authorMartin Kosek <mkosek@redhat.com>2012-05-31 12:39:24 +0200
committerMartin Kosek <mkosek@redhat.com>2012-06-01 07:51:59 +0200
commit6ff5f28142c46bf5f08fef74c261f75e1baa9f66 (patch)
tree68d497483906af2844f2668747fcce360b409306
parent0ca29fac9af4cd437a8536f28ffd25923ec3f8cd (diff)
permission-find missed some results with --pkey-only option
When the permission-find post callback detected the --pkey-only option, it simply returned. As a result, the results that could have been added from aci_find matches were not included. Fix the post callback to go through the entire matching process. Also make sure that DNS permissions have the correct objectclass (ipapermission), otherwise such objects are not matched by the permission LDAP search. https://fedorahosted.org/freeipa/ticket/2658
-rw-r--r--install/share/dns.ldif4
-rw-r--r--install/updates/40-dns.update6
-rw-r--r--ipalib/plugins/permission.py34
-rw-r--r--tests/test_xmlrpc/test_permission_plugin.py19
4 files changed, 49 insertions, 14 deletions
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index cd77fe22c..81ba21009 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -34,6 +34,7 @@ dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
+objectClass: ipapermission
cn: add dns entries
description: Add DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -43,6 +44,7 @@ dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
+objectClass: ipapermission
cn: remove dns entries
description: Remove DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -52,6 +54,7 @@ dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
+objectClass: ipapermission
cn: update dns entries
description: Update DNS entries
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -72,6 +75,7 @@ dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: groupofnames
objectClass: top
+objectClass: ipapermission
cn: Write DNS Configuration
description: Write DNS Configuration
member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 02af8e467..3dacb248f 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -1,17 +1,23 @@
# Add missing member values to attach permissions to their respective
# privileges and run a memberOf task.
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
+dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
+
dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
add: objectClass: top
add: objectClass: extensibleObject
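Review bot: The header comment `# Add missing member values to attach permissions to their respective privileges and run a memberOf task.` no longer describes the file once the `addifexist:objectclass: ipapermission` lines are in it; suggest `# Add the ipapermission objectClass and missing member values to attach permissions to their respective privileges, then run a memberOf task.` The new `cn=Write DNS Configuration` stanza adds only the objectclass, unlike the three entries above it which also receive member values; if that asymmetry is intended (its privilege membership presumably already comes from dns.ldif), a one-line comment saying so would spare the next reader from checking. The memberOf task stanza continues past the end of this hunk.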
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index a484ff640..d6fe385b1 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -350,19 +350,19 @@ class permission_find(LDAPSearch):
has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
- if options.pop('pkey_only', False):
- return truncated
- for entry in entries:
- (dn, attrs) = entry
- try:
- aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
-
- # copy information from respective ACI to permission entry
- for attr in self.obj.aci_attributes:
- if attr in aci:
- attrs[attr] = aci[attr]
- except errors.NotFound:
- self.debug('ACI not found for %s' % attrs['cn'][0])
+ pkey_only = options.pop('pkey_only', False)
+ if not pkey_only:
+ for entry in entries:
+ (dn, attrs) = entry
+ try:
+ aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
+
+ # copy information from respective ACI to permission entry
+ for attr in self.obj.aci_attributes:
+ if attr in aci:
+ attrs[attr] = aci[attr]
+ except errors.NotFound:
+ self.debug('ACI not found for %s' % attrs['cn'][0])
if truncated:
# size/time limit met, no need to search acis
return truncated
@@ -406,9 +406,15 @@ class permission_find(LDAPSearch):
permission = self.api.Command.permission_show(aci['permission'], **options)['result']
dn = permission['dn']
del permission['dn']
+ if pkey_only:
+ new_entry = (dn, {self.obj.primary_key.name: \
+ permission[self.obj.primary_key.name]})
+ else:
+ new_entry = (dn, permission)
+
if (dn, permission) not in entries:
if len(entries) < max_entries:
- entries.append((dn, permission))
+ entries.append(new_entry)
else:
truncated = True
break
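Review bot: The duplicate check `if (dn, permission) not in entries:` still compares the full permission_show tuple, even though with --pkey-only `new_entry` is reduced to the primary key precisely so that it matches the shape of the LDAP-side entries; if those entries are pkey-only dicts (as the new_entry construction suggests), a permission that matched both the LDAP search and aci_find is appended twice, inflating `count` and the max_entries/truncated accounting. Check the entry that is actually appended, `if new_entry not in entries:`, or better compare on `dn` alone so the test does not depend on which attributes each side happens to carry. The backslash in `new_entry = (dn, {self.obj.primary_key.name: \` is redundant inside the open parenthesis and can be dropped. Both post_callback and the loop over aci results that this hunk sits in begin outside the hunk.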
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index d8ff14903..6613c9bba 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -368,6 +368,25 @@ class test_permission(Declarative):
dict(
+ desc='Search by ACI attribute with --pkey-only',
+ command=('permission_find', [], {'pkey_only': True,
+ 'attrs': [u'krbminpwdlife']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[
+ {
+ 'dn': lambda x: DN(x) == DN(('cn','Modify Group Password Policy'),
+ api.env.container_permission,api.env.basedn),
+ 'cn': [u'Modify Group Password Policy'],
+ },
+ ],
+ ),
+ ),
+
+
+ dict(
desc='Search for %r' % privilege1,
command=('privilege_find', [privilege1], {}),
expected=dict(
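Review bot: The new case only exercises the aci_find-derived path with --pkey-only: `'Modify Group Password Policy'` is located via `attrs`, which presumably does not match the LDAP search, so the deduplication at the `not in entries` check in post_callback is never reached in pkey-only mode. A second case whose search term matches the same permission both directly (by name) and through its ACI, still expecting `count=1`, would pin that a pkey-only result is not listed twice, assuming Declarative compares result dicts exactly as it appears to here. The test_permission class continues outside the hunk.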