def testRuleElementInRule(self): users = ["foo", "bar"] user_groups = ["abc", "def"] # rule should contain empty elements after instantiation rule = pyhbac.HbacRule("testRuleElement") self.assertIsInstance(rule.users, pyhbac.HbacRuleElement) self.assertIsInstance(rule.services, pyhbac.HbacRuleElement) self.assertIsInstance(rule.targethosts, pyhbac.HbacRuleElement) self.assertIsInstance(rule.srchosts, pyhbac.HbacRuleElement) self.assertIsInstance(rule.users.names, list) self.assertIsInstance(rule.users.groups, list) self.assertCountEqual(rule.users.names, []) self.assertCountEqual(rule.users.groups, []) # Assign by copying a HbacRuleElement user_el = pyhbac.HbacRuleElement(names=users, groups=user_groups) rule = pyhbac.HbacRule("testRuleElement") rule.users = user_el self.assertCountEqual(rule.users.names, users) self.assertCountEqual(rule.users.groups, user_groups) # Assign directly rule = pyhbac.HbacRule("testRuleElement") rule.users.names = users rule.users.groups = user_groups self.assertCountEqual(rule.users.names, users) self.assertCountEqual(rule.users.groups, user_groups)
def convert_to_ipa_rule(self, rule): # convert a dict with a rule to an pyhbac rule ipa_rule = pyhbac.HbacRule(rule['cn'][0]) ipa_rule.enabled = rule['ipaenabledflag'][0] # Following code attempts to process rule systematically structure = \ (('user', 'memberuser', 'user', 'group', ipa_rule.users), ('host', 'memberhost', 'host', 'hostgroup', ipa_rule.targethosts), ('sourcehost', 'sourcehost', 'host', 'hostgroup', ipa_rule.srchosts), ('service', 'memberservice', 'hbacsvc', 'hbacsvcgroup', ipa_rule.services), ) for element in structure: category = '%scategory' % (element[0]) if (category in rule and rule[category][0] == u'all') or (element[0] == 'sourcehost'): # rule applies to all elements # sourcehost is always set to 'all' element[4].category = set([pyhbac.HBAC_CATEGORY_ALL]) else: # rule is about specific entities # Check if there are explicitly listed entities attr_name = '%s_%s' % (element[1], element[2]) if attr_name in rule: element[4].names = rule[attr_name] # Now add groups of entities if they are there attr_name = '%s_%s' % (element[1], element[3]) if attr_name in rule: element[4].groups = rule[attr_name] if 'externalhost' in rule: ipa_rule.srchosts.names.extend(rule['externalhost']) #pylint: disable=E1101 return ipa_rule
def testEvaluate(self): name = "someuser" service = "ssh" srchost = "host1" targethost = "host2" allow_rule = pyhbac.HbacRule("allowRule", enabled=True) allow_rule.users.names = [name] allow_rule.services.names = [service] allow_rule.srchosts.names = [srchost] allow_rule.targethosts.names = [targethost] req = pyhbac.HbacRequest() req.user.name = name req.service.name = service req.srchost.name = srchost req.targethost.name = targethost # Test that an allow rule on its own allows access res = req.evaluate((allow_rule, )) self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW) self.assertEqual(req.rule_name, "allowRule") # Test that a user not in the rule is not allowed savename = req.user.name req.user.name = "someotheruser" res = req.evaluate((allow_rule, )) self.assertEqual(res, pyhbac.HBAC_EVAL_DENY) self.assertEqual(req.rule_name, None) # But allows if the rule is an ALL rule allow_rule.users.category.add(pyhbac.HBAC_CATEGORY_ALL) res = req.evaluate((allow_rule, )) self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW)
def testRepr(self): r = pyhbac.HbacRule('foo') self.assertEqual( r.__repr__(), u"<name foo enabled 0 " "users <category 0 names [] groups []> " "services <category 0 names [] groups []> " "targethosts <category 0 names [] groups []> " "srchosts <category 0 names [] groups []>>") name = "someuser" service = "ssh" srchost = "host1" targethost = "host2" r.users.names = [name] r.services.names = [service] r.srchosts.names = [srchost] r.targethosts.names = [targethost] self.assertEqual( r.__repr__(), u"<name foo enabled 0 " "users <category 0 names [%s] groups []> " "services <category 0 names [%s] groups []> " "targethosts <category 0 names [%s] groups []> " "srchosts <category 0 names [%s] groups []>>" % (name, service, targethost, srchost))
def _get_rule(): users = ["foo", "bar"] user_groups = ["abc", "def"] el = pyhbac.HbacRuleElement(names=users, groups=user_groups) rule = pyhbac.HbacRule("testRuleElement") rule.users = el return rule
def testRuleGetSetEnabled(self): rule = pyhbac.HbacRule("testRuleGetSetEnabled") rule.enabled = True self.assertEqual(rule.enabled, True) rule.enabled = False self.assertEqual(rule.enabled, False) rule.enabled = "TRUE" self.assertEqual(rule.enabled, True) rule.enabled = "FALSE" self.assertEqual(rule.enabled, False) rule.enabled = "true" self.assertEqual(rule.enabled, True) rule.enabled = "false" self.assertEqual(rule.enabled, False) rule.enabled = "True" self.assertEqual(rule.enabled, True) rule.enabled = "False" self.assertEqual(rule.enabled, False) rule.enabled = 1 self.assertEqual(rule.enabled, True) rule.enabled = 0 self.assertEqual(rule.enabled, False) # negative test self.assertRaises(TypeError, rule.__setattr__, "enabled", None) self.assertRaises(TypeError, rule.__setattr__, "enabled", []) self.assertRaises(ValueError, rule.__setattr__, "enabled", "foo") self.assertRaises(ValueError, rule.__setattr__, "enabled", 5)
def testRuleGetSetName(self): name = "testGetRule" new_name = "testGetNewRule" rule = pyhbac.HbacRule(name) self.assertEqual(rule.name, unicode(name)) rule.name = new_name self.assertEqual(rule.name, unicode(new_name))
def _acl_make_rule(principal_type, obj): """Turn CA ACL object into HBAC rule. ``principal_type`` String in {'user', 'host', 'service'} """ rule = pyhbac.HbacRule(obj['cn'][0]) rule.enabled = obj['ipaenabledflag'][0] rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} else: # For compatibility with pre-lightweight-CAs CA ACLs, # no CA members implies the host authority (only) rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN]) # add profiles if ('ipacertprofilecategory' in obj and obj['ipacertprofilecategory'][0].lower() == 'all'): rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} else: attr = 'ipamembercertprofile_certprofile' rule.services.names = obj.get(attr, []) # add principals and principal's groups category_attr = '{}category'.format(principal_type) if category_attr in obj and obj[category_attr][0].lower() == 'all': rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} else: if principal_type == 'user': rule.users.names = obj.get('memberuser_user', []) rule.users.groups = obj.get('memberuser_group', []) elif principal_type == 'host': rule.users.names = obj.get('memberhost_host', []) rule.users.groups = obj.get('memberhost_hostgroup', []) elif principal_type == 'service': rule.users.names = [ unicode(principal) for principal in obj.get('memberservice_service', []) ] return rule
def _acl_make_rule(principal_type, obj): """Turn CA ACL object into HBAC rule. ``principal_type`` String in {'user', 'host', 'service'} """ rule = pyhbac.HbacRule(obj['cn'][0]) rule.enabled = obj['ipaenabledflag'][0] rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL} # add CA(s) # Hardcoded until caacl plugin arrives rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} #if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all': # rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL} #else: # rule.targethosts.names = obj.get('ipacaaclcaref', []) # add profiles if ('ipacertprofilecategory' in obj and obj['ipacertprofilecategory'][0].lower() == 'all'): rule.services.category = {pyhbac.HBAC_CATEGORY_ALL} else: attr = 'ipamembercertprofile_certprofile' rule.services.names = obj.get(attr, []) # add principals and principal's groups m = {'user': '******', 'host': 'hostgroup', 'service': None} category_attr = '{}category'.format(principal_type) if category_attr in obj and obj[category_attr][0].lower() == 'all': rule.users.category = {pyhbac.HBAC_CATEGORY_ALL} else: principal_attr = 'member{}_{}'.format(principal_type, principal_type) rule.users.names = obj.get(principal_attr, []) if m[principal_type] is not None: group_attr = 'member{}_{}'.format(principal_type, m[principal_type]) rule.users.groups = obj.get(group_attr, []) return rule
def testValidate(self): r = pyhbac.HbacRule('valid_rule') valid, missing = r.validate() self.assertEqual(valid, False) self.assertItemsEqual(missing, ( pyhbac.HBAC_RULE_ELEMENT_USERS, pyhbac.HBAC_RULE_ELEMENT_SERVICES, pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS, pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS )) r.users.names = [ "someuser" ] r.services.names = [ "ssh" ] valid, missing = r.validate() self.assertEqual(valid, False) self.assertItemsEqual(missing, ( pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS, pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS )) r.srchosts.names = [ "host1" ] r.targethosts.names = [ "host2" ] valid, missing = r.validate() self.assertEqual(valid, True)
def testEvaluateNegative(self): name = "someuser" service = "ssh" srchost = "host1" targethost = "host2" allow_rule = pyhbac.HbacRule("allowRule", enabled=True) allow_rule.users.names = [name] allow_rule.services.names = [service] allow_rule.srchosts.names = [srchost] allow_rule.targethosts.names = [targethost] req = pyhbac.HbacRequest() req.service.name = service req.srchost.name = srchost req.targethost.name = targethost req.user.name = name saveuser = req.user req.user = None # need to catch this # catch invalid category value savecat = copy.copy(allow_rule.users.category) allow_rule.users.category.add(pyhbac.HBAC_EVAL_ERROR) self.assertRaises(ValueError, req.evaluate, (allow_rule, )) allow_rule.users.category = savecat # Test that invalid type is raised self.assertRaises(TypeError, req.evaluate, (allow_rule, )) req.user = saveuser allow_rule.users = None # need to catch this self.assertRaises(TypeError, req.evaluate, (allow_rule, )) # catch invalid rule type self.assertRaises(TypeError, req.evaluate, (allow_rule, None))