mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different subtrees: global policy in cn=kerberos and per-user policy in cn=users,cn=accounts. Add two permissions, one for each location. Also, modify tests so that adding new permissions in cn=users doesn't cause failures. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
This commit is contained in:
parent
6b0c6bf344
commit
b53f2d28fd
@ -408,3 +408,10 @@ default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: Password Policy Readers
|
||||
default:description: Read password policies
|
||||
|
||||
dn: cn=Kerberos Ticket Policy Readers,cn=privileges,cn=pbac,$SUFFIX
|
||||
default:objectClass: nestedgroup
|
||||
default:objectClass: groupofnames
|
||||
default:objectClass: top
|
||||
default:cn: Kerberos Ticket Policy Readers
|
||||
default:description: Read global and per-user Kerberos ticket policy
|
||||
|
@ -75,6 +75,42 @@ class krbtpolicy(LDAPObject):
|
||||
object_name = _('kerberos ticket policy settings')
|
||||
default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage']
|
||||
limit_object_classes = ['krbticketpolicyaux']
|
||||
# permission_filter_objectclasses is deliberately missing,
|
||||
# so it is not possible to create a permission of `--type krbtpolicy`.
|
||||
# This is because we need two permissions to cover both global and per-user
|
||||
# policies.
|
||||
managed_permissions = {
|
||||
'System: Read Default Kerberos Ticket Policy': {
|
||||
'non_object': True,
|
||||
'replaces_global_anonymous_aci': True,
|
||||
'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
|
||||
'ipapermlocation': DN(container_dn, api.env.basedn),
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'krbdefaultencsalttypes', 'krbmaxrenewableage',
|
||||
'krbmaxticketlife', 'krbsupportedencsalttypes',
|
||||
'objectclass',
|
||||
},
|
||||
'default_privileges': {
|
||||
'Kerberos Ticket Policy Readers',
|
||||
},
|
||||
},
|
||||
'System: Read User Kerberos Ticket Policy': {
|
||||
'non_object': True,
|
||||
'replaces_global_anonymous_aci': True,
|
||||
'ipapermlocation': DN(api.env.container_user, api.env.basedn),
|
||||
'ipapermtargetfilter': ['(objectclass=krbticketpolicyaux)'],
|
||||
'ipapermbindruletype': 'permission',
|
||||
'ipapermright': {'read', 'search', 'compare'},
|
||||
'ipapermdefaultattr': {
|
||||
'krbmaxrenewableage', 'krbmaxticketlife',
|
||||
},
|
||||
'default_privileges': {
|
||||
'Kerberos Ticket Policy Readers',
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
label = _('Kerberos Ticket Policy')
|
||||
label_singular = _('Kerberos Ticket Policy')
|
||||
|
@ -100,6 +100,7 @@ users_dn = DN(api.env.container_user, api.env.basedn)
|
||||
groups_dn = DN(api.env.container_group, api.env.basedn)
|
||||
etc_dn = DN('cn=etc', api.env.basedn)
|
||||
nonexistent_dn = DN('cn=does not exist', api.env.basedn)
|
||||
admin_dn = DN('uid=admin', users_dn)
|
||||
|
||||
|
||||
def verify_permission_aci(name, dn, acistring):
|
||||
@ -1116,10 +1117,43 @@ class test_permission(Declarative):
|
||||
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
|
||||
),
|
||||
|
||||
dict(
|
||||
desc='Change subtree of %r to admin' % permission1_renamed_ucase,
|
||||
command=(
|
||||
'permission_mod', [permission1_renamed_ucase],
|
||||
dict(ipapermlocation=admin_dn)
|
||||
),
|
||||
expected=dict(
|
||||
value=permission1_renamed_ucase,
|
||||
summary=u'Modified permission "%s"' % permission1_renamed_ucase,
|
||||
result=dict(
|
||||
dn=permission1_renamed_ucase_dn,
|
||||
cn=[permission1_renamed_ucase],
|
||||
objectclass=objectclasses.permission,
|
||||
member_privilege=[privilege1],
|
||||
ipapermlocation=[admin_dn],
|
||||
ipapermright=[u'write'],
|
||||
memberof=[u'ipausers'],
|
||||
attrs=[u'sn'],
|
||||
ipapermbindruletype=[u'permission'],
|
||||
ipapermissiontype=[u'SYSTEM', u'V2'],
|
||||
),
|
||||
),
|
||||
),
|
||||
|
||||
verify_permission_aci(
|
||||
permission1_renamed_ucase, admin_dn,
|
||||
'(targetattr = "sn")' +
|
||||
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
|
||||
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
|
||||
'allow (write) groupdn = "ldap:///%s";)' %
|
||||
permission1_renamed_ucase_dn,
|
||||
),
|
||||
|
||||
dict(
|
||||
desc='Search for %r using --subtree' % permission1_renamed_ucase,
|
||||
command=('permission_find', [],
|
||||
{'ipapermlocation': u'ldap:///%s' % users_dn}),
|
||||
{'ipapermlocation': u'ldap:///%s' % admin_dn}),
|
||||
expected=dict(
|
||||
count=1,
|
||||
truncated=False,
|
||||
@ -1130,13 +1164,12 @@ class test_permission(Declarative):
|
||||
'cn':[permission1_renamed_ucase],
|
||||
'objectclass': objectclasses.permission,
|
||||
'member_privilege':[privilege1],
|
||||
'ipapermlocation': [users_dn],
|
||||
'ipapermlocation': [admin_dn],
|
||||
'ipapermright':[u'write'],
|
||||
'memberof':[u'ipausers'],
|
||||
'attrs': [u'sn'],
|
||||
'ipapermbindruletype': [u'permission'],
|
||||
'ipapermissiontype': [u'SYSTEM', u'V2'],
|
||||
'ipapermlocation': [users_dn],
|
||||
},
|
||||
],
|
||||
),
|
||||
|
Loading…
Reference in New Issue
Block a user