[Freeipa-devel] [PATCH, master] 0039 Allow hbactest to work with HBAC rules exceeding default IPA limits

Alexander Bokovoy abokovoy at redhat.com
Tue Jan 10 09:24:56 UTC 2012


When multiple HBAC rules are defined, IPA's default limits on retrieving 
objects may limit the scope of HBAC testing. To allow the full range of 
rules to be tested, support for the --sizelimit option is added.

In addition, when the --rules option is specified, make sure only those 
rules are retrieved regardless of the total number of rules defined. This 
should also speed up HBAC test performance for real-life scenarios 
where a few new rules are added to a large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230

-- 
/ Alexander Bokovoy
From 44261e7c9263cc6d4e1ca8132750ff29228dfa82 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Tue, 10 Jan 2012 11:15:26 +0200
Subject: [PATCH] Allow hbactest to work with HBAC rules exceeding default IPA
 limits

When multiple HBAC rules are defined, IPA's default limits on retrieving
objects may limit the scope of HBAC testing. To allow the full range of rules
to be tested, support for the --sizelimit option is added.

In addition, when the --rules option is specified, make sure only those rules
are retrieved regardless of the total number of rules defined. This should also
speed up HBAC test performance for real-life scenarios where a few new rules
are added to a large collection of rules.

https://fedorahosted.org/freeipa/ticket/2230
---
 API.txt                    |    3 ++-
 ipalib/plugins/hbactest.py |   28 +++++++++++++++++++++++++---
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 493d5a3ff235e2a6f2599896114365af54086d16..60e6316e1c7f5de3adaeeecd3896fe8a422c4c38 100644
--- a/API.txt
+++ b/API.txt
@@ -1455,7 +1455,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('value', <type 'unicode'>, None)
 command: hbactest
-args: 0,8,6
+args: 0,9,6
 option: Str('user', cli_name='user', primary_key=True)
 option: Str('sourcehost?', cli_name='srchost')
 option: Str('targethost', cli_name='host')
@@ -1464,6 +1464,7 @@ option: Str('rules*', cli_name='rules', csv=True)
 option: Flag('nodetail?', autofill=True, cli_name='nodetail', default=False)
 option: Flag('enabled?', autofill=True, cli_name='enabled', default=False)
 option: Flag('disabled?', autofill=True, cli_name='disabled', default=False)
+option: Int('sizelimit?', autofill=False, minvalue=0)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('warning', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
 output: Output('matched', (<type 'list'>, <type 'tuple'>, <type 'NoneType'>), None)
diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
index f1b608d21a69bbd57577455157d8e78e11a54733..92b7145a3fca717b4699749c2ec2b88ae3647cd5 100644
--- a/ipalib/plugins/hbactest.py
+++ b/ipalib/plugins/hbactest.py
@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib import api, errors, output
-from ipalib import Command, Str, Flag
+from ipalib import Command, Str, Flag, Int
 from types import NoneType
 from ipalib.cli import to_cli
 from ipalib import _, ngettext
@@ -40,7 +40,7 @@ having access to the production environment.
 
  ipa hbactest --user= --host= --service=
               [--rules=rules-list] [--nodetail] [--enabled] [--disabled]
-              [--srchost= ]
+              [--srchost= ] [--sizelimit= ]
 
  --user, --host, and --service are mandatory, others are optional.
 
@@ -57,6 +57,8 @@ having access to the production environment.
  all IPA enabled rules.
 
  If no --rules specified, simulation is run against all IPA enabled rules.
+ By default there is a IPA-wide limit to number of entries fetched, you can change it
+ with --sizelimit option.
 
  If --srchost is specified, it will be ignored. It is left because of compatibility reasons only.
 
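Review bot: "a IPA-wide limit" should read "an IPA-wide limit", and since --sizelimit is only honoured when --rules is absent (as the doc string of the new parameter further down in this patch says), this paragraph should state that explicitly instead of leaving it to the option's help text.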
@@ -208,6 +210,13 @@ class hbactest(Command):
              cli_name='disabled',
              label=_('Include all disabled IPA rules into test'),
         ),
+        Int('sizelimit?',
+            label=_('Size Limit'),
+            doc=_('Maximum number of rules to process when no --rules is specified'),
+            flags=['no_display'],
+            minvalue=0,
+            autofill=False,
+        ),
     )
 
     def canonicalize(self, host):
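Review bot: the `doc` string says when --sizelimit applies but not what a value of 0 means, and `minvalue=0` accepts it; if 0 means "no limit" here (python-ldap treats a size limit of 0 as no client-side limit), say so in the doc, otherwise users who pass 0 expecting an unlimited fetch will get a misleading simulation result.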
@@ -224,7 +233,6 @@ class hbactest(Command):
         # 2. Required options are (user, source host, target host, service)
         # 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output
         rules = []
-        hbacset = self.api.Command.hbacrule_find()['result']
 
         # Use all enabled IPA rules by default
         all_enabled = True
@@ -238,6 +246,10 @@ class hbactest(Command):
             all_enabled = False
             all_disabled = False
 
+        sizelimit = None
+        if 'sizelimit' in options:
+            sizelimit = int(options['sizelimit'])
+
         # Check if --disabled is specified, include all disabled IPA rules
         if options['disabled']:
             all_disabled = True
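Review bot: the `int()` cast is redundant, the `Int` parameter type has already validated and converted the value, so `sizelimit = options.get('sizelimit')` expresses the same thing in one line. Note also that `sizelimit` is always passed to `hbacrule_find` in the following hunk, so when the option is absent the keyword is sent as an explicit None; that is only correct if hbacrule_find treats an explicit None the same as an omitted option.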
@@ -247,6 +259,16 @@ class hbactest(Command):
         if options['enabled']:
             all_enabled = True
 
+        hbacset = []
+        if len(testrules) == 0:
+            hbacset = self.api.Command.hbacrule_find(sizelimit=sizelimit)['result']
+        else:
+            for rule in testrules:
+                try:
+                    hbacset.append(self.api.Command.hbacrule_show(rule)['result'])
+                except:
+                    pass
+
         # We have some rules, import them
         # --enabled will import all enabled rules (default)
         # --disabled will import all disabled rules
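Review bot: the bare `except: pass` in the `else` branch silently drops any rule named in --rules that `hbacrule_show` cannot return (a mistyped name, a rule the caller is not permitted to read, an LDAP error), so the simulation runs against fewer rules than the user asked for and still reports a result that looks authoritative; for an access-control simulator that is a wrong answer, not a graceful fallback. Catch `errors.NotFound` explicitly (`errors` is already imported at the top of the module), surface the missing rule, for example by appending a message to the command's `warning` output that API.txt already declares, and let any other exception propagate. Also, `testrules` is not defined anywhere in this patch, so please confirm it is the existing list built from options['rules'] before this point.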
-- 
1.7.8