author | Petr Viktorin <pviktori@redhat.com> | 2014-03-07 18:56:35 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-03-14 10:14:05 +0100 |
commit | 29eef98c7609d83b44a653f967cd4cc44b577497 (patch) | |
tree | 76140b6ded81372d4b856bc67d678f7357f782d4 | |
parent | fe2a41e8a3906eff51e66ff3a6204304a44fdeef (diff) | |
permission plugin: Support searching by extratargetfilter
The extratargetfilter behaves exactly like targetfilter, so that e.g.
ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.
Part of the work for https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r-- | ipalib/plugins/permission.py | 2 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 42 |
2 files changed, 43 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 3319028f2..cd8981d90 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -1115,7 +1115,7 @@ class permission_find(baseldap.LDAPSearch):
 has_output_params = baseldap.LDAPSearch.has_output_params + output_params
 def execute(self, *keys, **options):
- self.obj.preprocess_options(options)
+ self.obj.preprocess_options(options, merge_targetfilter=True)
 return super(permission_find, self).execute(*keys, **options)
 def pre_callback(self, ldap, filters, attrs_list, base_dn, scope,
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 2a86a7437..e9a892675 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
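Review bot: The new `merge_targetfilter=True` argument in `permission_find.execute` (ipalib/plugins/permission.py) is passed without any comment, and `preprocess_options` is defined outside this hunk, so a reader cannot tell from here why the find command treats its options differently. A short comment above the call would help, for example `# Search only: fold extratargetfilter into ipapermtargetfilter so either option matches any filter stored in the ACI`. Because the target filter decides which entries an ACI applies to, it is worth confirming that the flag defaults to off, so that only the search path merges the two options; that is presumably the case but is not visible in this hunk.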
@@ -2382,6 +2382,48 @@ class test_permission_targetfilter(Declarative): 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn ), + ] + [ + dict( + desc='Search for %r using %s %s' % (permission1, value_name, option_name), + command=( + 'permission_find', [], + {option_name: value, 'all': True} + ), + expected=dict( + summary=u'1 permission matched' if should_find else u'0 permissions matched', + truncated=False, + count=1 if should_find else 0, + result=[dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermincludedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + memberof=[u'admins'], + extratargetfilter=[u'(cn=*)'], + ipapermtargetfilter=[ + u'(cn=*)', + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)'], + )] if should_find else [], + ), + ) + for option_name in ( + 'extratargetfilter', + 'ipapermtargetfilter', + ) + for value_name, value, should_find in ( + ('"extra"', u'(cn=*)', True), + ('"non-extra"', u'(objectclass=posixaccount)', True), + ('non-existing', u'(sn=insert a very improbable last name)', False), + ) + ] + [ + ] |
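Review bot: The generated `permission_find` cases pass `[]` as criteria and expect `count=1`, so they depend on `permission1` being the only permission on the test server whose target filter contains `(cn=*)` or `(objectclass=posixaccount)`. If any other permission ever carries one of those filters, the positive cases fail for reasons unrelated to this change. Pinning the search to the permission under test keeps the assertion about filter matching only: `'permission_find', [permission1],`. The surrounding test list starts outside this hunk.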