[Kimchi-devel] [PATCHv2 6/7] Move validation to user and host

Aline Manera alinefm at linux.vnet.ibm.com
Thu Oct 30 17:04:31 UTC 2014


On 10/28/2014 11:37 AM, lvroyce0210 at gmail.com wrote:
> From: Royce Lv <lvroyce at linux.vnet.ibm.com>
>
> Put validation in the user and group classes instead of validating
> in the metadata update, so that each type of authorization
> can use its own authentication to validate the input value.
>
> Signed-off-by: Royce Lv <lvroyce at linux.vnet.ibm.com>
> ---
>   src/kimchi/model/host.py | 30 ++++++++++++++++++++++++++++++
>   src/kimchi/model/vms.py  | 16 ++++++++--------
>   2 files changed, 38 insertions(+), 8 deletions(-)
>
> diff --git a/src/kimchi/model/host.py b/src/kimchi/model/host.py
> index a2f0941..cd47118 100644
> --- a/src/kimchi/model/host.py
> +++ b/src/kimchi/model/host.py
> @@ -470,6 +470,9 @@ class UsersModel(object):
>       def get_list(self, **args):
>           return self.user._get_list(**args)
>
> +    def validate(self, user):
> +        return self.user.validate(user)
> +
>
>   class PAMUsersModel(UsersModel):
>       auth_type = 'pam'
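Review bot: The new `UsersModel.validate` has no docstring stating the contract every backend must keep, and the same applies to `GroupsModel.validate` in the later hunk. The caller in vms.py treats a falsy return as the only rejection signal, so the contract should be spelled out. For example: `"""Return True if user is an account the active auth backend accepts, else False; must not raise for an unknown name."""`. As written, the PAM and LDAP implementations already differ in which errors they swallow, which is the sort of drift a stated contract prevents.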
> @@ -480,6 +483,13 @@ class PAMUsersModel(UsersModel):
>           return [user.pw_name for user in pwd.getpwall()
>                   if user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]]

> +    def validate(self, user):
> +        try:
> +            user = pwd.getpwnam(user)
> +            return user.pw_shell.rsplit("/")[-1] not in ["nologin", "false"]
> +        except:
> +            return False
> +

You can use _get_list() to do it:

return user in self.get_list()

>   class LDAPUsersModel(UsersModel):
>       auth_type = 'ldap'
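Review bot: The bare `except:` in `PAMUsersModel.validate` catches far more than the missing-account case. `pwd.getpwnam` reports an unknown name with KeyError, while a TypeError from a non-string value, KeyboardInterrupt and SystemExit are all silently turned into "invalid user" as well. Narrow it to `except KeyError:`, as `PAMGroupsModel.validate` does later in this patch, so real faults surface instead of being reported as a bad user name. Failing closed is the right default for an access-control check, but it should not hide unrelated errors.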
> @@ -489,6 +499,13 @@ class LDAPUsersModel(UsersModel):
>       def _get_list(self, _user_id=''):
>           return self._get_user(_user_id)
>
> +    def validate(self, user):
> +        try:
> +            self._get_user(user)
> +            return True
> +        except NotFoundError:
> +            return False
> +
>       def _get_user(self, _user_id):
>           ldap_server = config.get("authentication", "ldap_server").strip('"')
>           ldap_search_base = config.get(
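Review bot: `LDAPUsersModel.validate` passes the submitted name straight into `_get_user`, whose body continues outside this hunk, so how `_user_id` reaches the LDAP search is not visible here. If it is substituted into the search filter, escape it first (with python-ldap, `ldap.filter.escape_filter_chars(_user_id)`). Otherwise filter metacharacters in a submitted name could make the search match something other than the exact account, and validate would return True for it. Only NotFoundError is mapped to "invalid", so connection or bind failures propagate to the caller; that is probably intended, but a short comment saying so would help.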
> @@ -522,6 +539,9 @@ class GroupsModel(object):
>           else:
>               return list()
>
> +    def validate(self, gid):
> +        return self.grp.validate(gid)
> +
>
>   class PAMGroupsModel(GroupsModel):
>       auth_type = 'pam'
> @@ -531,8 +551,18 @@ class PAMGroupsModel(GroupsModel):
>       def _get_list(self):
>           return [group.gr_name for group in grp.getgrall()]
>
> +    def validate(self, gid):
> +        try:
> +            grp.getgrnam(gid)
> +        except KeyError:
> +            return False
> +        return True
> +
>
>   class LDAPGroupsModel(GroupsModel):
>       auth_type = 'ldap'
>       def __init__(self, **kargs):
>           pass
> +
> +    def validate(self, gid):
> +        return False
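Review bot: `LDAPGroupsModel.validate` returns False unconditionally, so under LDAP authentication every group submitted through the VM update is rejected with KCHVM0028E. That error presumably reads as an invalid group rather than "groups are not supported with LDAP". Failing closed is fine, but say so in the code, e.g. `# LDAP group lookup is not implemented; reject every group`. Separately, the parameter of `PAMGroupsModel.validate` is named `gid` but is looked up with `grp.getgrnam`, so it is a group name; `group` would avoid suggesting a numeric id.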
> diff --git a/src/kimchi/model/vms.py b/src/kimchi/model/vms.py
> index 58686cd..777930d 100644
> --- a/src/kimchi/model/vms.py
> +++ b/src/kimchi/model/vms.py
> @@ -266,16 +266,16 @@ class VMModel(object):
>           users = groups = None
>           if "users" in params:
>               users = params["users"]
> -            invalid_users = set(users) - set(self.users.get_list())
> -            if len(invalid_users) != 0:
> -                raise InvalidParameter("KCHVM0027E",
> -                                       {'users': ", ".join(invalid_users)})
> +            for user in users:
> +                if not self.users.validate(user):
> +                    raise InvalidParameter("KCHVM0027E",
> +                                           {'users': user})
>           if "groups" in params:
>               groups = params["groups"]
> -            invalid_groups = set(groups) - set(self.groups.get_list())
> -            if len(invalid_groups) != 0:
> -                raise InvalidParameter("KCHVM0028E",
> -                                       {'groups': ", ".join(invalid_groups)})
> +            for group in groups:
> +                if not self.groups.validate(group):
> +                    raise InvalidParameter("KCHVM0028E",
> +                                           {'groups': group})
>
>           if users is None and groups is None:
>               return
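Review bot: The new loops raise on the first name that fails validation, so the KCHVM0027E and KCHVM0028E errors now name only one entry where the removed code listed every invalid one. Collecting first keeps the per-backend validation and the old message: `invalid_users = [u for u in users if not self.users.validate(u)]` followed by `if invalid_users: raise InvalidParameter("KCHVM0027E", {'users': ", ".join(invalid_users)})`, and likewise for groups. The enclosing method starts and ends outside this hunk, so whether `params["users"]` is guaranteed to be a list of strings cannot be confirmed here. If it is not, a bare string would be iterated character by character, so a type check before the loop would be worth adding.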



