diff options
| author | Petr Viktorin <pviktori@redhat.com> | 2014-05-27 16:22:33 +0200 |
|---|---|---|
| committer | Petr Viktorin <pviktori@redhat.com> | 2014-05-30 15:50:18 +0200 |
| commit | 63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 (patch) | |
| tree | 22c693465ed36a4d9af3ea09496b3929de02a713 /ipalib/plugins/krbtpolicy.py | |
| parent | b22bdfbb02afd89d59d944d7e1aec9b5865546fa (diff) | |
| download | freeipa-63a2147ac2bca82c710a6ffd025d4dbd8f1b3449.tar.gz freeipa-63a2147ac2bca82c710a6ffd025d4dbd8f1b3449.tar.xz freeipa-63a2147ac2bca82c710a6ffd025d4dbd8f1b3449.zip | |
krbtpolicy plugin: Fix internal error when global policy is not readable
An ACIError is now raised if:
- the user doesn't have permission to read any one of the ticket policy
attributes on the requested entry
(checked using attribute-level rights)
- any ticket policy attribute from the default policy is not available
(either not readable, or not there at all)
(only checked if these are accessed, i.e. when the user entry doesn't
override all of the defaults, or when requesting the global policy)
https://fedorahosted.org/freeipa/ticket/4354
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipalib/plugins/krbtpolicy.py')
| -rw-r--r-- | ipalib/plugins/krbtpolicy.py | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index a3b971e14..8ddc3b08e 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -172,15 +172,33 @@ class krbtpolicy_show(baseldap.LDAPRetrieve): options['all'] = False return dn - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): - assert isinstance(dn, DN) - if keys[-1] is not None: - # if policy for a specific user isn't set, display global values - if 'krbmaxticketlife' not in entry_attrs or \ - 'krbmaxrenewableage' not in entry_attrs: - res = self.api.Command.krbtpolicy_show() - for a in self.obj.default_attributes: - entry_attrs.setdefault(a, res['result'][a]) + def post_callback(self, ldap, dn, entry, *keys, **options): + default_entry = None + rights = None + for attrname in self.obj.default_attributes: + if attrname not in entry: + if keys[-1] is not None: + # User entry doesn't override the attribute. + # Check if this is caused by insufficient read rights + if rights is None: + rights = baseldap.get_effective_rights( + ldap, dn, self.obj.default_attributes) + if 'r' not in rights.get(attrname.lower(), ''): + raise errors.ACIError( + info=_('Ticket policy for %s could not be read') % + keys[-1]) + # Fallback to the default + if default_entry is None: + try: + default_dn = self.obj.get_dn(None) + default_entry = ldap.get_entry(default_dn) + except errors.NotFound: + default_entry = {} + if attrname in default_entry: + entry[attrname] = default_entry[attrname] + if attrname not in entry: + raise errors.ACIError( + info=_('Default ticket policy could not be read')) return dn |