Validate adding privilege to a permission

Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type. https://fedorahosted.org/freeipa/ticket/5075 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-09 16:48:36 +02:00 · 2015-07-09 16:48:36 +02:00 · a619a1e211
commit a619a1e211
parent a0ce9e6b09
2 changed files with 33 additions and 25 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -21,6 +21,7 @@ import re
 import traceback

 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
    """Add members to a permission."""
    NO_CLI = True

+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+

@register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()


+def validate_permission_to_privilege(api, permission):
+    ldap = api.Backend.ldap2
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(api.env.container_permission, api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
+
+
@register()
 class privilege(LDAPObject):
    """
@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
        if options.get('permission'):
            # We can only add permissions with bind rule type set to
            # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self.api, options['permission'])
        return dn