From 78b657b02d2918fb26e0969e096f7eb15dbf830c Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Thu, 9 Jan 2014 14:43:37 +0100 Subject: Add permission_filter_objectclasses for explicit type filters Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek --- ipalib/plugins/permission.py | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) (limited to 'ipalib/plugins/permission.py') diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 071544aac..64deb99ef 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -99,9 +99,6 @@ EXAMPLES: register = Registry() -VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup', - u'netgroup', u'dnsrecord',) - _DEPRECATED_OPTION_ALIASES = { 'permissions': 'ipapermright', 'filter': 'ipapermtargetfilter', @@ -141,6 +138,15 @@ class DNOrURL(DNParam): return super(DNOrURL, self)._convert_scalar(value, index=index) +def validate_type(ugettext, typestr): + try: + obj = api.Object[typestr] + except KeyError: + return _('"%s" is not an object type') % typestr + if not getattr(obj, 'permission_filter_objectclasses', None): + return _('"%s" is not a valid permission type') % typestr + + @register() class permission(baseldap.LDAPObject): """ @@ -247,12 +253,11 @@ class permission(baseldap.LDAPObject): doc=_('User group to apply permissions to (sets target)'), flags={'ask_create', 'virtual_attribute'}, ), - StrEnum( - 'type?', + Str( + 'type?', validate_type, label=_('Type'), doc=_('Type of IPA object ' '(sets subtree and objectClass targetfilter)'), - values=VALID_OBJECT_TYPES, flags={'ask_create', 'virtual_attribute'}, ), ) + tuple( 
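Review bot: In the added `validate_type`, the lookup `api.Object[typestr]` is case-sensitive, while the last hunk of this patch resolves the same option with `self.api.Object[objtype.lower()]`, so the two paths disagree on what counts as a valid type name. With the fixed `VALID_OBJECT_TYPES` tuple removed, this validator is the only visible gate on which object types a permission may target, so the normalisation should live in one place: either `obj = api.Object[typestr.lower()]` here, or drop the `.lower()` in the last hunk. That last hunk also reads `obj.permission_filter_objectclasses` without the `getattr(..., None)` guard used here, which is safe only if this validator always runs first. A docstring on `validate_type` would make that dependency explicit by stating that it returns `None` for an accepted type and that a missing or empty `permission_filter_objectclasses` marks an object as not usable as a permission type. Which objects set the attribute cannot be confirmed from this page, which is limited to `permission.py`.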
@@ -310,19 +315,22 @@ class permission(baseldap.LDAPObject): # type if ipapermtargetfilter and ipapermlocation: - for objname in VALID_OBJECT_TYPES: - obj = self.api.Object[objname] + for obj in self.api.Object(): + filter_objectclasses = getattr( + obj, 'permission_filter_objectclasses', None) + if not filter_objectclasses: + continue wantdn = DN(obj.container_dn, self.api.env.basedn) if DN(ipapermlocation) != wantdn: continue - for objclass in obj.object_class: + for objclass in filter_objectclasses: filter_re = '\(objectclass=%s\)' % re.escape(objclass) if not any(re.match(filter_re, tf, re.I) for tf in ipapermtargetfilter): break else: - entry.single_value['type'] = objname + entry.single_value['type'] = unicode(obj.name) break # old output names @@ -684,7 +692,7 @@ class permission(baseldap.LDAPObject): error=_('subtree and type are mutually exclusive')) obj = self.api.Object[objtype.lower()] new_values = [u'(objectclass=%s)' % o - for o in obj.object_class] + for o in obj.permission_filter_objectclasses] filter_ops['add'].extend(new_values) container_dn = DN(obj.container_dn, self.api.env.basedn) options['ipapermlocation'] = container_dn -- cgit
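Review bot: The type-detection loop in the first hunk on this line now walks every object returned by `self.api.Object()` and stops at the first match on container and object classes. If two objects that define `permission_filter_objectclasses` share a `container_dn`, the displayed `type` would presumably depend on plugin iteration order rather than on a fixed list. Because administrators read `type` as a summary of what the permission's ACI targets, that first-match rule deserves a comment above the loop, for example `# first match wins: objects sharing a container_dn need distinguishable permission_filter_objectclasses`. `DN(obj.container_dn, self.api.env.basedn)` is also evaluated for every object that sets the attribute, so each such object seems to need a usable `container_dn`; the objects themselves are not shown on this page. The enclosing method starts and ends outside the hunk.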