URL: https://github.com/freeipa/freeipa/pull/316
Author: stlaz
 Title: #316: Fix error in permission-find post_callback search
Action: opened

PR body:
"""
This pull requests fixes a bug introduced when fixing a different issue in 
https://github.com/freeipa/freeipa/commit/29aa4877eec89894cc3a6e50c4b6817a713d3177
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/316/head:pr316
git checkout pr316
From 209a62febff8ae835cf6bb74c5a00e8a817078d7 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 7 Dec 2016 11:51:19 +0100
Subject: [PATCH 1/2] Generalize filter generation in LDAPSearch

Make it easier to generate search filters properly
and in a unified way in any inheriting method

https://fedorahosted.org/freeipa/ticket/5640
---
 ipaserver/plugins/baseldap.py | 54 +++++++++++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 20 deletions(-)

diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
index 5770641..9d6bfc7 100644
--- a/ipaserver/plugins/baseldap.py
+++ b/ipaserver/plugins/baseldap.py
@@ -1922,6 +1922,38 @@ def get_options(self):
             for option in self.get_member_options(attr):
                 yield option
 
+    def get_attr_filter(self, ldap, **options):
+        """
+        Returns a MATCH_ALL filter containing all required attributes from the
+        options
+        """
+        search_kw = self.args_options_2_entry(**options)
+        search_kw['objectclass'] = self.obj.object_class
+        return ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
+
+    def get_term_filter(self, ldap, term):
+        """
+        Returns a filter to search for a value (term) in any of the
+        search attributes of an entry.
+        """
+        if self.obj.search_attributes:
+            search_attrs = self.obj.search_attributes
+        else:
+            search_attrs = self.obj.default_attributes
+        if self.obj.search_attributes_config:
+            config = ldap.get_ipa_config()
+            config_attrs = config.get(
+                self.obj.search_attributes_config, [])
+            if len(config_attrs) == 1 and (
+              isinstance(config_attrs[0], six.string_types)):
+                search_attrs = config_attrs[0].split(',')
+
+        search_kw = {}
+        for a in search_attrs:
+            search_kw[a] = term
+
+        return ldap.make_filter(search_kw, exact=False)
+
     def get_member_filter(self, ldap, **options):
         filter = ''
         for attr in self.member_attributes:
@@ -1981,26 +2013,8 @@ def execute(self, *args, **options):
                 attrs_list.difference_update(self.obj.attribute_members)
             attrs_list = list(attrs_list)
 
-        if self.obj.search_attributes:
-            search_attrs = self.obj.search_attributes
-        else:
-            search_attrs = self.obj.default_attributes
-        if self.obj.search_attributes_config:
-            config = ldap.get_ipa_config()
-            config_attrs = config.get(
-                self.obj.search_attributes_config, [])
-            if len(config_attrs) == 1 and (
-                isinstance(config_attrs[0], six.string_types)):
-                search_attrs = config_attrs[0].split(',')
-
-        search_kw['objectclass'] = self.obj.object_class
-        attr_filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
-
-        search_kw = {}
-        for a in search_attrs:
-            search_kw[a] = term
-        term_filter = ldap.make_filter(search_kw, exact=False)
-
+        attr_filter = self.get_attr_filter(ldap, **options)
+        term_filter = self.get_term_filter(ldap, term)
         member_filter = self.get_member_filter(ldap, **options)
 
         filter = ldap.combine_filters(

From 0ffd604e30c66235af86c6bb76105ef210ceb80f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 7 Dec 2016 11:53:31 +0100
Subject: [PATCH 2/2] Fix permission-find with sizelimit set

If permission-find is fired with an argument and sizelimit set
a message about truncation will be sent along with the result
as the search in post_callback() does general search instead
of having its filter properly set.

https://fedorahosted.org/freeipa/ticket/5640
---
 ipaserver/plugins/permission.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
index 0bd75b0..dd2a018 100644
--- a/ipaserver/plugins/permission.py
+++ b/ipaserver/plugins/permission.py
@@ -1306,6 +1306,13 @@ def post_callback(self, ldap, entries, truncated, *args, **options):
                 filters.append(ldap.make_filter_from_attr('cn',
                                                           options['name'],
                                                           exact=False))
+            index = tuple(self.args).index('criteria')
+            try:
+                term = args[index]
+                filters.append(self.get_term_filter(ldap, term))
+            except IndexError:
+                term = None
+
             attrs_list = list(self.obj.default_attributes)
             attrs_list += list(self.obj.attribute_members)
             if options.get('all'):
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to