authorFraser Tweedale <ftweedal@redhat.com>2017-01-25 15:51:46 +1000
committerTomas Krizek <tkrizek@redhat.com>2017-03-03 12:09:57 +0100
commit2066a80be21258d9311ae374fe124d9ac3b79acd (patch)
tree7b5536c786aa4a374815c234767a3f1663ab64d8
parent223a48b6d9916069971f79ab324ead26fa21c79d (diff)
Remove redundant principal_type argument
Minor refactor to remove the redundant 'principal_type' argument from 'caacl_check' and associated functions. Part of: https://pagure.io/freeipa/issue/5011 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-rw-r--r--ipaserver/plugins/caacl.py8
-rw-r--r--ipaserver/plugins/cert.py13
2 files changed, 12 insertions, 9 deletions
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index a7817c4cf..ff1178ad7 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -151,7 +151,13 @@ def _acl_make_rule(principal_type, obj):
return rule
-def acl_evaluate(principal_type, principal, ca_id, profile_id):
+def acl_evaluate(principal, ca_id, profile_id):
+ if principal.is_user:
+ principal_type = 'user'
+ elif principal.is_host:
+ principal_type = 'host'
+ else:
+ principal_type = 'service'
req = _acl_make_request(principal_type, principal, ca_id, profile_id)
acls = api.Command.caacl_find(no_members=False)['result']
rules = [_acl_make_rule(principal_type, obj) for obj in acls]
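Review bot: The final `else:` in the new type derivation in `acl_evaluate` classifies every principal that is neither a user nor a host as `'service'`, so the CA ACL decision now rests on a catch-all. The removed `principal_type_map[principal_type]` lookup in `caacl_check` raised on an unmapped type instead. The visible callers in cert.py route KRBTGT away before calling, but nothing in this function enforces that for other callers. Consider making the last case explicit with `elif principal.is_service:` (assuming the principal class exposes such a property, which should be confirmed) and raising in the remaining `else:` so an unexpected principal fails closed. At minimum, add a comment such as `# any principal that is not a user or host is evaluated against service rules`. The body of `acl_evaluate` continues past the end of this hunk.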
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 585a70ef9..46518d9bd 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -200,11 +200,9 @@ def ca_enabled_check(_api):
if not _api.Command.ca_is_enabled()['result']:
raise errors.NotFound(reason=_('CA is not configured'))
-def caacl_check(principal_type, principal, ca, profile_id):
- principal_type_map = {USER: 'user', HOST: 'host', SERVICE: 'service'}
- if not acl_evaluate(
- principal_type_map[principal_type],
- principal, ca, profile_id):
+
+def caacl_check(principal, ca, profile_id):
+ if not acl_evaluate(principal, ca, profile_id):
raise errors.ACIError(info=_(
"Principal '%(principal)s' "
"is not permitted to use CA '%(ca)s' "
@@ -599,7 +597,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
if principal_type == KRBTGT:
ca_kdc_check(ldap, bind_principal.hostname)
else:
- caacl_check(principal_type, principal, ca, profile_id)
+ caacl_check(principal, ca, profile_id)
try:
csr_obj = pkcs10.load_certificate_request(csr)
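Review bot: After this change the KRBTGT branch still keys off the caller's `principal_type`, while `caacl_check(principal, ca, profile_id)` derives the type from the principal object, so one authorization path now uses two classifications that must agree. This matters more in the later `cert_request` hunk: the old call passed the requester's `principal_type` together with `alt_principal`, and the new call `caacl_check(alt_principal, ca, profile_id)` derives the type from `alt_principal` itself. If the two can ever differ, that is a behaviour change in ACL evaluation rather than a pure refactor; the page does not show how `alt_principal` is built, so this is worth confirming. A short comment at the call, e.g. `# ACL type is derived from alt_principal, not from principal_type`, and a test covering a subject alternative name principal would pin the intended behaviour. The surrounding method starts and ends outside the hunk.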
@@ -756,8 +754,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
if principal_type == KRBTGT:
ca_kdc_check(ldap, alt_principal.hostname)
else:
- caacl_check(principal_type, alt_principal, ca,
- profile_id)
+ caacl_check(alt_principal, ca, profile_id)
elif isinstance(gn, (x509.KRB5PrincipalName, x509.UPN)):
if principal_type == KRBTGT: