Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation. Add two new LDAPObject values to control this behavior: limit_object_classes: only attributes in these are allowed disallow_object_classes: attributes in these are disallowed By default both of these lists are empty so are skipped. ticket 744
2025-02-25 18:55:28 -06:00 · 2011-05-16 17:39:23 -04:00
parent aa29a8a769
commit 9cc0754b71
5 changed files with 197 additions and 0 deletions
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -253,6 +253,8 @@ class LDAPObject(Object):
    # If an objectclass is possible but not default in an entry. Needed for
    # collecting attributes for ACI UI.
    possible_objectclasses = []
+    limit_object_classes = [] # Only attributes in these are allowed
+    disallow_object_classes = [] # Disallow attributes in these
    search_attributes = []
    search_attributes_config = None
    default_attributes = []
@@ -438,6 +440,36 @@ def _check_empty_attrs(params, entry_attrs):
                raise errors.RequirementError(name=a)


+def _check_limit_object_class(attributes, attrs, allow_only):
+    """
+    If the set of objectclasses is limited enforce that only those
+    are updated in entry_attrs (plus dn)
+
+    allow_only tells us what mode to check in:
+
+    If True then we enforce that the attributes must be in the list of
+    allowed.
+
+    If False then those attributes are not allowed.
+    """
+    if len(attributes[0]) == 0 and len(attributes[1]) == 0:
+        return
+    limitattrs = deepcopy(attrs)
+    # Go through the MUST first
+    for (oid, attr) in attributes[0].iteritems():
+        if attr.names[0].lower() in limitattrs:
+            if not allow_only:
+                raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower()))
+            limitattrs.remove(attr.names[0].lower())
+    # And now the MAY
+    for (oid, attr) in attributes[1].iteritems():
+        if attr.names[0].lower() in limitattrs:
+            if not allow_only:
+                raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower()))
+            limitattrs.remove(attr.names[0].lower())
+    if len(limitattrs) > 0 and allow_only:
+        raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=limitattrs[0]))
+
 class CallbackInterface(Method):
    """
    Callback registration interface
@@ -568,6 +600,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
                )

        _check_single_value_attrs(self.params, entry_attrs)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False)

        try:
            ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn)
@@ -848,6 +882,8 @@ class LDAPUpdate(LDAPQuery, crud.Update):

        _check_single_value_attrs(self.params, entry_attrs)
        _check_empty_attrs(self.obj.params, entry_attrs)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False)

        rdnupdate = False
        try:
--- a/ipalib/plugins/krbtpolicy.py
+++ b/ipalib/plugins/krbtpolicy.py
@@ -74,6 +74,7 @@ class krbtpolicy(LDAPObject):
    container_dn = 'cn=%s,cn=kerberos' % api.env.realm
    object_name = 'kerberos ticket policy settings'
    default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
+    limit_object_classes = ['krbticketpolicyaux']

    label=_('Kerberos Ticket Policy')

--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -62,6 +62,7 @@ from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime
+import copy


 NO_UPG_MAGIC = '__no_upg__'
@@ -84,6 +85,7 @@ class user(LDAPObject):
    object_class = ['posixaccount']
    object_class_config = 'ipauserobjectclasses'
    possible_objectclasses = ['meporiginentry']
+    disallow_object_classes = ['krbticketpolicyaux']
    search_attributes_config = 'ipausersearchfields'
    default_attributes = [
        'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',