author | Martin Basti <mbasti@redhat.com> | 2015-07-09 16:48:36 +0200 |
committer | Jan Cholasta <jcholast@redhat.com> | 2015-07-17 04:57:54 +0000 |
commit | a619a1e211927c27f5c034dec8c1a1bbc03720f2 (patch) | |
tree | cfca7a39e739e7ca4b9dec62cb45e9cb638501f0 | |
parent | a0ce9e6b09f8e35284bc8c97bd63d1e019ca8142 (diff) | |
Validate adding privilege to a permission
Adding a privilege to a permission via the web UI allowed bypassing the check and adding a permission
with an improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-rw-r--r-- | ipalib/plugins/permission.py | 7 | ||||
-rw-r--r-- | ipalib/plugins/privilege.py | 51 |
2 files changed, 33 insertions, 25 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935..7d2a4dd15 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359..ffb903e03 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
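Review bot: The lookup in the new `permission_add_member.pre_callback` runs on every call, including invocations that attach no privilege at all, whereas the sibling check in `privilege_add_permission.pre_callback` is guarded by `if options.get('permission'):`. Guard it the same way so the extra LDAP search only happens when a privilege is actually being added: wrap the call as `if options.get('privilege'):` followed by `validate_permission_to_privilege(self.api, keys[-1])`. The method also has no docstring; a one-liner such as `"""Refuse to attach privileges to a permission whose bind rule type is not "permission"."""` would state the invariant being enforced. The validation is a directory read that precedes the member write rather than a constraint the directory itself enforces, so it is worth a short comment saying that any other path that edits this membership must call the same helper.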
@@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()
 
 
+def validate_permission_to_privilege(api, permission):
+    ldap = api.Backend.ldap2
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(api.env.container_permission, api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
     """
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self.api, options['permission'])
         return dn
 
 
|
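Review bot: `validate_permission_to_privilege` has no docstring, and its contract is not obvious from the body: `permission` may be a single name or a list (it goes to `make_filter_from_attr` with `rules='|'`), only `ipaPermissionV2` entries whose bind rule type is anything other than `permission` are rejected, and the function either returns None or raises `errors.ValidationError` naming the first offending entry. A docstring stating those three points, and that old-style (non-V2) permissions pass by design, would spare the next reader from reconstructing the filter. One wording nit: the fallback in `entry.single_value.get('ipapermbindruletype', 'permission')` makes the error read as "cannot add permission X with bindtype "permission"" for a V2 entry that lacks the attribute, which contradicts itself; if that state can actually occur, a distinct fallback such as `'<unset>'` would be clearer. `truncated` from `find_entries` is bound but never read; a short comment that the `size_limit=1` truncation is intentionally ignored, or not naming it, would make that deliberate. The call-site hunk in `privilege_add_permission.pre_callback` is only the replacement by the helper and needs nothing further.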