Add permission_filter_objectclasses for explicit type filters

Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-01-09 14:43:37 +01:00
parent e951f18416
commit 78b657b02d
10 changed files with 30 additions and 14 deletions
--- a/API.txt
+++ b/API.txt
@@ -2340,7 +2340,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('subtree', attribute=False, cli_name='subtree', multivalue=True, required=False)
 option: Str('targetgroup', alwaysask=True, attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=False, required=False)
-option: StrEnum('type', alwaysask=True, attribute=False, autofill=False, cli_name='type', multivalue=False, query=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', alwaysask=True, attribute=False, autofill=False, cli_name='type', multivalue=False, query=False, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
@@ -2400,7 +2400,7 @@ option: Int('sizelimit?', autofill=False, minvalue=0)
 option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, query=True, required=False)
 option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False)
 option: Int('timelimit?', autofill=False, minvalue=0)
-option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', attribute=False, autofill=False, cli_name='type', multivalue=False, query=True, required=False)
 option: Str('version?', exclude='webui')
 output: Output('count', <type 'int'>, None)
 output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
@@ -2430,7 +2430,7 @@ option: Flag('rights', autofill=True, default=False)
 option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, required=False)
 option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, required=False)
-option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
+option: Str('type', attribute=False, autofill=False, cli_name='type', multivalue=False, required=False)
 option: Str('version?', exclude='webui')
 output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -442,6 +442,7 @@ class LDAPObject(Object):
    possible_objectclasses = []
    limit_object_classes = [] # Only attributes in these are allowed
    disallow_object_classes = [] # Disallow attributes in these
+    permission_filter_objectclasses = None
    search_attributes = []
    search_attributes_config = None
    default_attributes = []
--- a/ipalib/plugins/dns.py
+++ b/ipalib/plugins/dns.py
@@ -2113,6 +2113,7 @@ class dnsrecord(LDAPObject):
    object_name = _('DNS resource record')
    object_name_plural = _('DNS resource records')
    object_class = ['top', 'idnsrecord']
+    permission_filter_objectclasses = ['idnsrecord']
    default_attributes = ['idnsname'] + _record_attributes
    rdn_is_primary_key = True

--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -122,6 +122,7 @@ class group(LDAPObject):
    object_class = ['ipausergroup']
    object_class_config = 'ipagroupobjectclasses'
    possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
+    permission_filter_objectclasses = ['ipausergroup']
    search_attributes_config = 'ipagroupsearchfields'
    default_attributes = [
        'cn', 'description', 'gidnumber', 'member', 'memberof',
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -222,6 +222,7 @@ class host(LDAPObject):
    object_name = _('host')
    object_name_plural = _('hosts')
    object_class = ['ipaobject', 'nshost', 'ipahost', 'pkiuser', 'ipaservice']
+    permission_filter_objectclasses = ['ipahost']
    # object_class_config = 'ipahostobjectclasses'
    search_attributes = [
        'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -61,6 +61,7 @@ class hostgroup(LDAPObject):
    object_name = _('host group')
    object_name_plural = _('host groups')
    object_class = ['ipaobject', 'ipahostgroup']
+    permission_filter_objectclasses = ['ipahostgroup']
    default_attributes = ['cn', 'description', 'member', 'memberof',
        'memberindirect', 'memberofindirect',
    ]
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -81,6 +81,7 @@ class netgroup(LDAPObject):
    object_name = _('netgroup')
    object_name_plural = _('netgroups')
    object_class = ['ipaobject', 'ipaassociation', 'ipanisnetgroup']
+    permission_filter_objectclasses = ['ipanisnetgroup']
    default_attributes = [
        'cn', 'description', 'memberof', 'externalhost', 'nisdomainname',
        'memberuser', 'memberhost', 'member', 'memberindirect',
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -99,9 +99,6 @@ EXAMPLES:

 register = Registry()

-VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup',
-                      u'netgroup', u'dnsrecord',)
-
 _DEPRECATED_OPTION_ALIASES = {
    'permissions': 'ipapermright',
    'filter': 'ipapermtargetfilter',
@@ -141,6 +138,15 @@ class DNOrURL(DNParam):
        return super(DNOrURL, self)._convert_scalar(value, index=index)


+def validate_type(ugettext, typestr):
+    try:
+        obj = api.Object[typestr]
+    except KeyError:
+        return _('"%s" is not an object type') % typestr
+    if not getattr(obj, 'permission_filter_objectclasses', None):
+        return _('"%s" is not a valid permission type') % typestr
+
+
@register()
 class permission(baseldap.LDAPObject):
    """
@@ -247,12 +253,11 @@ class permission(baseldap.LDAPObject):
            doc=_('User group to apply permissions to (sets target)'),
            flags={'ask_create', 'virtual_attribute'},
        ),
-        StrEnum(
-            'type?',
+        Str(
+            'type?', validate_type,
            label=_('Type'),
            doc=_('Type of IPA object '
                  '(sets subtree and objectClass targetfilter)'),
-            values=VALID_OBJECT_TYPES,
            flags={'ask_create', 'virtual_attribute'},
        ),
    ) + tuple(
@@ -310,19 +315,22 @@ class permission(baseldap.LDAPObject):

            # type
            if ipapermtargetfilter and ipapermlocation:
-                for objname in VALID_OBJECT_TYPES:
-                    obj = self.api.Object[objname]
+                for obj in self.api.Object():
+                    filter_objectclasses = getattr(
+                        obj, 'permission_filter_objectclasses', None)
+                    if not filter_objectclasses:
+                        continue
                    wantdn = DN(obj.container_dn, self.api.env.basedn)
                    if DN(ipapermlocation) != wantdn:
                        continue

-                    for objclass in obj.object_class:
+                    for objclass in filter_objectclasses:
                        filter_re = '\(objectclass=%s\)' % re.escape(objclass)
                        if not any(re.match(filter_re, tf, re.I)
                                   for tf in ipapermtargetfilter):
                            break
                    else:
-                        entry.single_value['type'] = objname
+                        entry.single_value['type'] = unicode(obj.name)
                        break

            # old output names
@@ -684,7 +692,7 @@ class permission(baseldap.LDAPObject):
                        error=_('subtree and type are mutually exclusive'))
                obj = self.api.Object[objtype.lower()]
                new_values = [u'(objectclass=%s)' % o
-                              for o in obj.object_class]
+                              for o in obj.permission_filter_objectclasses]
                filter_ops['add'].extend(new_values)
                container_dn = DN(obj.container_dn, self.api.env.basedn)
                options['ipapermlocation'] = container_dn
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -299,6 +299,7 @@ class service(LDAPObject):
        'ipaservice', 'pkiuser'
    ]
    possible_objectclasses = ['ipakrbprincipal']
+    permission_filter_objectclasses = ['ipaservice']
    search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
    default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
        'ipakrbauthzdata',]
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -209,6 +209,7 @@ class user(LDAPObject):
        'ipatokenradiusproxyuser'
    ]
    disallow_object_classes = ['krbticketpolicyaux']
+    permission_filter_objectclasses = ['posixaccount']
    search_attributes_config = 'ipausersearchfields'
    default_attributes = [
        'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',