author | Petr Viktorin <pviktori@redhat.com> | 2014-06-10 12:31:29 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-11 13:21:30 +0200 |
commit | b6258d08d6c5605b32151654c6259f7c77f1a32b (patch) | |
tree | 7498bba33fa7f720e86ceec7203333da88a27719 /makeaci | |
parent | 2f3cdba54620989afba0ce1b423cddb56b841ab3 (diff) | |
Make sure member* attrs are always granted together in read permissions
Memberofindirect processing of an entry doesn't work if the user doesn't
have rights to any one of these attributes:
- member
- memberuser
- memberhost
Add all of these to any read permission that specifies any of them.
Add a check to makeaci that will enforce this for any future permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'makeaci')
-rwxr-xr-x | makeaci | 18 |
1 files changed, 18 insertions, 0 deletions
@@ -72,6 +72,24 @@ def generate_aci_lines(api): yield 'dn: %s\n' % dn yield 'aci: %s\n' % aci + check_member_attrs(name, template) + + +def check_member_attrs(name, template): + """Check that member* attrs are always present together for read + + ldap2._process_memberofindirect reads all these attributes together; + if the user doesn't have rights to one of them, the entire entry is + left out and memberofindirect processing returns wrong a result. + So we need all of them be readable. + """ + checked_attrs = ['member', 'memberuser', 'memberhost'] + perm_attrs = template.get('ipapermdefaultattr', ()) + flags = [(a in perm_attrs) for a in checked_attrs] + if 'read' in template['ipapermright'] and any(flags) and not all(flags): + raise AssertionError("'%s' includes some but not all of %s" % + (name, checked_attrs)) + def main(options): api.bootstrap( |
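Review bot: the membership test `(a in perm_attrs)` in check_member_attrs is case-sensitive while LDAP attribute names are not, so a template listing the attribute as `memberUser` or `memberHost` would slip past the check; normalising both sides with `.lower()` before comparing would close that gap. In the same function, `template['ipapermright']` will raise KeyError on a template without that key, whereas `ipapermdefaultattr` is read defensively with `template.get('ipapermdefaultattr', ())`; either read both with `.get` or state in the docstring that `ipapermright` is required. Two docstring typos: "returns wrong a result" should read "returns a wrong result", and "we need all of them be readable" should read "we need all of them to be readable".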