From 63a2147ac2bca82c710a6ffd025d4dbd8f1b3449 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Tue, 27 May 2014 16:22:33 +0200
Subject: krbtpolicy plugin: Fix internal error when global policy is not
 readable

An ACIError is now raised if:
- the user doesn't have permission to read any one of the ticket policy
  attributes on the requested entry
  (checked using attribute-level rights)
- any ticket policy attribute from the default policy is not available
  (either not readable, or not there at all)
  (only checked if these are accessed, i.e. when the user entry doesn't
   override all of the defaults, or when requesting the global policy)

https://fedorahosted.org/freeipa/ticket/4354

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipalib/plugins/krbtpolicy.py | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

(limited to 'ipalib/plugins/krbtpolicy.py')

diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py
index a3b971e14..8ddc3b08e 100644
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -172,15 +172,33 @@ class krbtpolicy_show(baseldap.LDAPRetrieve):
             options['all'] = False
         return dn
 
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-        if keys[-1] is not None:
-            # if policy for a specific user isn't set, display global values
-            if 'krbmaxticketlife' not in entry_attrs or \
-                'krbmaxrenewableage' not in entry_attrs:
-                res = self.api.Command.krbtpolicy_show()
-                for a in self.obj.default_attributes:
-                    entry_attrs.setdefault(a, res['result'][a])
+    def post_callback(self, ldap, dn, entry, *keys, **options):
+        default_entry = None
+        rights = None
+        for attrname in self.obj.default_attributes:
+            if attrname not in entry:
+                if keys[-1] is not None:
+                    # User entry doesn't override the attribute.
+                    # Check if this is caused by insufficient read rights
+                    if rights is None:
+                        rights = baseldap.get_effective_rights(
+                            ldap, dn, self.obj.default_attributes)
+                    if 'r' not in rights.get(attrname.lower(), ''):
+                        raise errors.ACIError(
+                            info=_('Ticket policy for %s could not be read') %
+                                keys[-1])
+                    # Fallback to the default
+                    if default_entry is None:
+                        try:
+                            default_dn = self.obj.get_dn(None)
+                            default_entry = ldap.get_entry(default_dn)
+                        except errors.NotFound:
+                            default_entry = {}
+                    if attrname in default_entry:
+                        entry[attrname] = default_entry[attrname]
+            if attrname not in entry:
+                raise errors.ACIError(
+                    info=_('Default ticket policy could not be read'))
         return dn
 
 
-- 
cgit