mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
Do not use extra command options in ACI, permission, selfservice
Allowing Commands to be called with ignored unknown options opens the door to problems, for example with misspelled option names. Before we start rejecting them, we need to make sure IPA itself does not use them when it calls commands internally. This patch does that for ACI-related plugins. Part of the work for https://fedorahosted.org/freeipa/ticket/2509
This commit is contained in:
parent
95bb8d0f45
commit
c5689e7faf
@ -565,21 +565,20 @@ class aci_del(crud.Delete):
|
||||
|
||||
takes_options = (_prefix_option,)
|
||||
|
||||
def execute(self, aciname, **kw):
|
||||
def execute(self, aciname, aciprefix):
|
||||
"""
|
||||
Execute the aci-delete operation.
|
||||
|
||||
:param aciname: The name of the ACI being deleted.
|
||||
:param kw: unused
|
||||
:param aciprefix: The ACI prefix.
|
||||
"""
|
||||
assert 'aciname' not in kw
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
|
||||
|
||||
acistrs = entry_attrs.get('aci', [])
|
||||
acis = _convert_strings_to_acis(acistrs)
|
||||
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
|
||||
aci = _find_aci_by_name(acis, aciprefix, aciname)
|
||||
for a in acistrs:
|
||||
candidate = ACI(a)
|
||||
if aci.isequal(candidate):
|
||||
@ -614,28 +613,25 @@ class aci_mod(crud.Update):
|
||||
msg_summary = _('Modified ACI "%(value)s"')
|
||||
|
||||
def execute(self, aciname, **kw):
|
||||
aciprefix = kw['aciprefix']
|
||||
ldap = self.api.Backend.ldap2
|
||||
|
||||
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
|
||||
|
||||
acis = _convert_strings_to_acis(entry_attrs.get('aci', []))
|
||||
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
|
||||
aci = _find_aci_by_name(acis, aciprefix, aciname)
|
||||
|
||||
# The strategy here is to convert the ACI we're updating back into
|
||||
# a series of keywords. Then we replace any keywords that have been
|
||||
# updated and convert that back into an ACI and write it out.
|
||||
oldkw = _aci_to_kw(ldap, aci)
|
||||
newkw = deepcopy(oldkw)
|
||||
if 'selfaci' in newkw and newkw['selfaci'] == True:
|
||||
if newkw.get('selfaci', False):
|
||||
# selfaci is set in aci_to_kw to True only if the target is self
|
||||
kw['selfaci'] = True
|
||||
for k in kw.keys():
|
||||
newkw[k] = kw[k]
|
||||
newkw.update(kw)
|
||||
for acikw in (oldkw, newkw):
|
||||
try:
|
||||
del acikw['aciname']
|
||||
except KeyError:
|
||||
pass
|
||||
acikw.pop('aciname', None)
|
||||
|
||||
# _make_aci is what is run in aci_add and validates the input.
|
||||
# Do this before we delete the existing ACI.
|
||||
@ -643,7 +639,7 @@ class aci_mod(crud.Update):
|
||||
if aci.isequal(newaci):
|
||||
raise errors.EmptyModlist()
|
||||
|
||||
self.api.Command['aci_del'](aciname, **kw)
|
||||
self.api.Command['aci_del'](aciname, aciprefix=aciprefix)
|
||||
|
||||
try:
|
||||
result = self.api.Command['aci_add'](aciname, **newkw)['result']
|
||||
@ -652,7 +648,7 @@ class aci_mod(crud.Update):
|
||||
# report the ADD error back to user
|
||||
try:
|
||||
self.api.Command['aci_add'](aciname, **oldkw)
|
||||
except:
|
||||
except Exception:
|
||||
pass
|
||||
raise e
|
||||
|
||||
@ -949,7 +945,7 @@ class aci_rename(crud.Update):
|
||||
# Do this before we delete the existing ACI.
|
||||
newaci = _make_aci(ldap, None, kw['newname'], newkw)
|
||||
|
||||
self.api.Command['aci_del'](aciname, **kw)
|
||||
self.api.Command['aci_del'](aciname, aciprefix=kw['aciprefix'])
|
||||
|
||||
result = self.api.Command['aci_add'](kw['newname'], **newkw)['result']
|
||||
|
||||
|
@ -194,10 +194,7 @@ class permission_add(LDAPCreate):
|
||||
opts['test'] = True
|
||||
opts['permission'] = keys[-1]
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
try:
|
||||
self.api.Command.aci_add(keys[-1], **opts)
|
||||
except Exception, e:
|
||||
raise e
|
||||
self.api.Command.aci_add(keys[-1], **opts)
|
||||
|
||||
# Clear the aci attributes out of the permission entry
|
||||
for o in options:
|
||||
@ -289,24 +286,20 @@ class permission_mod(LDAPUpdate):
|
||||
except errors.NotFound:
|
||||
pass # permission may be renamed, continue
|
||||
else:
|
||||
raise errors.ValidationError(name='rename',error=_('New name can not be empty'))
|
||||
raise errors.ValidationError(
|
||||
name='rename',error=_('New name can not be empty'))
|
||||
|
||||
opts = copy.copy(options)
|
||||
for o in ['all', 'raw', 'rights', 'rename']:
|
||||
if o in opts:
|
||||
del opts[o]
|
||||
for o in ['all', 'raw', 'rights', 'test', 'rename']:
|
||||
opts.pop(o, None)
|
||||
setattr(context, 'aciupdate', False)
|
||||
# If there are no options left we don't need to do anything to the
|
||||
# underlying ACI.
|
||||
if len(opts) > 0:
|
||||
opts['test'] = False
|
||||
opts['permission'] = keys[-1]
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
try:
|
||||
self.api.Command.aci_mod(keys[-1], **opts)
|
||||
setattr(context, 'aciupdate', True)
|
||||
except Exception, e:
|
||||
raise e
|
||||
self.api.Command.aci_mod(keys[-1], **opts)
|
||||
setattr(context, 'aciupdate', True)
|
||||
|
||||
# Clear the aci attributes out of the permission entry
|
||||
for o in self.obj.aci_attributes:
|
||||
@ -341,11 +334,12 @@ class permission_mod(LDAPUpdate):
|
||||
permission=options['rename'])
|
||||
|
||||
self.api.Command.aci_rename(cn, aciprefix=ACI_PREFIX,
|
||||
newname=options['rename'], newprefix=ACI_PREFIX)
|
||||
newname=options['rename'])
|
||||
|
||||
cn = options['rename'] # rename finished
|
||||
|
||||
result = self.api.Command.permission_show(cn, **options)['result']
|
||||
common_options = dict((k, options[k]) for k in ('all', 'raw') if k in options)
|
||||
result = self.api.Command.permission_show(cn, **common_options)['result']
|
||||
for r in result:
|
||||
if not r.startswith('member_'):
|
||||
entry_attrs[r] = result[r]
|
||||
@ -363,7 +357,7 @@ class permission_find(LDAPSearch):
|
||||
has_output_params = LDAPSearch.has_output_params + output_params
|
||||
|
||||
def post_callback(self, ldap, entries, truncated, *args, **options):
|
||||
if options.get('pkey_only', False):
|
||||
if options.pop('pkey_only', False):
|
||||
return
|
||||
for entry in entries:
|
||||
(dn, attrs) = entry
|
||||
@ -379,9 +373,9 @@ class permission_find(LDAPSearch):
|
||||
|
||||
# Now find all the ACIs that match. Once we find them, add any that
|
||||
# aren't already in the list along with their permission info.
|
||||
options['aciprefix'] = ACI_PREFIX
|
||||
|
||||
opts = copy.copy(options)
|
||||
opts['aciprefix'] = ACI_PREFIX
|
||||
try:
|
||||
# permission ACI attribute is needed
|
||||
del opts['raw']
|
||||
@ -422,7 +416,8 @@ class permission_show(LDAPRetrieve):
|
||||
has_output_params = LDAPRetrieve.has_output_params + output_params
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
try:
|
||||
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX, **options)['result']
|
||||
common_options = dict((k, options[k]) for k in ('all', 'raw') if k in options)
|
||||
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX, **common_options)['result']
|
||||
for attr in self.obj.aci_attributes:
|
||||
if attr in aci:
|
||||
entry_attrs[attr] = aci[attr]
|
||||
|
@ -149,8 +149,7 @@ class selfservice_del(crud.Delete):
|
||||
msg_summary = _('Deleted selfservice "%(value)s"')
|
||||
|
||||
def execute(self, aciname, **kw):
|
||||
kw['aciprefix'] = ACI_PREFIX
|
||||
result = api.Command['aci_del'](aciname, **kw)
|
||||
result = api.Command['aci_del'](aciname, aciprefix=ACI_PREFIX)
|
||||
self.obj.postprocess_result(result)
|
||||
|
||||
return dict(
|
||||
|
@ -46,7 +46,8 @@ class test_selfservice(Declarative):
|
||||
|
||||
dict(
|
||||
desc='Try to update non-existent %r' % selfservice1,
|
||||
command=('selfservice_mod', [selfservice1], dict(description=u'Foo')),
|
||||
command=('selfservice_mod', [selfservice1],
|
||||
dict(permissions=u'write')),
|
||||
expected=errors.NotFound(
|
||||
reason=u'ACI with name "%s" not found' % selfservice1),
|
||||
),
|
||||
|
Loading…
Reference in New Issue
Block a user