[Kimchi-devel] [PATCHv2 6/7] Move validation to user and host

Aline Manera alinefm at linux.vnet.ibm.com
Mon Nov 10 16:03:40 UTC 2014


On 11/06/2014 04:20 AM, Royce Lv wrote:
> On 2014年10月31日 01:04, Aline Manera wrote:
>>
>> On 10/28/2014 11:37 AM, lvroyce0210 at gmail.com wrote:
>>> From: Royce Lv <lvroyce at linux.vnet.ibm.com>
>>>
>>> Put validation in the user and group classes instead of validating
>>> in the metadata update, so that different types of authorization
>>> can use their own authentication to validate input values.
>>>
>>> Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
>>> ---
>>> src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++
>>> src/kimchi/model/vms.py | 16 ++++++++--------
>>> 2 files changed, 38 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
>>> index a2f0941..cd47118 100644
>>> --- a/src/kimchi/model/host.py
>>> +++ b/src/kimchi/model/host.py
>>> @@ -470,6 +470,9 @@ class UsersModel(object):
>>> def get_list(self, **args):
>>> return self.user._get_list(**args)
>>>
>>> + def validate(self, user):
>>> + return self.user.validate(user)
>>> +
>>>
>>> class PAMUsersModel(UsersModel):
>>> auth_type = 'pam'
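Review bot: `UsersModel.validate` is added without a docstring, and the backends implementing it in this patch do not agree on failure behaviour: the PAM version returns False on any exception, while the LDAP version handles only `NotFoundError`. The caller in vms.py accepts or rejects a users/groups update based on this result, so the contract should be stated on the base method, for example `"""Return True if user is accepted by the configured authentication backend, False otherwise."""`, plus a sentence on whether backend errors may propagate. The same applies to `GroupsModel.validate` in the later hunk of this file.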
>>> @@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
>>> return [user.pw_name for user in pwd.getpwall()
>>> if user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]]
>>
>>> + def validate(self, user):
>>> + try:
>>> + user = pwd.getpwnam(user)
>>> + return user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]
>>> + except:
>>> + return False
>>> +
>>
>> You can use _get_list() to do it:
>>
>> return user in self.get_list()
> ACK, it changed from getpwall to getpwnam just for efficiency.

OK.

>>
>>> class LDAPUsersModel(UsersModel):
>>> auth_type = 'ldap'
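Review bot: The bare `except:` in `PAMUsersModel.validate` turns every failure into "invalid user", not only an unknown name. `pwd.getpwnam` raises `KeyError` for a missing account, so `except KeyError:` is sufficient, or `except (KeyError, TypeError):` if non-string entries from the request should also be rejected rather than raised. Failing closed is the right default for a check that gates an access list, but a bare except also intercepts `KeyboardInterrupt` and `SystemExit` and hides real faults from the logs.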
>>> @@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
>>> def _get_list(self, _user_id=''):
>>> return self._get_user(_user_id)
>>>
>>> + def validate(self, user):
>>> + try:
>>> + self._get_user(user)
>>> + return True
>>> + except NotFoundError:
>>> + return False
>>> +
>>> def _get_user(self, _user_id):
>>> ldap_server = config.get("authentication", "ldap_server").strip('"')
>>> ldap_search_base = config.get(
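Review bot: `LDAPUsersModel.validate` passes the caller-supplied name straight into `_get_user`, which builds an LDAP search; its body continues outside this hunk, so whether the name is escaped is not visible here. If the search filter is assembled by string formatting, the name needs escaping first (python-ldap provides `ldap.filter.escape_filter_chars`), otherwise a crafted value could presumably match an entry other than the one named and pass validation. Separately, only `NotFoundError` is caught, so a connection or bind failure would propagate out of `validate`, unlike the PAM variant which returns False. A comment such as `# backend errors propagate; only a missing entry means "invalid"` would make that intentional.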
>>> @@ -522,6 +539,9 @@ class GroupsModel(object):
>>> else:
>>> return list()
>>>
>>> + def validate(self, gid):
>>> + return self.grp.validate(gid)
>>> +
>>>
>>> class PAMGroupsModel(GroupsModel):
>>> auth_type = 'pam'
>>> @@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
>>> def _get_list(self):
>>> return [group.gr_name for group in grp.getgrall()]
>>>
>>> + def validate(self, gid):
>>> + try:
>>> + grp.getgrnam(gid)
>>> + except KeyError:
>>> + return False
>>> + return True
>>> +
>>>
>>> class LDAPGroupsModel(GroupsModel):
>>> auth_type = 'ldap'
>>> def __init__(self, **kargs):
>>> pass
>>> +
>>> + def validate(self, gid):
>>> + return False
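Review bot: `LDAPGroupsModel.validate` returns False unconditionally, so under LDAP authentication any request carrying `groups` will be rejected with KCHVM0028E. That fails closed, but nothing says it is deliberate; a comment such as `# LDAP group lookup is not implemented yet: reject every group` would help. In `PAMGroupsModel.validate` the parameter is called `gid` yet is passed to `grp.getgrnam`, which expects a group name; only `KeyError` is caught, so a non-string entry would raise `TypeError` instead of being reported as invalid. Consider renaming the parameter to `group` and using `except (KeyError, TypeError):`.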
>>> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
>>> index 58686cd..777930d 100644
>>> --- a/src/kimchi/model/vms.py
>>> +++ b/src/kimchi/model/vms.py
>>> @@ -266,16 +266,16 @@ class VMModel(object):
>>> users = groups = None
>>> if "users" in params:
>>> users = params["users"]
>>> - invalid_users = set(users) - set(self.users.get_list())
>>> - if len(invalid_users) != 0:
>>> - raise InvalidParameter("KCHVM0027E",
>>> - {'users': ", ".join(invalid_users)})
>>> + for user in users:
>>> + if not self.users.validate(user):
>>> + raise InvalidParameter("KCHVM0027E",
>>> + {'users': user})
>>> if "groups" in params:
>>> groups = params["groups"]
>>> - invalid_groups = set(groups) - set(self.groups.get_list())
>>> - if len(invalid_groups) != 0:
>>> - raise InvalidParameter("KCHVM0028E",
>>> - {'groups': ", ".join(invalid_groups)})
>>> + for group in groups:
>>> + if not self.groups.validate(group):
>>> + raise InvalidParameter("KCHVM0028E",
>>> + {'groups': group})
>>>
>>> if users is None and groups is None:
>>> return
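Review bot: The new loops raise on the first entry that fails validation, so the KCHVM0027E and KCHVM0028E messages now name one user or group where the removed code listed all invalid ones. To keep the old reporting, collect first with `invalid_users = [u for u in users if not self.users.validate(u)]` and raise with `{'users': ", ".join(invalid_users)}` when the list is non-empty, and likewise for groups. Nothing in this hunk checks that `users` and `groups` are lists of strings before iterating, so a bare string would be validated character by character, as it already was with `set(users)`. If no API schema enforces the type, an explicit check belongs here. The enclosing method starts and ends outside the hunk.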
>>
>>
>



