From 78b657b02d2918fb26e0969e096f7eb15dbf830c Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Thu, 9 Jan 2014 14:43:37 +0100
Subject: Add permission_filter_objectclasses for explicit type filters

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek
---
 API.txt | 6 +++---
 ipalib/plugins/baseldap.py | 1 +
 ipalib/plugins/dns.py | 1 +
 ipalib/plugins/group.py | 1 +
 ipalib/plugins/host.py | 1 +
 ipalib/plugins/hostgroup.py | 1 +
 ipalib/plugins/netgroup.py | 1 +
 ipalib/plugins/permission.py | 30 +++++++++++++++++++-----------
 ipalib/plugins/service.py | 1 +
 ipalib/plugins/user.py | 1 +
 10 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/API.txt b/API.txt
index 60df70db..35c68340 100644
--- a/API.txt
+++ b/API.txt
@@ -2340,7 +2340,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('subtree', attribute=False, cli_name='subtree', multivalue=True, required=False)
 option: Str('targetgroup', alwaysask=True, attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=False, required=False)
-option: StrEnum('type', alwaysask=True, attribute=False, autofill=False, cli_name='type', multivalue=False, query=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', alwaysask=True, attribute=False, autofill=False, cli_name='type', multivalue=False, query=False, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
@@ -2400,7 +2400,7 @@ option: Int('sizelimit?', autofill=False, minvalue=0)
 option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, query=True, required=False)
 option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
-option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', attribute=False, autofill=False, cli_name='type', multivalue=False, query=True, required=False)
 option: Str('version?', exclude='webui')
 output: Output('count', , None)
 output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -2430,7 +2430,7 @@ option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, required=False)
 option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, required=False)
-option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', attribute=False, autofill=False, cli_name='type', multivalue=False, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (, ), None)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 1d26c985..c2aad784 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -442,6 +442,7 @@ class LDAPObject(Object):
     possible_objectclasses = []
     limit_object_classes = [] # Only attributes in these are allowed
     disallow_object_classes = [] # Disallow attributes in these
+    permission_filter_objectclasses = None
     search_attributes = []
     search_attributes_config = None
     default_attributes = []
diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
index e7301a9f..c1b1b643 100644
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2113,6 +2113,7 @@ class dnsrecord(LDAPObject):
     object_name = _('DNS resource record')
     object_name_plural = _('DNS resource records')
     object_class = ['top', 'idnsrecord']
+    permission_filter_objectclasses = ['idnsrecord']
     default_attributes = ['idnsname'] + _record_attributes
     rdn_is_primary_key = True
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 93b0410f..318f0746 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -122,6 +122,7 @@ class group(LDAPObject):
     object_class = ['ipausergroup']
     object_class_config = 'ipagroupobjectclasses'
     possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
+    permission_filter_objectclasses = ['ipausergroup']
     search_attributes_config = 'ipagroupsearchfields'
     default_attributes = [
         'cn', 'description', 'gidnumber', 'member', 'memberof',
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 03976492..1e339acf 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -222,6 +222,7 @@ class host(LDAPObject):
     object_name = _('host')
     object_name_plural = _('hosts')
     object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']
+    permission_filter_objectclasses = ['ipahost']
     # object_class_config = 'ipahostobjectclasses'
     search_attributes = [
         'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 4b8702b0..a3dd3a4a 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
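Review bot: The added `permission_filter_objectclasses = None` in the LDAPObject hunk is the only default in this run of attributes without a comment, while its two neighbours carry one, and what the value means is only discoverable from permission.py in the same patch (a falsy value makes validate_type reject the object as a permission type; each list entry becomes an `(objectclass=...)` target filter when `--type` is used). I would annotate it in the same trailing-comment style: `permission_filter_objectclasses = None  # objectClasses required by a permission --type filter; None = not usable as a type`. Spelling out the default-deny is worth it here because this attribute replaces a hard-coded allow-list of types, so a new LDAPObject stays excluded from `--type` until it opts in. The LDAPObject class body starts and ends outside the hunk.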
@@ -61,6 +61,7 @@ class hostgroup(LDAPObject):
     object_name = _('host group')
     object_name_plural = _('host groups')
     object_class = ['ipaobject', 'ipahostgroup']
+    permission_filter_objectclasses = ['ipahostgroup']
     default_attributes = ['cn', 'description', 'member', 'memberof',
         'memberindirect', 'memberofindirect',
     ]
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index e454b9aa..fe27e6cb 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -81,6 +81,7 @@ class netgroup(LDAPObject):
     object_name = _('netgroup')
     object_name_plural = _('netgroups')
     object_class = ['ipaobject', 'ipaassociation', 'ipanisnetgroup']
+    permission_filter_objectclasses = ['ipanisnetgroup']
     default_attributes = [
         'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
         'memberuser', 'memberhost', 'member', 'memberindirect',
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 071544aa..64deb99e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -99,9 +99,6 @@ EXAMPLES:
 register = Registry()
-VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup',
-                      u'netgroup', u'dnsrecord',)
-
 _DEPRECATED_OPTION_ALIASES = {
     'permissions': 'ipapermright',
     'filter': 'ipapermtargetfilter',
@@ -141,6 +138,15 @@ class DNOrURL(DNParam):
         return super(DNOrURL, self)._convert_scalar(value, index=index)
+def validate_type(ugettext, typestr):
+    try:
+        obj = api.Object[typestr]
+    except KeyError:
+        return _('"%s" is not an object type') % typestr
+    if not getattr(obj, 'permission_filter_objectclasses', None):
+        return _('"%s" is not a valid permission type') % typestr
+
+
 @register()
 class permission(baseldap.LDAPObject):
     """
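Review bot: `validate_type` looks the type up with `api.Object[typestr]` exactly as typed, whereas its consumer later in this patch, preprocess_options, does `self.api.Object[objtype.lower()]`; the two sites should agree on case normalisation, otherwise a value such as `Host` is rejected by the validator while the code that actually builds the ACI filter would accept it on any path where the validator did not run. I would either look up `typestr.lower()` here or drop the `.lower()` there, and pick one deliberately. The new function also has no docstring; I would add `"""Validate the permission 'type' option: accept only registered objects that declare permission_filter_objectclasses."""` so the opt-in rule is stated where it is enforced.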
@@ -247,12 +253,11 @@ class permission(baseldap.LDAPObject):
             doc=_('User group to apply permissions to (sets target)'),
             flags={'ask_create', 'virtual_attribute'},
         ),
-        StrEnum(
-            'type?',
+        Str(
+            'type?', validate_type,
             label=_('Type'),
             doc=_('Type of IPA object '
                   '(sets subtree and objectClass targetfilter)'),
-            values=VALID_OBJECT_TYPES,
             flags={'ask_create', 'virtual_attribute'},
         ),
     ) + tuple(
@@ -310,19 +315,22 @@ class permission(baseldap.LDAPObject):
         # type
         if ipapermtargetfilter and ipapermlocation:
-            for objname in VALID_OBJECT_TYPES:
-                obj = self.api.Object[objname]
+            for obj in self.api.Object():
+                filter_objectclasses = getattr(
+                    obj, 'permission_filter_objectclasses', None)
+                if not filter_objectclasses:
+                    continue
                 wantdn = DN(obj.container_dn, self.api.env.basedn)
                 if DN(ipapermlocation) != wantdn:
                     continue
-                for objclass in obj.object_class:
+                for objclass in filter_objectclasses:
                     filter_re = '\(objectclass=%s\)' % re.escape(objclass)
                     if not any(re.match(filter_re, tf, re.I)
                                for tf in ipapermtargetfilter):
                         break
                 else:
-                    entry.single_value['type'] = objname
+                    entry.single_value['type'] = unicode(obj.name)
                     break
         # old output names
@@ -684,7 +692,7 @@ class permission(baseldap.LDAPObject):
                     error=_('subtree and type are mutually exclusive'))
             obj = self.api.Object[objtype.lower()]
             new_values = [u'(objectclass=%s)' % o
-                          for o in obj.object_class]
+                          for o in obj.permission_filter_objectclasses]
             filter_ops['add'].extend(new_values)
             container_dn = DN(obj.container_dn, self.api.env.basedn)
             options['ipapermlocation'] = container_dn
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 67fbea67..25f02cd1 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
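Review bot: The rewritten type-detection loop in postprocess_result relies on a `for ... else` whose `else` runs only when every entry of `filter_objectclasses` was found in `ipapermtargetfilter`, and neither that nor the fact that the first matching registered object wins (`break`) is commented; I would put `# report a type only if the location is the object's container AND every filter objectClass appears in the target filter` above `for obj in self.api.Object():`. The pattern built on the context line, `filter_re = '\(objectclass=%s\)' % re.escape(objclass)`, is a non-raw string that depends on Python preserving the unknown escape `\(`; `r'\(objectclass=%s\)'` states the intent and avoids the invalid-escape warning on newer interpreters. The enclosing method starts and ends outside the hunk.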
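Review bot: `for o in obj.permission_filter_objectclasses` in preprocess_options dereferences the attribute without the guard validate_type applies, so an object whose attribute is `None` (the LDAPObject default added in this patch) would raise TypeError, an internal error, rather than a ValidationError if a type value reaches this point without the param validator having run; I cannot confirm from the hunk whether such a path exists, so a cheap defensive check seems worth it, `if not obj.permission_filter_objectclasses:` followed by the same ValidationError the mutual-exclusion check just above raises, with `name='type'` and the message validate_type uses. The `.lower()` on this lookup also differs from the exact-case lookup in validate_type; the two should use the same normalisation. The enclosing method starts and ends outside the hunk.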
@@ -299,6 +299,7 @@ class service(LDAPObject):
         'ipaservice', 'pkiuser'
     ]
     possible_objectclasses = ['ipakrbprincipal']
+    permission_filter_objectclasses = ['ipaservice']
     search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
     default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
         'ipakrbauthzdata',]
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 539dd896..edda273b 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -209,6 +209,7 @@ class user(LDAPObject):
         'ipatokenradiusproxyuser'
     ]
     disallow_object_classes = ['krbticketpolicyaux']
+    permission_filter_objectclasses = ['posixaccount']
     search_attributes_config = 'ipausersearchfields'
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
-- 
cgit
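Review bot: `permission_filter_objectclasses = ['ipaservice']` picks a class that host entries also carry — host.py in this same patch lists `'ipaservice'` in the host `object_class` — so the objectClass filter alone does not distinguish services from hosts; the separation rests entirely on preprocess_options pinning `ipapermlocation` to the services container. Because this list now replaces the full `object_class` set in the ACI target filter, that is a widening worth recording next to the value: `permission_filter_objectclasses = ['ipaservice']  # hosts carry ipaservice too; only the subtree (services container) keeps them out`. If a permission's location can later be changed independently of its type, which I cannot tell from this patch, such an ACI would then cover hosts as well. The service class body starts and ends outside the hunk.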
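Review bot: `permission_filter_objectclasses = ['posixaccount']` opts the user object in with a generic RFC 2307 class where every other object in this patch uses an IPA-specific one (`ipahost`, `ipausergroup`, `ipahostgroup`, `ipanisnetgroup`, `ipaservice`, `idnsrecord`), and since this list replaces the full `object_class` set in the ACI target filter (preprocess_options in this patch), a `--type=user` permission now applies to any posixAccount entry under the users container rather than only to entries carrying all of an IPA user's classes. Nothing in the hunk says why this class was chosen, so at minimum record the rationale, e.g. `permission_filter_objectclasses = ['posixaccount']  # every IPA user carries this; any posixAccount under the users container is covered`, and confirm that no non-user posixAccount entries can live under that container. The user class body starts and ends outside the hunk.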