diff options
author | Ondrej Hamada <ohamada@redhat.com> | 2012-02-29 11:40:31 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-28 18:22:24 -0500 |
commit | 1356988b7a40a60af39807db143860efb4a2f435 (patch) | |
tree | 108983b039333bb6e311a377b7d33bcaaac383db | |
parent | 2d555256526827564f89d941c2d2b31815378a6b (diff) | |
download | freeipa-1356988b7a40a60af39807db143860efb4a2f435.tar.gz freeipa-1356988b7a40a60af39807db143860efb4a2f435.tar.xz freeipa-1356988b7a40a60af39807db143860efb4a2f435.zip |
Validate attributes in permission-add
When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raises the ObjectclassViolation
exception.
New tests were also added to the unit-tests.
https://fedorahosted.org/freeipa/ticket/2293
-rw-r--r-- | ipalib/plugins/permission.py | 55 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_permission_plugin.py | 65 |
2 files changed, 120 insertions, 0 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 08781ce2e..c9fd5649f 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -23,6 +23,7 @@ from ipalib import api, _, ngettext from ipalib import Flag, Str, StrEnum from ipalib.request import context from ipalib import errors +from ipalib.dn import DN __doc__ = _(""" Permissions @@ -89,6 +90,43 @@ output_params = ( ), ) +dn_ipaconfig = str(DN('cn=ipaconfig,cn=etc,%s' % api.env.basedn)) + +def check_attrs(attrs, type): + # Trying to delete attributes - no need for validation + if attrs is None: + return True + allowed_objcls=[] + disallowed_objcls=[] + obj=api.Object[type] + + if obj.object_class_config: + (dn,objcls)=api.Backend.ldap2.get_entry( + dn_ipaconfig,[obj.object_class_config] + ) + allowed_objcls=objcls[obj.object_class_config] + else: + allowed_objcls=obj.object_class + if obj.possible_objectclasses: + allowed_objcls+=obj.possible_objectclasses + if obj.disallow_object_classes: + disallowed_objcls=obj.disallow_object_classes + + allowed_attrs=[] + disallowed_attrs=[] + if allowed_objcls: + allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls) + if disallowed_objcls: + disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls) + failed_attrs=[] + for attr in attrs: + if (attr not in allowed_attrs) or (attr in disallowed_attrs): + failed_attrs.append(attr) + if failed_attrs: + raise errors.ObjectclassViolation(info='attribute(s) \"%s\" not allowed' % ','.join(failed_attrs)) + return True + + class permission(LDAPObject): """ Permission object. @@ -192,6 +230,8 @@ class permission_add(LDAPCreate): opts['permission'] = keys[-1] opts['aciprefix'] = ACI_PREFIX try: + if 'type' in entry_attrs and 'attrs' in entry_attrs: + check_attrs(entry_attrs['attrs'],entry_attrs['type']) self.api.Command.aci_add(keys[-1], **opts) except Exception, e: raise e @@ -273,6 +313,21 @@ class permission_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) + # check the correctness of attributes only when the type is specified + type=None + attrs_to_check=[] + current_values=self.api.Command.permission_show(attrs['cn'][0])['result'] + if 'type' in entry_attrs: + type = entry_attrs['type'] + elif 'type' in current_values: + type = current_values['type'] + if 'attrs' in entry_attrs: + attrs_to_check = entry_attrs['attrs'] + elif 'attrs' in current_values: + attrs_to_check = current_values['attrs'] + if attrs_to_check and type is not None: + check_attrs(attrs_to_check,type) + # when renaming permission, check if the target permission does not # exists already. Then, make changes to underlying ACI if 'rename' in options: diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index e8e6bebcd..68a3cebf9 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -124,6 +124,71 @@ class test_permission(Declarative): dict( + desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2, + command=( + 'permission_add', [permission2], dict( + type=u'user', + permissions=u'write', + attrs=u'ipaclientversion', + ), + ), + expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'), + ), + + + dict( + desc='Add allowed attribute \'cn\' to %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + attrs=u'cn', + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=lambda x: DN(x) == permission1_dn, + cn=[permission1], + type=u'user', + permissions=[u'write'], + attrs=[u'cn'], + ), + ), + ), + + + dict( + desc='Try to modify %r with invalid attribute \'ipaclientversion\'' % permission1, + command=( + 'permission_mod', [permission1], dict( + attrs=u'ipaclientversion', + ), + ), + expected=errors.ObjectclassViolation(info=u'attribute(s) \"ipaclientversion\" not allowed'), + ), + + + dict( + desc='Unset attribute \'cn\' of %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + attrs=None, + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=lambda x: DN(x) == permission1_dn, + cn=[permission1], + type=u'user', + permissions=[u'write'], + ), + ), + ), + + + dict( desc='Create %r' % privilege1, command=('privilege_add', [privilege1], dict(description=u'privilege desc. 1') |