On 03/05/2012 04:10 PM, Petr Viktorin wrote:
This patch fixes DN handling when removing LDAP entries from groups.
Because they deal with commas and backslashes in a CSV param, the tests
here rely on my patch 0015.
Here is the same patch with CSV-stuff-dependent tests removed.
--
Petr³
From bf0b44a682037b78e01e02329d7f6740b609406e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 2 Mar 2012 12:42:27 -0500
Subject: [PATCH] Allow removing sudo commands with special characters from
command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
---
ipalib/plugins/baseldap.py|4 +-
ipaserver/plugins/ldap2.py|6 +-
tests/test_xmlrpc/test_sudocmdgroup_plugin.py | 72 +
3 files changed, 77 insertions(+), 5 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index c0f25479a1460cec9b46db7f10da837d07103887..cf5d8d20eb27a0342f064086e0ee9d85c78c5bae 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1583,8 +1583,8 @@ class LDAPRemoveMember(LDAPModMember):
completed = 0
for (attr, objs) in member_dns.iteritems():
-for ldap_obj_name in objs:
-for m_dn in member_dns[attr][ldap_obj_name]:
+for ldap_obj_name, m_dns in objs.iteritems():
+for m_dn in m_dns:
if not m_dn:
continue
try:
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index ffe2fba8ad050064e49297e6e743ab13f9b4678d..dd5756735405d5a5a9c76d4fa0d82459007a2233 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1091,12 +1091,12 @@ class ldap2(CrudBackend, Encoder):
(group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
# remove dn from group entry's `member_attr` attribute
-members = group_entry_attrs.get(member_attr, [])
+members = [DN(m) for m in group_entry_attrs.get(member_attr, [])]
try:
-members.remove(dn.lower())
+members.remove(DN(dn))
except ValueError:
raise errors.NotGroupMember()
-group_entry_attrs[member_attr] = members
+group_entry_attrs[member_attr] = [str(m) for m in members]
# update group entry
self.update_entry(group_dn, group_entry_attrs)
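Review bot: The new `members` list round-trips every remaining member through `DN()` and `str()` before `update_entry`, so values the removal never touched are written back in whatever form `str(DN(m))` produces instead of as they were read. Filtering the original strings by DN equality would keep untouched values byte-identical. It would also drop every equivalent serialization of the target rather than only the first one `list.remove` finds, which matters here because a member left behind keeps its sudo command in the group. With `dn.lower()` gone, case-insensitive matching now depends entirely on `DN.__eq__`, which is not visible in this patch and should be confirmed. The enclosing method starts above the hunk.

```python
# … unchanged: get_entry call for group_dn …
target = DN(dn)
members = group_entry_attrs.get(member_attr, [])
remaining = [m for m in members if not (DN(m) == target)]
if len(remaining) == len(members):
    raise errors.NotGroupMember()
group_entry_attrs[member_attr] = remaining
# … unchanged: update_entry call …
```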
diff --git a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
index 8a534b2bf9f8f73c6304555a2bef3c52a367e626..9f2bf3336be542d74d016976f98086b92310c37f 100644
--- a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
+++ b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
@@ -28,12 +28,36 @@ from ipalib.dn import *
sudocmdgroup1 = u'testsudocmdgroup1'
sudocmdgroup2 = u'testsudocmdgroup2'
sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd_plus = u'/bin/ls -l /lost+found/*'
+
+def create_command(sudocmd):
+return dict(
+desc='Create %r' % sudocmd,
+command=(
+'sudocmd_add', [], dict(sudocmd=sudocmd,
+description=u'Test sudo command')
+),
+expected=dict(
+value=sudocmd,
+summary=u'Added Sudo Command %s' % sudocmd,
+result=dict(
+objectclass=objectclasses.sudocmd,
+sudocmd=[sudocmd],
+ipauniqueid=[fuzzy_uuid],
+description=[u'Test sudo command'],
+dn=lambda x: DN(x) == \
+DN(('sudocmd',sudocmd),('cn','sudocmds'),('cn','sudo'),
+api.env.basedn),
+),
+),
+)
class test_sudocmdgroup(Declarative):
cleanup_commands = [
('sudocmdgroup_del', [sudocmdgroup1], {}),
('sudocmdgroup_del', [sudocmdgroup2], {}),
('sudocmd_del', [sudocmd1], {}),
+('sudocmd_del', [sudocmd_plus], {}),
]
tests = [
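Review bot: The `sudocmd_plus` literal and the new `create_command` helper carry no explanation of why this value was chosen or what the helper returns. A comment above the constant such as `# '+' separates AVAs in a multi-valued RDN, so this value must be escaped when used in a DN` would record the intent for the next maintainer. The helper could get a one-line docstring, `"""Return a Declarative test case that adds `sudocmd` and checks the resulting entry."""`. Since the comma and backslash cases were dropped from this version of the patch, a short `# TODO` naming them next to the constant would keep that coverage gap visible.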
@@ -473,6 +497,54 @@ class test_sudocmdgroup(Declarative):
),
),
+
+# test a command that needs DN escaping:
+create_command(sudocmd_plus),
+
+dict(
+desc='Add %r to %r' % (sudocmd_plus, sudocmdgroup1),
+command=('sudocmdgroup_add_member', [sudocmdgroup1],
+dict(sudocmd=sudocmd_plus)
+),
+expected=dict(
+completed=1,
+failed=dict(
+member=dict(
+sudocmd=tuple(),
+),
+),
+result={
+'dn':