author | Martin Kosek <mkosek@redhat.com> | 2012-05-31 12:39:24 +0200 |
committer | Martin Kosek <mkosek@redhat.com> | 2012-06-01 07:51:59 +0200 |
commit | 6ff5f28142c46bf5f08fef74c261f75e1baa9f66 (patch) | |
tree | 68d497483906af2844f2668747fcce360b409306 | |
parent | 0ca29fac9af4cd437a8536f28ffd25923ec3f8cd (diff) | |
permission-find missed some results with --pkey-only option
When permission-find post callback detected a --pkey-only option,
it just terminated. However, this way the results that could have
been added from aci_find matches were not included.
Fix the post callback to go through the entire matching process.
Also make sure that DNS permissions have a correct objectclass
(ipapermission), otherwise such objects are not matched by the
permission LDAP search.
https://fedorahosted.org/freeipa/ticket/2658
-rw-r--r-- | install/share/dns.ldif | 4 | ||||
-rw-r--r-- | install/updates/40-dns.update | 6 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 34 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_permission_plugin.py | 19 |
4 files changed, 49 insertions, 14 deletions
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index cd77fe22c..81ba21009 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -34,6 +34,7 @@ dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: groupofnames
 objectClass: top
+objectClass: ipapermission
 cn: add dns entries
 description: Add DNS entries
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -43,6 +44,7 @@ dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: groupofnames
 objectClass: top
+objectClass: ipapermission
 cn: remove dns entries
 description: Remove DNS entries
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -52,6 +54,7 @@ dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: groupofnames
 objectClass: top
+objectClass: ipapermission
 cn: update dns entries
 description: Update DNS entries
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
@@ -72,6 +75,7 @@ dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
 changetype: add
 objectClass: groupofnames
 objectClass: top
+objectClass: ipapermission
 cn: Write DNS Configuration
 description: Write DNS Configuration
 member: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index 02af8e467..3dacb248f 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -1,17 +1,23 @@
 # Add missing member values to attach permissions to their respective
 # privileges and run a memberOf task.
 dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
 addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
 addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
 
 dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
 addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
 addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
 
 dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
 addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
 addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
 
+dn: cn=Write DNS Configuration,cn=permissions,cn=pbac,$SUFFIX
+addifexist:objectclass: ipapermission
+
 dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
 add: objectClass: top
 add: objectClass: extensibleObject
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index a484ff640..d6fe385b1 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -350,19 +350,19 @@ class permission_find(LDAPSearch):
 has_output_params = LDAPSearch.has_output_params + output_params
 
 def post_callback(self, ldap, entries, truncated, *args, **options):
- if options.pop('pkey_only', False):
- return truncated
- for entry in entries:
- (dn, attrs) = entry
- try:
- aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
-
- # copy information from respective ACI to permission entry
- for attr in self.obj.aci_attributes:
- if attr in aci:
- attrs[attr] = aci[attr]
- except errors.NotFound:
- self.debug('ACI not found for %s' % attrs['cn'][0])
+ pkey_only = options.pop('pkey_only', False)
+ if not pkey_only:
+ for entry in entries:
+ (dn, attrs) = entry
+ try:
+ aci = self.api.Command.aci_show(attrs['cn'][0], aciprefix=ACI_PREFIX, **options)['result']
+
+ # copy information from respective ACI to permission entry
+ for attr in self.obj.aci_attributes:
+ if attr in aci:
+ attrs[attr] = aci[attr]
+ except errors.NotFound:
+ self.debug('ACI not found for %s' % attrs['cn'][0])
 if truncated:
 # size/time limit met, no need to search acis
 return truncated
@@ -406,9 +406,15 @@ class permission_find(LDAPSearch):
 permission = self.api.Command.permission_show(aci['permission'], **options)['result']
 dn = permission['dn']
 del permission['dn']
+ if pkey_only:
+ new_entry = (dn, {self.obj.primary_key.name: \
+ permission[self.obj.primary_key.name]})
+ else:
+ new_entry = (dn, permission)
+
 if (dn, permission) not in entries:
 if len(entries) < max_entries:
- entries.append((dn, permission))
+ entries.append(new_entry)
 else:
 truncated = True
 break
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index d8ff14903..6613c9bba 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
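Review bot: post_callback has no docstring, and after this change its contract is harder to read from the code: the ACI attributes are merged into the LDAP-matched entries only when `pkey_only` is false, while the `pkey_only` local is also consumed further down by the aci_find matching that this hunk does not show. A docstring along the lines of `"""Merge ACI data into LDAP matches, then append permissions found only via aci_find; with pkey_only, entries carry just the primary key."""` would record that, and a one-line comment on `pkey_only = options.pop('pkey_only', False)` noting that the option must be popped before `**options` is forwarded to aci_show would explain the ordering. The body of post_callback continues past the end of this hunk.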
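Review bot: With `pkey_only` set, the duplicate check `if (dn, permission) not in entries:` still compares the full permission dict, but what is stored in `entries` is the reduced `new_entry` holding only the primary key, so the comparison cannot match and a permission reached by both the LDAP search and the ACI search can be appended twice; the check should test the value that is actually stored, `if new_entry not in entries:`. Whether the entries coming from the LDAP search under --pkey-only are themselves reduced to the primary key is not visible here, so confirm that against LDAPSearch before relying on tuple equality for de-duplication. The loop this belongs to, and the enclosing post_callback, start before and end after the hunk.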
@@ -368,6 +368,25 @@ class test_permission(Declarative):
 
 
 dict(
+ desc='Search by ACI attribute with --pkey-only',
+ command=('permission_find', [], {'pkey_only': True,
+ 'attrs': [u'krbminpwdlife']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[
+ {
+ 'dn': lambda x: DN(x) == DN(('cn','Modify Group Password Policy'),
+ api.env.container_permission,api.env.basedn),
+ 'cn': [u'Modify Group Password Policy'],
+ },
+ ],
+ ),
+ ),
+
+
+ dict(
 desc='Search for %r' % privilege1,
 command=('privilege_find', [privilege1], {}),
 expected=dict(
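Review bot: The new case only exercises a permission reached through the ACI attribute match (`'attrs': [u'krbminpwdlife']` with empty criteria), so it does not cover the --pkey-only path in which the same permission is returned by both the LDAP search and the aci_find pass, which is exactly where the de-duplication in permission_find.post_callback matters. A second case that passes the permission name as the search criteria together with `'attrs': [u'krbminpwdlife']` and `'pkey_only': True`, still expecting `count=1`, would pin that behaviour; whether the name criteria reaches the LDAP search that way is not visible here, so check against the existing permission_find cases. The test_permission class extends beyond this hunk on both sides.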