permission plugin: Ensure ipapermlocation (subtree) always exists

2025-02-25 18:55:28 -06:00 · 2013-12-05 18:18:32 +01:00 · 2013-12-05 18:18:32 +01:00 · 7fc35ced1d
commit 7fc35ced1d
parent 53caa7aca2
2 changed files with 27 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -623,6 +623,16 @@ class permission(baseldap.LDAPObject):
                    name='ipapermtargetfilter',
                    error=_('Bad search filter'))

+        # Ensure location exists
+        if entry.get('ipapermlocation'):
+            location = DN(entry.single_value['ipapermlocation'])
+            try:
+                ldap.get_entry(location, attrs_list=[])
+            except errors.NotFound:
+                raise errors.ValidationError(
+                    name='ipapermlocation',
+                    error=_('Entry %s does not exist') % location)
+
        # Ensure there's something in the ACI's filter
        needed_attrs = (
            'ipapermtarget', 'ipapermtargetfilter', 'ipapermallowedattr')
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@ -88,6 +88,7 @@ invalid_permission1 = u'bad;perm'
 users_dn = DN(api.env.container_user, api.env.basedn)
 groups_dn = DN(api.env.container_group, api.env.basedn)
 etc_dn = DN('cn=etc', api.env.basedn)
+nonexistent_dn = DN('cn=does not exist', api.env.basedn)


 def verify_permission_aci(name, dn, acistring):
@ -1468,6 +1469,19 @@ class test_permission(Declarative):
                name='ipapermtargetfilter',
                error='Bad search filter'),
        ),
+
+
+        dict(
+            desc='Try setting nonexisting location on %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                    ipapermlocation=nonexistent_dn,
+                )
+            ),
+            expected=errors.ValidationError(
+                name='ipapermlocation',
+                error='Entry %s does not exist' % nonexistent_dn)
+        ),
    ]


@ -1546,7 +1560,9 @@ class test_permission_rollback(Declarative):
                    ipapermlocation=DN('foo=bar'),
                )
            ),
-            expected=errors.NotFound(reason='Entry foo=bar not found'),
+            expected=errors.ValidationError(
+                name='ipapermlocation',
+                error='Entry foo=bar does not exist'),
        ),

    ] + _verifications + [