mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
permission plugin: Do not change extra target filters by "views"
Previously, setting/deleting the "--type" virtual attribute removed all (objectclass=...) target filters. Change so that only the filter associated with --type is removed. The same change applies to --memberof: only filters associated with the option are removed when --memberof is (un-)set. Follow-up to https://fedorahosted.org/freeipa/ticket/4216 Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
Petr Viktorin
committed by
Martin Kosek
Martin Kosek
parent
9f1c3d06bd
commit
64cc4d81cc
@@ -2424,6 +2424,171 @@ class test_permission_targetfilter(Declarative):
|
||||
)
|
||||
] + [
|
||||
|
||||
dict(
|
||||
desc='Set extra objectclass filter on %r' % permission1,
|
||||
command=(
|
||||
'permission_mod', [permission1], dict(
|
||||
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
|
||||
all=True,
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1,
|
||||
summary=u'Modified permission "%s"' % permission1,
|
||||
result=dict(
|
||||
dn=permission1_dn,
|
||||
cn=[permission1],
|
||||
objectclass=objectclasses.permission,
|
||||
type=[u'user'],
|
||||
ipapermright=[u'write'],
|
||||
attrs=[u'sn'],
|
||||
ipapermincludedattr=[u'sn'],
|
||||
ipapermbindruletype=[u'permission'],
|
||||
ipapermissiontype=[u'SYSTEM', u'V2'],
|
||||
ipapermlocation=[users_dn],
|
||||
memberof=[u'admins'],
|
||||
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
|
||||
ipapermtargetfilter=[
|
||||
u'(cn=*)',
|
||||
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
|
||||
u'(objectclass=posixaccount)',
|
||||
u'(objectclass=top)'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
||||
verify_permission_aci(
|
||||
permission1, users_dn,
|
||||
'(targetattr = "sn")' +
|
||||
'(targetfilter = "(&' +
|
||||
'(cn=*)' +
|
||||
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
|
||||
'(objectclass=posixaccount)' +
|
||||
'(objectclass=top)' +
|
||||
')")' +
|
||||
'(version 3.0;acl "permission:%s";' % permission1 +
|
||||
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
|
||||
),
|
||||
|
||||
dict(
|
||||
desc='Unset type on %r to verify extra objectclass filter stays' % permission1,
|
||||
command=(
|
||||
'permission_mod', [permission1], dict(
|
||||
type=None,
|
||||
all=True,
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1,
|
||||
summary=u'Modified permission "%s"' % permission1,
|
||||
result=dict(
|
||||
dn=permission1_dn,
|
||||
cn=[permission1],
|
||||
objectclass=objectclasses.permission,
|
||||
ipapermright=[u'write'],
|
||||
attrs=[u'sn'],
|
||||
ipapermincludedattr=[u'sn'],
|
||||
ipapermbindruletype=[u'permission'],
|
||||
ipapermissiontype=[u'SYSTEM', u'V2'],
|
||||
ipapermlocation=[api.env.basedn],
|
||||
memberof=[u'admins'],
|
||||
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
|
||||
ipapermtargetfilter=[
|
||||
u'(cn=*)',
|
||||
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
|
||||
u'(objectclass=top)'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
||||
verify_permission_aci(
|
||||
permission1, api.env.basedn,
|
||||
'(targetattr = "sn")' +
|
||||
'(targetfilter = "(&' +
|
||||
'(cn=*)' +
|
||||
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
|
||||
'(objectclass=top)' +
|
||||
')")' +
|
||||
'(version 3.0;acl "permission:%s";' % permission1 +
|
||||
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
|
||||
),
|
||||
|
||||
dict(
|
||||
desc='Set wildcard memberof filter on %r' % permission1,
|
||||
command=(
|
||||
'permission_mod', [permission1], dict(
|
||||
extratargetfilter=u'(memberof=*)',
|
||||
all=True,
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1,
|
||||
summary=u'Modified permission "%s"' % permission1,
|
||||
result=dict(
|
||||
dn=permission1_dn,
|
||||
cn=[permission1],
|
||||
objectclass=objectclasses.permission,
|
||||
ipapermright=[u'write'],
|
||||
attrs=[u'sn'],
|
||||
ipapermincludedattr=[u'sn'],
|
||||
ipapermbindruletype=[u'permission'],
|
||||
ipapermissiontype=[u'SYSTEM', u'V2'],
|
||||
ipapermlocation=[api.env.basedn],
|
||||
memberof=[u'admins'],
|
||||
extratargetfilter=[u'(memberof=*)'],
|
||||
ipapermtargetfilter=[
|
||||
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
|
||||
u'(memberof=*)'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
||||
verify_permission_aci(
|
||||
permission1, api.env.basedn,
|
||||
'(targetattr = "sn")' +
|
||||
'(targetfilter = "(&' +
|
||||
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
|
||||
'(memberof=*)' +
|
||||
')")' +
|
||||
'(version 3.0;acl "permission:%s";' % permission1 +
|
||||
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
|
||||
),
|
||||
|
||||
dict(
|
||||
desc='Remove --memberof on %r to verify wildcard is still there' % permission1,
|
||||
command=(
|
||||
'permission_mod', [permission1], dict(
|
||||
memberof=[],
|
||||
all=True,
|
||||
)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1,
|
||||
summary=u'Modified permission "%s"' % permission1,
|
||||
result=dict(
|
||||
dn=permission1_dn,
|
||||
cn=[permission1],
|
||||
objectclass=objectclasses.permission,
|
||||
ipapermright=[u'write'],
|
||||
attrs=[u'sn'],
|
||||
ipapermincludedattr=[u'sn'],
|
||||
ipapermbindruletype=[u'permission'],
|
||||
ipapermissiontype=[u'SYSTEM', u'V2'],
|
||||
ipapermlocation=[api.env.basedn],
|
||||
extratargetfilter=[u'(memberof=*)'],
|
||||
ipapermtargetfilter=[u'(memberof=*)'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
||||
verify_permission_aci(
|
||||
permission1, api.env.basedn,
|
||||
'(targetattr = "sn")' +
|
||||
'(targetfilter = "(memberof=*)")' +
|
||||
'(version 3.0;acl "permission:%s";' % permission1 +
|
||||
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
|
||||
),
|
||||
|
||||
]
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user