On 2014年10月31日 01:04, Aline Manera wrote:
On 10/28/2014 11:37 AM, lvroyce0210(a)gmail.com wrote:
> From: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
>
> Put validation in the user and group classes instead of validating
> in the metadata update, so that different types of authorization
> can use their own authentication to validate the input value.
>
> Signed-off-by: Royce Lv <lvroyce(a)linux.vnet.ibm.com>
> ---
> src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++
> src/kimchi/model/vms.py | 16 ++++++++--------
> 2 files changed, 38 insertions(+), 8 deletions(-)
>
> diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
> index a2f0941..cd47118 100644
> --- a/src/kimchi/model/host.py
> +++ b/src/kimchi/model/host.py
> @@ -470,6 +470,9 @@ class UsersModel(object):
> def get_list(self, **args):
> return self.user._get_list(**args)
>
> + def validate(self, user):
> + return self.user.validate(user)
> +
>
> class PAMUsersModel(UsersModel):
> auth_type = 'pam'
> @@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
> return [user.pw_name for user in pwd.getpwall()
> if user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]]
> + def validate(self, user):
> + try:
> + user = pwd.getpwnam(user)
> + return user.pw_shell.rsplit("/")[-1] not in ["nologin",
"false"]
> + except:
> + return False
> +
You can use _get_list() to do it:
return user in self.get_list()
ACK, it changed from getpwall to getpwnam just for
efficiency.
> class LDAPUsersModel(UsersModel):
> auth_type = 'ldap'
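Review bot: The bare `except:` in PAMUsersModel.validate reports every failure as an invalid user, including KeyboardInterrupt/SystemExit and any unexpected error raised during the lookup, not only a missing account. pwd.getpwnam signals an unknown name with KeyError, so `except KeyError:` would be enough and would match PAMGroupsModel.validate later in this patch. The parameter `user` is also rebound to the passwd entry; a separate name such as `entry = pwd.getpwnam(user)` keeps the input and the lookup result apart.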
> @@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
> def _get_list(self, _user_id=''):
> return self._get_user(_user_id)
>
> + def validate(self, user):
> + try:
> + self._get_user(user)
> + return True
> + except NotFoundError:
> + return False
> +
> def _get_user(self, _user_id):
> ldap_server = config.get("authentication",
"ldap_server").strip('"')
> ldap_search_base = config.get(
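Review bot: LDAPUsersModel.validate accepts a name whenever `self._get_user(user)` does not raise NotFoundError, and that name comes from the request's `users` list in vms.py. `_get_list` calls the same helper with `''` to list users, which suggests an empty name, and possibly one containing LDAP filter metacharacters, could match entries and pass validation. The body of `_get_user` continues outside this hunk, so this needs confirming there. I would reject empty names up front with `if not user: return False` and make sure the name is escaped before it goes into the search filter. A short docstring saying that only NotFoundError maps to False while other errors propagate would also help callers.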
> @@ -522,6 +539,9 @@ class GroupsModel(object):
> else:
> return list()
>
> + def validate(self, gid):
> + return self.grp.validate(gid)
> +
>
> class PAMGroupsModel(GroupsModel):
> auth_type = 'pam'
> @@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
> def _get_list(self):
> return [group.gr_name for group in grp.getgrall()]
>
> + def validate(self, gid):
> + try:
> + grp.getgrnam(gid)
> + except KeyError:
> + return False
> + return True
> +
>
> class LDAPGroupsModel(GroupsModel):
> auth_type = 'ldap'
> def __init__(self, **kargs):
> pass
> +
> + def validate(self, gid):
> + return False
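Review bot: The parameter is named `gid`, but PAMGroupsModel.validate passes it to `grp.getgrnam`, which looks a group up by name, so `group` or `group_name` would be clearer here and in GroupsModel.validate. LDAPGroupsModel.validate returns False unconditionally, so every `groups` value is rejected with KCHVM0028E when auth_type is 'ldap'. If that is intended, a comment such as `# LDAP groups are not supported yet, so no group name is valid` would say so. `grp.getgrnam` also raises TypeError for a non-string argument, which `except KeyError` does not cover; whether the API layer guarantees strings is not visible in this patch.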
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 58686cd..777930d 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -266,16 +266,16 @@ class VMModel(object):
> users = groups = None
> if "users" in params:
> users = params["users"]
> - invalid_users = set(users) - set(self.users.get_list())
> - if len(invalid_users) != 0:
> - raise InvalidParameter("KCHVM0027E",
> - {'users': ", ".join(invalid_users)})
> + for user in users:
> + if not self.users.validate(user):
> + raise InvalidParameter("KCHVM0027E",
> + {'users': user})
> if "groups" in params:
> groups = params["groups"]
> - invalid_groups = set(groups) - set(self.groups.get_list())
> - if len(invalid_groups) != 0:
> - raise InvalidParameter("KCHVM0028E",
> - {'groups': ", ".join(invalid_groups)})
> + for group in groups:
> + if not self.groups.validate(group):
> + raise InvalidParameter("KCHVM0028E",
> + {'groups': group})
>
> if users is None and groups is None:
> return
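Review bot: The new loops raise on the first name that fails validation, so the error names a single user or group where the removed code listed all the invalid ones. Collecting the failures first keeps the old message: `invalid_users = [u for u in users if not self.users.validate(u)]`, then `if invalid_users: raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`, and the same for groups. The enclosing method starts and ends outside this hunk.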