From a58cbb985ec007c0ef83010b32408efb2f4784d2 Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <ohamada@redhat.com>
Date: Wed, 21 Mar 2012 13:30:42 +0100
Subject: Search allowed attributes in superior objectclasses

get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipaserver/plugins/ldap2.py                  |  3 +++
 tests/test_xmlrpc/test_permission_plugin.py | 35 +++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index dd575673..178386c6 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -401,6 +401,9 @@ class ldap2(CrudBackend, Encoder):
             obj = self.schema.get_obj(_ldap.schema.ObjectClass, oc)
             if obj is not None:
                 allowed_attributes += obj.must + obj.may
+                # look for allowed attributes in the superior objectclasses
+                if obj.sup:
+                    allowed_attributes += self.get_allowed_attributes(obj.sup,raise_on_unknown)
             elif raise_on_unknown:
                 raise errors.NotFound(reason=_('objectclass %s not found') % oc)
         return [unicode(a).lower() for a in list(set(allowed_attributes))]
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 68a3cebf..2ce1bdf3 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -656,6 +656,41 @@ class test_permission(Declarative):
         ),
 
 
+        dict(
+            desc='Create permission %r with attributes from superior objectclass' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                     type=u'hostgroup',
+                     permissions=u'add,delete,write',
+                     attrs=u'businessCategory,owner,description',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    type=u'hostgroup',
+                    permissions=[u'add',u'delete',u'write'],
+                    attrs=[u'businesscategory',u'owner',u'description'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Delete %r' % permission1,
+            command=('permission_del', [permission1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=permission1,
+                summary=u'Deleted permission "%s"' % permission1,
+            ),
+        ),
+
+
         dict(
             desc='Create targetgroup permission %r' % permission1,
             command=(
-- 
cgit