IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Validate adding privilege to a permission

Browse Source 
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Martin Basti 2015-07-09 16:48:36 +02:00 committed by Jan Cholasta
parent a0ce9e6b09
commit a619a1e211
2 changed files with 33 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
ipalib/plugins/permission.py
View File

@ -21,6 +21,7 @@ import re
import traceback import traceback
from ipalib.plugins import baseldap from ipalib.plugins import baseldap
from ipalib.plugins.privilege import validate_permission_to_privilege
from ipalib import errors from ipalib import errors
from ipalib.parameters import Str, StrEnum, DNParam, Flag from ipalib.parameters import Str, StrEnum, DNParam, Flag
from ipalib import api, _, ngettext from ipalib import api, _, ngettext
@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
"""Add members to a permission.""" """Add members to a permission."""
NO_CLI = True NO_CLI = True
def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
# We can only add permissions with bind rule type set to
# "permission" (or old-style permissions)
validate_permission_to_privilege(self.api, keys[-1])
return dn
@register() @register()
class permission_remove_member(baseldap.LDAPRemoveMember): class permission_remove_member(baseldap.LDAPRemoveMember):

51
ipalib/plugins/privilege.py
View File

@ -45,6 +45,31 @@ See role and permission for additional information.
register = Registry() register = Registry()
def validate_permission_to_privilege(api, permission):
ldap = api.Backend.ldap2
ldapfilter = ldap.combine_filters(rules='&', filters=[
'(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
ldap.make_filter_from_attr('cn', permission, rules='|')])
try:
entries, truncated = ldap.find_entries(
filter=ldapfilter,
attrs_list=['cn', 'ipapermbindruletype'],
base_dn=DN(api.env.container_permission, api.env.basedn),
size_limit=1)
except errors.NotFound:
pass
else:
entry = entries[0]
message = _('cannot add permission "%(perm)s" with bindtype '
'"%(bindtype)s" to a privilege')
raise errors.ValidationError(
name='permission',
error=message % {
'perm': entry.single_value['cn'],
'bindtype': entry.single_value.get(
'ipapermbindruletype', 'permission')})
@register() @register()
class privilege(LDAPObject): class privilege(LDAPObject):
""" """
@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
if options.get('permission'): if options.get('permission'):
# We can only add permissions with bind rule type set to # We can only add permissions with bind rule type set to
# "permission" (or old-style permissions) # "permission" (or old-style permissions)
ldapfilter = ldap.combine_filters(rules='&', filters=[ validate_permission_to_privilege(self.api, options['permission'])
'(objectClass=ipaPermissionV2)',
'(!(ipaPermBindRuleType=permission))',
ldap.make_filter_from_attr('cn', options['permission'],
rules='|'),
])
try:
entries, truncated = ldap.find_entries(
filter=ldapfilter,
attrs_list=['cn', 'ipapermbindruletype'],
base_dn=DN(self.api.env.container_permission,
self.api.env.basedn),
size_limit=1)
except errors.NotFound:
pass
else:
entry = entries[0]
message = _('cannot add permission "%(perm)s" with bindtype '
'"%(bindtype)s" to a privilege')
raise errors.ValidationError(
name='permission',
error=message % {
'perm': entry.single_value['cn'],
'bindtype': entry.single_value.get(
'ipapermbindruletype', 'permission')})
return dn return dn