permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs have but non-posix groups don't) or groupofnames/nestedgroup (which normal groups have but UPGs don't). Join permission_filter_objectclasses with `|` and add them as a single ipapermtargetfilter value. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566 Reviewed-By: Martin Kosek <mkosek@redhat.com>
parent
013bf3d4e2
commit
02b5074d84
@ -363,26 +363,17 @@ class permission(baseldap.LDAPObject):
|
|||||||
# type
|
# type
|
||||||
if ipapermtargetfilter and ipapermlocation:
|
if ipapermtargetfilter and ipapermlocation:
|
||||||
for obj in self.api.Object():
|
for obj in self.api.Object():
|
||||||
filter_objectclasses = getattr(
|
filt = self.make_type_filter(obj)
|
||||||
obj, 'permission_filter_objectclasses', None)
|
if not filt:
|
||||||
if not filter_objectclasses:
|
|
||||||
continue
|
continue
|
||||||
|
|
||||||
wantdn = DN(obj.container_dn, self.api.env.basedn)
|
wantdn = DN(obj.container_dn, self.api.env.basedn)
|
||||||
if DN(ipapermlocation) != wantdn:
|
if DN(ipapermlocation) != wantdn:
|
||||||
continue
|
continue
|
||||||
|
|
||||||
objectclass_targetfilters = set()
|
if filt in ipapermtargetfilter:
|
||||||
for objclass in filter_objectclasses:
|
|
||||||
filter_re = '\(objectclass=%s\)' % re.escape(objclass)
|
|
||||||
for tf in ipapermtargetfilter:
|
|
||||||
if re.match(filter_re, tf, re.I):
|
|
||||||
objectclass_targetfilters.add(tf)
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
result['type'] = [unicode(obj.name)]
|
result['type'] = [unicode(obj.name)]
|
||||||
implicit_targetfilters |= objectclass_targetfilters
|
implicit_targetfilters.add(filt)
|
||||||
break
|
break
|
||||||
|
|
||||||
return result
|
return result
|
||||||
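Review bot: The new membership test `if filt in ipapermtargetfilter:` compares the generated filter string exactly, whereas the removed loop matched each `(objectclass=...)` value case-insensitively via `re.match(..., re.I)`; a stored target filter written as `(objectClass=posixgroup)`, or an OR filter whose members are in a different order than make_type_filter's sorted output, will no longer be recognised, so `result['type']` is not set for it. If that regression is intended it deserves a comment at the comparison; otherwise normalise both sides, e.g. `if filt.lower() in (tf.lower() for tf in ipapermtargetfilter):`. The method this hunk belongs to starts before the hunk; only the `# type` branch is visible here.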
@ -717,6 +708,17 @@ class permission(baseldap.LDAPObject):
|
|||||||
raise ValueError('Cannot convert ACI, %r != %r' % (new_acistring,
|
raise ValueError('Cannot convert ACI, %r != %r' % (new_acistring,
|
||||||
acistring))
|
acistring))
|
||||||
|
|
||||||
|
def make_type_filter(self, obj):
|
||||||
|
"""Make a filter for a --type based permission from an Object"""
|
||||||
|
objectclasses = getattr(obj, 'permission_filter_objectclasses', None)
|
||||||
|
if not objectclasses:
|
||||||
|
return None
|
||||||
|
filters = [u'(objectclass=%s)' % o for o in objectclasses]
|
||||||
|
if len(filters) == 1:
|
||||||
|
return filters[0]
|
||||||
|
else:
|
||||||
|
return '(|%s)' % ''.join(sorted(filters))
|
||||||
|
|
||||||
def preprocess_options(self, options,
|
def preprocess_options(self, options,
|
||||||
return_filter_ops=False,
|
return_filter_ops=False,
|
||||||
merge_targetfilter=False):
|
merge_targetfilter=False):
|
||||||
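Review bot: make_type_filter's one-line docstring does not state its return contract, which both callers added in this commit depend on: None when the Object declares no `permission_filter_objectclasses`, the bare `(objectclass=X)` string for a single class, and otherwise an `(|...)` filter whose members are sorted so the string is canonical and can be compared by equality. Suggested docstring: `"""Return the ipapermtargetfilter value for a --type permission on obj, or None if obj has no permission_filter_objectclasses; several classes are joined with | and sorted so the result is canonical."""`. The objectclass names are interpolated into the filter without escaping, which is fine while they come from plugin Object definitions, but a short comment saying the values are trusted would stop a later caller from passing user input here.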
@ -808,15 +810,19 @@ class permission(baseldap.LDAPObject):
|
|||||||
if 'type' in options:
|
if 'type' in options:
|
||||||
objtype = options.pop('type')
|
objtype = options.pop('type')
|
||||||
filter_ops['remove'].append(re.compile(r'\(objectclass=.*\)', re.I))
|
filter_ops['remove'].append(re.compile(r'\(objectclass=.*\)', re.I))
|
||||||
|
filter_ops['remove'].append(re.compile(
|
||||||
|
r'\(\|(\(objectclass=[^(]*\))+\)', re.I))
|
||||||
if objtype:
|
if objtype:
|
||||||
if 'ipapermlocation' in options:
|
if 'ipapermlocation' in options:
|
||||||
raise errors.ValidationError(
|
raise errors.ValidationError(
|
||||||
name='ipapermlocation',
|
name='ipapermlocation',
|
||||||
error=_('subtree and type are mutually exclusive'))
|
error=_('subtree and type are mutually exclusive'))
|
||||||
obj = self.api.Object[objtype.lower()]
|
obj = self.api.Object[objtype.lower()]
|
||||||
new_values = [u'(objectclass=%s)' % o
|
filt = self.make_type_filter(obj)
|
||||||
for o in obj.permission_filter_objectclasses]
|
if not filt:
|
||||||
filter_ops['add'].extend(new_values)
|
raise errors.ValidationError(
|
||||||
|
_('"%s" is not a valid permission type') % objtype)
|
||||||
|
filter_ops['add'].append(filt)
|
||||||
container_dn = DN(obj.container_dn, self.api.env.basedn)
|
container_dn = DN(obj.container_dn, self.api.env.basedn)
|
||||||
options['ipapermlocation'] = container_dn
|
options['ipapermlocation'] = container_dn
|
||||||
else:
|
else:
|
||||||
|
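Review bot: The new `raise errors.ValidationError(_('"%s" is not a valid permission type') % objtype)` passes the message positionally, while the ValidationError raised a few lines above in this same hunk uses `name=` and `error=` keywords; if the class builds its message from those keywords, as the neighbouring call suggests, this positional form will not produce the intended "invalid 'type'" error and may itself fail to construct. Suggested: `raise errors.ValidationError(name='type', error=_('"%s" is not a valid permission type') % objtype)`. Note also that `self.api.Object[objtype.lower()]` on the preceding line raises KeyError for a name that is not an Object at all, so the new check only covers Objects lacking `permission_filter_objectclasses`; handling that KeyError with the same ValidationError would make the validation complete. preprocess_options starts before this hunk.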
@ -516,6 +516,8 @@ class update_managed_permissions(PostUpdate):
|
|||||||
template = dict(template)
|
template = dict(template)
|
||||||
template.pop('replaces', None)
|
template.pop('replaces', None)
|
||||||
template.pop('replaces_system', None)
|
template.pop('replaces_system', None)
|
||||||
|
template.pop('replaces_permissions', None)
|
||||||
|
template.pop('replaces_acis', None)
|
||||||
|
|
||||||
fixup_function = template.pop('fixup_function', None)
|
fixup_function = template.pop('fixup_function', None)
|
||||||
if fixup_function:
|
if fixup_function:
|
||||||
@ -536,8 +538,7 @@ class update_managed_permissions(PostUpdate):
|
|||||||
|
|
||||||
ldap_filter = template.pop('ipapermtargetfilter', None)
|
ldap_filter = template.pop('ipapermtargetfilter', None)
|
||||||
if obj and ldap_filter is None:
|
if obj and ldap_filter is None:
|
||||||
ldap_filter = ['(objectclass=%s)' % oc
|
ldap_filter = [self.api.Object[permission].make_type_filter(obj)]
|
||||||
for oc in obj.permission_filter_objectclasses]
|
|
||||||
entry['ipapermtargetfilter'] = list(ldap_filter or [])
|
entry['ipapermtargetfilter'] = list(ldap_filter or [])
|
||||||
|
|
||||||
ipapermlocation = template.pop('ipapermlocation', None)
|
ipapermlocation = template.pop('ipapermlocation', None)
|
||||||
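Review bot: `ldap_filter = [self.api.Object[permission].make_type_filter(obj)]` wraps the return value unconditionally, so when make_type_filter returns None (the Object has no `permission_filter_objectclasses`) the list is `[None]`, which is truthy and is stored into `entry['ipapermtargetfilter']` two lines later; the removed comprehension could not produce that value. A managed permission whose target filter is lost this way would either fail the update or, if it were written as an unfiltered permission, apply its ACI to every entry under its location rather than the intended object type. Guard it with `filt = self.api.Object[permission].make_type_filter(obj)` and `ldap_filter = [filt] if filt else []`, or raise for the None case so a mis-declared template is caught at update time. The enclosing function starts before this hunk.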
|