] = IPA_URL;
- + state->attrs[15] = NULL;
- rule_filter = talloc_asprintf(tmp_ctx,
- "(&(objectclass=%s)"
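Review bot: Writing `state->attrs[15] = NULL` moves the terminator one slot further, but the allocation of `state->attrs` is outside this hunk and is not changed anywhere in the diff. If the array was sized for the previous 15 entries, this store lands one element past the end of the allocation. The element count in the allocation needs to go up by one in the same commit.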
- diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
- index 820ef11..6b91fee 100644
- --- a/src/python/pyhbac.c
- +++ b/src/python/pyhbac.c
- @@ -348,6 +348,7 @@ hbac_rule_element_set_names(HbacRuleElement *self, PyObject *names,
- static int
- hbac_rule_element_set_groups(HbacRuleElement *self, PyObject *groups,
- void *closure);
- +
- static int
- hbac_rule_element_set_category(HbacRuleElement *self, PyObject *category,
- void *closure);
- @@ -631,6 +632,7 @@ typedef struct {
- PyObject_HEAD
- PyObject *name;
- + PyObject *url;
- bool enabled;
- HbacRuleElement *users;
- @@ -662,6 +664,13 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
- return NULL;
- }
- + self->url = PyUnicode_FromString("");
- + if (self->url == NULL) {
- + Py_DECREF(self);
- + PyErr_NoMemory();
- + return NULL;
- + }
- +
- self->enabled = false;
- self->services = (HbacRuleElement *) HbacRuleElement_new(
- @@ -683,6 +692,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
- Py_XDECREF(self->targethosts);
- Py_XDECREF(self->srchosts);
- Py_DECREF(self->name);
- + Py_DECREF(self->url);
- Py_DECREF(self);
- PyErr_NoMemory();
- return NULL;
- @@ -695,6 +705,7 @@ static int
- HbacRule_clear(HbacRuleObject *self)
- {
- Py_CLEAR(self->name);
- + Py_CLEAR(self->url);
- Py_CLEAR(self->services);
- Py_CLEAR(self->users);
- Py_CLEAR(self->targethosts);
- @@ -713,6 +724,7 @@ static int
- HbacRule_traverse(HbacRuleObject *self, visitproc visit, void *arg)
- {
- Py_VISIT((PyObject *) self->name);
- + Py_VISIT((PyObject *) self->url);
- Py_VISIT((PyObject *) self->services);
- Py_VISIT((PyObject *) self->users);
- Py_VISIT((PyObject *) self->targethosts);
- @@ -724,19 +736,22 @@ static int
- hbac_rule_set_enabled(HbacRuleObject *self, PyObject *enabled, void *closure);
- static int
- hbac_rule_set_name(HbacRuleObject *self, PyObject *name, void *closure);
- +static int
- +hbac_rule_set_url(HbacRuleObject *self, PyObject *name, void *closure);
- static int
- HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
- {
- - const char * const kwlist[] = { "name", "enabled", NULL };
- + const char * const kwlist[] = { "name", "enabled", "url", NULL };
- PyObject *name = NULL;
- + PyObject *url = NULL;
- PyObject *empty_tuple = NULL;
- PyObject *enabled=NULL;
- if (!PyArg_ParseTupleAndKeywords(args, kwargs,
- - sss_py_const_p(char, "O|O"),
- + sss_py_const_p(char, "O|O0"),
- discard_const_p(char *, kwlist),
- - &name, &enabled)) {
- + &name, &enabled, &url)) {
- return -1;
- }
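Review bot: The format string `"O|O0"` ends in the digit zero, which is not a format unit; with three keywords it should be `sss_py_const_p(char, "O|OO")`. As written the argument parser is likely to reject the call or never store `url`. The new prototype also names its second parameter `name` (`hbac_rule_set_url(HbacRuleObject *self, PyObject *name, void *closure)`) where the definition uses `url`.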
- @@ -750,6 +765,18 @@ HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
- return -1;
- }
- + if (!url) {
- + url = PyUnicode_FromString("");
- + if (url == NULL) {
- + Py_DECREF(self);
- + PyErr_NoMemory();
- + return NULL;
- + }
- + }
- + if (hbac_rule_set_url(self, url, NULL) == -1) {
- + return -1;
- + }
- +
- empty_tuple = PyTuple_New(0);
- if (!empty_tuple) {
- return -1;
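Review bot: `HbacRule_init` returns `int`, so `return NULL;` in the allocation-failure branch returns 0, i.e. success, with an exception set; it should be `return -1;`. The `Py_DECREF(self)` in the same branch drops a reference the init function does not own and should be removed. The empty string created here is never released after `hbac_rule_set_url`, which looks like a reference leak if SAFE_SET takes its own reference (its definition is not visible). The same `Py_DECREF(self); ... return NULL;` pattern appears in the `HbacRequest_init` hunk further down.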
- @@ -864,6 +891,36 @@ hbac_rule_get_name(HbacRuleObject *self, void *closure)
- return NULL;
- }
- +static int
- +hbac_rule_set_url(HbacRuleObject *self, PyObject *url, void *closure)
- +{
- + CHECK_ATTRIBUTE_DELETE(url, "url");
- +
- + if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
- + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
- + return -1;
- + }
- +
- + SAFE_SET(self->url, url);
- + return 0;
- +}
- +
- +static PyObject *
- +hbac_rule_get_url(HbacRuleObject *self, void *closure)
- +{
- + if (PyUnicode_Check(self->url)) {
- + Py_INCREF(self->url);
- + return self->url;
- + } else if (PyBytes_Check(self->url)) {
- + return PyUnicode_FromEncodedObject(self->url,
- + PYHBAC_ENCODING, PYHBAC_ENCODING_ERRORS);
- + }
- +
- + /* setter does typechecking but let us be paranoid */
- + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
- + return NULL;
- +}
- +
- static PyObject *
- HbacRule_repr(HbacRuleObject *self)
- {
- @@ -1032,6 +1089,8 @@ PyDoc_STRVAR(HbacRuleObject_enabled__doc__,
- "(bool) Is the rule enabled");
- PyDoc_STRVAR(HbacRuleObject_name__doc__,
- "(string) The name of the rule");
- +PyDoc_STRVAR(HbacRuleObject_url__doc__,
- +"(string) The URL set for the rule");
- static PyGetSetDef py_hbac_rule_getset[] = {
- { discard_const_p(char, "enabled"),
- @@ -1046,6 +1105,12 @@ static PyGetSetDef py_hbac_rule_getset[] = {
- HbacRuleObject_name__doc__,
- NULL },
- + { discard_const_p(char, "url"),
- + (getter) hbac_rule_get_url,
- + (setter) hbac_rule_set_url,
- + HbacRuleObject_url__doc__,
- + NULL },
- +
- {NULL, 0, 0, 0, NULL} /* Sentinel */
- };
- @@ -1092,6 +1157,7 @@ HbacRule_to_native(HbacRuleObject *pyrule)
- {
- struct hbac_rule *rule = NULL;
- PyObject *utf_name;
- + PyObject *utf_url;
- rule = PyMem_Malloc(sizeof(struct hbac_rule));
- if (!rule) {
- @@ -1117,6 +1183,17 @@ HbacRule_to_native(HbacRuleObject *pyrule)
- goto fail;
- }
- + utf_url = get_utf8_string(pyrule->url, "url");
- + if (utf_url == NULL) {
- + return NULL;
- + }
- +
- + rule->url = py_strdup(PyBytes_AsString(utf_url));
- + Py_DECREF(utf_url);
- + if (rule->url == NULL) {
- + goto fail;
- + }
- +
- rule->services = HbacRuleElement_to_native(pyrule->services);
- rule->users = HbacRuleElement_to_native(pyrule->users);
- rule->targethosts = HbacRuleElement_to_native(pyrule->targethosts);
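Review bot: The `return NULL` after a failed `get_utf8_string(pyrule->url, "url")` leaves the function without releasing `rule` or the name already duplicated into it, while the neighbouring error paths use `goto fail`. Use `goto fail` here too, assuming the fail label frees the partially built rule (it is outside the hunk) and that `rule->url` is NULL-initialised before the label can be reached. The HbacRequest_to_native hunk repeats the same `return NULL` for `req`.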
- @@ -1424,6 +1501,7 @@ typedef struct {
- HbacRequestElement *srchost;
- PyObject *rule_name;
- + PyObject *url;
- } HbacRequest;
- static PyObject *
- @@ -1471,6 +1549,7 @@ HbacRequest_clear(HbacRequest *self)
- Py_CLEAR(self->targethost);
- Py_CLEAR(self->srchost);
- Py_CLEAR(self->rule_name);
- + Py_CLEAR(self->url);
- return 0;
- }
- @@ -1492,6 +1571,10 @@ HbacRequest_traverse(HbacRequest *self, visitproc visit, void *arg)
- }
- static int
- +hbac_request_set_url(HbacRequest *self, PyObject *url,
- + void *closure);
- +
- +static int
- HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
- {
- PyObject *empty_tuple = NULL;
- @@ -1504,6 +1587,13 @@ HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
- self->rule_name = NULL;
- + self->url = PyUnicode_FromString("");
- + if (self->url == NULL) {
- + Py_DECREF(self);
- + PyErr_NoMemory();
- + return NULL;
- + }
- +
- if (HbacRequestElement_init(self->user, empty_tuple, NULL) == -1 ||
- HbacRequestElement_init(self->service, empty_tuple, NULL) == -1 ||
- HbacRequestElement_init(self->targethost, empty_tuple, NULL) == -1 ||
- @@ -1643,7 +1733,7 @@ fail:
- }
- static PyObject *
- -hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
- +hbac_request_get_rule_name(HbacRequest *self, void *closure)
- {
- if (self->rule_name == NULL) {
- Py_INCREF(Py_None);
- @@ -1658,6 +1748,36 @@ hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
- }
- static PyObject *
- +hbac_request_get_url(HbacRequest *self, void *closure)
- +{
- + //if (PyUnicode_Check(self->url)) {
- + Py_INCREF(self->url);
- + return self->url;
- + //}
- +
- + PyErr_Format(PyExc_TypeError, "url is not Unicode");
- + return NULL;
- +}
- +
- +static int
- +hbac_request_set_url(HbacRequest *self, PyObject *url, void *closure)
- +{
- + CHECK_ATTRIBUTE_DELETE(url, "url");
- +
- + if(url==NULL){
- + PyErr_Format(PyExc_TypeError, "URL must not be NULL");
- + return -1;
- + }
- + if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
- + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
- + return -1;
- + }
- +
- + SAFE_SET(self->url, url);
- + return 0;
- +}
- +
- +static PyObject *
- HbacRequest_repr(HbacRequest *self)
- {
- PyObject *user_repr;
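Review bot: With the type check commented out, `hbac_request_get_url` returns unconditionally and the `PyErr_Format`/`return NULL` below it is dead code. Either restore `if (PyUnicode_Check(self->url))` and handle bytes the way `hbac_rule_get_url` does (the setter accepts both), or delete the unreachable lines. `self->url` is also used without a NULL check, although `HbacRequest_clear` resets it with `Py_CLEAR` and the `rule_name` getter beside it does guard against NULL. In `hbac_request_set_url` the `url==NULL` test comes after `CHECK_ATTRIBUTE_DELETE(url, "url")`, which presumably already rejects that case.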
- @@ -1760,7 +1880,14 @@ PyDoc_STRVAR(HbacRequest_rule_name__doc__,
- static PyGetSetDef py_hbac_request_getset[] = {
- { discard_const_p(char, "rule_name"),
- - (getter) hbac_request_element_get_rule_name,
- + (getter) hbac_request_get_rule_name,
- + NULL, /* read only */
- + HbacRequest_rule_name__doc__,
- + NULL },
- +
- + { discard_const_p(char, "url"),
- + (getter) hbac_request_get_url,
- + (setter) hbac_request_set_url,
- NULL, /* read only */
- HbacRequest_rule_name__doc__,
- NULL },
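Review bot: The new `url` entry has six initialisers for a `PyGetSetDef`: the copied `NULL, /* read only */` line now sits in the doc slot and `HbacRequest_rule_name__doc__` lands in the closure slot. Drop the stale `NULL, /* read only */` line and give the attribute its own doc string, e.g. `PyDoc_STRVAR(HbacRequest_url__doc__, "(string) The URL being requested");`.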
- @@ -1805,6 +1932,7 @@ free_hbac_eval_req(struct hbac_eval_req *req)
- static struct hbac_eval_req *
- HbacRequest_to_native(HbacRequest *pyreq)
- {
- + PyObject *utf_url;
- struct hbac_eval_req *req = NULL;
- req = PyMem_Malloc(sizeof(struct hbac_eval_req));
- @@ -1820,6 +1948,21 @@ HbacRequest_to_native(HbacRequest *pyreq)
- goto fail;
- }
- + if(pyreq->url==NULL){
- + PyErr_Format(PyExc_TypeError, "URL is NULL\n");
- + goto fail;
- + }
- +
- + utf_url = get_utf8_string(pyreq->url, "url");
- + if (utf_url == NULL) {
- + return NULL;
- + }
- +
- + req->url = py_strdup(PyBytes_AsString(utf_url));
- + Py_DECREF(utf_url);
- + if (req->url == NULL) {
- + goto fail;
- + }
- req->service = HbacRequestElement_to_native(pyreq->service);
- req->user = HbacRequestElement_to_native(pyreq->user);
- req->targethost = HbacRequestElement_to_native(pyreq->targethost);
- diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c
- index f2192a6..e0ab1f9 100644
- --- a/src/tests/ipa_hbac-tests.c
- +++ b/src/tests/ipa_hbac-tests.c
- @@ -54,6 +54,8 @@
- /* These don't make sense for a user/group/service but they do the job and
- * every one is from a different codepage */
- /* Latin Extended A - "Czech" */
- +const uint8_t url_utf8_lowcase[] = { '/', 't', 'e', 's', 't', 'u', 'r', 0xC4, 0x8D, 'l', 0x0};
- +const uint8_t url_utf8_upcase[] = { '/', 'T', 'E', 'S', 'T', 'U', 'R', 0xC4, 0x8C, 'L', 0x0};
- const uint8_t user_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 };
- const uint8_t user_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 };
- const uint8_t user_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 };
- @@ -202,6 +204,8 @@ START_TEST(ipa_hbac_test_allow_all)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
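Review bot: Every URL added to these tests is identical on the rule and the request, or differs only in case in the UTF-8 test, so only the matching branch of the new evaluator check is exercised. A case with a different request URL expecting a non-match, and one with `eval_req->url` left NULL, would pin down the behaviour that matters for an access decision. The same applies to the other `START_TEST` hunks in this file.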
- @@ -210,6 +214,8 @@ START_TEST(ipa_hbac_test_allow_all)
- get_allow_all_rule(rules, &rules[0]);
- rules[0]->name = talloc_strdup(rules[0], "Allow All");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[1] = NULL;
- /* Validate this rule */
- @@ -250,6 +256,8 @@ START_TEST(ipa_hbac_test_allow_user)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -260,6 +268,8 @@ START_TEST(ipa_hbac_test_allow_user)
- /* Modify the rule to allow only a specific user */
- rules[0]->name = talloc_strdup(rules[0], "Allow user");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->users->category = HBAC_CATEGORY_NULL;
- rules[0]->users->names = talloc_array(rules[0], const char *, 2);
- @@ -333,6 +343,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
- eval_req->user->name = (const char *) &user_utf8_lowcase;
- eval_req->srchost->name = (const char *) &srchost_utf8_lowcase;
- eval_req->service->name = (const char *) &service_utf8_lowcase;
- + eval_req->url = (const char *) &url_utf8_lowcase;
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -343,6 +354,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
- rules[0]->name = talloc_strdup(rules[0], "Allow user");
- fail_if(rules[0]->name == NULL);
- rules[0]->users->category = HBAC_CATEGORY_NULL;
- + rules[0]->url = (const char *) &url_utf8_upcase;
- /* Modify the rule to allow only a specific user */
- rules[0]->users->names = talloc_array(rules[0], const char *, 2);
- @@ -446,6 +458,8 @@ START_TEST(ipa_hbac_test_allow_group)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -456,6 +470,8 @@ START_TEST(ipa_hbac_test_allow_group)
- /* Modify the rule to allow only a group of users */
- rules[0]->name = talloc_strdup(rules[0], "Allow group");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->users->category = HBAC_CATEGORY_NULL;
- rules[0]->users->names = NULL;
- @@ -525,6 +541,8 @@ START_TEST(ipa_hbac_test_allow_svc)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -535,6 +553,8 @@ START_TEST(ipa_hbac_test_allow_svc)
- /* Modify the rule to allow only a specific service */
- rules[0]->name = talloc_strdup(rules[0], "Allow service");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->services->category = HBAC_CATEGORY_NULL;
- rules[0]->services->names = talloc_array(rules[0], const char *, 2);
- @@ -603,6 +623,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -613,6 +635,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
- /* Modify the rule to allow only a group of users */
- rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->services->category = HBAC_CATEGORY_NULL;
- rules[0]->services->names = NULL;
- @@ -682,6 +706,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -692,6 +718,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
- /* Modify the rule to allow only a specific service */
- rules[0]->name = talloc_strdup(rules[0], "Allow srchost");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
- rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2);
- @@ -760,6 +788,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
- get_test_user(eval_req, &eval_req->user);
- get_test_service(eval_req, &eval_req->service);
- get_test_srchost(eval_req, &eval_req->srchost);
- + eval_req->url = talloc_strdup(eval_req, "/testurl");
- + fail_if(eval_req->url == NULL);
- /* Create the rules to evaluate against */
- rules = talloc_array(test_ctx, struct hbac_rule *, 2);
- @@ -770,6 +800,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
- /* Modify the rule to allow only a group of users */
- rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup");
- fail_if(rules[0]->name == NULL);
- + rules[0]->url = talloc_strdup(rules[0], "/testurl");
- + fail_if(rules[0]->url == NULL);
- rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
- rules[0]->srchosts->names = NULL;
- diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
- index e34f055..d72d879 100755
- --- a/src/tests/pyhbac-test.py
- +++ b/src/tests/pyhbac-test.py
- @@ -156,6 +156,16 @@ class PyHbacRuleTest(unittest.TestCase):
- rule.name = new_name
- self.assertEqual(rule.name, unicode(new_name))
- + def testRuleGetSetUrl(self):
- + name = "someName"
- + url = "/testurl"
- +
- + rule = pyhbac.HbacRule(name)
- + self.assertEqual(rule.url, unicode(""))
- +
- + rule.url = url
- + self.assertEqual(rule.url, unicode(url))
- +
- def testRuleGetSetEnabled(self):
- rule = pyhbac.HbacRule("testRuleGetSetEnabled")
- @@ -367,23 +377,38 @@ class PyHbacRequestTest(unittest.TestCase):
- # python 2.4 raises TypError, 2.7 raises AttributeError
- self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
- + def testRuleUrl(self):
- + url = "/testurl"
- + req = pyhbac.HbacRequest()
- + self.assertEqual(req.url, "")
- + req.url = url
- + self.assertEqual(req.url, url)
- + # python 2.4 raises TypError, 2.7 raises AttributeError
- + self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
- +
- def testEvaluate(self):
- name = "someuser"
- service = "ssh"
- srchost = "host1"
- targethost = "host2"
- + url = "/testurl"
- allow_rule = pyhbac.HbacRule("allowRule", enabled=True)
- allow_rule.users.names = [ name ]
- allow_rule.services.names = [ service ]
- allow_rule.srchosts.names = [ srchost ]
- allow_rule.targethosts.names = [ targethost ]
- + allow_rule.url = url
- req = pyhbac.HbacRequest()
- req.user.name = name
- req.service.name = service
- req.srchost.name = srchost
- req.targethost.name = targethost
- + req.url = url
- +
- + # The URL of the rule should match the required URL
- + self.assertEqual(req.url, allow_rule.url)
- # Test that an allow rule on its own allows access
- res = req.evaluate((allow_rule,))
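Review bot: `testRuleUrl` in `PyHbacRequestTest` ends with an `assertRaises` on `rule_name` that was copied from the test above together with its comment; it says nothing about `url` and can be removed. The name suggests a rule test while the body exercises `HbacRequest.url`, so `testRequestUrl` would be clearer. `testEvaluate` only asserts that the two URLs are equal; a request with a different `url` expecting a denied result would cover the new evaluator branch.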