
From: Royce Lv <lvroyce@linux.vnet.ibm.com> Put validation in user and group class instead of validate in metadata update, so that different type of authorization can use their own authentication to validate input value. Signed-off-by: Royce Lv <lvroyce@linux.vnet.ibm.com> --- src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++ src/kimchi/model/vms.py | 16 ++++++++-------- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py index a2f0941..cd47118 100644 --- a/src/kimchi/model/host.py +++ b/src/kimchi/model/host.py @@ -470,6 +470,9 @@ class UsersModel(object): def get_list(self, **args): return self.user._get_list(**args) + def validate(self, user): + return self.user.validate(user) + class PAMUsersModel(UsersModel): auth_type = 'pam' @@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel): return [user.pw_name for user in pwd.getpwall() if user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]] + def validate(self, user): + try: + user = pwd.getpwnam(user) + return user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"] + except: + return False + class LDAPUsersModel(UsersModel): auth_type = 'ldap' @@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel): def _get_list(self, _user_id=''): return self._get_user(_user_id) + def validate(self, user): + try: + self._get_user(user) + return True + except NotFoundError: + return False + def _get_user(self, _user_id): ldap_server = config.get("authentication", "ldap_server").strip('"') ldap_search_base = config.get( @@ -522,6 +539,9 @@ class GroupsModel(object): else: return list() + def validate(self, gid): + return self.grp.validate(gid) + class PAMGroupsModel(GroupsModel): auth_type = 'pam' 
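Review bot: The bare `except:` in `PAMUsersModel.validate` swallows every exception, including `SystemExit`/`KeyboardInterrupt` and any real NSS failure, and turns all of them into a quiet rejection; `pwd.getpwnam` signals an unknown user with `KeyError`, which is exactly what `PAMGroupsModel.validate` in this same patch catches. Narrow it to `except KeyError:` / `return False`. Rebinding the `user` parameter to the `pwd` entry on the way is legal but makes the function harder to read; `entry = pwd.getpwnam(user)` followed by `return entry.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]` keeps the name meaning one thing. With the narrower clause a non-string value would surface as `TypeError` instead of a silent False, which is the right outcome if the request schema already guarantees a string — worth confirming.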
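Review bot: `LDAPUsersModel.validate` maps only `NotFoundError` to False, so any other outcome of `_get_user` counts as a valid user. `_get_list` uses `_get_user('')` as its listing default, which suggests an empty `_user_id` is not treated as not-found and that `validate('')` would therefore return True — hedged, since `_get_user`'s body lies outside this hunk. A guard before the lookup, `if not user:` / `return False`, closes that regardless. Please also confirm that `_get_user` escapes `user` before placing it in the LDAP search filter (`ldap.filter.escape_filter_chars`); otherwise a value containing `*` or `)` could match an unintended entry and pass validation. Operational LDAP errors (server unreachable, bind failure) propagate out of `validate`, which is fail-closed but should be stated in a one-line docstring such as `"""Return True if *user* resolves in LDAP; NotFoundError means False, other LDAP errors propagate."""`.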
@@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel): def _get_list(self): return [group.gr_name for group in grp.getgrall()] + def validate(self, gid): + try: + grp.getgrnam(gid) + except KeyError: + return False + return True + class LDAPGroupsModel(GroupsModel): auth_type = 'ldap' def __init__(self, **kargs): pass + + def validate(self, gid): + return False diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py index 58686cd..777930d 100644 --- a/src/kimchi/model/vms.py +++ b/src/kimchi/model/vms.py @@ -266,16 +266,16 @@ class VMModel(object): users = groups = None if "users" in params: users = params["users"] - invalid_users = set(users) - set(self.users.get_list()) - if len(invalid_users) != 0: - raise InvalidParameter("KCHVM0027E", - {'users': ", ".join(invalid_users)}) + for user in users: + if not self.users.validate(user): + raise InvalidParameter("KCHVM0027E", + {'users': user}) if "groups" in params: groups = params["groups"] - invalid_groups = set(groups) - set(self.groups.get_list()) - if len(invalid_groups) != 0: - raise InvalidParameter("KCHVM0028E", - {'groups': ", ".join(invalid_groups)}) + for group in groups: + if not self.groups.validate(group): + raise InvalidParameter("KCHVM0028E", + {'groups': group}) if users is None and groups is None: return -- 1.8.3.2
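Review bot: `LDAPGroupsModel.validate` unconditionally returns False, so under LDAP authentication every `groups` value sent to the VM update is rejected with KCHVM0028E; that is a fail-closed placeholder rather than a lookup, and nothing in the code says so. Add a comment such as `# Group lookup is not implemented for LDAP yet; reject every name so no unverified group enters a VM ACL.` so the next reader neither mistakes it for a bug nor "fixes" it to return True. The parameter is named `gid` in all three group `validate` methods, but `grp.getgrnam` takes a group name, not a numeric id; `group_name` would match what the vms.py caller actually passes.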
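Review bot: The rewritten `users` loop raises on the first invalid entry, so KCHVM0027E now reports a single name where the old set difference reported all of them, and the same holds for KCHVM0028E; a client repairing an ACL learns of the remaining bad entries one round-trip at a time. Collecting the failures keeps the old message shape: `invalid_users = [u for u in users if not self.users.validate(u)]`, `if invalid_users:`, `raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`, and likewise for groups. Note that `validate` is now called once per entry, which for `LDAPUsersModel` means one directory query per name — a bounded list length in the request schema is the natural cap, worth confirming. The enclosing method starts before this hunk and continues after it.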