author | Petr Viktorin <pviktori@redhat.com> | 2014-02-21 13:58:15 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-03-12 12:17:08 +0100 |
commit | d3a34591a807f1420042ddbb53b3d5ac846927aa (patch) | |
tree | 699a555689ee571759e028b51175d689ae85934d | |
parent | 0be66e9a67e433d36b9e4c00a17b45393d51a888 (diff) | |
permission_add: Remove permission entry if adding the ACI fails
https://fedorahosted.org/freeipa/ticket/4187
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
-rw-r--r-- | ipalib/plugins/permission.py | 21 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 25 |
2 files changed, 45 insertions, 1 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index d4181a6b4..bd7f5da6a 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -830,7 +830,26 @@ class permission_add(baseldap.LDAPCreate):
 return dn
 
 def post_callback(self, ldap, dn, entry, *keys, **options):
- self.obj.add_aci(entry)
+ try:
+ self.obj.add_aci(entry)
+ except Exception:
+ # Adding the ACI failed.
+ # We want to be 100% sure the ACI is not there, so try to
+ # remove it. (This is a no-op if the ACI was not added.)
+ self.obj.remove_aci(entry)
+ # Remove the entry.
+ # The permission entry serves as a "lock" tho prevent
+ # permission-add commands started at the same time from
+ # interfering. As long as the entry is there, the other
+ # permission-add will fail with DuplicateEntry.
+ # So deleting entry ("releasing the lock") must be the last
+ # thing we do here.
+ try:
+ self.api.Backend['ldap2'].delete_entry(entry)
+ except errors.NotFound:
+ pass
+ # Re-raise original exception
+ raise
 self.obj.postprocess_result(entry, options)
 return dn
 
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 725fe0ab4..62ff20e56 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
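Review bot: The bare `raise` at the end of the new `except Exception:` block does not reliably re-raise the add_aci failure: on Python 2, which this code base targets, a bare `raise` re-raises the exception most recently handled in the current scope, so when `delete_entry` raises `errors.NotFound` and the inner handler swallows it, the caller ends up with NotFound instead of the real ACI error. The same masking happens if `self.obj.remove_aci(entry)` itself raises, and in that case the permission entry (the "lock") is never deleted either. Capture `sys.exc_info()` at the top of the handler, guard the ACI removal separately and log its failure, and re-raise the saved exception explicitly (this needs `sys` imported at module level if it is not already). Two smaller points in the same hunk: the comment typo `"lock" tho prevent` should read `"lock" to prevent`, and the callback already receives `ldap`, so using it instead of `self.api.Backend['ldap2']` would be consistent with the signature, assuming both name the same connection (not verifiable from the hunk).
```python
        except Exception:
            # Save the add_aci error now: the handlers below overwrite the
            # "last handled exception" that a bare `raise` would re-raise on Python 2.
            exc_info = sys.exc_info()
            # … unchanged: explanatory comments on ACI removal and the entry "lock" …
            try:
                self.obj.remove_aci(entry)
            except Exception as e:
                # A failed cleanup must not hide the original error or skip the entry deletion.
                self.log.error('failed to remove ACI for %s: %s', dn, e)
            try:
                self.api.Backend['ldap2'].delete_entry(entry)
            except errors.NotFound:
                pass
            # Re-raise the original exception with its traceback (Python 2 syntax)
            raise exc_info[0], exc_info[1], exc_info[2]
```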
@@ -220,6 +220,31 @@ class test_permission_negative(Declarative):
 verify_permission_aci_missing(permission1, users_dn),
 
 dict(
+ desc='Try creating %r with bad attribute name' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ type=u'user',
+ ipapermright=u'write',
+ attrs=u'bogusattr',
+ )
+ ),
+ expected=errors.InvalidSyntax(
+ attr=r'targetattr "bogusattr" does not exist in schema. '
+ r'Please add attributeTypes "bogusattr" to '
+ r'schema if necessary. '
+ r'ACL Syntax Error(-5):'
+ r'(targetattr = \22bogusattr\22)'
+ r'(targetfilter = \22(objectclass=posixaccount)\22)'
+ r'(version 3.0;acl \22permission:%(name)s\22;'
+ r'allow (write) groupdn = \22ldap:///%(dn)s\22;)' % dict(
+ name=permission1,
+ dn=permission1_dn),
+ ),
+ ),
+
+ verify_permission_aci_missing(permission1, users_dn),
+
+ dict(
 desc='Create %r so we can try breaking it' % permission1,
 command=(
 'permission_add', [permission1], dict(
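Review bot: The new test step only asserts `verify_permission_aci_missing(permission1, users_dn)` after the failed add; the behaviour this commit introduces — removing the half-created permission entry — is covered only indirectly, by the following "Create %r so we can try breaking it" step not failing with DuplicateEntry. An explicit step between them, `dict(desc='Try to retrieve non-existent %r' % permission1, command=('permission_show', [permission1], {}), expected=errors.NotFound(reason=<project's standard not-found message>))`, would pin the entry cleanup directly and give a clearer failure if it regresses. The `expected=errors.InvalidSyntax(attr=...)` value is the directory server's verbatim ACL parser message, so a short comment noting that it is server-generated text (and may change with the server version) would help whoever has to update it later.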