authorPetr Viktorin <pviktori@redhat.com>2014-01-06 14:04:19 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-02-12 17:11:17 +0100
commit2f3ab2914a2522ab97b455d83b809530dac37f04 (patch)
treea780fd0c3a98a2b31f13a44f73634c9d7d3e0b1f
parent15995d1f389c37e7842471d890498a25f3f226da (diff)
permission plugin: Generate ACIs in the plugin
Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--ipalib/plugins/permission.py33
1 files changed, 23 insertions, 10 deletions
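--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -340,31 +340,44 @@ class permission(baseldap.LDAPObject):
     def make_aci(self, entry):
         """Make an ACI string from the given permission entry"""
-        aci = ACI()
+        aci_parts = []
         name = entry.single_value['cn']
-        aci.name = 'permission:%s' % name
+
+        # targetattr
+        attrs = entry.get('ipapermallowedattr', [])
+        if attrs:
+            aci_parts.append("(targetattr = \"%s\")" % ' || '.join(attrs))
+
+        # target
         ipapermtarget = entry.single_value.get('ipapermtarget')
         if ipapermtarget:
-            aci.set_target('ldap:///%s' % ipapermtarget)
+            aci_parts.append("(target = \"%s\")" %
+                             'ldap:///%s' % ipapermtarget)
+
+        # targetfilter
         ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
         if ipapermtargetfilter:
-            aci.set_target_filter(ipapermtargetfilter)
+            assert (ipapermtargetfilter.startswith('(')
+                    and ipapermtargetfilter.endswith(')'))
+            aci_parts.append("(targetfilter = \"%s\")" % ipapermtargetfilter)
+        # version, name, rights, bind rule
         ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
                                                     'permission')
         if ipapermbindruletype == 'permission':
             dn = DN(('cn', name), self.container_dn, self.api.env.basedn)
-            aci.set_bindrule('groupdn = "ldap:///%s"' % dn)
+            bindrule = 'groupdn = "ldap:///%s"' % dn
         elif ipapermbindruletype == 'all':
-            aci.set_bindrule('userdn = "ldap:///all"')
+            bindrule = 'userdn = "ldap:///all"'
         elif ipapermbindruletype == 'anonymous':
-            aci.set_bindrule('userdn = "ldap:///anyone"')
+            bindrule = 'userdn = "ldap:///anyone"'
         else:
             raise ValueError(ipapermbindruletype)
-        aci.permissions = entry['ipapermright']
-        aci.set_target_attr(entry.get('ipapermallowedattr', []))
-        return aci.export_to_string()
+        aci_parts.append('(version 3.0;acl "permission:%s";allow (%s) %s;)' % (
+            name, ','.join(entry['ipapermright']), bindrule))
+
+        return ''.join(aci_parts)
     def add_aci(self, permission_entry):
         """Add the ACI coresponding to the given permission entry"""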
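Review bot: The `assert (ipapermtargetfilter.startswith('(') and ipapermtargetfilter.endswith(')'))` in the targetfilter branch is input validation in disguise: it is stripped under `python -O`, and when it does fire it surfaces as an AssertionError instead of the ValueError the bind-rule branch below raises, so it should be an explicit check, e.g. `if not (ipapermtargetfilter.startswith('(') and ipapermtargetfilter.endswith(')')): raise ValueError(ipapermtargetfilter)`. More broadly, every value the new code interpolates — the `' || '`-joined `ipapermallowedattr` names, `ipapermtarget`, the filter and the permission `cn` — is placed inside a `"..."`-quoted ACI keyword with no escaping, so a `"` or an unbalanced parenthesis in any of them changes the structure of the generated ACI rather than its content; the old `ACI` object is no longer on this path, and unless the plugin's option validators already reject such characters (not visible in this hunk) a check that rejects `"` before joining would belong here. On a smaller point, `"(target = \"%s\")" % 'ldap:///%s' % ipapermtarget` only produces the right string because `%` chains left-to-right and reads like a mistake; `'(target = "ldap:///%s")' % ipapermtarget` is the same result and clearer.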