The permission commands were not filtering their options properly before
passing them to the underlying ACI commands. This upset the new input
validation when --addattr/--setattr was used.
This patch adds a filter that only lets options listed in aci_attributes
through to the ACI commands.
https://fedorahosted.org/freeipa/ticket/2885
--
Petr³
From e06fd2eaa47c7b06641c3eb85961b0d852e32839 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 29 Jun 2012 07:24:14 -0400
Subject: [PATCH] Explicitly filter options that permission-{add,mod} passes
to aci-{add,mod}
Make permission commands not pass options that the underlying ACI commands
do not understand.
Update tests.
Remove some extraneous imports of the `copy` module.
https://fedorahosted.org/freeipa/ticket/2885
---
ipalib/plugins/delegation.py | 1 -
ipalib/plugins/permission.py | 19 +++++++++----------
ipalib/plugins/selfservice.py | 2 --
ipalib/plugins/user.py | 1 -
tests/test_xmlrpc/test_permission_plugin.py | 11 ++++++++++-
5 files changed, 19 insertions(+), 15 deletions(-)
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index f602507bd1b1ccd08ed61fc5e9ed07ccd5974999..0f3eecd7b429de97a3cbe60eb150363152419495 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -18,7 +18,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
from ipalib import api, _, ngettext
from ipalib import Flag, Str
from ipalib.request import context
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index ec3d78d1b2eece4ca8233dbb2b9aa69a2b943d96..89f9eaa628ebd41c376e3da8130c6079dc0508c9 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -17,8 +17,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
-
from ipalib.plugins.baseldap import *
from ipalib import api, _, ngettext
from ipalib import Flag, Str, StrEnum
@@ -189,6 +187,11 @@ def check_system(self, ldap, dn, *keys):
return False
return True
+ def filter_aci_attributes(self, options):
+ """Return option dictionary that only includes ACI attributes"""
+ return dict((k, v) for k, v in options.items() if
+ k in self.aci_attributes)
+
api.register(permission)
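Review bot: The docstring on `filter_aci_attributes` does not say that the result is a fresh dictionary or that `self.aci_attributes` is the allow-list, and every caller in this patch depends on both. Each call site assigns `opts['test']`, `opts['permission']` or `opts['aciprefix']` straight after the call, so returning the caller's own `options` would be a regression. I would spell that out, for example `"""Return a new dict with only the options named in self.aci_attributes; callers may modify the result."""`. `aci_attributes` is defined outside this hunk, so its contents cannot be checked here.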
@@ -200,7 +203,7 @@ class permission_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
# Test the ACI before going any further
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
opts['test'] = True
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
@@ -217,7 +220,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
# Now actually add the aci.
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
opts['test'] = False
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
@@ -340,9 +343,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
raise errors.ValidationError(
name='rename',error=_('New name can not be empty'))
- opts = copy.copy(options)
- for o in ['all', 'raw', 'rights', 'test', 'rename']:
- opts.pop(o, None)
+ opts = self.obj.filter_aci_attributes(options)
setattr(context, 'aciupdate', False)
# If there are no options left we don't need to do anything to the
# underlying ACI.
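Review bot: Replacing the explicit `opts.pop(...)` deny-list with `filter_aci_attributes` means any option missing from `aci_attributes` is now dropped silently, where it would previously have reached `aci_mod` and failed loudly. If a permission option that affects the ACI target or rights is ever added without also being listed in `aci_attributes`, the permission entry would be updated while the ACI enforcing it stays unchanged. A comment beside the call would help, such as `# options not listed in aci_attributes never reach aci_mod; keep that list in sync with the ACI-relevant params`. `pre_callback` starts and ends outside this hunk, so the "no options left" check that follows is not visible.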
@@ -434,13 +435,11 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
# Now find all the ACIs that match. Once we find them, add any that
# aren't already in the list along with their permission info.
- opts = copy.copy(options)
+ opts = self.obj.filter_aci_attributes(options)
if aciname:
opts['aciname'] = aciname
opts['aciprefix'] = ACI_PREFIX
# permission ACI attribute is needed
- opts.pop('raw', None)
- opts.pop('sizelimit', None)
aciresults = self.api.Command.aci_find(*args, **opts)
truncated = truncated or aciresults['truncated']
results = aciresults['result']
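Review bot: The comment `# permission ACI attribute is needed` is left orphaned once the two `opts.pop(...)` lines below it are removed. It explained why `raw` was stripped, but it now sits directly above the `aci_find` call with nothing to explain. Whether `raw` and `sizelimit` are still kept out of `aci_find` depends on `aci_attributes` not listing them, which this hunk does not show. I would move the comment up to the filter line and reword it, for example `# the filter must keep 'raw' and 'sizelimit' out: aci_find has to return the permission attribute`. `post_callback` continues outside the hunk.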
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 82f2a0cc0efae8d0fb6ea862228f7a70d70ddccc..2b10488543223f1e31eba3edab0b494783e8bbbb 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -17,8 +17,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import copy
-
from ipalib import api, _, ngettext
from ipalib import Flag, Str
from ipalib.request import context
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 7e98bba4c48436588ff3baffad538a426b9f5edb..c19d9a666c2894445b2baaff34d5378f5bb40dbf 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -19,7 +19,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from time import gmtime, strftime, strptime
-import copy
import string
from ipalib import api, errors
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 847b03e58a01c9e1a4678429dee80fc1389926f6..8aaa4a99990241a78c15f094ad6ae80beb48aec3 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -304,6 +304,8 @@ class test_permission(Declarative):
'permission_add', [permission2], dict(
type=u'user',
permissions=u'write',
+ setattr=u'owner=cn=test',
+ addattr=u'owner=cn=test2',
)
),
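Review bot: The new `setattr`/`addattr` arguments exercise `permission_add` here and `permission_mod` in the later hunk, but nothing in these hunks covers the `permission_find` path, which was also switched to `filter_aci_attributes`. That path used to pop `raw` and `sizelimit` explicitly, so a case that calls `permission_find` with one of those options and checks the ACI-derived fields in the result would pin the behaviour the filter is now trusted to provide. Existing cases outside the visible hunks may already do this. The added cases also only assert the resulting `owner` values, so they would not catch an option that is silently dropped on the ACI side.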
expected=dict(
@@ -315,6 +317,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'write'],
+ owner=[u'cn=test', u'cn=test2'],
),
),
),
@@ -482,7 +485,12 @@ class test_permission(Declarative):
dict(
desc='Update %r' % permission1,
command=(
- 'permission_mod', [permission1], dict(permissions=u'read', memberof=u'ipausers')
+ 'permission_mod', [permission1], dict(
+ permissions=u'read',
+ memberof=u'ipausers',
+ setattr=u'owner=cn=other-test',
+ addattr=u'owner=cn=other-test2',
+ )
),
expected=dict(
value=permission1,
@@ -494,6 +502,7 @@ class test_permission(Declarative):
type=u'user',
permissions=[u'read'],
memberof=u'ipausers',
+ owner=[u'cn=other-test', u'cn=other-test2'],
),
),
),
--
1.7.10.4