-rw-r--r--ipalib/plugins/permission.py55
-rw-r--r--tests/test_xmlrpc/test_permission_plugin.py65
2 files changed, 120 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2e..c9fd5649f 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -23,6 +23,7 @@ from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
from ipalib.request import context
from ipalib import errors
+from ipalib.dn import DN
__doc__ = _("""
Permissions
@@ -89,6 +90,43 @@ output_params = (
),
)
+dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn))
+
+def check_attrs(attrs, type):
+ # Trying to delete attributes - no need for validation
+ if attrs is None:
+ return True
+ allowed_objcls=[]
+ disallowed_objcls=[]
+ obj=api.Object[type]
+
+ if obj.object_class_config:
+ (dn,objcls)=api.Backend.ldap2.get_entry(
+ dn_ipaconfig,[obj.object_class_config]
+ )
+ allowed_objcls=objcls[obj.object_class_config]
+ else:
+ allowed_objcls=obj.object_class
+ if obj.possible_objectclasses:
+ allowed_objcls+=obj.possible_objectclasses
+ if obj.disallow_object_classes:
+ disallowed_objcls=obj.disallow_object_classes
+
+ allowed_attrs=[]
+ disallowed_attrs=[]
+ if allowed_objcls:
+ allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+ if disallowed_objcls:
+ disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+ failed_attrs=[]
+ for attr in attrs:
+ if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+ failed_attrs.append(attr)
+ if failed_attrs:
+ raise errors.ObjectclassViolation(info='attribute(s) \"%s\" not allowed' % ','.join(failed_attrs))
+ return True
+
+
class permission(LDAPObject):
"""
Permission object.
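Review bot: `allowed_objcls+=obj.possible_objectclasses` extends the list in place, and on the `else` branch that list is `obj.object_class`, the plugin's class-level attribute, so every call through that path appends possible_objectclasses to the shared object_class list again; `allowed_objcls = list(allowed_objcls) + obj.possible_objectclasses` keeps the class attribute untouched. The disallowed set is built from every attribute of `disallow_object_classes`, so any attribute those classes share with the allowed ones (for instance `cn` or `objectclass`, if get_allowed_attributes includes inherited attributes) would be rejected too — worth confirming against get_allowed_attributes, and the `in` tests should agree with it on case, since LDAP attribute names are case-insensitive. The parameter name `type` shadows the builtin; `obj_type` reads better. A short docstring saying that the function raises ObjectclassViolation for attributes outside the allowed object classes and that `attrs is None` means deletion and is accepted would help both callers.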
@@ -192,6 +230,8 @@ class permission_add(LDAPCreate):
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try:
+ if 'type' in entry_attrs and 'attrs' in entry_attrs:
+ check_attrs(entry_attrs['attrs'],entry_attrs['type'])
self.api.Command.aci_add(keys[-1], **opts)
except Exception, e:
raise e
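Review bot: The guard `'type' in entry_attrs and 'attrs' in entry_attrs` only tests key presence, so an explicit `type=None` reaches `api.Object[None]` inside check_attrs and fails with a KeyError instead of a validation error, whereas permission_mod below checks `type is not None`; `if entry_attrs.get('type') is not None and 'attrs' in entry_attrs:` keeps the two consistent. The ObjectclassViolation then passes through the pre-existing `except Exception, e: raise e`, which re-raises without the original traceback; that is not introduced here, but the new check is now the first statement likely to trip it. The enclosing method starts and ends outside the hunk.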
@@ -273,6 +313,21 @@ class permission_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
+ # check the correctness of attributes only when the type is specified
+ type=None
+ attrs_to_check=[]
+ current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+ if 'type' in entry_attrs:
+ type = entry_attrs['type']
+ elif 'type' in current_values:
+ type = current_values['type']
+ if 'attrs' in entry_attrs:
+ attrs_to_check = entry_attrs['attrs']
+ elif 'attrs' in current_values:
+ attrs_to_check = current_values['attrs']
+ if attrs_to_check and type is not None:
+ check_attrs(attrs_to_check,type)
+
# when renaming permission, check if the target permission does not
# exists already. Then, make changes to underlying ACI
if 'rename' in options:
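Review bot: `current_values=self.api.Command.permission_show(attrs['cn'][0])['result']` runs a full permission_show on every modification, even when neither `type` nor `attrs` is in `entry_attrs` and no check can follow; guarding the lookup with `if 'attrs' in entry_attrs or 'type' in entry_attrs:` (or reading from the already-fetched `attrs` entry, if it carries those values) avoids the extra round-trip. `type=None` shadows the builtin; `obj_type` is clearer and matches the message-free style of the surrounding code. The enclosing method begins and ends outside the hunk.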
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index e8e6bebcd..68a3cebf9 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -124,6 +124,71 @@ class test_permission(Declarative):
dict(
+ desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2,
+ command=(
+ 'permission_add', [permission2], dict(
+ type=u'user',
+ permissions=u'write',
+ attrs=u'ipaclientversion',
+ ),
+ ),
+ expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'),
+ ),
+
+
+ dict(
+ desc='Add allowed attribute \'cn\' to %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ attrs=u'cn',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ type=u'user',
+ permissions=[u'write'],
+ attrs=[u'cn'],
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Try to modify %r with invalid attribute \'ipaclientversion\'' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ attrs=u'ipaclientversion',
+ ),
+ ),
+ expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'),
+ ),
+
+
+ dict(
+ desc='Unset attribute \'cn\' of %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ attrs=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ type=u'user',
+ permissions=[u'write'],
+ ),
+ ),
+ ),
+
+
+ dict(
desc='Create %r' % privilege1,
command=('privilege_add', [privilege1],
dict(description=u'privilege desc. 1')
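Review bot: The new cases cover type supplied at add time and type taken from the stored entry at mod time, but not the remaining branch of permission_mod where `type` comes from `entry_attrs` and `attrs` from the stored entry (changing the type of a permission that already has attrs); a `permission_mod` case on permission1 with `type=u'group'` while `attrs` are set, with its expected outcome, would pin that path. The hunk's closing lines are the unchanged `dict(` for privilege1, so the test list continues outside the hunk.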