From 3120a6833e71d28fb0dcbbd62190b5f9c2e2c466 Mon Sep 17 00:00:00 2001 From: Petr Viktorin Date: Tue, 4 Mar 2014 12:45:24 +0100 Subject: [PATCH] permission plugin: Output the extratargetfilter virtual attribute The --filter, --type, and --memberof options interact in a way that's difficult to recreate in the UI: type and memberof are "views" on the filter, they affect it and are affected by it. Add an "extratargetfilter" view that only contains the filters not linked to type or memberof. Show extra target filter, and not the full target filter, by default; show both with --all, and full filter only with --raw. Write support will be added in a subsequent patch. Part of the work for: https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek --- API.txt | 9 +- VERSION | 4 +- ipalib/plugins/permission.py | 39 ++++++- .../test_xmlrpc/test_old_permission_plugin.py | 35 +----- .../test_xmlrpc/test_permission_plugin.py | 103 ++---------------- ipatests/test_xmlrpc/test_privilege_plugin.py | 2 - 6 files changed, 52 insertions(+), 140 deletions(-) diff --git a/API.txt b/API.txt index 5d1063386..e4ed91eb0 100644 --- a/API.txt +++ b/API.txt 
@@ -2324,11 +2324,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: Output('value', , None) command: permission_add -args: 1,18,3 +args: 1,19,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, cli_name='attrs', multivalue=True, required=False) +option: Str('extratargetfilter', attribute=False, cli_name='extratargetfilter', multivalue=True, required=False) option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous')) option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False) 
@@ -2379,11 +2380,12 @@ output: Output('result', , None) output: Output('summary', (, ), None) output: Output('value', , None) command: permission_find -args: 1,23,4 +args: 1,24,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False) option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False) +option: Str('extratargetfilter', attribute=False, autofill=False, cli_name='extratargetfilter', multivalue=True, query=True, required=False) option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous')) option: Str('ipapermdefaultattr', attribute=True, autofill=False, cli_name='defaultattrs', multivalue=True, query=True, required=False) 
@@ -2409,12 +2411,13 @@ output: ListOfEntries('result', (, ), Gettext('A list output: Output('summary', (, ), None) output: Output('truncated', , None) command: permission_mod -args: 1,23,3 +args: 1,24,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False) option: Str('delattr*', cli_name='delattr', exclude='webui') +option: Str('extratargetfilter', attribute=False, autofill=False, cli_name='extratargetfilter', multivalue=True, required=False) option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, required=False, values=(u'permission', u'all', u'anonymous')) option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, required=False) diff --git a/VERSION b/VERSION index e889bced8..4f01e38c0 100644 --- a/VERSION +++ b/VERSION @@ -89,5 +89,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=77 -# Last change: pviktori - permissions: multivalued memberof +IPA_API_VERSION_MINOR=78 +# Last change: pviktori - permission extratargetfilter diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index bd7f5da6a..d8eeea28b 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -101,7 +101,7 @@ register = Registry() _DEPRECATED_OPTION_ALIASES = { 'permissions': 'ipapermright', - 'filter': 'ipapermtargetfilter', + 'filter': 'extratargetfilter', 'subtree': 'ipapermlocation', } 
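Review bot: The `'filter': 'extratargetfilter'` entry in `_DEPRECATED_OPTION_ALIASES` (ipalib/plugins/permission.py, hunk `@@ -101,7 +101,7 @@`) changes what pre-`permissions2` clients receive under the old `filter` name, and nothing at the dict says so. Those clients used to get the full target filter; now `filter` carries only the filters not already expressed by `type` and `memberof`, so a legacy tool that treats `filter` as the complete ACI target filter will misjudge which entries the permission targets. I would add a comment above the entry, e.g. `# 'filter' is the extra (non-type, non-memberof) filter for old clients, not the full ipapermtargetfilter`. If this mapping is also consulted for incoming option names (not visible in this hunk), confirm that an old client's `filter` input is not routed to an attribute that has no write support yet.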
@@ -229,6 +229,12 @@ class permission(baseldap.LDAPObject): doc=_('Subtree to apply permissions to'), flags={'ask_create'}, ), + Str( + 'extratargetfilter*', prevalidate_filter, + label=_('Extra target filter'), + doc=_('Target filter, excluding filters set by type and memberof'), + flags={'virtual_attribute'}, + ), Str( 'ipapermtargetfilter*', prevalidate_filter, cli_name='filter', @@ -287,11 +293,16 @@ class permission(baseldap.LDAPObject): Command options. Contains keys such as ``raw``, ``all``, ``pkey_only``, ``version``. """ + old_client = not client_has_capability( + options['version'], 'permissions2') + if not options.get('raw') and not options.get('pkey_only'): ipapermtargetfilter = entry.get('ipapermtargetfilter', []) ipapermtarget = entry.single_value.get('ipapermtarget') ipapermlocation = entry.single_value.get('ipapermlocation') + implicit_targetfilters = set() + # memberof memberof = [] for targetfilter in ipapermtargetfilter: @@ -302,6 +313,7 @@ class permission(baseldap.LDAPObject): self.api.env.basedn) if dn[1:] == groups_dn[:] and dn[0].attr == 'cn': memberof.append(dn[0].value) + implicit_targetfilters.add(match.group(0)) if memberof: entry['memberof'] = memberof 
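Review bot: The new `extratargetfilter*` parameter in hunk `@@ -229,6 +229,12 @@` is declared as an ordinary option although the commit message says write support comes later, and the API.txt hunks show it exposed on `permission_add` and `permission_mod`. What add/mod do with a supplied value is not visible here; if it is silently dropped, an administrator who passes `--extratargetfilter` to narrow a permission ends up with one that applies more broadly than intended. Until the write path lands I would either reject the option on add/mod or mark it read-only, for example `flags={'virtual_attribute', 'no_create', 'no_update'}`, and say so in the `doc` string. The parameter list starts and ends outside the hunk.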
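Review bot: In hunk `@@ -287,11 +293,16 @@`, `implicit_targetfilters.add(match.group(0))` records the text the regex matched rather than the stored filter string, while the objectclass branch later in this method adds the filter value itself (`objectclass_targetfilters.add(tf)`). The set is later subtracted from `set(ipapermtargetfilter)`, so the two must be equal character for character; if the memberof pattern, which is defined outside this hunk, ever matches less than the whole value, the filter would be reported both as `memberof` and as an extra filter. Adding the loop variable is safer and consistent: `implicit_targetfilters.add(targetfilter)`. A short comment on the set, such as `# filters already represented by type/memberof; hidden from extratargetfilter`, would also help.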
@@ -324,17 +336,28 @@ class permission(baseldap.LDAPObject): if DN(ipapermlocation) != wantdn: continue + objectclass_targetfilters = set() for objclass in filter_objectclasses: filter_re = '\(objectclass=%s\)' % re.escape(objclass) - if not any(re.match(filter_re, tf, re.I) - for tf in ipapermtargetfilter): + for tf in ipapermtargetfilter: + if re.match(filter_re, tf, re.I): + objectclass_targetfilters.add(tf) + break + else: break else: entry.single_value['type'] = unicode(obj.name) + implicit_targetfilters |= objectclass_targetfilters break + if ipapermtargetfilter: + extratargetfilter = sorted( + set(ipapermtargetfilter) - implicit_targetfilters) + if extratargetfilter: + entry['extratargetfilter'] = extratargetfilter + # old output names - if not client_has_capability(options['version'], 'permissions2'): + if old_client: for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items(): if new_name in entry: entry[old_name] = entry[new_name] @@ -359,7 +382,7 @@ class permission(baseldap.LDAPObject): set(rights.get('ipapermexcludedattr', '')), key=rights['ipapermincludedattr'].index)) - if not client_has_capability(options['version'], 'permissions2'): + if old_client: for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items(): if new_name in entry: rights[old_name] = rights[new_name] @@ -386,7 +409,7 @@ class permission(baseldap.LDAPObject): not entry.get('ipapermdefaultattr')): entry.pop('ipapermincludedattr', None) - if not client_has_capability(options['version'], 'permissions2'): + if old_client: # Legacy clients expect some attributes as a single value for attr in 'type', 'targetgroup', 'aci': if attr in entry: 
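Review bot: In hunk `@@ -324,17 +336,28 @@` the objectclass loop now hides every filter that `re.match(filter_re, tf, re.I)` accepts, but `filter_re` has no end anchor, so a value that merely starts with `(objectclass=NAME)` would be treated as implied by `type` and dropped from `extratargetfilter`. Before this change the match only decided the `type` label; now it also decides what the default output omits, so it should be exact: `filter_re = '\(objectclass=%s\)$' % re.escape(objclass)`. Whether `prevalidate_filter` already rules out such values cannot be seen from this hunk. The nested `for`/`else` would also benefit from a one-line comment stating that `type` is set only when every objectclass filter of the object is present.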
@@ -407,6 +430,10 @@ class permission(baseldap.LDAPObject): new_filter.append(flt[1:-1]) entry['filter'] = new_filter + if not options['raw'] and not options['all']: + # Don't return the raw target filter by default + entry.pop('ipapermtargetfilter', None) + def get_effective_attrs(self, entry): attrs = set(entry.get('ipapermdefaultattr', ())) attrs.update(entry.get('ipapermincludedattr', ())) diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py index 72c218208..c4fa982c8 100644 --- a/ipatests/test_xmlrpc/test_old_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py @@ -155,7 +155,6 @@ class test_old_permission(Declarative): permissions=[u'write'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -231,7 +230,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -282,7 +280,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -307,7 +304,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -344,7 +340,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], 
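Review bot: In hunk `@@ -407,6 +430,10 @@` of ipalib/plugins/permission.py, `options['raw']` and `options['all']` are indexed directly, whereas the start of this method reads the same flag with `options.get('raw')`; a caller that invokes the method without those keys would get a `KeyError` instead of a result. I would write `if not options.get('raw') and not options.get('all'):`. Since the default output no longer includes `ipapermtargetfilter`, the comment could also state that the full filter is the authoritative ACI target and is only returned with `--all` or `--raw`, which matters to anyone reviewing what a permission grants. The method body begins outside this hunk.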
@@ -400,7 +395,6 @@ class test_old_permission(Declarative): owner=[u'cn=test', u'cn=test2'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -424,7 +418,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, { @@ -435,7 +428,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -519,7 +511,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -544,7 +535,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, { @@ -555,7 +545,6 @@ class test_old_permission(Declarative): 'permissions': [u'write'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ], @@ -618,8 +607,6 @@ class test_old_permission(Declarative): owner=[u'cn=other-test', u'cn=other-test2'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn), - u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), 
@@ -642,8 +629,6 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), - u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -689,8 +674,6 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), - u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -717,8 +700,6 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), - u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -745,8 +726,6 @@ class test_old_permission(Declarative): 'memberof': u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn), - u'objectclass=posixaccount'], 'subtree': u'ldap:///%s' % users_dn, }, ), @@ -773,7 +752,6 @@ class test_old_permission(Declarative): memberof=u'ipausers', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn)], ), ), ), @@ -798,9 +776,6 @@ class test_old_permission(Declarative): 'memberof':u'ipausers', 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'V2', u'SYSTEM'], - 'filter': [ - u'memberOf=%s' % DN('cn=ipausers', groups_dn)], - }, ], ), @@ -946,8 +921,6 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'memberOf=%s' % DN('cn=editors', groups_dn), - u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), 
@@ -979,8 +952,6 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'memberOf=%s' % DN('cn=admins', groups_dn), - u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1004,7 +975,6 @@ class test_old_permission(Declarative): type=u'user', ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1078,7 +1048,6 @@ class test_old_permission(Declarative): attrs=(u'cn',), ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1101,7 +1070,7 @@ class test_old_permission(Declarative): attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], subtree=u'ldap:///%s' % users_dn, ), ), @@ -1124,7 +1093,7 @@ class test_old_permission(Declarative): attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], ipapermissiontype=[u'V2', u'SYSTEM'], - filter=[u'objectclass=posixaccount'], + ipapermtargetfilter=[u'(objectclass=posixaccount)'], subtree=u'ldap:///%s' % users_dn, ), ), diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 62ff20e56..3421ddce8 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -266,7 +266,6 @@ class test_permission_negative(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), 
@@ -378,7 +377,6 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -463,7 +461,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ), ), @@ -517,7 +514,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -543,7 +539,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -581,7 +576,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -645,7 +639,6 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -677,7 +670,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, { 'dn': permission2_dn, @@ -689,7 +681,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), 
@@ -774,7 +765,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -799,7 +789,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], 'member_privilege': [privilege1], }, { @@ -812,7 +801,6 @@ class test_permission(Declarative): 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], }, ], ), @@ -877,10 +865,6 @@ class test_permission(Declarative): memberof=[u'ipausers'], owner=[u'cn=other-test', u'cn=other-test2'], attrs=[u'sn'], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), - u"(objectclass=posixaccount)", - ], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -913,9 +897,6 @@ class test_permission(Declarative): 'ipapermright': [u'read'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [ - u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), - u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -958,9 +939,6 @@ class test_permission(Declarative): 'ipapermright': [u'read'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [ - u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), - u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], 
@@ -988,9 +966,6 @@ class test_permission(Declarative): 'ipapermright': [u'all'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [ - u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), - u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -1030,9 +1005,6 @@ class test_permission(Declarative): 'ipapermright': [u'write'], 'memberof': [u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [ - u'(memberOf=%s)' % DN('cn=ipausers', groups_dn), - u'(objectclass=posixaccount)'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -1071,8 +1043,6 @@ class test_permission(Declarative): ipapermright=[u'write'], memberof=[u'ipausers'], attrs=[u'sn'], - ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', - groups_dn)], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ), @@ -1105,7 +1075,7 @@ class test_permission(Declarative): 'attrs': [u'cn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], - 'ipapermtargetfilter': [u'(objectclass=posixaccount)'], + 'extratargetfilter': [u'(objectclass=posixaccount)'], 'ipapermlocation': [api.env.basedn], }, ), @@ -1120,7 +1090,7 @@ class test_permission(Declarative): ), dict( - desc='Search for %r using --subtree' % permission1, + desc='Search for %r using --subtree' % permission1_renamed_ucase, command=('permission_find', [], {'ipapermlocation': u'ldap:///%s' % users_dn}), expected=dict( @@ -1137,8 +1107,6 @@ class test_permission(Declarative): 'ipapermright':[u'write'], 'memberof':[u'ipausers'], 'attrs': [u'sn'], - 'ipapermtargetfilter': [u'(memberOf=%s)' % DN( - 'cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], 
@@ -1288,9 +1256,6 @@ class test_permission(Declarative): ipapermright=[u'write'], type=[u'user'], attrs=[u'sn'], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn), - u'(objectclass=posixaccount)'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1332,9 +1297,6 @@ class test_permission(Declarative): ipapermright=[u'write'], type=[u'user'], attrs=[u'sn'], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(objectclass=posixaccount)'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1372,7 +1334,6 @@ class test_permission(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -1452,7 +1413,6 @@ class test_permission(Declarative): ipapermright=[u'write'], attrs=(u'cn',), ipapermbindruletype=[u'permission'], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], ), @@ -1715,9 +1675,6 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), @@ -1750,8 +1707,7 @@ class test_permission_sync_attributes(Declarative): attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + extratargetfilter=[ u'(objectclass=posixaccount)'], memberof=[u'admins'], ipapermlocation=[api.env.basedn], 
@@ -1790,9 +1746,6 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), @@ -1829,8 +1782,6 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn)], memberof=[u'admins'], ), ), @@ -1894,7 +1845,6 @@ class test_permission_sync_attributes(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], - ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -1929,7 +1879,6 @@ class test_permission_sync_attributes(Declarative): ipapermtarget=[DN('cn=editors', groups_dn)], ipapermlocation=[groups_dn], targetgroup=[u'editors'], - ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -1975,9 +1924,6 @@ class test_permission_sync_nice(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(objectclass=posixaccount)'], memberof=[u'admins'], ), ), @@ -2010,8 +1956,6 @@ class test_permission_sync_nice(Declarative): attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], - ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), - groups_dn)], memberof=[u'admins'], ipapermlocation=[api.env.basedn], ), @@ -2076,7 +2020,6 @@ class test_permission_sync_nice(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], - ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), 
@@ -2111,7 +2054,6 @@ class test_permission_sync_nice(Declarative): ipapermtarget=[DN('cn=editors', groups_dn)], ipapermlocation=[groups_dn], targetgroup=[u'editors'], - ipapermtargetfilter=[u'(objectclass=ipausergroup)'], ), ), ), @@ -2278,7 +2220,6 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'anonymous'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -2340,7 +2281,6 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'all'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -2382,7 +2322,6 @@ class test_permission_bindtype(Declarative): objectclass=objectclasses.permission, ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ], ), @@ -2421,7 +2360,6 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'all'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -2453,7 +2391,6 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -2483,7 +2420,6 @@ class test_permission_bindtype(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -2795,7 +2731,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], 
@@ -2827,7 +2762,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermincludedattr=[u'cn', u'sn', u'o'], @@ -2903,7 +2837,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o'], ipapermexcludedattr=[u'cn'], @@ -2935,7 +2868,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -2969,7 +2901,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -2995,7 +2926,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn'], ipapermincludedattr=[u'sn'], @@ -3032,7 +2962,6 @@ class test_managed_permissions(Declarative): ipapermright=[u'write'], ipapermbindruletype=[u'all'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ipapermdefaultattr=[u'l', u'o', u'cn'], attrs=[u'l', u'o', u'sn', u'cn'], ipapermincludedattr=[u'sn'], 
@@ -3100,11 +3029,8 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(objectclass=posixaccount)', + extratargetfilter=[ u'(objectclass=top)', - u'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn), - u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), ], ), ), @@ -3146,10 +3072,8 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[api.env.basedn], - ipapermtargetfilter=[ + extratargetfilter=[ u'(objectclass=ipauser)', - u'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn), - u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), ], ), ), @@ -3186,7 +3110,7 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[api.env.basedn], - ipapermtargetfilter=[ + extratargetfilter=[ u'(cn=xyz)', u'(objectclass=ipauser)', ], @@ -3227,9 +3151,7 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(objectclass=posixaccount)', + extratargetfilter=[ u'(uid=abc)', ], ), @@ -3267,7 +3189,7 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[api.env.basedn], - ipapermtargetfilter=[ + extratargetfilter=[ u'(uid=abc)', ], ), @@ -3301,11 +3223,7 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[api.env.basedn], - ipapermtargetfilter=[ - u'(uid=abc)', - u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), - u'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn), - ], + extratargetfilter=[u'(uid=abc)'], ), ), ), 
@@ -3354,9 +3272,6 @@ class test_permission_filters(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[ - u'(objectclass=posixaccount)', - ], ), ), ), diff --git a/ipatests/test_xmlrpc/test_privilege_plugin.py b/ipatests/test_xmlrpc/test_privilege_plugin.py index 37b1592e0..0f0e2f046 100644 --- a/ipatests/test_xmlrpc/test_privilege_plugin.py +++ b/ipatests/test_xmlrpc/test_privilege_plugin.py @@ -107,7 +107,6 @@ class test_privilege(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ), @@ -228,7 +227,6 @@ class test_privilege(Declarative): ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], - ipapermtargetfilter=[u'(objectclass=posixaccount)'], ), ), ),