From d38748d64f5c7fb098b839b3c00a1f812d510d3b Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Fri, 13 Dec 2013 11:10:28 +0100
Subject: Make sure SYSTEM permissions can be retreived with --all --raw

Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
---
 ipalib/plugins/permission.py            | 12 ++++++++++--
 ipatests/test_xmlrpc/test_dns_plugin.py | 18 ++++++++++++++++--
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f3f001b7..bdde3e32 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -310,8 +310,16 @@ class permission(baseldap.LDAPObject):
 
         if options.get('raw'):
             # Retreive the ACI from LDAP to ensure we get the real thing
-            acientry, acistring = self._get_aci_entry_and_string(entry)
-            entry.single_value['aci'] = acistring
+            try:
+                acientry, acistring = self._get_aci_entry_and_string(entry)
+            except errors.NotFound:
+                if list(entry.get('ipapermissiontype')) == ['SYSTEM']:
+                    # SYSTEM permissions don't have normal ACIs
+                    pass
+                else:
+                    raise
+            else:
+                entry.single_value['aci'] = acistring
 
         if not client_has_capability(options['version'], 'permissions2'):
             # Legacy clients expect some attributes as a single value
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 8dbdec6b..d301458d 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -1349,7 +1349,6 @@ class test_dns(Declarative):
                 '"%s" already exists' % dnszone1_permission)
         ),
 
-
         dict(
             desc='Make sure the permission was created %r' % dnszone1,
             command=(
@@ -1367,6 +1366,22 @@ class test_dns(Declarative):
             ),
         ),
 
+        dict(
+            desc='Retrieve the permission %r with --all --raw' % dnszone1,
+            command=(
+                'permission_show', [dnszone1_permission], {}
+            ),
+            expected=dict(
+                value=dnszone1_permission,
+                summary=None,
+                result={
+                    'dn': dnszone1_permission_dn,
+                    'cn': [dnszone1_permission],
+                    'objectclass': objectclasses.system_permission,
+                    'ipapermissiontype': [u'SYSTEM'],
+                },
+            ),
+        ),
 
         dict(
             desc='Try to remove per-zone permission for unknown zone',
@@ -1374,7 +1389,6 @@ class test_dns(Declarative):
             expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found')
         ),
 
-
         dict(
             desc='Remove per-zone permission for zone %r' % dnszone1,
             command=(
-- 
cgit