author | Petr Viktorin <pviktori@redhat.com> | 2014-01-21 12:13:47 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-02-21 14:33:49 +0100 |
commit | 773e006ddd98cf9beabfada9d2830276826ab043 (patch) | |
tree | e5a3bb82c9cd49f282343a70d814b6009ad806bb /ipalib/plugins/permission.py | |
parent | eef5acd9d73c81133969521ed9fc7e82d5f180ab (diff) | |
permission plugin: Do not assume attribute-level rights for new attributes are present
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.
https://fedorahosted.org/freeipa/ticket/4121
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipalib/plugins/permission.py')
-rw-r--r-- | ipalib/plugins/permission.py | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 64deb99ef..670e3f1c6 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -342,13 +342,16 @@ class permission(baseldap.LDAPObject):
 rights = entry.get('attributelevelrights')
 if rights:
- rights['memberof'] = rights['ipapermtargetfilter']
- rights['targetgroup'] = rights['ipapermtarget']
-
- type_rights = set(rights['ipapermtargetfilter'])
- type_rights.intersection_update(rights['ipapermlocation'])
- rights['type'] = ''.join(sorted(
- type_rights, key=rights['ipapermtargetfilter'].index))
+ if 'ipapermtarget' in rights:
+ rights['targetgroup'] = rights['ipapermtarget']
+ if 'ipapermtargetfilter' in rights:
+ rights['memberof'] = rights['ipapermtargetfilter']
+
+ type_rights = set(rights['ipapermtargetfilter'])
+ location_rights = set(rights.get('ipapermlocation', ''))
+ type_rights.intersection_update(location_rights)
+ rights['type'] = ''.join(sorted(
+ type_rights, key=rights['ipapermtargetfilter'].index))
 if 'ipapermincludedattr' in rights:
 rights['attrs'] = ''.join(sorted( |
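Review bot: The new guards give "rights not available" two different shapes. A missing `ipapermlocation` yields `rights['type'] == ''` through `rights.get('ipapermlocation', '')`, while a missing `ipapermtargetfilter` leaves `type` and `memberof` out of the dict entirely. The page has lost its indentation, so I am assuming the `type_rights` computation sits inside the `ipapermtargetfilter` branch. Reporting no rights for an entry without the ipaPermissionV2 data is the safe direction, but that intent should be written down so a later change does not "fix" the empty value by defaulting to the other attribute's rights; above `location_rights` I would add `# No ipapermlocation rights (entry lacks ipaPermissionV2): report none for 'type' rather than guessing`. Consumers of `attributelevelrights` are not visible here, so it is worth confirming they treat an absent `type`/`memberof` key the same as an empty string. The enclosing method starts and ends outside this hunk.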