https://fedorahosted.org/freeipa/ticket/5075
Patch attached. -- Martin Basti
From c8b9a1126a3c59183b39774333294cc413a26043 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type.

https://fedorahosted.org/freeipa/ticket/5075
---
 ipalib/plugins/permission.py |  7 +++++++
 ipalib/plugins/privilege.py  | 27 ++-------------------------
 ipalib/util.py               | 27 +++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..75532b35039428621bd180f916bb704b7cd9166e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -29,6 +29,7 @@ from ipalib.capabilities import client_has_capability
 from ipalib.aci import ACI
 from ipapython.dn import DN
 from ipalib.request import context
+from ipalib.util import validate_permission_to_privilege
 
 __doc__ = _("""
 Permissions
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self, ldap, keys[-1])
+        return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ce5df4f848be3ba88adf329f246948c3e439af64 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -20,6 +20,7 @@ from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext, errors
 from ipalib.plugable import Registry
+from ipalib.util import validate_permission_to_privilege
 
 __doc__ = _("""
 Privileges
 
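Review bot: The comment above the validate_permission_to_privilege call in the new pre_callback of permission_add_member is carried over from privilege_add_permission and talks about "adding permissions", but on this side the members being added are privileges and `keys[-1]` is the target permission's own primary key, so a reader has to know the other plugin to see why the check applies here. Suggest replacing the two comment lines with `# keys[-1] is this permission's cn; refuse to link any privilege to an ipaPermissionV2 entry whose bind rule type is not "permission" (the add-member path ticket 5075 used to bypass the privilege_add_permission check)` and giving the method a docstring such as `"""Reject the add when this permission cannot be granted through a privilege."""`. Unlike privilege_add_permission, which only validates when a permission option is present, this hook appears to run one LDAP search on every call regardless of what members are supplied; that is probably acceptable for a NO_CLI command but is worth stating. The class permission_add_member continues outside the hunk.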
@@ -185,31 +186,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self, ldap, options['permission'])
         return dn
 
 
diff --git a/ipalib/util.py b/ipalib/util.py
index 649a4875fde0b44844749946cce53d81f7f6eea4..626b463d532b3f7da5e5fef46ddb673af31ced35 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
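Review bot: The replacement line passes the whole command object to validate_permission_to_privilege only so the helper can reach `obj.api.env`; passing the environment explicitly, `validate_permission_to_privilege(self.api.env, ldap, options['permission'])` with the helper's first parameter renamed to match, would make the helper's one real dependency visible at the call site and let it be exercised without a full command instance. The moved filter, search and error path are otherwise unchanged. Whether `DN` and `errors` are still referenced elsewhere in privilege.py after this removal is not visible here; if not, the corresponding imports become dead. The pre_callback method this hunk edits begins before the hunk.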
@@ -809,3 +809,30 @@ def get_topology_connection_errors(graph):
         if not_visited:
             connect_errors.append((m, list(visited), list(not_visited)))
     return connect_errors
+
+
+def validate_permission_to_privilege(obj, ldap, permission):
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)',
+        '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|'),
+    ])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(obj.api.env.container_permission,
+                       obj.api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
-- 
2.4.3
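Review bot: validate_permission_to_privilege is now the single enforcement point for both the privilege-side and the permission-side add, yet it has no docstring and its success path is `except errors.NotFound: pass`, which reads like a swallowed error rather than the expected outcome. Suggest a docstring stating that `permission` is a cn or list of cns, that the function raises errors.ValidationError when any of them names an ipaPermissionV2 entry whose ipaPermBindRuleType is not "permission", and that legacy (non-V2) permissions always pass; plus the comment `# NotFound: no V2 permission with a foreign bind rule type matched, so the add may proceed` on the except branch. The `truncated` value from find_entries is unpacked but never read; `entries = ldap.find_entries(...)[0]` would make that explicit. Building the cn clause through `ldap.make_filter_from_attr` rather than string formatting is the right choice here since the name originates from the caller; the helper also relies on `DN`, `errors` and `_` already being in scope in ipalib/util.py, which this hunk does not show.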