author | Petr Viktorin <pviktori@redhat.com> | 2014-06-12 12:01:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-23 10:54:43 +0200 |
commit | ac8539bd344f2309f74efc6b42bddb3a925ff20f (patch) | |
tree | 42ff24c96d15c102699500d1fbef61d0a0f925ae | |
parent | 02b5074d84ad42cb6ffc2abd7a84fbff62747470 (diff) | |
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | ACI.txt | 4 | ||||
-rw-r--r-- | ipalib/plugins/group.py | 2 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 106 |
3 files changed, 105 insertions, 7 deletions
@@ -29,9 +29,9 @@ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "p
 dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
+aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 581ee70b6..d130f8668 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -126,7 +126,7 @@ class group(LDAPObject):
 object_class = ['ipausergroup']
 object_class_config = 'ipagroupobjectclasses'
 possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
- permission_filter_objectclasses = ['ipausergroup']
+ permission_filter_objectclasses = ['posixgroup', 'ipausergroup']
 search_attributes_config = 'ipagroupsearchfields'
 default_attributes = [
 'cn', 'description', 'gidnumber', 'member', 'memberof',
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index feffc2eb1..ed2032b33 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
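Review bot: The new `permission_filter_objectclasses = ['posixgroup', 'ipausergroup']` line carries no hint of why `posixgroup` is listed next to the object's own `ipausergroup` class, so the next reader has to dig out the ticket; a one-line comment above it such as `# Private groups carry only posixgroup, not ipausergroup; list both so --type group covers them` would capture the rationale from the commit message. Because this list drives the `targetfilter` of every `--type group` permission, the ACI.txt hunk shows the knock-on effect worth confirming is intended: `System: Read Groups` (bound to `userdn = "ldap:///anyone"`) and `System: Read Group Membership` (`userdn = "ldap:///all"`) now also match private groups under the groups container, so anonymous and authenticated reads of those entries' listed attributes (including `gidnumber`, `member`, `memberuid`) are newly permitted. User-created `--type group` permissions stored before this change presumably keep their old `(objectclass=ipausergroup)` filter until they are next modified; if so, the commit message or an upgrade step should say how they pick up the wider filter. The `class group(LDAPObject)` body continues outside the hunk.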
@@ -102,6 +102,8 @@ etc_dn = DN('cn=etc', api.env.basedn) nonexistent_dn = DN('cn=does not exist', api.env.basedn) admin_dn = DN('uid=admin', users_dn) +group_filter = u'(|(objectclass=ipausergroup)(objectclass=posixgroup))' + def verify_permission_aci(name, dn, acistring): """Return test dict that verifies the ACI at the given location""" @@ -1927,7 +1929,7 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(targetfilter = "(objectclass=ipausergroup)")' + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), 
@@ -1962,7 +1964,103 @@ class test_permission_sync_attributes(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + - '(targetfilter = "(objectclass=ipausergroup)")' + '(targetfilter = "%s")' % group_filter + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Set extra targetfilter on %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + extratargetfilter=u'(cn=blabla)', + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'group'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermtarget=[DN('cn=editors', groups_dn)], + ipapermlocation=[groups_dn], + targetgroup=[u'editors'], + extratargetfilter=[u'(cn=blabla)'], + ), + ), + ), + + verify_permission_aci( + permission1, groups_dn, + '(targetattr = "sn")' + + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + + '(targetfilter = "(&(cn=blabla)%s)")' % group_filter + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Retrieve %r with --all' % permission1, + command=( + 'permission_show', [permission1], dict(all=True) + ), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'group'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermincludedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermtarget=[DN('cn=editors', groups_dn)], + ipapermlocation=[groups_dn], + targetgroup=[u'editors'], + extratargetfilter=[u'(cn=blabla)'], + 
ipapermtargetfilter=[u'(cn=blabla)', group_filter], + ), + ), + ), + + dict( + desc='Set type of %r back to user' % permission1, + command=( + 'permission_mod', [permission1], dict( + type=u'user', ipapermtarget=None, + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + extratargetfilter=[u'(cn=blabla)'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "sn")' + + '(targetfilter = "(&(cn=blabla)(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2102,7 +2200,7 @@ class test_permission_sync_nice(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(targetfilter = "(objectclass=ipausergroup)")' + + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2137,7 +2235,7 @@ class test_permission_sync_nice(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + - '(targetfilter = "(objectclass=ipausergroup)")' + + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), |