There were two problems:
1. memberof wasn't in the list of things we looked for in the return
value from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now save a
lookup and potentially returning a NotFound if an aci points to a group
that no longer exists.
https://fedorahosted.org/freeipa/ticket/2100
rob
>From 8fe31617d48e85711be3a242bcd5e4f12e79c7fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 6 Dec 2011 18:15:41 -0500
Subject: [PATCH] Display the value of memberOf ACIs in permission plugin.
There were two problems:
1. memberof wasn't in the list of things we looked for in the return value
from aci_show()
2. The value wasn't being translated into a group name.
Use the DN class to retrieve the group name from the memberof URI.
Note that I changed the parsing for targetgroup as well. We now save a lookup
and potentially returning a NotFound if an aci points to a group that no
longer exists.
https://fedorahosted.org/freeipa/ticket/2100
---
ipalib/plugins/aci.py | 11 +++--
ipalib/plugins/permission.py | 2 +-
tests/test_xmlrpc/test_permission_plugin.py | 56 +++++++++++++++++++++++++++
3 files changed, 64 insertions(+), 5 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 7ace05e..4b85bc9 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -122,6 +122,7 @@ from ipalib import api, crud, errors
from ipalib import Object, Command
from ipalib import Flag, Int, Str, StrEnum
from ipalib.aci import ACI
+from ipalib.dn import DN
from ipalib import output
from ipalib import _, ngettext
if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -312,8 +313,10 @@ def _aci_to_kw(ldap, a, test=False):
kw['attrs'] = tuple(kw['attrs'])
if 'targetfilter' in a.target:
target = a.target['targetfilter']['expression']
- if target.startswith('(memberOf') or target.startswith('memberOf'):
- kw['memberof'] = unicode(target)
+ if target.startswith('(memberOf=') or target.startswith('memberOf='):
+ (junk, memberof) = target.split('memberOf=', 1)
+ memberof = DN(memberof)
+ kw['memberof'] = memberof['cn']
else:
kw['filter'] = unicode(target)
if 'target' in a.target:
@@ -332,8 +335,8 @@ def _aci_to_kw(ldap, a, test=False):
# targetgroup attr, otherwise we consider it a subtree
if api.env.container_group in target:
targetdn = unicode(target.replace('ldap:///',''))
- (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
- kw['targetgroup'] = entry_attrs['cn'][0]
+ target = DN(targetdn)
+ kw['targetgroup'] = target['cn']
else:
kw['subtree'] = unicode(target)
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index c48979f..457fe80 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -98,7 +98,7 @@ class permission(LDAPObject):
'memberindirect', 'ipapermissiontype',
]
aci_attributes = ['group', 'permissions', 'attrs', 'type',
- 'filter', 'subtree', 'targetgroup',
+ 'filter', 'subtree', 'targetgroup', 'memberof',
]
attribute_members = {
'member': ['privilege'],
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index a116a66..e9017a7 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -438,4 +438,60 @@ class test_permission(Declarative):
)
),
+
+ dict(
+ desc='Create memberof permission %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ memberof=u'editors',
+ permissions=u'write',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ memberof=u'editors',
+ permissions=[u'write'],
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ )
+ ),
+
+
+ dict(
+ desc='Create targetgroup permission %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ targetgroup=u'editors',
+ permissions=u'write',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=lambda x: DN(x) == permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ targetgroup=u'editors',
+ permissions=[u'write'],
+ ),
+ ),
+ ),
+
+
]
--
1.7.6
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel