The permission commands were not filtering their options properly before passing them to the underlying ACI commands. This upset the new input validation when --addattr/--setattr was used.

This patch adds a filter that only lets options listed in aci_attributes through to the ACI commands.

https://fedorahosted.org/freeipa/ticket/2885

--
Petr³

From e06fd2eaa47c7b06641c3eb85961b0d852e32839 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pvikt...@redhat.com>
Date: Fri, 29 Jun 2012 07:24:14 -0400
Subject: [PATCH] Explicitly filter options that permission-{add,mod} passes
 to aci-{add,mod}

Make permission commands not pass options that the underlying ACI commands
do not understand.

Update tests.

Remove some extraneous imports of the `copy` module.

https://fedorahosted.org/freeipa/ticket/2885
---
 ipalib/plugins/delegation.py                |    1 -
 ipalib/plugins/permission.py                |   19 +++++++++----------
 ipalib/plugins/selfservice.py               |    2 --
 ipalib/plugins/user.py                      |    1 -
 tests/test_xmlrpc/test_permission_plugin.py |   11 ++++++++++-
 5 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index f602507bd1b1ccd08ed61fc5e9ed07ccd5974999..0f3eecd7b429de97a3cbe60eb150363152419495 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -18,7 +18,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import copy
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str
 from ipalib.request import context
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index ec3d78d1b2eece4ca8233dbb2b9aa69a2b943d96..89f9eaa628ebd41c376e3da8130c6079dc0508c9 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -17,8 +17,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import copy
-
 from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str, StrEnum
@@ -189,6 +187,11 @@ def check_system(self, ldap, dn, *keys):
                 return False
         return True
 
+    def filter_aci_attributes(self, options):
+        """Return option dictionary that only includes ACI attributes"""
+        return dict((k, v) for k, v in options.items() if
+            k in self.aci_attributes)
+
 api.register(permission)
 
 
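Review bot: The docstring on `filter_aci_attributes` does not say that options outside `self.aci_attributes` are dropped silently, nor that the result is a new dict, and the callers changed in this commit depend on both. `permission_add.pre_callback` and `post_callback`, and the `permission_find` post-callback, assign into the result (`opts['test']`, `opts['permission']`, `opts['aciprefix']`). That is safe only because the generator expression builds a fresh dict where `copy.copy(options)` used to. I would extend the docstring to something like `"""Return a new dict holding only the options named in self.aci_attributes; every other option is dropped."""`. `aci_attributes` is defined outside this hunk, so which keys actually reach the ACI commands cannot be checked from here.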
@@ -200,7 +203,7 @@ class permission_add(LDAPCreate):
 
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         # Test the ACI before going any further
-        opts = copy.copy(options)
+        opts = self.obj.filter_aci_attributes(options)
         opts['test'] = True
         opts['permission'] = keys[-1]
         opts['aciprefix'] = ACI_PREFIX
@@ -217,7 +220,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         # Now actually add the aci.
-        opts = copy.copy(options)
+        opts = self.obj.filter_aci_attributes(options)
         opts['test'] = False
         opts['permission'] = keys[-1]
         opts['aciprefix'] = ACI_PREFIX
@@ -340,9 +343,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
                 raise errors.ValidationError(
                     name='rename',error=_('New name can not be empty'))
 
-        opts = copy.copy(options)
-        for o in ['all', 'raw', 'rights', 'test', 'rename']:
-            opts.pop(o, None)
+        opts = self.obj.filter_aci_attributes(options)
         setattr(context, 'aciupdate', False)
         # If there are no options left we don't need to do anything to the
         # underlying ACI.
@@ -434,13 +435,11 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
         # Now find all the ACIs that match. Once we find them, add any that
         # aren't already in the list along with their permission info.
 
-        opts = copy.copy(options)
+        opts = self.obj.filter_aci_attributes(options)
         if aciname:
             opts['aciname'] = aciname
         opts['aciprefix'] = ACI_PREFIX
         # permission ACI attribute is needed
-        opts.pop('raw', None)
-        opts.pop('sizelimit', None)
         aciresults = self.api.Command.aci_find(*args, **opts)
         truncated = truncated or aciresults['truncated']
         results = aciresults['result']
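Review bot: The comment `# permission ACI attribute is needed` explained the `opts.pop('raw', None)` that this change removes, and it now sits directly above the `aci_find` call with nothing left to explain. If `raw` and `sizelimit` are absent from `aci_attributes` (defined outside this hunk), the comment should say that the filter is what removes them, e.g. `# the filter drops 'raw', so aci_find returns the permission attribute we need`. The allowlist also stops forwarding every other non-ACI option that `copy.copy(options)` used to pass through, so it is worth confirming that `aci_find` did not depend on any of them. The enclosing `post_callback` starts and ends outside the hunk.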
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 82f2a0cc0efae8d0fb6ea862228f7a70d70ddccc..2b10488543223f1e31eba3edab0b494783e8bbbb 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -17,8 +17,6 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-import copy
-
 from ipalib import api, _, ngettext
 from ipalib import Flag, Str
 from ipalib.request import context
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 7e98bba4c48436588ff3baffad538a426b9f5edb..c19d9a666c2894445b2baaff34d5378f5bb40dbf 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -19,7 +19,6 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from time import gmtime, strftime, strptime
-import copy
 import string
 
 from ipalib import api, errors
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 847b03e58a01c9e1a4678429dee80fc1389926f6..8aaa4a99990241a78c15f094ad6ae80beb48aec3 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -304,6 +304,8 @@ class test_permission(Declarative):
                 'permission_add', [permission2], dict(
                      type=u'user',
                      permissions=u'write',
+                     setattr=u'owner=cn=test',
+                     addattr=u'owner=cn=test2',
                 )
             ),
             expected=dict(
@@ -315,6 +317,7 @@ class test_permission(Declarative):
                     objectclass=objectclasses.permission,
                     type=u'user',
                     permissions=[u'write'],
+                    owner=[u'cn=test', u'cn=test2'],
                 ),
             ),
         ),
@@ -482,7 +485,12 @@ class test_permission(Declarative):
         dict(
             desc='Update %r' % permission1,
             command=(
-                'permission_mod', [permission1], dict(permissions=u'read', memberof=u'ipausers')
+                'permission_mod', [permission1], dict(
+                    permissions=u'read',
+                    memberof=u'ipausers',
+                    setattr=u'owner=cn=other-test',
+                    addattr=u'owner=cn=other-test2',
+                )
             ),
             expected=dict(
                 value=permission1,
@@ -494,6 +502,7 @@ class test_permission(Declarative):
                     type=u'user',
                     permissions=[u'read'],
                     memberof=u'ipausers',
+                    owner=[u'cn=other-test', u'cn=other-test2'],
                 ),
             ),
         ),
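Review bot: The added cases exercise `setattr`/`addattr` only through `permission_add` and `permission_mod`, while the `permission_find` post-callback gets the same filter in this commit and none of the visible test hunks touches it. A find case that supplies `raw` or `sizelimit`, the two options the old code removed by hand, would pin that path too. It would also help to have one case showing that an option outside the ACI set is honoured by the permission command itself rather than lost, since the filter drops unknown keys without an error. The `test_permission` class continues outside these hunks, so existing find tests may already cover part of this.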
-- 
1.7.10.4
