There were two problems:

1. memberof wasn't in the list of things we looked for in the return value from aci_show()
2. The value wasn't being translated into a group name.

Use the DN class to retrieve the group name from the memberof URI.

Note that I changed the parsing for targetgroup as well. We now save a lookup and avoid potentially returning a NotFound if an aci points to a group that no longer exists.

https://fedorahosted.org/freeipa/ticket/2100

rob
>From 8fe31617d48e85711be3a242bcd5e4f12e79c7fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 6 Dec 2011 18:15:41 -0500
Subject: [PATCH] Display the value of memberOf ACIs in permission plugin.

There were two problems:

1. memberof wasn't in the list of things we looked for in the return value
   from aci_show()
2. The value wasn't being translated into a group name.

Use the DN class to retrieve the group name from the memberof URI.

Note that I changed the parsing for targetgroup as well. We now save a lookup
and avoid potentially returning a NotFound if an aci points to a group that no
longer exists.

https://fedorahosted.org/freeipa/ticket/2100
---
 ipalib/plugins/aci.py                       |   11 +++--
 ipalib/plugins/permission.py                |    2 +-
 tests/test_xmlrpc/test_permission_plugin.py |   56 +++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7ace05e..4b85bc9 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -122,6 +122,7 @@ from ipalib import api, crud, errors
 from ipalib import Object, Command
 from ipalib import Flag, Int, Str, StrEnum
 from ipalib.aci import ACI
+from ipalib.dn import DN
 from ipalib import output
 from ipalib import _, ngettext
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -312,8 +313,10 @@ def _aci_to_kw(ldap, a, test=False):
         kw['attrs'] = tuple(kw['attrs'])
     if 'targetfilter' in a.target:
         target = a.target['targetfilter']['expression']
-        if target.startswith('(memberOf') or target.startswith('memberOf'):
-            kw['memberof'] = unicode(target)
+        if target.startswith('(memberOf=') or target.startswith('memberOf='):
+            (junk, memberof) = target.split('memberOf=', 1)
+            memberof = DN(memberof)
+            kw['memberof'] = memberof['cn']
         else:
             kw['filter'] = unicode(target)
     if 'target' in a.target:
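Review bot: `kw['memberof'] = memberof['cn']` reduces the whole memberOf DN to a bare cn without checking that the DN sits under the group container, so a filter naming an entry with `cn=editors` in some other subtree would be listed as the group `editors`. The same applies to `target['cn']` in the targetgroup hunk further down, although that branch is at least guarded by `api.env.container_group in target`. For an access-control listing it is safer to compare the DN's parent with the group container and fall back to `kw['filter'] = unicode(target)` when it does not match. Separately, when the expression starts with `(memberOf=` the split leaves the closing `)` on the string handed to `DN()`, and a DN with no cn RDN would presumably raise from the subscript; `(junk, memberof) = target.strip('()').split('memberOf=', 1)` plus catching that error would keep one unusual ACI from breaking the listing. `_aci_to_kw` starts and ends outside this hunk.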
@@ -332,8 +335,8 @@ def _aci_to_kw(ldap, a, test=False):
                 # targetgroup attr, otherwise we consider it a subtree
                 if api.env.container_group in target:
                     targetdn = unicode(target.replace('ldap:///',''))
-                    (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
-                    kw['targetgroup'] = entry_attrs['cn'][0]
+                    target = DN(targetdn)
+                    kw['targetgroup'] = target['cn']
                 else:
                     kw['subtree'] = unicode(target)
 
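Review bot: The added `target = DN(targetdn)` rebinds `target` from the `ldap:///` URI string to a DN object, and `_aci_to_kw` continues past the end of this hunk, so any later use of `target` as a string would see the wrong type. A separate name avoids that: `group_dn = DN(targetdn)` followed by `kw['targetgroup'] = group_dn['cn']`. With the `ldap.get_entry()` call removed, an ACI whose target group has been deleted is now shown with an ordinary-looking group name; that is the stated intent, but a comment such as `# name is taken from the DN; the group entry is not checked to exist` would help anyone auditing permissions later.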
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index c48979f..457fe80 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -98,7 +98,7 @@ class permission(LDAPObject):
         'memberindirect', 'ipapermissiontype',
     ]
     aci_attributes = ['group', 'permissions', 'attrs', 'type',
-        'filter', 'subtree', 'targetgroup',
+        'filter', 'subtree', 'targetgroup', 'memberof',
     ]
     attribute_members = {
         'member': ['privilege'],
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index a116a66..e9017a7 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -438,4 +438,60 @@ class test_permission(Declarative):
             )
         ),
 
+
+        dict(
+            desc='Create memberof permission %r' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                     memberof=u'editors',
+                     permissions=u'write',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    memberof=u'editors',
+                    permissions=[u'write'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Delete %r' % permission1,
+            command=('permission_del', [permission1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=permission1,
+                summary=u'Deleted permission "%s"' % permission1,
+            )
+        ),
+
+
+        dict(
+            desc='Create targetgroup permission %r' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                     targetgroup=u'editors',
+                     permissions=u'write',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    targetgroup=u'editors',
+                    permissions=[u'write'],
+                ),
+            ),
+        ),
+
+
     ]
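Review bot: The three added cases assert only the result of `permission_add` with a bare group name, so the paths this patch changes are not pinned down as far as this hunk shows. A `permission_show` (or `permission_find`) case expecting `memberof=u'editors'` would cover the display problem from the ticket. A second case should create a targetgroup permission, delete the group, and then show the permission, since the commit message says that situation no longer returns NotFound. The last `permission_add` here is also not followed by a `permission_del`; if the class does not clean up `permission1` elsewhere, a re-run would start from a dirty state. The test list begins outside this hunk.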
-- 
1.7.6
