From 9ac25c247afc348c90197f33039c066d2a9d4247 Mon Sep 17 00:00:00 2001 From: Richard Connon Date: Fri, 14 Feb 2014 12:04:43 +0000 Subject: Lint checking for invalid default ACLs --- src/lib/Bcfg2/Server/Lint/RequiredAttrs.py | 33 +++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py index e49779a10..77934d720 100644 --- a/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py +++ b/src/lib/Bcfg2/Server/Lint/RequiredAttrs.py @@ -119,6 +119,7 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin): POSIXUser={None: dict(name=is_username)}) def Run(self): + self.check_default_acls() self.check_packages() if "Defaults" in self.core.plugins: self.logger.info("Defaults plugin enabled; skipping required " 
@@ -129,12 +130,42 @@ class RequiredAttrs(Bcfg2.Server.Lint.ServerPlugin): @classmethod def Errors(cls): - return {"unknown-entry-type": "error", + return {"missing-elements": "error", + "unknown-entry-type": "error", "unknown-entry-tag": "error", "required-attrs-missing": "error", "required-attr-format": "error", "extra-attrs": "warning"} + def check_default_acls(self): + """ Check Path entries have valid default ACLs """ + def check_acl(path): + """ Check that a default ACL contains either no entries or minimum + required entries """ + defaults = 1 if len(path.xpath( + "/ACL[@type='default' and @scope='user']")) else 0 + defaults += 1 if len(path.xpath( + "/ACL[@type='default' and @scope='user']")) else 0 + defaults += 1 if len(path.xpath( + "/ACL[@type='default' and @scope='user']")) else 0 + if defaults > 0 and defaults < 3: + self.LintError( + "missing-elements", + "A Path must have either no default ACLs or at" + " least default:user::, default:group:: and" + " default:other::") + + if 'Bundler' in self.core.plugins: + for bundle in self.core.plugins['Bundler'].entries.values(): + xdata = bundle.pnode.data + for path in xdata.xpath("//BoundPath"): + check_acl(path) + if 'Rules' in self.core.plugins: + for rules in self.core.plugins['Rules'].entries.values(): + xdata = rules.pnode.data + for path in xdata.xpath("//Path"): + check_acl(path) + def check_packages(self): """ Check Packages sources for Source entries with missing attributes. """ -- cgit v1.2.3-1-g7c22
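Review bot: All three XPath tests in `check_acl` query `@scope='user'`, so `defaults` can only be 0 or 3 and the `missing-elements` error can never be raised; a Path with an incomplete default ACL passes lint silently. The second and third tests should use `@scope='group'` and `@scope='other'`. If `path` is an lxml element, the leading `/` also makes each expression absolute from the document root rather than relative to the Path entry, so `path.xpath("ACL[@type='default' and @scope='group']")` is probably what was intended. The test also counts any entry with a given scope, named or not, which may not match the `default:user::` wording of the message; worth confirming against the ACL schema.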