krbtpolicy plugin: Fix internal error when global policy is not readable

An ACIError is now raised if:
- the user doesn't have permission to read any one of the ticket policy
  attributes on the requested entry
  (checked using attribute-level rights)
- any ticket policy attribute from the default policy is not available
  (either not readable, or not there at all)
  (only checked if these are accessed, i.e. when the user entry doesn't
   override all of the defaults, or when requesting the global policy)

https://fedorahosted.org/freeipa/ticket/4354

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipalib/plugins/krbtpolicy.py

@@ -172,15 +172,33 @@ class krbtpolicy_show(baseldap.LDAPRetrieve):
             options['all'] = False
         return dn
 
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+    def post_callback(self, ldap, dn, entry, *keys, **options):
-        assert isinstance(dn, DN)
+        default_entry = None
-        if keys[-1] is not None:
+        rights = None
-            # if policy for a specific user isn't set, display global values
+        for attrname in self.obj.default_attributes:
-            if 'krbmaxticketlife' not in entry_attrs or \
+            if attrname not in entry:
-                'krbmaxrenewableage' not in entry_attrs:
+                if keys[-1] is not None:
-                res = self.api.Command.krbtpolicy_show()
+                    # User entry doesn't override the attribute.
-                for a in self.obj.default_attributes:
+                    # Check if this is caused by insufficient read rights
-                    entry_attrs.setdefault(a, res['result'][a])
+                    if rights is None:
+                        rights = baseldap.get_effective_rights(
+                            ldap, dn, self.obj.default_attributes)
+                    if 'r' not in rights.get(attrname.lower(), ''):
+                        raise errors.ACIError(
+                            info=_('Ticket policy for %s could not be read') %
+                                keys[-1])
+                    # Fallback to the default
+                    if default_entry is None:
+                        try:
+                            default_dn = self.obj.get_dn(None)
+                            default_entry = ldap.get_entry(default_dn)
+                        except errors.NotFound:
+                            default_entry = {}
+                    if attrname in default_entry:
+                        entry[attrname] = default_entry[attrname]
+            if attrname not in entry:
+                raise errors.ACIError(
+                    info=_('Default ticket policy could not be read'))
         return dn