SSSD patch adding URI to HBAC rule

1. diff --git a/src/providers/ipa/hbac_evaluator.c b/src/providers/ipa/hbac_evaluator.c
2. index a497304..e77fbf0 100644
3. --- a/src/providers/ipa/hbac_evaluator.c
4. +++ b/src/providers/ipa/hbac_evaluator.c
5. @@ -224,7 +224,8 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
6. if (!rule->users
7. || !rule->services
8. || !rule->targethosts
9. - || !rule->srchosts) {
10. + || !rule->srchosts
11. + || !rule->url) {
12. *error = HBAC_ERROR_UNPARSEABLE_RULE;
13. return HBAC_EVAL_MATCH_ERROR;
14. }
15. @@ -272,6 +273,12 @@ enum hbac_eval_result_int hbac_evaluate_rule(struct hbac_rule *rule,
16. } else if (!matched) {
17. return HBAC_EVAL_UNMATCHED;
18. }
19. +
20. + /* Check URL */
21. + if (hbac_req->url!=NULL && sss_utf8_case_eq(rule->url, hbac_req->url) != EOK) {
22. + return HBAC_EVAL_UNMATCHED;
23. + }
24. +
25. return HBAC_EVAL_MATCHED;
26. }
27.  
28. diff --git a/src/providers/ipa/ipa_access.c b/src/providers/ipa/ipa_access.c
29. index 65a791c..dc6630c 100644
30. --- a/src/providers/ipa/ipa_access.c
31. +++ b/src/providers/ipa/ipa_access.c
32. @@ -484,6 +484,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
33. goto fail;
34. }
35.  
36. + /*TODO*/
37. for (i = 0; i < hbac_ctx->host_count; i++) {
38. ret = sysdb_attrs_get_string(hbac_ctx->hosts[i],
39. SYSDB_FQDN,
40. @@ -504,6 +505,7 @@ static void hbac_get_rule_info_step(struct tevent_req *req)
41. }
42.  
43.  
44. + /*TODO*/
45. /* Get the list of applicable rules */
46. req = ipa_hbac_rule_info_send(hbac_ctx,
47. be_ctx->ev,
48. @@ -736,6 +738,7 @@ errno_t hbac_get_cached_rules(TALLOC_CTX *mem_ctx,
49. IPA_EXTERNAL_HOST,
50. IPA_MEMBER_HOST,
51. IPA_HOST_CATEGORY,
52. + IPA_URL,
53. NULL };
54.  
55. tmp_ctx = talloc_new(NULL);
56. diff --git a/src/providers/ipa/ipa_hbac.h b/src/providers/ipa/ipa_hbac.h
57. index 9e85890..ce45451 100644
58. --- a/src/providers/ipa/ipa_hbac.h
59. +++ b/src/providers/ipa/ipa_hbac.h
60. @@ -130,6 +130,8 @@ struct hbac_rule_element {
61. * - Services: PAM service groups.
62. */
63. const char **groups;
64. +
65. + char *url;
66. };
67.  
68. /**
69. @@ -139,6 +141,8 @@ struct hbac_rule {
70. const char *name;
71. bool enabled;
72.  
73. + const char *url;
74. +
75. /**
76. * Services and service groups
77. * for which this rule applies
78. @@ -196,6 +200,9 @@ struct hbac_request_element {
79. *
80. */
81. struct hbac_eval_req {
82. +
83. + const char *url;
84. +
85. /** This is a list of service DNs to check,
86. * it must consist of the actual service
87. * requested, as well as all parent groups
88. diff --git a/src/providers/ipa/ipa_hbac_common.c b/src/providers/ipa/ipa_hbac_common.c
89. index 72a620e..184f74d 100644
90. --- a/src/providers/ipa/ipa_hbac_common.c
91. +++ b/src/providers/ipa/ipa_hbac_common.c
92. @@ -354,6 +354,24 @@ hbac_attrs_to_rule(TALLOC_CTX *mem_ctx,
93. goto done;
94. }
95.  
96. + /* Get URL */
97. +
98. + ret = sysdb_attrs_get_el(hbac_ctx->rules[idx],
99. + IPA_URL, &el);
100. + if (ret != EOK) {
101. + DEBUG(SSSDBG_CRIT_FAILURE, "Could not get URL for rule [%s]\n",
102. + new_rule->name);
103. + goto done;
104. + }
105. + if (el->num_values == 0) {
106. + DEBUG(SSSDBG_CONF_SETTINGS, "URL for rule [%s] is empty.\n", new_rule->name);
107. + new_rule->url = talloc_strdup(new_rule, "");
108. + } else {
109. + new_rule->url = talloc_strndup(new_rule,
110. + (const char*) el->values[0].data,
111. + el->values[0].length);
112. + }
113. +
114. *rule = new_rule;
115. ret = EOK;
116.  
117. diff --git a/src/providers/ipa/ipa_hbac_private.h b/src/providers/ipa/ipa_hbac_private.h
118. index c831cd5..d563aee 100644
119. --- a/src/providers/ipa/ipa_hbac_private.h
120. +++ b/src/providers/ipa/ipa_hbac_private.h
121. @@ -54,6 +54,7 @@
122. #define IPA_MEMBER_SERVICE "memberService"
123. #define IPA_SERVICE_CATEGORY "serviceCategory"
124. #define IPA_TRUE_VALUE "TRUE"
125. +#define IPA_URL "url"
126.  
127. #define IPA_HBAC_BASE_TMPL "cn=hbac,%s"
128. #define IPA_SERVICES_BASE_TMPL "cn=hbacservices,cn=accounts,%s"
129. diff --git a/src/providers/ipa/ipa_hbac_rules.c b/src/providers/ipa/ipa_hbac_rules.c
130. index 7912dbe..2277eb4 100644
131. --- a/src/providers/ipa/ipa_hbac_rules.c
132. +++ b/src/providers/ipa/ipa_hbac_rules.c
133. @@ -113,7 +113,8 @@ ipa_hbac_rule_info_send(TALLOC_CTX *mem_ctx,
134. state->attrs[11] = IPA_EXTERNAL_HOST;
135. state->attrs[12] = IPA_MEMBER_HOST;
136. state->attrs[13] = IPA_HOST_CATEGORY;
137. - state->attrs[14] = NULL;
138. + state->attrs[14] = IPA_URL;
139. + state->attrs[15] = NULL;
140.  
141. rule_filter = talloc_asprintf(tmp_ctx,
142. "(&(objectclass=%s)"
143. diff --git a/src/python/pyhbac.c b/src/python/pyhbac.c
144. index 820ef11..6b91fee 100644
145. --- a/src/python/pyhbac.c
146. +++ b/src/python/pyhbac.c
147. @@ -348,6 +348,7 @@ hbac_rule_element_set_names(HbacRuleElement *self, PyObject *names,
148. static int
149. hbac_rule_element_set_groups(HbacRuleElement *self, PyObject *groups,
150. void *closure);
151. +
152. static int
153. hbac_rule_element_set_category(HbacRuleElement *self, PyObject *category,
154. void *closure);
155. @@ -631,6 +632,7 @@ typedef struct {
156. PyObject_HEAD
157.  
158. PyObject *name;
159. + PyObject *url;
160. bool enabled;
161.  
162. HbacRuleElement *users;
163. @@ -662,6 +664,13 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
164. return NULL;
165. }
166.  
167. + self->url = PyUnicode_FromString("");
168. + if (self->url == NULL) {
169. + Py_DECREF(self);
170. + PyErr_NoMemory();
171. + return NULL;
172. + }
173. +
174. self->enabled = false;
175.  
176. self->services = (HbacRuleElement *) HbacRuleElement_new(
177. @@ -683,6 +692,7 @@ HbacRule_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
178. Py_XDECREF(self->targethosts);
179. Py_XDECREF(self->srchosts);
180. Py_DECREF(self->name);
181. + Py_DECREF(self->url);
182. Py_DECREF(self);
183. PyErr_NoMemory();
184. return NULL;
185. @@ -695,6 +705,7 @@ static int
186. HbacRule_clear(HbacRuleObject *self)
187. {
188. Py_CLEAR(self->name);
189. + Py_CLEAR(self->url);
190. Py_CLEAR(self->services);
191. Py_CLEAR(self->users);
192. Py_CLEAR(self->targethosts);
193. @@ -713,6 +724,7 @@ static int
194. HbacRule_traverse(HbacRuleObject *self, visitproc visit, void *arg)
195. {
196. Py_VISIT((PyObject *) self->name);
197. + Py_VISIT((PyObject *) self->url);
198. Py_VISIT((PyObject *) self->services);
199. Py_VISIT((PyObject *) self->users);
200. Py_VISIT((PyObject *) self->targethosts);
201. @@ -724,19 +736,22 @@ static int
202. hbac_rule_set_enabled(HbacRuleObject *self, PyObject *enabled, void *closure);
203. static int
204. hbac_rule_set_name(HbacRuleObject *self, PyObject *name, void *closure);
205. +static int
206. +hbac_rule_set_url(HbacRuleObject *self, PyObject *name, void *closure);
207.  
208. static int
209. HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
210. {
211. - const char * const kwlist[] = { "name", "enabled", NULL };
212. + const char * const kwlist[] = { "name", "enabled", "url", NULL };
213. PyObject *name = NULL;
214. + PyObject *url = NULL;
215. PyObject *empty_tuple = NULL;
216. PyObject *enabled=NULL;
217.  
218. if (!PyArg_ParseTupleAndKeywords(args, kwargs,
219. - sss_py_const_p(char, "O|O"),
220. + sss_py_const_p(char, "O|O0"),
221. discard_const_p(char *, kwlist),
222. - &name, &enabled)) {
223. + &name, &enabled, &url)) {
224. return -1;
225. }
226.  
227. @@ -750,6 +765,18 @@ HbacRule_init(HbacRuleObject *self, PyObject *args, PyObject *kwargs)
228. return -1;
229. }
230.  
231. + if (!url) {
232. + url = PyUnicode_FromString("");
233. + if (url == NULL) {
234. + Py_DECREF(self);
235. + PyErr_NoMemory();
236. + return NULL;
237. + }
238. + }
239. + if (hbac_rule_set_url(self, url, NULL) == -1) {
240. + return -1;
241. + }
242. +
243. empty_tuple = PyTuple_New(0);
244. if (!empty_tuple) {
245. return -1;
246. @@ -864,6 +891,36 @@ hbac_rule_get_name(HbacRuleObject *self, void *closure)
247. return NULL;
248. }
249.  
250. +static int
251. +hbac_rule_set_url(HbacRuleObject *self, PyObject *url, void *closure)
252. +{
253. + CHECK_ATTRIBUTE_DELETE(url, "url");
254. +
255. + if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
256. + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
257. + return -1;
258. + }
259. +
260. + SAFE_SET(self->url, url);
261. + return 0;
262. +}
263. +
264. +static PyObject *
265. +hbac_rule_get_url(HbacRuleObject *self, void *closure)
266. +{
267. + if (PyUnicode_Check(self->url)) {
268. + Py_INCREF(self->url);
269. + return self->url;
270. + } else if (PyBytes_Check(self->url)) {
271. + return PyUnicode_FromEncodedObject(self->url,
272. + PYHBAC_ENCODING, PYHBAC_ENCODING_ERRORS);
273. + }
274. +
275. + /* setter does typechecking but let us be paranoid */
276. + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
277. + return NULL;
278. +}
279. +
280. static PyObject *
281. HbacRule_repr(HbacRuleObject *self)
282. {
283. @@ -1032,6 +1089,8 @@ PyDoc_STRVAR(HbacRuleObject_enabled__doc__,
284. "(bool) Is the rule enabled");
285. PyDoc_STRVAR(HbacRuleObject_name__doc__,
286. "(string) The name of the rule");
287. +PyDoc_STRVAR(HbacRuleObject_url__doc__,
288. +"(string) The URL set for the rule");
289.  
290. static PyGetSetDef py_hbac_rule_getset[] = {
291. { discard_const_p(char, "enabled"),
292. @@ -1046,6 +1105,12 @@ static PyGetSetDef py_hbac_rule_getset[] = {
293. HbacRuleObject_name__doc__,
294. NULL },
295.  
296. + { discard_const_p(char, "url"),
297. + (getter) hbac_rule_get_url,
298. + (setter) hbac_rule_set_url,
299. + HbacRuleObject_url__doc__,
300. + NULL },
301. +
302. {NULL, 0, 0, 0, NULL} /* Sentinel */
303. };
304.  
305. @@ -1092,6 +1157,7 @@ HbacRule_to_native(HbacRuleObject *pyrule)
306. {
307. struct hbac_rule *rule = NULL;
308. PyObject *utf_name;
309. + PyObject *utf_url;
310.  
311. rule = PyMem_Malloc(sizeof(struct hbac_rule));
312. if (!rule) {
313. @@ -1117,6 +1183,17 @@ HbacRule_to_native(HbacRuleObject *pyrule)
314. goto fail;
315. }
316.  
317. + utf_url = get_utf8_string(pyrule->url, "url");
318. + if (utf_url == NULL) {
319. + return NULL;
320. + }
321. +
322. + rule->url = py_strdup(PyBytes_AsString(utf_url));
323. + Py_DECREF(utf_url);
324. + if (rule->url == NULL) {
325. + goto fail;
326. + }
327. +
328. rule->services = HbacRuleElement_to_native(pyrule->services);
329. rule->users = HbacRuleElement_to_native(pyrule->users);
330. rule->targethosts = HbacRuleElement_to_native(pyrule->targethosts);
331. @@ -1424,6 +1501,7 @@ typedef struct {
332. HbacRequestElement *srchost;
333.  
334. PyObject *rule_name;
335. + PyObject *url;
336. } HbacRequest;
337.  
338. static PyObject *
339. @@ -1471,6 +1549,7 @@ HbacRequest_clear(HbacRequest *self)
340. Py_CLEAR(self->targethost);
341. Py_CLEAR(self->srchost);
342. Py_CLEAR(self->rule_name);
343. + Py_CLEAR(self->url);
344. return 0;
345. }
346.  
347. @@ -1492,6 +1571,10 @@ HbacRequest_traverse(HbacRequest *self, visitproc visit, void *arg)
348. }
349.  
350. static int
351. +hbac_request_set_url(HbacRequest *self, PyObject *url,
352. + void *closure);
353. +
354. +static int
355. HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
356. {
357. PyObject *empty_tuple = NULL;
358. @@ -1504,6 +1587,13 @@ HbacRequest_init(HbacRequest *self, PyObject *args, PyObject *kwargs)
359.  
360. self->rule_name = NULL;
361.  
362. + self->url = PyUnicode_FromString("");
363. + if (self->url == NULL) {
364. + Py_DECREF(self);
365. + PyErr_NoMemory();
366. + return NULL;
367. + }
368. +
369. if (HbacRequestElement_init(self->user, empty_tuple, NULL) == -1 ||
370. HbacRequestElement_init(self->service, empty_tuple, NULL) == -1 ||
371. HbacRequestElement_init(self->targethost, empty_tuple, NULL) == -1 ||
372. @@ -1643,7 +1733,7 @@ fail:
373. }
374.  
375. static PyObject *
376. -hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
377. +hbac_request_get_rule_name(HbacRequest *self, void *closure)
378. {
379. if (self->rule_name == NULL) {
380. Py_INCREF(Py_None);
381. @@ -1658,6 +1748,36 @@ hbac_request_element_get_rule_name(HbacRequest *self, void *closure)
382. }
383.  
384. static PyObject *
385. +hbac_request_get_url(HbacRequest *self, void *closure)
386. +{
387. + //if (PyUnicode_Check(self->url)) {
388. + Py_INCREF(self->url);
389. + return self->url;
390. + //}
391. +
392. + PyErr_Format(PyExc_TypeError, "url is not Unicode");
393. + return NULL;
394. +}
395. +
396. +static int
397. +hbac_request_set_url(HbacRequest *self, PyObject *url, void *closure)
398. +{
399. + CHECK_ATTRIBUTE_DELETE(url, "url");
400. +
401. + if(url==NULL){
402. + PyErr_Format(PyExc_TypeError, "URL must not be NULL");
403. + return -1;
404. + }
405. + if (!PyBytes_Check(url) && !PyUnicode_Check(url)) {
406. + PyErr_Format(PyExc_TypeError, "URL must be a string or Unicode");
407. + return -1;
408. + }
409. +
410. + SAFE_SET(self->url, url);
411. + return 0;
412. +}
413. +
414. +static PyObject *
415. HbacRequest_repr(HbacRequest *self)
416. {
417. PyObject *user_repr;
418. @@ -1760,7 +1880,14 @@ PyDoc_STRVAR(HbacRequest_rule_name__doc__,
419.  
420. static PyGetSetDef py_hbac_request_getset[] = {
421. { discard_const_p(char, "rule_name"),
422. - (getter) hbac_request_element_get_rule_name,
423. + (getter) hbac_request_get_rule_name,
424. + NULL, /* read only */
425. + HbacRequest_rule_name__doc__,
426. + NULL },
427. +
428. + { discard_const_p(char, "url"),
429. + (getter) hbac_request_get_url,
430. + (setter) hbac_request_set_url,
431. NULL, /* read only */
432. HbacRequest_rule_name__doc__,
433. NULL },
434. @@ -1805,6 +1932,7 @@ free_hbac_eval_req(struct hbac_eval_req *req)
435. static struct hbac_eval_req *
436. HbacRequest_to_native(HbacRequest *pyreq)
437. {
438. + PyObject *utf_url;
439. struct hbac_eval_req *req = NULL;
440.  
441. req = PyMem_Malloc(sizeof(struct hbac_eval_req));
442. @@ -1820,6 +1948,21 @@ HbacRequest_to_native(HbacRequest *pyreq)
443. goto fail;
444. }
445.  
446. + if(pyreq->url==NULL){
447. + PyErr_Format(PyExc_TypeError, "URL is NULL\n");
448. + goto fail;
449. + }
450. +
451. + utf_url = get_utf8_string(pyreq->url, "url");
452. + if (utf_url == NULL) {
453. + return NULL;
454. + }
455. +
456. + req->url = py_strdup(PyBytes_AsString(utf_url));
457. + Py_DECREF(utf_url);
458. + if (req->url == NULL) {
459. + goto fail;
460. + }
461. req->service = HbacRequestElement_to_native(pyreq->service);
462. req->user = HbacRequestElement_to_native(pyreq->user);
463. req->targethost = HbacRequestElement_to_native(pyreq->targethost);
464. diff --git a/src/tests/ipa_hbac-tests.c b/src/tests/ipa_hbac-tests.c
465. index f2192a6..e0ab1f9 100644
466. --- a/src/tests/ipa_hbac-tests.c
467. +++ b/src/tests/ipa_hbac-tests.c
468. @@ -54,6 +54,8 @@
469. /* These don't make sense for a user/group/service but they do the job and
470. * every one is from a different codepage */
471. /* Latin Extended A - "Czech" */
472. +const uint8_t url_utf8_lowcase[] = { '/', 't', 'e', 's', 't', 'u', 'r', 0xC4, 0x8D, 'l', 0x0};
473. +const uint8_t url_utf8_upcase[] = { '/', 'T', 'E', 'S', 'T', 'U', 'R', 0xC4, 0x8C, 'L', 0x0};
474. const uint8_t user_utf8_lowcase[] = { 0xC4, 0x8D, 'e', 'c', 'h', 0x0 };
475. const uint8_t user_utf8_upcase[] = { 0xC4, 0x8C, 'e', 'c', 'h', 0x0 };
476. const uint8_t user_utf8_lowcase_neg[] = { 0xC4, 0x8E, 'e', 'c', 'h', 0x0 };
477. @@ -202,6 +204,8 @@ START_TEST(ipa_hbac_test_allow_all)
478. get_test_user(eval_req, &eval_req->user);
479. get_test_service(eval_req, &eval_req->service);
480. get_test_srchost(eval_req, &eval_req->srchost);
481. + eval_req->url = talloc_strdup(eval_req, "/testurl");
482. + fail_if(eval_req->url == NULL);
483.  
484. /* Create the rules to evaluate against */
485. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
486. @@ -210,6 +214,8 @@ START_TEST(ipa_hbac_test_allow_all)
487. get_allow_all_rule(rules, &rules[0]);
488. rules[0]->name = talloc_strdup(rules[0], "Allow All");
489. fail_if(rules[0]->name == NULL);
490. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
491. + fail_if(rules[0]->url == NULL);
492. rules[1] = NULL;
493.  
494. /* Validate this rule */
495. @@ -250,6 +256,8 @@ START_TEST(ipa_hbac_test_allow_user)
496. get_test_user(eval_req, &eval_req->user);
497. get_test_service(eval_req, &eval_req->service);
498. get_test_srchost(eval_req, &eval_req->srchost);
499. + eval_req->url = talloc_strdup(eval_req, "/testurl");
500. + fail_if(eval_req->url == NULL);
501.  
502. /* Create the rules to evaluate against */
503. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
504. @@ -260,6 +268,8 @@ START_TEST(ipa_hbac_test_allow_user)
505. /* Modify the rule to allow only a specific user */
506. rules[0]->name = talloc_strdup(rules[0], "Allow user");
507. fail_if(rules[0]->name == NULL);
508. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
509. + fail_if(rules[0]->url == NULL);
510. rules[0]->users->category = HBAC_CATEGORY_NULL;
511.  
512. rules[0]->users->names = talloc_array(rules[0], const char *, 2);
513. @@ -333,6 +343,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
514. eval_req->user->name = (const char *) &user_utf8_lowcase;
515. eval_req->srchost->name = (const char *) &srchost_utf8_lowcase;
516. eval_req->service->name = (const char *) &service_utf8_lowcase;
517. + eval_req->url = (const char *) &url_utf8_lowcase;
518.  
519. /* Create the rules to evaluate against */
520. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
521. @@ -343,6 +354,7 @@ START_TEST(ipa_hbac_test_allow_utf8)
522. rules[0]->name = talloc_strdup(rules[0], "Allow user");
523. fail_if(rules[0]->name == NULL);
524. rules[0]->users->category = HBAC_CATEGORY_NULL;
525. + rules[0]->url = (const char *) &url_utf8_upcase;
526.  
527. /* Modify the rule to allow only a specific user */
528. rules[0]->users->names = talloc_array(rules[0], const char *, 2);
529. @@ -446,6 +458,8 @@ START_TEST(ipa_hbac_test_allow_group)
530. get_test_user(eval_req, &eval_req->user);
531. get_test_service(eval_req, &eval_req->service);
532. get_test_srchost(eval_req, &eval_req->srchost);
533. + eval_req->url = talloc_strdup(eval_req, "/testurl");
534. + fail_if(eval_req->url == NULL);
535.  
536. /* Create the rules to evaluate against */
537. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
538. @@ -456,6 +470,8 @@ START_TEST(ipa_hbac_test_allow_group)
539. /* Modify the rule to allow only a group of users */
540. rules[0]->name = talloc_strdup(rules[0], "Allow group");
541. fail_if(rules[0]->name == NULL);
542. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
543. + fail_if(rules[0]->url == NULL);
544. rules[0]->users->category = HBAC_CATEGORY_NULL;
545.  
546. rules[0]->users->names = NULL;
547. @@ -525,6 +541,8 @@ START_TEST(ipa_hbac_test_allow_svc)
548. get_test_user(eval_req, &eval_req->user);
549. get_test_service(eval_req, &eval_req->service);
550. get_test_srchost(eval_req, &eval_req->srchost);
551. + eval_req->url = talloc_strdup(eval_req, "/testurl");
552. + fail_if(eval_req->url == NULL);
553.  
554. /* Create the rules to evaluate against */
555. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
556. @@ -535,6 +553,8 @@ START_TEST(ipa_hbac_test_allow_svc)
557. /* Modify the rule to allow only a specific service */
558. rules[0]->name = talloc_strdup(rules[0], "Allow service");
559. fail_if(rules[0]->name == NULL);
560. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
561. + fail_if(rules[0]->url == NULL);
562. rules[0]->services->category = HBAC_CATEGORY_NULL;
563.  
564. rules[0]->services->names = talloc_array(rules[0], const char *, 2);
565. @@ -603,6 +623,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
566. get_test_user(eval_req, &eval_req->user);
567. get_test_service(eval_req, &eval_req->service);
568. get_test_srchost(eval_req, &eval_req->srchost);
569. + eval_req->url = talloc_strdup(eval_req, "/testurl");
570. + fail_if(eval_req->url == NULL);
571.  
572. /* Create the rules to evaluate against */
573. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
574. @@ -613,6 +635,8 @@ START_TEST(ipa_hbac_test_allow_svcgroup)
575. /* Modify the rule to allow only a group of users */
576. rules[0]->name = talloc_strdup(rules[0], "Allow servicegroup");
577. fail_if(rules[0]->name == NULL);
578. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
579. + fail_if(rules[0]->url == NULL);
580. rules[0]->services->category = HBAC_CATEGORY_NULL;
581.  
582. rules[0]->services->names = NULL;
583. @@ -682,6 +706,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
584. get_test_user(eval_req, &eval_req->user);
585. get_test_service(eval_req, &eval_req->service);
586. get_test_srchost(eval_req, &eval_req->srchost);
587. + eval_req->url = talloc_strdup(eval_req, "/testurl");
588. + fail_if(eval_req->url == NULL);
589.  
590. /* Create the rules to evaluate against */
591. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
592. @@ -692,6 +718,8 @@ START_TEST(ipa_hbac_test_allow_srchost)
593. /* Modify the rule to allow only a specific service */
594. rules[0]->name = talloc_strdup(rules[0], "Allow srchost");
595. fail_if(rules[0]->name == NULL);
596. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
597. + fail_if(rules[0]->url == NULL);
598. rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
599.  
600. rules[0]->srchosts->names = talloc_array(rules[0], const char *, 2);
601. @@ -760,6 +788,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
602. get_test_user(eval_req, &eval_req->user);
603. get_test_service(eval_req, &eval_req->service);
604. get_test_srchost(eval_req, &eval_req->srchost);
605. + eval_req->url = talloc_strdup(eval_req, "/testurl");
606. + fail_if(eval_req->url == NULL);
607.  
608. /* Create the rules to evaluate against */
609. rules = talloc_array(test_ctx, struct hbac_rule *, 2);
610. @@ -770,6 +800,8 @@ START_TEST(ipa_hbac_test_allow_srchostgroup)
611. /* Modify the rule to allow only a group of users */
612. rules[0]->name = talloc_strdup(rules[0], "Allow srchostgroup");
613. fail_if(rules[0]->name == NULL);
614. + rules[0]->url = talloc_strdup(rules[0], "/testurl");
615. + fail_if(rules[0]->url == NULL);
616. rules[0]->srchosts->category = HBAC_CATEGORY_NULL;
617.  
618. rules[0]->srchosts->names = NULL;
619. diff --git a/src/tests/pyhbac-test.py b/src/tests/pyhbac-test.py
620. index e34f055..d72d879 100755
621. --- a/src/tests/pyhbac-test.py
622. +++ b/src/tests/pyhbac-test.py
623. @@ -156,6 +156,16 @@ class PyHbacRuleTest(unittest.TestCase):
624. rule.name = new_name
625. self.assertEqual(rule.name, unicode(new_name))
626.  
627. + def testRuleGetSetUrl(self):
628. + name = "someName"
629. + url = "/testurl"
630. +
631. + rule = pyhbac.HbacRule(name)
632. + self.assertEqual(rule.url, unicode(""))
633. +
634. + rule.url = url
635. + self.assertEqual(rule.url, unicode(url))
636. +
637. def testRuleGetSetEnabled(self):
638. rule = pyhbac.HbacRule("testRuleGetSetEnabled")
639.  
640. @@ -367,23 +377,38 @@ class PyHbacRequestTest(unittest.TestCase):
641. # python 2.4 raises TypError, 2.7 raises AttributeError
642. self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
643.  
644. + def testRuleUrl(self):
645. + url = "/testurl"
646. + req = pyhbac.HbacRequest()
647. + self.assertEqual(req.url, "")
648. + req.url = url
649. + self.assertEqual(req.url, url)
650. + # python 2.4 raises TypError, 2.7 raises AttributeError
651. + self.assertRaises((TypeError, AttributeError), req.__setattr__, "rule_name", "foo")
652. +
653. def testEvaluate(self):
654. name = "someuser"
655. service = "ssh"
656. srchost = "host1"
657. targethost = "host2"
658. + url = "/testurl"
659.  
660. allow_rule = pyhbac.HbacRule("allowRule", enabled=True)
661. allow_rule.users.names = [ name ]
662. allow_rule.services.names = [ service ]
663. allow_rule.srchosts.names = [ srchost ]
664. allow_rule.targethosts.names = [ targethost ]
665. + allow_rule.url = url
666.  
667. req = pyhbac.HbacRequest()
668. req.user.name = name
669. req.service.name = service
670. req.srchost.name = srchost
671. req.targethost.name = targethost
672. + req.url = url
673. +
674. + # The URL of the rule should match the required URL
675. + self.assertEqual(req.url, allow_rule.url)
676.  
677. # Test that an allow rule on its own allows access
678. res = req.evaluate((allow_rule,))