Remove virtual attributes before rolling back a permission

On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.

Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.

This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

ipaserver/plugins/permission.py

@@ -1236,8 +1236,15 @@ class permission_mod(baseldap.LDAPUpdate):
             else:
                 self.obj.update_aci(entry, old_entry.single_value['cn'])
         except Exception:
-            # Don't revert attribute which doesn't exist in LDAP
+            # Don't revert attributes which don't exist in LDAP
             entry.pop('attributelevelrights', None)
+            for attr in list(
+                filter(
+                    lambda x: x not in ["member", "memberof"],
+                    [*self.obj.relationships],
+                )
+            ):
+                entry.pop(attr, None)
 
             logger.error('Error updating ACI: %s', traceback.format_exc())
             logger.warning('Reverting entry')