From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
Put validation in the user and group classes instead of validating
in the metadata update, so that different types of authorization
can use their own authentication to validate the input value.
Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
---
src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++
src/kimchi/model/vms.py | 16 ++++++++--------
2 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
index a2f0941..cd47118 100644
--- a/src/kimchi/model/host.py
+++ b/src/kimchi/model/host.py
@@ -470,6 +470,9 @@ class UsersModel(object):
def get_list(self, **args):
return self.user._get_list(**args)
+ def validate(self, user):
+ return self.user.validate(user)
+
class PAMUsersModel(UsersModel):
auth_type = 'pam'
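Review bot: The new `UsersModel.validate` carries no docstring, yet it is the contract every auth backend below overrides, so the expected return value should be stated on it: `"""Return True if *user* is an account this auth backend accepts, else False."""`. The same one-line docstring belongs on `GroupsModel.validate` in the later hunk of this file. Where `self.user` is assigned is outside this hunk, so whether it always provides a `validate` cannot be confirmed from here.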
@@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
return [user.pw_name for user in pwd.getpwall()
if user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]]
+ def validate(self, user):
+ try:
+ user = pwd.getpwnam(user)
+ return user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]
+ except:
+ return False
+
class LDAPUsersModel(UsersModel):
auth_type = 'ldap'
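Review bot: The bare `except:` in `PAMUsersModel.validate` swallows every exception, including `SystemExit`/`KeyboardInterrupt` and a `TypeError` from a non-string `user`, and turns them all into `False`; the only expected failure here is the `KeyError` that `pwd.getpwnam` raises for an unknown account, so it should read `except KeyError:`, matching what `PAMGroupsModel.validate` does later in this file. The shell check `user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]` is also now duplicated from `_get_list` two lines above; a small private helper taking the `pwd` entry would keep the listing and the validation from drifting apart. Rebinding the `user` parameter to the `pwd` struct inside the `try` makes the method harder to read; a separate local such as `entry` is clearer.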
@@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
def _get_list(self, _user_id=''):
return self._get_user(_user_id)
+ def validate(self, user):
+ try:
+ self._get_user(user)
+ return True
+ except NotFoundError:
+ return False
+
def _get_user(self, _user_id):
ldap_server = config.get("authentication",
"ldap_server").strip('"')
ldap_search_base = config.get(
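Review bot: `LDAPUsersModel.validate` passes the caller-supplied `user` straight into `_get_user`, whose body starts at the bottom of this hunk and continues outside it; if that method builds an LDAP search filter by string interpolation, the value should be escaped before use (with python-ldap, `ldap.filter.escape_filter_chars`), since this path is now reached with values from a VM update request. Only `NotFoundError` is mapped to `False`, so any other LDAP error (connection, bind, timeout) propagates out of the VM update; that fails closed, which is reasonable, but it differs from the PAM variant and deserves a short comment such as `# Only an unknown user is "invalid"; LDAP errors propagate to the caller.`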
@@ -522,6 +539,9 @@ class GroupsModel(object):
else:
return list()
+ def validate(self, gid):
+ return self.grp.validate(gid)
+
class PAMGroupsModel(GroupsModel):
auth_type = 'pam'
@@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
def _get_list(self):
return [group.gr_name for group in grp.getgrall()]
+ def validate(self, gid):
+ try:
+ grp.getgrnam(gid)
+ except KeyError:
+ return False
+ return True
+
class LDAPGroupsModel(GroupsModel):
auth_type = 'ldap'
def __init__(self, **kargs):
pass
+
+ def validate(self, gid):
+ return False
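Review bot: `LDAPGroupsModel.validate` returns `False` unconditionally, which means any VM update that names a group on an LDAP-configured host is rejected with KCHVM0028E, and nothing in the code says this is intentional. A comment should record it, e.g. `# Group lookup is not implemented for LDAP, so every group is rejected; the VM update then fails with KCHVM0028E.` If the intent is instead "unsupported" rather than "invalid", a `NotImplementedError` or a distinct error code would make the failure understandable to the API caller.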
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 58686cd..777930d 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -266,16 +266,16 @@ class VMModel(object):
users = groups = None
if "users" in params:
users = params["users"]
- invalid_users = set(users) - set(self.users.get_list())
- if len(invalid_users) != 0:
- raise InvalidParameter("KCHVM0027E",
- {'users': ",
".join(invalid_users)})
+ for user in users:
+ if not self.users.validate(user):
+ raise InvalidParameter("KCHVM0027E",
+ {'users': user})
if "groups" in params:
groups = params["groups"]
- invalid_groups = set(groups) - set(self.groups.get_list())
- if len(invalid_groups) != 0:
- raise InvalidParameter("KCHVM0028E",
- {'groups': ",
".join(invalid_groups)})
+ for group in groups:
+ if not self.groups.validate(group):
+ raise InvalidParameter("KCHVM0028E",
+ {'groups': group})
if users is None and groups is None:
return
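Review bot: The loops in this hunk raise on the first invalid entry, so the error now names only one user (or group) where the removed code reported every invalid one joined with ", "; callers fixing a request with several bad entries will need one round-trip per entry. Collecting first preserves the old message content: `invalid_users = [u for u in users if not self.users.validate(u)]`, `if invalid_users:`, `raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`, and the same shape for groups with KCHVM0028E. The enclosing method of VMModel starts before this hunk, so whether `params["users"]` is already guaranteed to be a list (rather than a string, which this loop would iterate character by character) is not visible here.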
--
1.8.3.2