authorPetr Viktorin <pviktori@redhat.com>2014-01-09 14:43:37 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-02-20 13:11:41 +0100
commit78b657b02d2918fb26e0969e096f7eb15dbf830c (patch)
tree771f52be92145a40eec3e951df214d4909208604 /ipalib/plugins
parente951f1841674fc57a867b9a36eea9d82ca31ad38 (diff)
Add permission_filter_objectclasses for explicit type filters
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r--ipalib/plugins/baseldap.py1
-rw-r--r--ipalib/plugins/dns.py1
-rw-r--r--ipalib/plugins/group.py1
-rw-r--r--ipalib/plugins/host.py1
-rw-r--r--ipalib/plugins/hostgroup.py1
-rw-r--r--ipalib/plugins/netgroup.py1
-rw-r--r--ipalib/plugins/permission.py30
-rw-r--r--ipalib/plugins/service.py1
-rw-r--r--ipalib/plugins/user.py1
9 files changed, 27 insertions, 11 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1d26c9859..c2aad784d 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -442,6 +442,7 @@ class LDAPObject(Object):
possible_objectclasses = []
limit_object_classes = [] # Only attributes in these are allowed
disallow_object_classes = [] # Disallow attributes in these
+ permission_filter_objectclasses = None
search_attributes = []
search_attributes_config = None
default_attributes = []
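Review bot: The new class attribute `permission_filter_objectclasses = None` is the only one in this group without a trailing comment, although its neighbours `limit_object_classes` and `disallow_object_classes` have one, and its value is security-relevant: permission.py turns each listed class into an `(objectclass=...)` targetfilter for the permission's ACI, so the chosen classes decide which entries a `--type` permission grants access to. I would add `permission_filter_objectclasses = None  # objectClasses put in the targetfilter of --type permissions; None means --type cannot name this object`. The same applies to the one-line additions in dns.py, group.py, host.py, hostgroup.py, netgroup.py, service.py and user.py, where the choice of a single class out of the object's full `object_class` list (e.g. `ipahost` for host, `posixaccount` for user) is not explained; a short comment on each, or a pointer to this attribute's doc, would help reviewers of later changes. The `LDAPObject` class body continues outside the hunk.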
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index e7301a9f7..c1b1b6434 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2113,6 +2113,7 @@ class dnsrecord(LDAPObject):
object_name = _('DNS resource record')
object_name_plural = _('DNS resource records')
object_class = ['top', 'idnsrecord']
+ permission_filter_objectclasses = ['idnsrecord']
default_attributes = ['idnsname'] + _record_attributes
rdn_is_primary_key = True
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 93b0410fd..318f0746a 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -122,6 +122,7 @@ class group(LDAPObject):
object_class = ['ipausergroup']
object_class_config = 'ipagroupobjectclasses'
possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
+ permission_filter_objectclasses = ['ipausergroup']
search_attributes_config = 'ipagroupsearchfields'
default_attributes = [
'cn', 'description', 'gidnumber', 'member', 'memberof',
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 039764928..1e339acfc 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -222,6 +222,7 @@ class host(LDAPObject):
object_name = _('host')
object_name_plural = _('hosts')
object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']
+ permission_filter_objectclasses = ['ipahost']
# object_class_config = 'ipahostobjectclasses'
search_attributes = [
'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 4b8702b09..a3dd3a4a9 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -61,6 +61,7 @@ class hostgroup(LDAPObject):
object_name = _('host group')
object_name_plural = _('host groups')
object_class = ['ipaobject', 'ipahostgroup']
+ permission_filter_objectclasses = ['ipahostgroup']
default_attributes = ['cn', 'description', 'member', 'memberof',
'memberindirect', 'memberofindirect',
]
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index e454b9aa3..fe27e6cb6 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -81,6 +81,7 @@ class netgroup(LDAPObject):
object_name = _('netgroup')
object_name_plural = _('netgroups')
object_class = ['ipaobject', 'ipaassociation', 'ipanisnetgroup']
+ permission_filter_objectclasses = ['ipanisnetgroup']
default_attributes = [
'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
'memberuser', 'memberhost', 'member', 'memberindirect',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 071544aac..64deb99ef 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -99,9 +99,6 @@ EXAMPLES:
register = Registry()
-VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup',
- u'netgroup', u'dnsrecord',)
-
_DEPRECATED_OPTION_ALIASES = {
'permissions': 'ipapermright',
'filter': 'ipapermtargetfilter',
@@ -141,6 +138,15 @@ class DNOrURL(DNParam):
return super(DNOrURL, self)._convert_scalar(value, index=index)
+def validate_type(ugettext, typestr):
+ try:
+ obj = api.Object[typestr]
+ except KeyError:
+ return _('"%s" is not an object type') % typestr
+ if not getattr(obj, 'permission_filter_objectclasses', None):
+ return _('"%s" is not a valid permission type') % typestr
+
+
@register()
class permission(baseldap.LDAPObject):
"""
@@ -247,12 +253,11 @@ class permission(baseldap.LDAPObject):
doc=_('User group to apply permissions to (sets target)'),
flags={'ask_create', 'virtual_attribute'},
),
- StrEnum(
- 'type?',
+ Str(
+ 'type?', validate_type,
label=_('Type'),
doc=_('Type of IPA object '
'(sets subtree and objectClass targetfilter)'),
- values=VALID_OBJECT_TYPES,
flags={'ask_create', 'virtual_attribute'},
),
) + tuple(
@@ -310,19 +315,22 @@ class permission(baseldap.LDAPObject):
# type
if ipapermtargetfilter and ipapermlocation:
- for objname in VALID_OBJECT_TYPES:
- obj = self.api.Object[objname]
+ for obj in self.api.Object():
+ filter_objectclasses = getattr(
+ obj, 'permission_filter_objectclasses', None)
+ if not filter_objectclasses:
+ continue
wantdn = DN(obj.container_dn, self.api.env.basedn)
if DN(ipapermlocation) != wantdn:
continue
- for objclass in obj.object_class:
+ for objclass in filter_objectclasses:
filter_re = '\(objectclass=%s\)' % re.escape(objclass)
if not any(re.match(filter_re, tf, re.I)
for tf in ipapermtargetfilter):
break
else:
- entry.single_value['type'] = objname
+ entry.single_value['type'] = unicode(obj.name)
break
# old output names
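Review bot: The regex pattern on the unchanged line `filter_re = '\(objectclass=%s\)' % re.escape(objclass)` is not a raw string, so the `\(` escapes rely on the interpreter passing unknown escapes through; write it as `filter_re = r'\(objectclass=%s\)' % re.escape(objclass)` now that the surrounding lines are being rewritten. Separately, the detection now depends on the iteration order of `self.api.Object()` rather than the fixed `VALID_OBJECT_TYPES` tuple, so if two objects ever share a container_dn and filter objectclasses the first registered one wins; a one-line comment stating that the first match is reported would make that explicit. The enclosing method starts and ends outside the hunk.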
@@ -684,7 +692,7 @@ class permission(baseldap.LDAPObject):
error=_('subtree and type are mutually exclusive'))
obj = self.api.Object[objtype.lower()]
new_values = [u'(objectclass=%s)' % o
- for o in obj.object_class]
+ for o in obj.permission_filter_objectclasses]
filter_ops['add'].extend(new_values)
container_dn = DN(obj.container_dn, self.api.env.basedn)
options['ipapermlocation'] = container_dn
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 67fbea678..25f02cd12 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -299,6 +299,7 @@ class service(LDAPObject):
'ipaservice', 'pkiuser'
]
possible_objectclasses = ['ipakrbprincipal']
+ permission_filter_objectclasses = ['ipaservice']
search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
'ipakrbauthzdata',]
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 539dd896a..edda273b2 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -209,6 +209,7 @@ class user(LDAPObject):
'ipatokenradiusproxyuser'
]
disallow_object_classes = ['krbticketpolicyaux']
+ permission_filter_objectclasses = ['posixaccount']
search_attributes_config = 'ipausersearchfields'
default_attributes = [
'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',