Add posixgroup to groups' permission object filter

Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.

https://fedorahosted.org/freeipa/ticket/4372

Reviewed-By: Martin Kosek <mkosek@redhat.com>

ACI.txt

@@ -29,9 +29,9 @@ aci: (target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "p
 dn: cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "a6record || aaaarecord || afsdbrecord || arecord || certrecord || cn || cnamerecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || txtrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example")(version 3.0;acl "permission:System: Update DNS Entries";allow (write) groupdn = "ldap:///cn=System: Update DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Membership,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read Groups,cn=permissions,cn=pbac,dc=ipa,dc=example
-aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(objectclass=ipausergroup)")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
+aci: (targetattr = "businesscategory || cn || description || gidnumber || ipaexternalmember || ipauniqueid || mepmanagedby || o || objectclass || ou || owner || seealso")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Groups";allow (compare,read,search) userdn = "ldap:///anyone";)
 dn: cn=System: Read HBAC Rules,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "accessruletype || accesstime || cn || description || externalhost || hostcategory || ipaenabledflag || ipauniqueid || member || memberhost || memberservice || memberuser || objectclass || servicecategory || sourcehost || sourcehostcategory || usercategory")(targetfilter = "(objectclass=ipahbacrule)")(version 3.0;acl "permission:System: Read HBAC Rules";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Read HBAC Services,cn=permissions,cn=pbac,dc=ipa,dc=example

ipalib/plugins/group.py

@@ -126,7 +126,7 @@ class group(LDAPObject):
     object_class = ['ipausergroup']
     object_class_config = 'ipagroupobjectclasses'
     possible_objectclasses = ['posixGroup', 'mepManagedEntry', 'ipaExternalGroup']
-    permission_filter_objectclasses = ['ipausergroup']
+    permission_filter_objectclasses = ['posixgroup', 'ipausergroup']
     search_attributes_config = 'ipagroupsearchfields'
     default_attributes = [
         'cn', 'description', 'gidnumber', 'member', 'memberof',

ipatests/test_xmlrpc/test_permission_plugin.py

@@ -102,6 +102,8 @@ etc_dn = DN('cn=etc', api.env.basedn)
 nonexistent_dn = DN('cn=does not exist', api.env.basedn)
 admin_dn = DN('uid=admin', users_dn)
 
+group_filter = u'(|(objectclass=ipausergroup)(objectclass=posixgroup))'
+
 
 def verify_permission_aci(name, dn, acistring):
     """Return test dict that verifies the ACI at the given location"""
@@ -1927,7 +1929,7 @@ class test_permission_sync_attributes(Declarative):
         verify_permission_aci(
             permission1, groups_dn,
             '(targetattr = "sn")' +
-            '(targetfilter = "(objectclass=ipausergroup)")'
+            '(targetfilter = "%s")' % group_filter +
             '(version 3.0;acl "permission:%s";' % permission1 +
             'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
         ),
@@ -1962,7 +1964,103 @@ class test_permission_sync_attributes(Declarative):
             permission1, groups_dn,
             '(targetattr = "sn")' +
             '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
-            '(targetfilter = "(objectclass=ipausergroup)")'
+            '(targetfilter = "%s")' % group_filter +
+            '(version 3.0;acl "permission:%s";' % permission1 +
+            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+        ),
+
+        dict(
+            desc='Set extra targetfilter on %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                    extratargetfilter=u'(cn=blabla)',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Modified permission "%s"' % permission1,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    type=[u'group'],
+                    ipapermright=[u'write'],
+                    attrs=[u'sn'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermtarget=[DN('cn=editors', groups_dn)],
+                    ipapermlocation=[groups_dn],
+                    targetgroup=[u'editors'],
+                    extratargetfilter=[u'(cn=blabla)'],
+                ),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, groups_dn,
+            '(targetattr = "sn")' +
+            '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
+            '(targetfilter = "(&(cn=blabla)%s)")' % group_filter +
+            '(version 3.0;acl "permission:%s";' % permission1 +
+            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+        ),
+
+        dict(
+            desc='Retrieve %r with --all' % permission1,
+            command=(
+                'permission_show', [permission1], dict(all=True)
+            ),
+            expected=dict(
+                value=permission1,
+                summary=None,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    type=[u'group'],
+                    ipapermright=[u'write'],
+                    attrs=[u'sn'],
+                    ipapermincludedattr=[u'sn'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermtarget=[DN('cn=editors', groups_dn)],
+                    ipapermlocation=[groups_dn],
+                    targetgroup=[u'editors'],
+                    extratargetfilter=[u'(cn=blabla)'],
+                    ipapermtargetfilter=[u'(cn=blabla)', group_filter],
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Set type of %r back to user' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                    type=u'user', ipapermtarget=None,
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Modified permission "%s"' % permission1,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    type=[u'user'],
+                    ipapermright=[u'write'],
+                    attrs=[u'sn'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermlocation=[users_dn],
+                    extratargetfilter=[u'(cn=blabla)'],
+                ),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, users_dn,
+            '(targetattr = "sn")' +
+            '(targetfilter = "(&(cn=blabla)(objectclass=posixaccount))")' +
             '(version 3.0;acl "permission:%s";' % permission1 +
             'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
         ),
@@ -2102,7 +2200,7 @@ class test_permission_sync_nice(Declarative):
         verify_permission_aci(
             permission1, groups_dn,
             '(targetattr = "sn")' +
-            '(targetfilter = "(objectclass=ipausergroup)")' +
+            '(targetfilter = "%s")' % group_filter +
             '(version 3.0;acl "permission:%s";' % permission1 +
             'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
         ),
@@ -2137,7 +2235,7 @@ class test_permission_sync_nice(Declarative):
             permission1, groups_dn,
             '(targetattr = "sn")' +
             '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
-            '(targetfilter = "(objectclass=ipausergroup)")' +
+            '(targetfilter = "%s")' % group_filter +
             '(version 3.0;acl "permission:%s";' % permission1 +
             'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
         ),