diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-02-25 17:24:02 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-25 14:18:12 +0100 |
commit | 1df9b5836ad26bab3513b726305f5e061424e2c9 (patch) | |
tree | 25a46abf01a2cebc371309e488c3b823a236cfc3 | |
parent | d0e83dbccfdb35b1cdd4963ce4ffb2ff0627b066 (diff) | |
download | freeipa-1df9b5836ad26bab3513b726305f5e061424e2c9.tar.gz freeipa-1df9b5836ad26bab3513b726305f5e061424e2c9.tar.xz freeipa-1df9b5836ad26bab3513b726305f5e061424e2c9.zip |
Allow modifying permissions with ":" in the name
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.
Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.
(* modify/delete have unrelated restrictions on managed permissions)
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | API.txt | 14 | ||||
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 31 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 25 |
4 files changed, 63 insertions, 11 deletions
@@ -2350,7 +2350,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: permission_add_member args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True) @@ -2361,7 +2361,7 @@ output: Output('failed', <type 'dict'>, None) output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: permission_add_noaci args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', multivalue=False, required=True) option: Str('ipapermissiontype', cli_name='ipapermissiontype', multivalue=True, required=True) option: Flag('no_members', autofill=True, cli_name='no_members', default=False, exclude='webui', multivalue=False, required=True) @@ -2372,7 +2372,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: permission_del args: 1,3,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True) option: Flag('continue', autofill=True, cli_name='continue', default=False) option: Flag('force', autofill=True, default=False) option: Str('version?', exclude='webui') @@ -2384,7 +2384,7 @@ args: 1,24,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False) -option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False) +option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=False) option: Str('extratargetfilter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False) option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous')) @@ -2412,7 +2412,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('truncated', <type 'bool'>, None) command: permission_mod args: 1,24,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False) @@ -2442,7 +2442,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: permission_remove_member args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True) @@ -2453,7 +2453,7 @@ output: Output('failed', <type 'dict'>, None) output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: permission_show args: 1,5,3 -arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) +arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.:]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') @@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=79 -# Last change: pviktori - rename --permission to --right +IPA_API_VERSION_MINOR=80 +# Last change: pviktori - ":" in permission names diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index b9aedbee7..987b9199a 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -147,6 +147,18 @@ def validate_type(ugettext, typestr): return _('"%s" is not a valid permission type') % typestr +def _disallow_colon(option): + """Given a "cn" option, return a new "cn" option with ':' disallowed + + Used in permission-add and for --rename in permission-mod to prevent user + from creating new permissions with ":" in the name. + """ + return option.clone( + pattern='^[-_ a-zA-Z0-9.]+$', + pattern_errmsg="May only contain letters, numbers, -, _, ., and space", + ) + + @register() class permission(baseldap.LDAPObject): """ @@ -176,8 +188,9 @@ class permission(baseldap.LDAPObject): cli_name='name', label=_('Permission name'), primary_key=True, - pattern='^[-_ a-zA-Z0-9.]+$', - pattern_errmsg="May only contain letters, numbers, -, _, ., and space", + pattern='^[-_ a-zA-Z0-9.:]+$', + pattern_errmsg="May only contain letters, numbers, " + "-, _, ., :, and space", ), StrEnum( 'ipapermright*', @@ -877,6 +890,13 @@ class permission_add(baseldap.LDAPCreate): self.obj.preprocess_options(options, merge_targetfilter=True) return super(permission_add, self).execute(*keys, **options) + def get_args(self): + for arg in super(permission_add, self).get_args(): + if arg.name == 'cn': + yield _disallow_colon(arg) + else: + yield arg + def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options): entry['ipapermissiontype'] = ['SYSTEM', 'V2'] entry['cn'] = list(keys) @@ -966,6 +986,13 @@ class permission_mod(baseldap.LDAPUpdate): options, return_filter_ops=True) return super(permission_mod, self).execute(*keys, **options) + def get_options(self): + for opt in super(permission_mod, self).get_options(): + if opt.name == 'rename': + yield _disallow_colon(opt) + else: + yield opt + def pre_callback(self, ldap, dn, entry, attrs_list, *keys, **options): if 'rename' in options and not options['rename']: raise errors.ValidationError(name='rename', diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 5f305aa54..105f713f5 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -245,6 +245,18 @@ class test_permission_negative(Declarative): verify_permission_aci_missing(permission1, users_dn), dict( + desc='Try to create permission with : in the name', + command=('permission_add', ['bad:' + permission1], dict( + type=u'user', + ipapermright=u'write', + )), + expected=errors.ValidationError(name='name', + error='May only contain letters, numbers, -, _, ., and space'), + ), + + verify_permission_aci_missing(permission1, users_dn), + + dict( desc='Try to create permission with full and extra target filter', command=('permission_add', [permission1], dict( type=u'user', @@ -1522,6 +1534,19 @@ class test_permission(Declarative): name='ipapermlocation', error='Entry %s does not exist' % nonexistent_dn) ), + + dict( + desc='Search for nonexisting permission with ":" in the name', + command=( + 'permission_find', ['doesnotexist:' + permission1], {} + ), + expected=dict( + count=0, + truncated=False, + summary=u'0 permissions matched', + result=[], + ), + ), ] |