Add option to limit the attributes allowed in an entry.

Kerberos ticket policy can update policy in a user entry. This allowed
set/addattr to be used to modify attributes outside of the ticket policy
perview, also bypassing all validation/normalization. Likewise the
ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:

limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed

By default both of these lists are empty so are skipped.

ticket 744

ipalib/plugins/baseldap.py

@@ -253,6 +253,8 @@ class LDAPObject(Object):
     # If an objectclass is possible but not default in an entry. Needed for
     # collecting attributes for ACI UI.
     possible_objectclasses = []
+    limit_object_classes = [] # Only attributes in these are allowed
+    disallow_object_classes = [] # Disallow attributes in these
     search_attributes = []
     search_attributes_config = None
     default_attributes = []
@@ -438,6 +440,36 @@ def _check_empty_attrs(params, entry_attrs):
                 raise errors.RequirementError(name=a)
 
 
+def _check_limit_object_class(attributes, attrs, allow_only):
+    """
+    If the set of objectclasses is limited enforce that only those
+    are updated in entry_attrs (plus dn)
+
+    allow_only tells us what mode to check in:
+
+    If True then we enforce that the attributes must be in the list of
+    allowed.
+
+    If False then those attributes are not allowed.
+    """
+    if len(attributes[0]) == 0 and len(attributes[1]) == 0:
+        return
+    limitattrs = deepcopy(attrs)
+    # Go through the MUST first
+    for (oid, attr) in attributes[0].iteritems():
+        if attr.names[0].lower() in limitattrs:
+            if not allow_only:
+                raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower()))
+            limitattrs.remove(attr.names[0].lower())
+    # And now the MAY
+    for (oid, attr) in attributes[1].iteritems():
+        if attr.names[0].lower() in limitattrs:
+            if not allow_only:
+                raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower()))
+            limitattrs.remove(attr.names[0].lower())
+    if len(limitattrs) > 0 and allow_only:
+        raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=limitattrs[0]))
+
 class CallbackInterface(Method):
     """
     Callback registration interface
@@ -568,6 +600,8 @@ class LDAPCreate(CallbackInterface, crud.Create):
                 )
 
         _check_single_value_attrs(self.params, entry_attrs)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False)
 
         try:
             ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn)
@@ -848,6 +882,8 @@ class LDAPUpdate(LDAPQuery, crud.Update):
 
         _check_single_value_attrs(self.params, entry_attrs)
         _check_empty_attrs(self.obj.params, entry_attrs)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True)
+        _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False)
 
         rdnupdate = False
         try:

ipalib/plugins/krbtpolicy.py

@@ -74,6 +74,7 @@ class krbtpolicy(LDAPObject):
     container_dn = 'cn=%s,cn=kerberos' % api.env.realm
     object_name = 'kerberos ticket policy settings'
     default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
+    limit_object_classes = ['krbticketpolicyaux']
 
     label=_('Kerberos Ticket Policy')
 

ipalib/plugins/user.py

@@ -62,6 +62,7 @@ from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.request import context
 from time import gmtime, strftime
+import copy
 
 
 NO_UPG_MAGIC = '__no_upg__'
@@ -84,6 +85,7 @@ class user(LDAPObject):
     object_class = ['posixaccount']
     object_class_config = 'ipauserobjectclasses'
     possible_objectclasses = ['meporiginentry']
+    disallow_object_classes = ['krbticketpolicyaux']
     search_attributes_config = 'ipausersearchfields'
     default_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou',

tests/test_xmlrpc/test_krbtpolicy.py

@@ -0,0 +1,138 @@
+# Authors:
+#   Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2011  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Test kerberos ticket policy
+"""
+
+from ipalib import api, errors
+from tests.test_xmlrpc import objectclasses
+from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
+
+user1 = u'tuser1'
+
+class test_krbtpolicy(Declarative):
+    cleanup_commands = [
+        ('user_del', [user1], {}),
+    ]
+
+    tests = [
+
+
+        dict(
+            desc='Reset global policy',
+            command=(
+                'krbtpolicy_reset', [], {}
+            ),
+            expected=dict(
+                value=u'',
+                summary=None,
+                result=dict(
+                    krbmaxticketlife=[u'86400'],
+                    krbmaxrenewableage=[u'604800'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Show global policy',
+            command=(
+                'krbtpolicy_show', [], {}
+            ),
+            expected=dict(
+                value=u'',
+                summary=None,
+                result=dict(
+                    dn=u'cn=%s,cn=kerberos,%s' % (api.env.domain, api.env.basedn),
+                    krbmaxticketlife=[u'86400'],
+                    krbmaxrenewableage=[u'604800'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Update global policy',
+            command=(
+                'krbtpolicy_mod', [], dict(krbmaxticketlife=3600)
+            ),
+            expected=dict(
+                value=u'',
+                summary=None,
+                result=dict(
+                    krbmaxticketlife=[u'3600'],
+                    krbmaxrenewableage=[u'604800'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Create %r' % user1,
+            command=(
+                'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
+            ),
+            expected=dict(
+                value=user1,
+                summary=u'Added user "%s"' % user1,
+                result=dict(
+                    gecos=[u'Test User1'],
+                    givenname=[u'Test'],
+                    homedirectory=[u'/home/tuser1'],
+                    krbprincipalname=[u'tuser1@' + api.env.realm],
+                    loginshell=[u'/bin/sh'],
+                    objectclass=objectclasses.user,
+                    sn=[u'User1'],
+                    uid=[user1],
+                    uidnumber=[fuzzy_digits],
+                    displayname=[u'Test User1'],
+                    cn=[u'Test User1'],
+                    initials=[u'TU'],
+                    ipauniqueid=[fuzzy_uuid],
+                    dn=u'uid=%s,cn=users,cn=accounts,%s' % (user1, api.env.basedn)
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Update user ticket policy',
+            command=(
+                'krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)
+            ),
+            expected=dict(
+                value=user1,
+                summary=None,
+                result=dict(
+                    krbmaxticketlife=[u'3600'],
+                ),
+            ),
+        ),
+
+
+        dict(
+            desc='Try updating other user attribute',
+            command=(
+                'krbtpolicy_mod', [user1], dict(setattr=u'givenname=Pete')
+            ),
+            expected=errors.ObjectclassViolation(info='attribute "givenname" not allowed'),
+        ),
+
+
+    ]

tests/test_xmlrpc/test_user_plugin.py

@@ -304,6 +304,15 @@ class test_user(Declarative):
         ),
 
 
+        dict(
+            desc='Try updating the krb ticket policy of %r' % user1,
+            command=(
+                'user_mod', [user1], dict(setattr=u'krbmaxticketlife=88000')
+            ),
+            expected=errors.ObjectclassViolation(info='attribute "krbmaxticketlife" not allowed'),
+        ),
+
+
         dict(
             desc='Retrieve %r to verify update' % user1,
             command=('user_show', [user1], {}),
@@ -388,6 +397,17 @@ class test_user(Declarative):
         ),
 
 
+        dict(
+            desc='Create user %r with krb ticket policy' % user1,
+            command=(
+                'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
+                setattr=u'krbmaxticketlife=88000')
+            ),
+            expected=errors.ObjectclassViolation(info='attribute "krbmaxticketlife" not allowed'),
+        ),
+
+
+
         dict(
             desc='Create %r' % user1,
             command=(