From b53f2d28fdc64a99c16b6e9434911da0058c9f58 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Wed, 26 Mar 2014 17:11:23 +0100
Subject: Add managed read permissions to krbtpolicy

Unlike other objects, the ticket policy is stored in different subtrees: global policy in cn=kerberos and per-user policy in cn=users,cn=accounts. Add two permissions, one for each location. Also, modify tests so that adding new permissions in cn=users doesn't cause failures. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
---
 install/updates/40-delegation.update | 7 +++++
 ipalib/plugins/krbtpolicy.py | 40 ++++++++++++++++++++++++--
 ipatests/test_xmlrpc/test_permission_plugin.py | 39 +++++++++++++++++++++++--
 3 files changed, 81 insertions(+), 5 deletions(-)

diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index 27e605789..6ab849bf8 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -408,3 +408,10 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Password Policy Readers
 default:description: Read password policies
+
+dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: nestedgroup
+default:objectClass: groupofnames
+default:objectClass: top
+default:cn: Kerberos Ticket Policy Readers
+default:description: Read global and per-user Kerberos ticket policy
diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a05583dfb..4ae676dc5 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -75,8 +75,44 @@ class krbtpolicy(LDAPObject):
 object_name = _('kerberos ticket policy settings')
 default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
 limit_object_classes = ['krbticketpolicyaux']
-
- label=_('Kerberos Ticket Policy')
+ # permission_filter_objectclasses is deliberately missing,
+ # so it is not possible to create a permission of `--type krbtpolicy`.
+ # This is because we need two permissions to cover both global and per-user
+ # policies.
+ managed_permissions = {
+ 'System: Read Default Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermlocation': DN(container_dn, api.env.basedn),
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbdefaultencsalttypes', 'krbmaxrenewableage',
+ 'krbmaxticketlife', 'krbsupportedencsalttypes',
+ 'objectclass',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ 'System: Read User Kerberos Ticket Policy': {
+ 'non_object': True,
+ 'replaces_global_anonymous_aci': True,
+ 'ipapermlocation': DN(api.env.container_user, api.env.basedn),
+ 'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'read', 'search', 'compare'},
+ 'ipapermdefaultattr': {
+ 'krbmaxrenewableage', 'krbmaxticketlife',
+ },
+ 'default_privileges': {
+ 'Kerberos Ticket Policy Readers',
+ },
+ },
+ }
+
+ label = _('Kerberos Ticket Policy')
 label_singular = _('Kerberos Ticket Policy')

 takes_params = (
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index d593dd986..54e8d57dd 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
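Review bot: The second entry, `'System: Read User Kerberos Ticket Policy'`, leaves `objectclass` out of `ipapermdefaultattr` while the global entry lists it, so a client search for `(objectclass=krbticketpolicyaux)` under the user container is only answered for privilege members if some other permission grants search on `objectclass` for user entries; presumably the user object's own read permission does, but that is not visible here and deserves either a confirmation or a short comment, e.g. `# objectclass on user entries is covered by the user object's read permission`. The header comment could also spell out the access effect of setting `replaces_global_anonymous_aci` on both entries: if the flag does what its name suggests, these attributes stop being anonymously readable and become visible only to members of the `Kerberos Ticket Policy Readers` privilege (bind rule `permission`), which is the security-relevant change a reader of this class wants to see stated. The `krbtpolicy` class starts before this hunk and continues after it.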
@@ -100,6 +100,7 @@ users_dn = DN(api.env.container_user, api.env.basedn)
 groups_dn = DN(api.env.container_group, api.env.basedn)
 etc_dn = DN('cn=etc', api.env.basedn)
 nonexistent_dn = DN('cn=does not exist', api.env.basedn)
+admin_dn = DN('uid=admin', users_dn)


 def verify_permission_aci(name, dn, acistring):
@@ -1116,10 +1117,43 @@ class test_permission(Declarative):
 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
 ),

+ dict(
+ desc='Change subtree of %r to admin' % permission1_renamed_ucase,
+ command=(
+ 'permission_mod', [permission1_renamed_ucase],
+ dict(ipapermlocation=admin_dn)
+ ),
+ expected=dict(
+ value=permission1_renamed_ucase,
+ summary=u'Modified permission "%s"' % permission1_renamed_ucase,
+ result=dict(
+ dn=permission1_renamed_ucase_dn,
+ cn=[permission1_renamed_ucase],
+ objectclass=objectclasses.permission,
+ member_privilege=[privilege1],
+ ipapermlocation=[admin_dn],
+ ipapermright=[u'write'],
+ memberof=[u'ipausers'],
+ attrs=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, admin_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
 dict(
 desc='Search for %r using --subtree' % permission1_renamed_ucase,
 command=('permission_find', [],
- {'ipapermlocation': u'ldap:///%s' % users_dn}),
+ {'ipapermlocation': u'ldap:///%s' % admin_dn}),
 expected=dict(
 count=1,
 truncated=False,
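Review bot: The new `Change subtree of %r to admin` step, together with the `users_dn` → `admin_dn` switch in the `--subtree` search right after it and in the hunk at -1130, carries no comment saying why the permission is moved under `uid=admin`; the commit message gives the reason (the `count=1` search on `users_dn` would presumably start matching the managed permissions this commit adds under cn=users), but a reader of the test file will not see it. A one-line comment above the added `dict(` such as `# Move the permission below uid=admin so managed permissions added under cn=users do not change the --subtree search result` would keep that rationale next to the step that depends on it. The `test_permission` class and its test list start before this hunk and continue after it.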
@@ -1130,13 +1164,12 @@ class test_permission(Declarative):
 'cn':[permission1_renamed_ucase],
 'objectclass': objectclasses.permission,
 'member_privilege':[privilege1],
- 'ipapermlocation': [users_dn],
+ 'ipapermlocation': [admin_dn],
 'ipapermright':[u'write'],
 'memberof':[u'ipausers'],
 'attrs': [u'sn'],
 'ipapermbindruletype': [u'permission'],
 'ipapermissiontype': [u'SYSTEM', u'V2'],
- 'ipapermlocation': [users_dn],
 },
 ],
 ),
-- 
cgit