diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2014-06-30 20:56:23 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2014-07-01 09:35:38 +0200 |
| commit | fdef2e1bd80d688467aeb8ac425e9010bf00c530 (patch) | |
| tree | c45a6e2cfd4de61db7a82280d3657f83cb8f390f | |
| parent | 5ff8e3d8b36a3c52477da459bbf79bb8af809078 (diff) | |
| download | freeipa-fdef2e1bd80d688467aeb8ac425e9010bf00c530.tar.gz freeipa-fdef2e1bd80d688467aeb8ac425e9010bf00c530.tar.xz freeipa-fdef2e1bd80d688467aeb8ac425e9010bf00c530.zip | |
permission plugin: Ignore unparseable ACIs
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.
Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.
Workaround for: https://fedorahosted.org/freeipa/ticket/4376
Reviewed-By: Martin Kosek <mkosek@redhat.com>
| -rw-r--r-- | ipalib/plugins/permission.py | 7 | ||||
| -rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 52 |
2 files changed, 58 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index e7bd22091..30571bea3 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -641,7 +641,12 @@ class permission(baseldap.LDAPObject): acientry = ldap.make_entry(location) acis = acientry.get('aci', ()) for acistring in acis: - aci = ACI(acistring) + try: + aci = ACI(acistring) + except SyntaxError as e: + self.log.warning('Unparseable ACI %s: %s (at %s)', + acistring, e, location) + continue if aci.name == wanted_aciname: return acientry, acistring else: diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 46e0f1f0e..bf902c367 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -3966,3 +3966,55 @@ class test_permission_filters(Declarative): 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), ] + + +class test_permission_in_accounts(Declarative): + """Test managing a permission in cn=accounts""" + + tests = [ + dict( + desc='Create %r in cn=accounts' % permission1, + command=( + 'permission_add', [permission1], dict( + ipapermlocation=DN('cn=accounts', api.env.basedn), + ipapermright=u'add', + attrs=[u'cn'], + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + attrs=[u'cn'], + ipapermright=[u'add'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[DN('cn=accounts', api.env.basedn)], + ), + ), + ), + + verify_permission_aci( + permission1, DN('cn=accounts', api.env.basedn), + '(targetattr = "cn")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (add) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Delete %r' % permission1, + command=( + 'permission_del', [permission1], {} + ), + expected=dict( + result=dict(failed=[]), + value=[permission1], + summary=u'Deleted permission "%s"' % permission1, + ) + ), + + verify_permission_aci_missing(permission1, api.env.basedn), + ] |