On 10/07/15 07:32, Jan Cholasta wrote:
Hi,

Dne 9.7.2015 v 16:55 Martin Basti napsal(a):
https://fedorahosted.org/freeipa/ticket/5075

Patch attached.

the check is very plugin-specific, so I don't think it should be in ipalib.util. You can keep it in privilege and import it from there in permission just fine.

Honza

Updated patch attached.

--
Martin Basti

From 46f47facdd6ecd0bd5f6bd5d3b1ed17c9776ff7a Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding a privilege to a permission via the webUI allowed the check to be bypassed and a permission
with an improper type to be added.

https://fedorahosted.org/freeipa/ticket/5075
---
 ipalib/plugins/permission.py |  7 ++++++
 ipalib/plugins/privilege.py  | 53 +++++++++++++++++++++++---------------------
 2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..e02828e9abfff453857a50ce9fc5b04fee523d27 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self, ldap, keys[-1])
+        return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
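Review bot: The added `pre_callback` runs the bind-rule-type check unconditionally, so a permission-add-member call that has no privilege members to add now fails with the 'cannot add permission ... to a privilege' error instead of being a no-op; if the base class hands in an empty collection in that case, guarding with `if member_dns:` preserves the old behaviour. The check also covers only the add direction: a permission that is already a member of a privilege can presumably still have its ipaPermBindRuleType changed by permission-mod unless that command enforces the same rule, which this hunk does not show. The method deserves a one-line docstring such as `"""Reject privilege membership for permissions whose bind rule type is not 'permission'."""`, since the inline comment states the rule but not that the method raises.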
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ff9ccdef756d22a21455ee3920e4fe1a8e2df274 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -45,6 +45,33 @@ See role and permission for additional information.
 register = Registry()
 
 
+def validate_permission_to_privilege(obj, ldap, permission):
+            ldapfilter = ldap.combine_filters(rules='&', filters=[
+                '(objectClass=ipaPermissionV2)',
+                '(!(ipaPermBindRuleType=permission))',
+                ldap.make_filter_from_attr('cn', permission, rules='|'),
+            ])
+            try:
+                entries, truncated = ldap.find_entries(
+                    filter=ldapfilter,
+                    attrs_list=['cn', 'ipapermbindruletype'],
+                    base_dn=DN(obj.api.env.container_permission,
+                               obj.api.env.basedn),
+                    size_limit=1)
+            except errors.NotFound:
+                pass
+            else:
+                entry = entries[0]
+                message = _('cannot add permission "%(perm)s" with bindtype '
+                            '"%(bindtype)s" to a privilege')
+                raise errors.ValidationError(
+                    name='permission',
+                    error=message % {
+                        'perm': entry.single_value['cn'],
+                        'bindtype': entry.single_value.get(
+                            'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
     """
@@ -185,31 +212,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self, ldap, options['permission'])
         return dn
 
 
-- 
2.4.3

