From 9ac25c247afc348c90197f33039c066d2a9d4247 Mon Sep 17 00:00:00 2001
From: Richard Connon
Date: Fri, 14 Feb 2014 12:04:43 +0000
Subject: Lint checking for invalid default ACLs
---
 src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 33 +++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)
(limited to 'src/lib/Bcfg2/Server/Lint/RequiredAttrs.py')
diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
index e49779a10..77934d720 100644
--- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
+++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
@@ -119,6 +119,7 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 POSIXUser={None: dict(name=is_username)})
 def Run(self):
+ self.check_default_acls()
 self.check_packages()
 if "Defaults" in self.core.plugins:
 self.logger.info("Defaults plugin enabled; skipping required "
@@ -129,12 +130,42 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 @classmethod
 def Errors(cls):
- return {"unknown-entry-type": "error",
+ return {"missing-elements": "error",
+ "unknown-entry-type": "error",
 "unknown-entry-tag": "error",
 "required-attrs-missing": "error",
 "required-attr-format": "error",
 "extra-attrs": "warning"}
+ def check_default_acls(self):
+ """ Check Path entries have valid default ACLs """
+ def check_acl(path):
+ """ Check that a default ACL contains either no entries or minimum
+ required entries """
+ defaults = 1 if len(path.xpath(
+ "/ACL[@type='default' and @scope='user']")) else 0
+ defaults += 1 if len(path.xpath(
+ "/ACL[@type='default' and @scope='user']")) else 0
+ defaults += 1 if len(path.xpath(
+ "/ACL[@type='default' and @scope='user']")) else 0
+ if defaults > 0 and defaults < 3:
+ self.LintError(
+ "missing-elements",
+ "A Path must have either no default ACLs or at"
+ " least default:user::, default:group:: and"
+ " default:other::")
+
+ if 'Bundler' in self.core.plugins:
+ for bundle in self.core.plugins['Bundler'].entries.values():
+ xdata = bundle.pnode.data
+ for path in xdata.xpath("//BoundPath"):
+ check_acl(path)
+ if 'Rules' in self.core.plugins:
+ for rules in self.core.plugins['Rules'].entries.values():
+ xdata = rules.pnode.data
+ for path in xdata.xpath("//Path"):
+ check_acl(path)
+
 def check_packages(self):
 """ Check Packages sources for Source entries with missing
 attributes. """
-- cgit v1.2.3-1-g7c22
From 06bc91f8a8c919e5e552f46386841a75fcc3619a Mon Sep 17 00:00:00 2001
From: Richard Connon
Date: Fri, 14 Feb 2014 12:10:04 +0000
Subject: Correct XML source for bundles in default ACL Lint
---
 src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/lib/Bcfg2/Server/Lint/RequiredAttrs.py')
diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
index 77934d720..fce90154e 100644
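Review bot: In the nested `check_acl` of `check_default_acls`, all three `path.xpath` calls use the same predicate, `@scope='user'`, so `defaults` can only end up as 0 or 3 and the `defaults > 0 and defaults < 3` branch never runs; an incomplete default ACL is not reported. The second and third queries should test `@scope='group'` and `@scope='other'`. The leading `/` also makes each expression absolute, so it is evaluated from the document root rather than from the Path element passed in; a relative form such as `ACL[@type='default' and @scope='group']` selects that entry's own children. As written the check passes every input, which reads as assurance that the ACLs were validated when they were not.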
--- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
+++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
@@ -157,7 +157,7 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 if 'Bundler' in self.core.plugins:
 for bundle in self.core.plugins['Bundler'].entries.values():
- xdata = bundle.pnode.data
+ xdata = lxml.etree.XML(bundle.data)
 for path in xdata.xpath("//BoundPath"):
 check_acl(path)
 if 'Rules' in self.core.plugins:
-- cgit v1.2.3-1-g7c22
From e4b2b05de382743883ee613236d4647c588d811d Mon Sep 17 00:00:00 2001
From: Richard Connon
Date: Fri, 14 Feb 2014 23:29:48 +0000
Subject: Working lint check for invalid default ACLs
---
 src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 47 ++++++++++++------------------
 1 file changed, 18 insertions(+), 29 deletions(-)
(limited to 'src/lib/Bcfg2/Server/Lint/RequiredAttrs.py')
diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
index fce90154e..bb0d6956a 100644
--- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
+++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
@@ -119,7 +119,6 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 POSIXUser={None: dict(name=is_username)})
 def Run(self):
- self.check_default_acls()
 self.check_packages()
 if "Defaults" in self.core.plugins:
 self.logger.info("Defaults plugin enabled; skipping required "
@@ -137,34 +136,21 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 "required-attr-format": "error",
 "extra-attrs": "warning"}
- def check_default_acls(self):
- """ Check Path entries have valid default ACLs """
- def check_acl(path):
- """ Check that a default ACL contains either no entries or minimum
- required entries """
- defaults = 1 if len(path.xpath(
- "/ACL[@type='default' and @scope='user']")) else 0
- defaults += 1 if len(path.xpath(
- "/ACL[@type='default' and @scope='user']")) else 0
- defaults += 1 if len(path.xpath(
- "/ACL[@type='default' and @scope='user']")) else 0
- if defaults > 0 and defaults < 3:
- self.LintError(
- "missing-elements",
- "A Path must have either no default ACLs or at"
- " least default:user::, default:group:: and"
- " default:other::")
-
- if 'Bundler' in self.core.plugins:
- for bundle in self.core.plugins['Bundler'].entries.values():
- xdata = lxml.etree.XML(bundle.data)
- for path in xdata.xpath("//BoundPath"):
- check_acl(path)
- if 'Rules' in self.core.plugins:
- for rules in self.core.plugins['Rules'].entries.values():
- xdata = rules.pnode.data
- for path in xdata.xpath("//Path"):
- check_acl(path)
+ def check_default_acl(self, path):
+ """ Check that a default ACL contains either no entries or minimum
+ required entries """
+ defaults = 1 if path.xpath(
+ "ACL[@type='default' and @scope='user' and @user='']") else 0
+ defaults += 1 if path.xpath(
+ "ACL[@type='default' and @scope='group' and @group='']") else 0
+ defaults += 1 if path.xpath(
+ "ACL[@type='default' and @scope='other']") else 0
+ if defaults > 0 and defaults < 3:
+ self.LintError(
+ "missing-elements",
+ "A Path must have either no default ACLs or at"
+ " least default:user::, default:group:: and"
+ " default:other::")
 def check_packages(self):
 """ Check Packages sources for Source entries with missing
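Review bot: The `missing-elements` message raised in the new `check_default_acl` does not identify the entry that failed: it carries neither the Path's name nor its XML, so on a repository with many Path entries the finding cannot be located. `path` is already in hand, so the last string could end `" default:other::\n%s" % self.RenderXML(path))`, assuming the `RenderXML` helper used elsewhere in this class accepts any element. The removed `check_acl` version of this check had the same message text.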
@@ -265,6 +251,9 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 required_attrs['major'] = is_device_mode
 required_attrs['minor'] = is_device_mode
+ if tag == 'Path':
+ self.check_default_acl(entry)
+
 if tag == 'ACL' and 'scope' in required_attrs:
 required_attrs[entry.get('scope')] = is_username
-- cgit v1.2.3-1-g7c22
From 304cf13f4988312a4ec6ac14fff79bc74737e3ee Mon Sep 17 00:00:00 2001
From: Richard Connon
Date: Tue, 18 Feb 2014 14:46:49 +0000
Subject: support python 2.4 for default ACL checking in Lint
---
 src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
(limited to 'src/lib/Bcfg2/Server/Lint/RequiredAttrs.py')
diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
index bb0d6956a..1d12ee461 100644
--- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
+++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
@@ -139,12 +139,13 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 def check_default_acl(self, path):
 """ Check that a default ACL contains either no entries or minimum
 required entries """
- defaults = 1 if path.xpath(
- "ACL[@type='default' and @scope='user' and @user='']") else 0
- defaults += 1 if path.xpath(
- "ACL[@type='default' and @scope='group' and @group='']") else 0
- defaults += 1 if path.xpath(
- "ACL[@type='default' and @scope='other']") else 0
+ defaults = 0
+ if path.xpath("ACL[@type='default' and @scope='user' and @user='']"):
+ defaults += 1
+ if path.xpath("ACL[@type='default' and @scope='group' and @group='']"):
+ defaults += 1
+ if path.xpath("ACL[@type='default' and @scope='other']"):
+ defaults += 1
 if defaults > 0 and defaults < 3:
 self.LintError(
 "missing-elements",
-- cgit v1.2.3-1-g7c22
From 1f0515a25551eee4dce6af96210aef8f6fdc0e8c Mon Sep 17 00:00:00 2001
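Review bot: Calling `check_default_acl` only from inside `check_entry` (the `if tag == 'Path':` lines) ties the default-ACL check to whatever gates `check_entry`, whereas the removed `self.check_default_acls()` call ran unconditionally at the top of `Run`. The visible context of `Run` has a "Defaults plugin enabled; skipping required …" branch; if the callers of `check_entry` are what that branch skips (not visible in these hunks), the ACL check no longer runs on servers with the Defaults plugin enabled. If that is intended, state it in the docstring of `check_default_acl`, e.g. `Only reached via check_entry, so not run when the Defaults plugin is enabled`; otherwise invoke the check from a path that does not depend on that branch. `check_entry` starts and ends outside this hunk.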
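Review bot: Nothing in the rewritten `check_default_acl` records why the three conditional expressions were unrolled into `if` blocks, so a later cleanup is likely to fold them back and break Python 2.4 again. A one-line comment above `defaults = 0`, such as `# no conditional expressions here: this module must still run on Python 2.4`, keeps the constraint next to the code it explains. The function's `LintError` call continues past the end of the hunk.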
From: "Chris St. Pierre"
Date: Sun, 23 Feb 2014 23:54:28 -0500
Subject: bcfg2-lint: Verify abstract Package tags
---
 src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'src/lib/Bcfg2/Server/Lint/RequiredAttrs.py')
diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
index 1d12ee461..ce8b237b9 100644
--- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
+++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py
@@ -214,6 +214,16 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin):
 xdata.xpath("//*[substring(name(), 1, 5) = 'Bound']"):
 self.check_entry(path, bundle.name)
+ # ensure that abstract Package tags have either name
+ # or group specified
+ for package in xdata.xpath("//Package"):
+ if ('name' not in package.attrib and
+ 'group' not in package.attrib):
+ self.LintError(
+ "required-attrs-missing",
+ "Package tags require either a 'name' or 'group' "
+ "attribute: \n%s" % self.RenderXML(package))
+
 def check_entry(self, entry, filename):
 """ Generic entry check.
-- cgit v1.2.3-1-g7c22
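Review bot: The new loop over `//Package` tests only whether the attributes are present, so a tag with an empty value (for example `<Package name=""/>`, a constructed sample) satisfies `'name' not in package.attrib` as false and is not reported. Testing the values instead, `if not package.get('name') and not package.get('group'):`, covers both the missing and the empty case. The message string also has a stray space before the newline in `"attribute: \n%s"`. The enclosing method starts above the hunk, so whether this loop sits under the same file filter as the `check_entry` call is not visible here.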