
On 10/28/2014 11:37 AM, lvroyce0210@gmail.com wrote:
From: Royce Lv <lvroyce@linux.vnet.ibm.com>
Put validation in the user and group classes instead of validating in the metadata update, so that different types of authorization can use their own authentication to validate input values.
Signed-off-by: Royce Lv <lvroyce@linux.vnet.ibm.com> --- src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++ src/kimchi/model/vms.py | 16 ++++++++-------- 2 files changed, 38 insertions(+), 8 deletions(-)
diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
index a2f0941..cd47118 100644
--- a/src/kimchi/model/host.py
+++ b/src/kimchi/model/host.py
@@ -470,6 +470,9 @@ class UsersModel(object):
 def get_list(self, **args):
 return self.user._get_list(**args)
+ def validate(self, user):
+ return self.user.validate(user)
+
class PAMUsersModel(UsersModel):
 auth_type = 'pam'
@@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
 return [user.pw_name for user in pwd.getpwall()
 if user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]]
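Review bot: The new `UsersModel.validate` in the first hunk carries no docstring, so the contract the backends are expected to honour — True only for a name the configured auth backend can resolve, False rather than an exception for an unknown name — stays implicit. Suggest `"""Return True if *user* is a valid login for the configured auth backend, False otherwise."""` on the delegating method. The same applies to the `GroupsModel.validate` delegate added further down in this file.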
+ def validate(self, user):
+ try:
+ user = pwd.getpwnam(user)
+ return user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]
+ except:
+ return False
+
You can use _get_list() to do it: return user in self.get_list()
class LDAPUsersModel(UsersModel):
 auth_type = 'ldap'
@@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
 def _get_list(self, _user_id=''):
 return self._get_user(_user_id)
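Review bot: `PAMUsersModel.validate` uses a bare `except:`, which also swallows `KeyboardInterrupt`, `SystemExit` and any programming error in the shell check, reporting all of them as "invalid user". `pwd.getpwnam` signals an unknown name with `KeyError`, so `except KeyError:` is the clause that belongs here, matching the `PAMGroupsModel.validate` added below. Rebinding the parameter `user` to the passwd entry on the next line also makes the function harder to follow; a separate name such as `entry = pwd.getpwnam(user)` avoids that.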
+ def validate(self, user):
+ try:
+ self._get_user(user)
+ return True
+ except NotFoundError:
+ return False
+
 def _get_user(self, _user_id):
 ldap_server = config.get("authentication", "ldap_server").strip('"')
 ldap_search_base = config.get(
@@ -522,6 +539,9 @@ class GroupsModel(object):
 else:
 return list()
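Review bot: `LDAPUsersModel.validate` only maps `NotFoundError` to False; any other failure raised by `_get_user` (an unreachable LDAP server, for instance) propagates out of the VM update unhandled — confirm that is the intended outcome, since `_get_user`'s body runs past the hunk and its failure modes are not visible here. The caller-supplied name is also handed to `_get_user` unchanged; if that method interpolates it into an LDAP search filter, it should be escaped first (python-ldap's `ldap.filter.escape_filter_chars`, if that is the library in use) so that a request parameter cannot alter the filter. A short docstring noting that a False result covers only "not found" would make the narrower contract explicit.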
+ def validate(self, gid):
+ return self.grp.validate(gid)
+
class PAMGroupsModel(GroupsModel):
 auth_type = 'pam'
@@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
 def _get_list(self):
 return [group.gr_name for group in grp.getgrall()]
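Review bot: `GroupsModel.validate(self, gid)` names its parameter `gid`, but the PAM implementation below passes it to `grp.getgrnam`, which looks a group up by name, not by numeric id, and the caller in vms.py passes the entries of `params["groups"]`. Renaming the parameter to `group` here, in `PAMGroupsModel.validate` and in `LDAPGroupsModel.validate` would stop a reader from expecting integer ids. A one-line docstring stating the return contract would help too: `"""Return True if *group* exists for the configured auth backend, False otherwise."""`.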
+ def validate(self, gid):
+ try:
+ grp.getgrnam(gid)
+ except KeyError:
+ return False
+ return True
+
class LDAPGroupsModel(GroupsModel):
 auth_type = 'ldap'
 def __init__(self, **kargs):
 pass
+
+ def validate(self, gid):
+ return False
diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
index 58686cd..777930d 100644
--- a/src/kimchi/model/vms.py
+++ b/src/kimchi/model/vms.py
@@ -266,16 +266,16 @@ class VMModel(object):
 users = groups = None
 if "users" in params:
 users = params["users"]
- invalid_users = set(users) - set(self.users.get_list())
- if len(invalid_users) != 0:
- raise InvalidParameter("KCHVM0027E",
- {'users': ", ".join(invalid_users)})
+ for user in users:
+ if not self.users.validate(user):
+ raise InvalidParameter("KCHVM0027E",
+ {'users': user})
 if "groups" in params:
 groups = params["groups"]
- invalid_groups = set(groups) - set(self.groups.get_list())
- if len(invalid_groups) != 0:
- raise InvalidParameter("KCHVM0028E",
- {'groups': ", ".join(invalid_groups)})
+ for group in groups:
+ if not self.groups.validate(group):
+ raise InvalidParameter("KCHVM0028E",
+ {'groups': group})
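Review bot: `LDAPGroupsModel.validate` returns False unconditionally, so with LDAP authentication any VM update that supplies a non-empty `groups` list now fails with KCHVM0028E, while the base `GroupsModel.validate` presents the method as a real check. If group lookup is deliberately unsupported for LDAP, say so at the site rather than leaving a bare `return False`: `# Group membership is not resolved against LDAP; every group is rejected.` Without that comment the next reader will take the rejection for a bug.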
if users is None and groups is None:
 return
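Review bot: The replacement loop raises on the first user that fails `validate`, so the KCHVM0027E message now names a single user where the removed code listed every invalid one; the same regression applies to KCHVM0028E in the groups block. Collecting the failures first preserves the earlier message: `invalid_users = [u for u in users if not self.users.validate(u)]` followed by `if invalid_users: raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`, and likewise for groups. The per-entry `validate` calls also mean one backend lookup per supplied name — an LDAP round trip each under LDAP auth — which is acceptable for short lists but worth a comment. The enclosing method continues past the hunk.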