def testRuleElementInRule(self):
users = ["foo", "bar"]
user_groups = ["abc", "def"]
# rule should contain empty elements after instantiation
rule = pyhbac.HbacRule("testRuleElement")
self.assertIsInstance(rule.users, pyhbac.HbacRuleElement)
self.assertIsInstance(rule.services, pyhbac.HbacRuleElement)
self.assertIsInstance(rule.targethosts, pyhbac.HbacRuleElement)
self.assertIsInstance(rule.srchosts, pyhbac.HbacRuleElement)
self.assertIsInstance(rule.users.names, list)
self.assertIsInstance(rule.users.groups, list)
self.assertCountEqual(rule.users.names, [])
self.assertCountEqual(rule.users.groups, [])
# Assign by copying a HbacRuleElement
user_el = pyhbac.HbacRuleElement(names=users, groups=user_groups)
rule = pyhbac.HbacRule("testRuleElement")
rule.users = user_el
self.assertCountEqual(rule.users.names, users)
self.assertCountEqual(rule.users.groups, user_groups)
# Assign directly
rule = pyhbac.HbacRule("testRuleElement")
rule.users.names = users
rule.users.groups = user_groups
self.assertCountEqual(rule.users.names, users)
self.assertCountEqual(rule.users.groups, user_groups)
def convert_to_ipa_rule(self, rule):
# convert a dict with a rule to an pyhbac rule
ipa_rule = pyhbac.HbacRule(rule['cn'][0])
ipa_rule.enabled = rule['ipaenabledflag'][0]
# Following code attempts to process rule systematically
structure = \
(('user', 'memberuser', 'user', 'group', ipa_rule.users),
('host', 'memberhost', 'host', 'hostgroup', ipa_rule.targethosts),
('sourcehost', 'sourcehost', 'host', 'hostgroup', ipa_rule.srchosts),
('service', 'memberservice', 'hbacsvc', 'hbacsvcgroup', ipa_rule.services),
)
for element in structure:
category = '%scategory' % (element[0])
if (category in rule
and rule[category][0] == u'all') or (element[0]
== 'sourcehost'):
# rule applies to all elements
# sourcehost is always set to 'all'
element[4].category = set([pyhbac.HBAC_CATEGORY_ALL])
else:
# rule is about specific entities
# Check if there are explicitly listed entities
attr_name = '%s_%s' % (element[1], element[2])
if attr_name in rule:
element[4].names = rule[attr_name]
# Now add groups of entities if they are there
attr_name = '%s_%s' % (element[1], element[3])
if attr_name in rule:
element[4].groups = rule[attr_name]
if 'externalhost' in rule:
ipa_rule.srchosts.names.extend(rule['externalhost']) #pylint: disable=E1101
return ipa_rule
def testEvaluate(self):
name = "someuser"
service = "ssh"
srchost = "host1"
targethost = "host2"
allow_rule = pyhbac.HbacRule("allowRule", enabled=True)
allow_rule.users.names = [name]
allow_rule.services.names = [service]
allow_rule.srchosts.names = [srchost]
allow_rule.targethosts.names = [targethost]
req = pyhbac.HbacRequest()
req.user.name = name
req.service.name = service
req.srchost.name = srchost
req.targethost.name = targethost
# Test that an allow rule on its own allows access
res = req.evaluate((allow_rule, ))
self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW)
self.assertEqual(req.rule_name, "allowRule")
# Test that a user not in the rule is not allowed
savename = req.user.name
req.user.name = "someotheruser"
res = req.evaluate((allow_rule, ))
self.assertEqual(res, pyhbac.HBAC_EVAL_DENY)
self.assertEqual(req.rule_name, None)
# But allows if the rule is an ALL rule
allow_rule.users.category.add(pyhbac.HBAC_CATEGORY_ALL)
res = req.evaluate((allow_rule, ))
self.assertEqual(res, pyhbac.HBAC_EVAL_ALLOW)
def testRepr(self):
r = pyhbac.HbacRule('foo')
self.assertEqual(
r.__repr__(), u"<name foo enabled 0 "
"users <category 0 names [] groups []> "
"services <category 0 names [] groups []> "
"targethosts <category 0 names [] groups []> "
"srchosts <category 0 names [] groups []>>")
name = "someuser"
service = "ssh"
srchost = "host1"
targethost = "host2"
r.users.names = [name]
r.services.names = [service]
r.srchosts.names = [srchost]
r.targethosts.names = [targethost]
self.assertEqual(
r.__repr__(), u"<name foo enabled 0 "
"users <category 0 names [%s] groups []> "
"services <category 0 names [%s] groups []> "
"targethosts <category 0 names [%s] groups []> "
"srchosts <category 0 names [%s] groups []>>" %
(name, service, targethost, srchost))
def _get_rule():
users = ["foo", "bar"]
user_groups = ["abc", "def"]
el = pyhbac.HbacRuleElement(names=users, groups=user_groups)
rule = pyhbac.HbacRule("testRuleElement")
rule.users = el
return rule
def testRuleGetSetEnabled(self):
rule = pyhbac.HbacRule("testRuleGetSetEnabled")
rule.enabled = True
self.assertEqual(rule.enabled, True)
rule.enabled = False
self.assertEqual(rule.enabled, False)
rule.enabled = "TRUE"
self.assertEqual(rule.enabled, True)
rule.enabled = "FALSE"
self.assertEqual(rule.enabled, False)
rule.enabled = "true"
self.assertEqual(rule.enabled, True)
rule.enabled = "false"
self.assertEqual(rule.enabled, False)
rule.enabled = "True"
self.assertEqual(rule.enabled, True)
rule.enabled = "False"
self.assertEqual(rule.enabled, False)
rule.enabled = 1
self.assertEqual(rule.enabled, True)
rule.enabled = 0
self.assertEqual(rule.enabled, False)
# negative test
self.assertRaises(TypeError, rule.__setattr__, "enabled", None)
self.assertRaises(TypeError, rule.__setattr__, "enabled", [])
self.assertRaises(ValueError, rule.__setattr__, "enabled", "foo")
self.assertRaises(ValueError, rule.__setattr__, "enabled", 5)
def testRuleGetSetName(self):
name = "testGetRule"
new_name = "testGetNewRule"
rule = pyhbac.HbacRule(name)
self.assertEqual(rule.name, unicode(name))
rule.name = new_name
self.assertEqual(rule.name, unicode(new_name))
def _acl_make_rule(principal_type, obj):
"""Turn CA ACL object into HBAC rule.
``principal_type``
String in {'user', 'host', 'service'}
"""
rule = pyhbac.HbacRule(obj['cn'][0])
rule.enabled = obj['ipaenabledflag'][0]
rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
# add CA(s)
if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
else:
# For compatibility with pre-lightweight-CAs CA ACLs,
# no CA members implies the host authority (only)
rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
# add profiles
if ('ipacertprofilecategory' in obj
and obj['ipacertprofilecategory'][0].lower() == 'all'):
rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
else:
attr = 'ipamembercertprofile_certprofile'
rule.services.names = obj.get(attr, [])
# add principals and principal's groups
category_attr = '{}category'.format(principal_type)
if category_attr in obj and obj[category_attr][0].lower() == 'all':
rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
else:
if principal_type == 'user':
rule.users.names = obj.get('memberuser_user', [])
rule.users.groups = obj.get('memberuser_group', [])
elif principal_type == 'host':
rule.users.names = obj.get('memberhost_host', [])
rule.users.groups = obj.get('memberhost_hostgroup', [])
elif principal_type == 'service':
rule.users.names = [
unicode(principal)
for principal in obj.get('memberservice_service', [])
]
return rule
def _acl_make_rule(principal_type, obj):
"""Turn CA ACL object into HBAC rule.
``principal_type``
String in {'user', 'host', 'service'}
"""
rule = pyhbac.HbacRule(obj['cn'][0])
rule.enabled = obj['ipaenabledflag'][0]
rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
# add CA(s)
# Hardcoded until caacl plugin arrives
rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
#if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
# rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
#else:
# rule.targethosts.names = obj.get('ipacaaclcaref', [])
# add profiles
if ('ipacertprofilecategory' in obj
and obj['ipacertprofilecategory'][0].lower() == 'all'):
rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
else:
attr = 'ipamembercertprofile_certprofile'
rule.services.names = obj.get(attr, [])
# add principals and principal's groups
m = {'user': '******', 'host': 'hostgroup', 'service': None}
category_attr = '{}category'.format(principal_type)
if category_attr in obj and obj[category_attr][0].lower() == 'all':
rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
else:
principal_attr = 'member{}_{}'.format(principal_type, principal_type)
rule.users.names = obj.get(principal_attr, [])
if m[principal_type] is not None:
group_attr = 'member{}_{}'.format(principal_type,
m[principal_type])
rule.users.groups = obj.get(group_attr, [])
return rule
def testValidate(self):
r = pyhbac.HbacRule('valid_rule')
valid, missing = r.validate()
self.assertEqual(valid, False)
self.assertItemsEqual(missing, ( pyhbac.HBAC_RULE_ELEMENT_USERS,
pyhbac.HBAC_RULE_ELEMENT_SERVICES,
pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS,
pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS ))
r.users.names = [ "someuser" ]
r.services.names = [ "ssh" ]
valid, missing = r.validate()
self.assertEqual(valid, False)
self.assertItemsEqual(missing, ( pyhbac.HBAC_RULE_ELEMENT_TARGETHOSTS,
pyhbac.HBAC_RULE_ELEMENT_SOURCEHOSTS ))
r.srchosts.names = [ "host1" ]
r.targethosts.names = [ "host2" ]
valid, missing = r.validate()
self.assertEqual(valid, True)
def testEvaluateNegative(self):
name = "someuser"
service = "ssh"
srchost = "host1"
targethost = "host2"
allow_rule = pyhbac.HbacRule("allowRule", enabled=True)
allow_rule.users.names = [name]
allow_rule.services.names = [service]
allow_rule.srchosts.names = [srchost]
allow_rule.targethosts.names = [targethost]
req = pyhbac.HbacRequest()
req.service.name = service
req.srchost.name = srchost
req.targethost.name = targethost
req.user.name = name
saveuser = req.user
req.user = None # need to catch this
# catch invalid category value
savecat = copy.copy(allow_rule.users.category)
allow_rule.users.category.add(pyhbac.HBAC_EVAL_ERROR)
self.assertRaises(ValueError, req.evaluate, (allow_rule, ))
allow_rule.users.category = savecat
# Test that invalid type is raised
self.assertRaises(TypeError, req.evaluate, (allow_rule, ))
req.user = saveuser
allow_rule.users = None # need to catch this
self.assertRaises(TypeError, req.evaluate, (allow_rule, ))
# catch invalid rule type
self.assertRaises(TypeError, req.evaluate, (allow_rule, None))
