authorPetr Viktorin <pviktori@redhat.com>2012-03-02 12:42:27 -0500
committerMartin Kosek <mkosek@redhat.com>2012-03-12 16:02:29 +0100
commit1dc11a01d7e2a8e561b3a79aa97bf0939cd3fd25 (patch)
treea1b4f8403f163761c2c0bcc070fb178dad8967c9
parent71d134dfa03eb86066eeb331815647bdff04aaa8 (diff)
Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings. Differences in serializations meant commands with special characters weren't found in the checked list. Use the DN class to compare DNs correctly. https://fedorahosted.org/freeipa/ticket/2483
-rw-r--r--ipalib/plugins/baseldap.py4
-rw-r--r--ipaserver/plugins/ldap2.py6
-rw-r--r--tests/test_xmlrpc/test_sudocmdgroup_plugin.py72
3 files changed, 77 insertions, 5 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index c0f25479a..cf5d8d20e 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1583,8 +1583,8 @@ class LDAPRemoveMember(LDAPModMember):
completed = 0
for (attr, objs) in member_dns.iteritems():
- for ldap_obj_name in objs:
- for m_dn in member_dns[attr][ldap_obj_name]:
+ for ldap_obj_name, m_dns in objs.iteritems():
+ for m_dn in m_dns:
if not m_dn:
continue
try:
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index ffe2fba8a..dd5756735 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1091,12 +1091,12 @@ class ldap2(CrudBackend, Encoder):
(group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
# remove dn from group entry's `member_attr` attribute
- members = group_entry_attrs.get(member_attr, [])
+ members = [DN(m) for m in group_entry_attrs.get(member_attr, [])]
try:
- members.remove(dn.lower())
+ members.remove(DN(dn))
except ValueError:
raise errors.NotGroupMember()
- group_entry_attrs[member_attr] = members
+ group_entry_attrs[member_attr] = [str(m) for m in members]
# update group entry
self.update_entry(group_dn, group_entry_attrs)
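Review bot: The write-back `group_entry_attrs[member_attr] = [str(m) for m in members]` re-serialises every remaining member through DN, so values stored with a different but equivalent escaping or case are rewritten along with the one removal, and `str()` on a member holding non-ASCII text may fail on this Python 2 code path (inferred; the DN class is not shown). `DN(dn)` also sits inside the `try`, so a ValueError from parsing a malformed `dn`, if the constructor raises one, would surface as NotGroupMember. Since a failed removal leaves a sudo command in the group, it is worth keeping the two failures distinct: parse the target before the lookup and filter the original strings, as below. The enclosing method starts and ends outside the hunk.

```python
# … unchanged: get_entry() call …
target = DN(dn)  # parsed outside the lookup so a malformed DN is not reported as NotGroupMember
members = group_entry_attrs.get(member_attr, [])
remaining = [m for m in members if DN(m) != target]
if len(remaining) == len(members):
    raise errors.NotGroupMember()
# stored strings are kept as they were; only the matching value is dropped
group_entry_attrs[member_attr] = remaining
# … unchanged: update_entry() call …
```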
diff --git a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
index 8a534b2bf..9f2bf3336 100644
--- a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
+++ b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
@@ -28,12 +28,36 @@ from ipalib.dn import *
sudocmdgroup1 = u'testsudocmdgroup1'
sudocmdgroup2 = u'testsudocmdgroup2'
sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd_plus = u'/bin/ls -l /lost+found/*'
+
+def create_command(sudocmd):
+ return dict(
+ desc='Create %r' % sudocmd,
+ command=(
+ 'sudocmd_add', [], dict(sudocmd=sudocmd,
+ description=u'Test sudo command')
+ ),
+ expected=dict(
+ value=sudocmd,
+ summary=u'Added Sudo Command "%s"' % sudocmd,
+ result=dict(
+ objectclass=objectclasses.sudocmd,
+ sudocmd=[sudocmd],
+ ipauniqueid=[fuzzy_uuid],
+ description=[u'Test sudo command'],
+ dn=lambda x: DN(x) == \
+ DN(('sudocmd',sudocmd),('cn','sudocmds'),('cn','sudo'),
+ api.env.basedn),
+ ),
+ ),
+ )
class test_sudocmdgroup(Declarative):
cleanup_commands = [
('sudocmdgroup_del', [sudocmdgroup1], {}),
('sudocmdgroup_del', [sudocmdgroup2], {}),
('sudocmd_del', [sudocmd1], {}),
+ ('sudocmd_del', [sudocmd_plus], {}),
]
tests = [
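Review bot: `sudocmd_plus` exercises only `+`, `*` and spaces, while the ldap2.py change in this commit also drops the `dn.lower()` comparison, and nothing here removes a member whose stored case differs from the requested one or that contains `,`, `=` or `\`. Consider a second value next to it, for example `sudocmd_escaped = u'/bin/echo a,b=c'` (constructed sample), run through the same create/add/remove sequence with its own `sudocmd_del` cleanup entry. `create_command` would also benefit from a one-line docstring such as `"""Return a Declarative test dict that adds sudocmd and checks the resulting entry."""`.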
@@ -473,6 +497,54 @@ class test_sudocmdgroup(Declarative):
),
),
+ ################
+ # test a command that needs DN escaping:
+ create_command(sudocmd_plus),
+
+ dict(
+ desc='Add %r to %r' % (sudocmd_plus, sudocmdgroup1),
+ command=('sudocmdgroup_add_member', [sudocmdgroup1],
+ dict(sudocmd=sudocmd_plus)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ member=dict(
+ sudocmd=tuple(),
+ ),
+ ),
+ result={
+ 'dn': lambda x: DN(x) == \
+ DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+ ('cn','sudo'),api.env.basedn),
+ 'member_sudocmd': (sudocmd_plus,),
+ 'cn': [sudocmdgroup1],
+ 'description': [u'New desc 1'],
+ },
+ ),
+ ),
+
+ dict(
+ desc='Remove %r from %r' % (sudocmd_plus, sudocmdgroup1),
+ command=('sudocmdgroup_remove_member', [sudocmdgroup1],
+ dict(sudocmd=sudocmd_plus)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ member=dict(
+ sudocmd=tuple(),
+ ),
+ ),
+ result={
+ 'dn': lambda x: DN(x) == \
+ DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+ ('cn','sudo'),api.env.basedn),
+ 'cn': [sudocmdgroup1],
+ 'description': [u'New desc 1'],
+ },
+ ),
+ ),
################
# delete sudocmdgroup1: