On 11/06/2014 04:20 AM, Royce Lv wrote:
On 2014年10月31日 01:04, Aline Manera wrote:
>
> On 10/28/2014 11:37 AM, lvroyce0210(a)gmail.com wrote:
>> From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
>>
>> Put validation in the user and group classes instead of validating
>> in the metadata update, so that each type of authorization
>> can use its own authentication to validate the input value.
>>
>> Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
>> ---
>> src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++
>> src/kimchi/model/vms.py | 16 ++++++++--------
>> 2 files changed, 38 insertions(+), 8 deletions(-)
>>
>> diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
>> index a2f0941..cd47118 100644
>> --- a/src/kimchi/model/host.py
>> +++ b/src/kimchi/model/host.py
>> @@ -470,6 +470,9 @@ class UsersModel(object):
>> def get_list(self, **args):
>> return self.user._get_list(**args)
>>
>> + def validate(self, user):
>> + return self.user.validate(user)
>> +
>>
>> class PAMUsersModel(UsersModel):
>> auth_type = 'pam'
>> @@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
>> return [user.pw_name for user in pwd.getpwall()
>> if user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]]
>
>> + def validate(self, user):
>> + try:
>> + user = pwd.getpwnam(user)
>> + return user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]
>> + except:
>> + return False
>> +
>
> You can use _get_list() to do it:
>
> return user in self.get_list()
ACK, it changed from getpwall to getpwnam just for efficiency.
OK.
>
>> class LDAPUsersModel(UsersModel):
>> auth_type = 'ldap'
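Review bot: The bare `except:` in PAMUsersModel.validate reports every failure as "invalid user", not only an unknown account, and it also catches KeyboardInterrupt and SystemExit. pwd.getpwnam signals a missing name with KeyError, so `except KeyError:` would match PAMGroupsModel.validate later in this patch and let unexpected errors surface instead of being reported as a bad user name. A one-line docstring stating that an account whose shell is `nologin` or `false` counts as invalid would also help, since this rule now appears to decide which names the VM update in vms.py accepts.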
>> @@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
>> def _get_list(self, _user_id=''):
>> return self._get_user(_user_id)
>>
>> + def validate(self, user):
>> + try:
>> + self._get_user(user)
>> + return True
>> + except NotFoundError:
>> + return False
>> +
>> def _get_user(self, _user_id):
>> ldap_server = config.get("authentication",
"ldap_server").strip('"')
>> ldap_search_base = config.get(
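Review bot: LDAPUsersModel.validate passes the caller-supplied name straight into `self._get_user(user)`, and most of _get_user's body lies outside this hunk, so it cannot be confirmed here that the name is escaped before it reaches the LDAP search filter. If the filter is built by string formatting, the value should be escaped first, for example with `ldap.filter.escape_filter_chars(_user_id)` if python-ldap is the client, so that a name containing filter metacharacters is matched literally. validate also returns True whenever _get_user does not raise NotFoundError, which is only correct if _get_user raises for every miss, including an empty search result; a docstring on validate should state that assumption.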
>> @@ -522,6 +539,9 @@ class GroupsModel(object):
>> else:
>> return list()
>>
>> + def validate(self, gid):
>> + return self.grp.validate(gid)
>> +
>>
>> class PAMGroupsModel(GroupsModel):
>> auth_type = 'pam'
>> @@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
>> def _get_list(self):
>> return [group.gr_name for group in grp.getgrall()]
>>
>> + def validate(self, gid):
>> + try:
>> + grp.getgrnam(gid)
>> + except KeyError:
>> + return False
>> + return True
>> +
>>
>> class LDAPGroupsModel(GroupsModel):
>> auth_type = 'ldap'
>> def __init__(self, **kargs):
>> pass
>> +
>> + def validate(self, gid):
>> + return False
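Review bot: LDAPGroupsModel.validate returns False unconditionally, so under LDAP authentication every group passed to a VM update would be rejected with no hint that group lookup is simply not implemented. A comment such as `# LDAP group lookup is not implemented; reject every group` would make the fail-closed choice explicit. In PAMGroupsModel.validate the parameter is named `gid` but is handed to `grp.getgrnam`, which looks up by group name, so `group` (the name the caller in vms.py uses) would be clearer. getgrnam raises TypeError rather than KeyError for a non-string argument, so that case is not converted to False by the `except KeyError:` here.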
>> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
>> index 58686cd..777930d 100644
>> --- a/src/kimchi/model/vms.py
>> +++ b/src/kimchi/model/vms.py
>> @@ -266,16 +266,16 @@ class VMModel(object):
>> users = groups = None
>> if "users" in params:
>> users = params["users"]
>> - invalid_users = set(users) - set(self.users.get_list())
>> - if len(invalid_users) != 0:
>> - raise InvalidParameter("KCHVM0027E",
>> - {'users': ", ".join(invalid_users)})
>> + for user in users:
>> + if not self.users.validate(user):
>> + raise InvalidParameter("KCHVM0027E",
>> + {'users': user})
>> if "groups" in params:
>> groups = params["groups"]
>> - invalid_groups = set(groups) - set(self.groups.get_list())
>> - if len(invalid_groups) != 0:
>> - raise InvalidParameter("KCHVM0028E",
>> - {'groups': ", ".join(invalid_groups)})
>> + for group in groups:
>> + if not self.groups.validate(group):
>> + raise InvalidParameter("KCHVM0028E",
>> + {'groups': group})
>>
>> if users is None and groups is None:
>> return
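Review bot: The loop at `for user in users:` raises on the first rejected name, so KCHVM0027E now reports a single entry where the removed code listed every invalid user in one message. Collecting the failures first keeps the old behaviour, e.g. `invalid_users = [u for u in users if not self.users.validate(u)]` followed by `if invalid_users: raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`. The same applies to the `for group in groups:` loop and KCHVM0028E. The enclosing method starts and ends outside this hunk, so any type checking of `params["users"]` entries before this point is not visible here.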
>