When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes the InvalidSyntax error is raised.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From 80326444a08076f6e8a1f62296ea33413b526a9b Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <oham...@redhat.com>
Date: Sun, 26 Feb 2012 03:38:08 +0100
Subject: [PATCH] Validate attributes in permission-add

When adding or modifying permission with both type and attributes
specified, check whether the attributes are allowed for specified type.
In case of disallowed attributes raise the InvalidSyntax exception.

New tests were also added to the unit-tests.

https://fedorahosted.org/freeipa/ticket/2293
---
 ipalib/plugins/permission.py                |   54 ++++++++++++++++++++++
 tests/test_xmlrpc/test_permission_plugin.py |   65 +++++++++++++++++++++++++++
 2 files changed, 119 insertions(+), 0 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 08781ce2ef3df30d10565a071a338edf77c52d23..ca10424532f65a13a62c88fa861945b63eade959 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -89,6 +89,43 @@ output_params = (
     ),
 )
 
+dn_ipaconfig='cn=ipaconfig,cn=etc,'+api.env.basedn
+
+def check_attrs(attrs, type):
+    # Trying to delete attributes - no need for validation
+    if attrs is None:
+        return True
+    allowed_objcls=[]
+    disallowed_objcls=[]
+    obj=api.Object[type]
+
+    if type in ['user','group']:
+        (dn,objcls)=api.Backend.ldap2.get_entry(
+            dn_ipaconfig,[obj.object_class_config]
+            )
+        allowed_objcls=objcls[obj.object_class_config]
+    else:
+        allowed_objcls=obj.object_class
+    if hasattr(obj,'possible_objectclasses'):
+        allowed_objcls+=obj.possible_objectclasses
+    if hasattr(obj,'disallow_object_classes'):
+        disallowed_objcls=obj.disallow_object_classes
+
+    allowed_attrs=[]
+    disallowed_attrs=[]
+    if allowed_objcls:
+        allowed_attrs=api.Backend.ldap2.get_allowed_attributes(allowed_objcls)
+    if disallowed_objcls:
+        disallowed_attrs=api.Backend.ldap2.get_allowed_attributes(disallowed_objcls)
+    failed_attrs=[]
+    for attr in attrs:
+        if (attr not in allowed_attrs) or (attr in disallowed_attrs):
+            failed_attrs.append(attr)
+    if failed_attrs:
+        raise errors.InvalidSyntax(attr=','.join(failed_attrs))
+    return True
+
+
 class permission(LDAPObject):
     """
     Permission object.
@@ -192,6 +229,8 @@ class permission_add(LDAPCreate):
         opts['permission'] = keys[-1]
         opts['aciprefix'] = ACI_PREFIX
         try:
+            if 'type' in entry_attrs and 'attrs' in entry_attrs:
+                check_attrs(entry_attrs['attrs'],entry_attrs['type'])
             self.api.Command.aci_add(keys[-1], **opts)
         except Exception, e:
             raise e
@@ -273,6 +312,21 @@ class permission_mod(LDAPUpdate):
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
 
+        # check the correctness of attributes only when the type is specified
+        type=None
+        attrs_to_check=[]
+        current_values=self.api.Command.permission_show(attrs['cn'][0])['result']
+        if 'type' in entry_attrs:
+            type = entry_attrs['type']
+        elif 'type' in current_values:
+            type = current_values['type']
+        if 'attrs' in entry_attrs:
+            attrs_to_check = entry_attrs['attrs']
+        elif 'attrs' in current_values:
+            attrs_to_check = current_values['attrs']
+        if attrs_to_check and type is not None:
+            check_attrs(attrs_to_check,type)
+
         # when renaming permission, check if the target permission does not
         # exists already. Then, make changes to underlying ACI
         if 'rename' in options:
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index e8e6bebcd387307f30e4a7bc4d266092b7e41424..15e12e5c5868d7fbc21ce3f5797089150bf6c5e6 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -124,6 +124,71 @@ class test_permission(Declarative):
 
 
         dict(
+            desc='Try to create %r with invalid attribute \'ipaclientversion\'' % permission2,
+            command=(
+                'permission_add', [permission2], dict(
+                     type=u'user',
+                     permissions=u'write',
+                     attrs=u'ipaclientversion',
+                ),
+            ),
+            expected=errors.InvalidSyntax(attr=u'ipaclientversion'),
+        ),
+
+
+        dict(
+            desc='Add allowed attribute \'cn\' to %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                     attrs=u'cn',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Modified permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    type=u'user',
+                    permissions=[u'write'],
+                    attrs=[u'cn'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Try to modify %r with invalid attribute \'ipaclientversion\'' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                     attrs=u'ipaclientversion',
+                ),
+            ),
+            expected=errors.InvalidSyntax(attr=u'ipaclientversion'),
+        ),
+
+
+        dict(
+            desc='Unset attribute \'cn\' of %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                     attrs=None,
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Modified permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    type=u'user',
+                    permissions=[u'write'],
+                ),
+            ),
+        ),
+
+
+        dict(
             desc='Create %r' % privilege1,
             command=('privilege_add', [privilege1],
                 dict(description=u'privilege desc. 1')
-- 
1.7.6.5

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to