update_managed_permissions: Pass around anonymous ACI rather than its blacklist

It turns out the ACI object of the anonymous read ACI, rather than just the list of its attributes, will be useful in the future. Change the plugin so that the ACI object is passed around. Reviewed-By: Martin Kosek <mkosek@redhat.com>
author: Petr Viktorin <pviktori@redhat.com> 2014-04-29 21:15:05 +0200
committer: Petr Viktorin <pviktori@redhat.com> 2014-05-26 12:12:35 +0200
commit: 993c1c8557aafb890199b1c443ebd2d895ae6ba6 (patch)
tree: aaa048dee0a530223a5070f3df77caa9beff00b3
parent: 791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f (diff)
download: freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.tar.gz
freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.tar.xz
freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.zip
1 files changed, 18 insertions, 17 deletions
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 92e5d963b..175a5bf47 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -229,8 +229,7 @@ class update_managed_permissions(PostUpdate):
     """
     order = LAST
 
-    def get_anonymous_read_blacklist(self, ldap):
-        """Get the list of attributes from the legacy anonymous access ACI"""
+    def get_anonymous_read_aci(self, ldap):
         aciname = u'Enable Anonymous access'
         aciprefix = u'none'
 
@@ -239,19 +238,19 @@ class update_managed_permissions(PostUpdate):
         acistrs = base_entry.get('aci', [])
         acilist = aci._convert_strings_to_acis(acistrs)
         try:
-            rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
+            return aci._find_aci_by_name(acilist, aciprefix, aciname)
         except errors.NotFound:
-            self.log.info('Anonymous ACI not found, using no blacklist')
-            return []
-
-        return rawaci.target['targetattr']['expression']
+            return None
 
     def execute(self, **options):
         ldap = self.api.Backend[ldap2]
 
-        anonymous_read_blacklist = self.get_anonymous_read_blacklist(ldap)
+        anonymous_read_aci = self.get_anonymous_read_aci(ldap)
 
-        self.log.info('Anonymous read blacklist: %s', anonymous_read_blacklist)
+        if anonymous_read_aci:
+            self.log.info('Anonymous read ACI: %s', anonymous_read_aci)
+        else:
+            self.log.info('Anonymous ACI not found')
 
         for obj in self.api.Object():
             managed_permissions = getattr(obj, 'managed_permissions', {})
@@ -262,17 +261,16 @@ class update_managed_permissions(PostUpdate):
                                        obj,
                                        unicode(name),
                                        template,
-                                       anonymous_read_blacklist)
+                                       anonymous_read_aci)
 
         self.log.info('Updating non-object managed permissions')
         for name, template in NONOBJECT_PERMISSIONS.iteritems():
             self.update_permission(ldap, None, unicode(name), template,
-                                   anonymous_read_blacklist)
+                                   anonymous_read_aci)
 
         return False, False, ()
 
-    def update_permission(self, ldap, obj, name, template,
-                          anonymous_read_blacklist):
+    def update_permission(self, ldap, obj, name, template, anonymous_read_aci):
         """Update the given permission and the corresponding ACI"""
         assert name.startswith('System:')
 
@@ -289,7 +287,7 @@ class update_managed_permissions(PostUpdate):
 
         self.log.debug('Updating managed permission: %s', name)
         self.update_entry(obj, entry, template,
-                          anonymous_read_blacklist, is_new=is_new)
+                          anonymous_read_aci, is_new=is_new)
 
         if is_new:
             ldap.add_entry(entry)
@@ -305,7 +303,7 @@ class update_managed_permissions(PostUpdate):
         self.api.Object[permission].update_aci(entry)
 
     def update_entry(self, obj, entry, template,
-                     anonymous_read_blacklist, is_new):
+                     anonymous_read_aci, is_new):
         """Update the given permission Entry (without contacting LDAP)"""
 
         [name_ava] = entry.dn[0]
@@ -365,8 +363,11 @@ class update_managed_permissions(PostUpdate):
         entry['ipapermdefaultattr'] = list(attributes)
 
         # Exclude attributes filtered from the global read ACI
-        if template.pop('replaces_global_anonymous_aci', False) and is_new:
-            read_blacklist = set(a.lower() for a in anonymous_read_blacklist)
+        replaces_ga_aci = template.pop('replaces_global_anonymous_aci', False)
+        if replaces_ga_aci and is_new and anonymous_read_aci:
+            read_blacklist = set(
+                a.lower() for a in
+                anonymous_read_aci.target['targetattr']['expression'])
             read_blacklist &= attributes
             if read_blacklist:
                 self.log.info('Excluded attributes for %s: %s',
author	Petr Viktorin <pviktori@redhat.com>	2014-04-29 21:15:05 +0200
committer	Petr Viktorin <pviktori@redhat.com>	2014-05-26 12:12:35 +0200
commit	993c1c8557aafb890199b1c443ebd2d895ae6ba6 (patch)
tree	aaa048dee0a530223a5070f3df77caa9beff00b3
parent	791ec1e0141a4aa3ab9a8a9717f0664d9a1f792f (diff)
download	freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.tar.gz freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.tar.xz freeipa-993c1c8557aafb890199b1c443ebd2d895ae6ba6.zip