Do not use extra command options in ACI, permission, selfservice

Allowing Commands to be called with ignored unknown options opens the
door to problems, for example with misspelled option names.
Before we start rejecting them, we need to make sure IPA itself does
not use them when it calls commands internally.

This patch does that for ACI-related plugins.

Part of the work for https://fedorahosted.org/freeipa/ticket/2509
This commit is contained in:
Petr Viktorin 2012-04-17 12:48:33 -04:00 committed by Martin Kosek
parent 95bb8d0f45
commit c5689e7faf
4 changed files with 28 additions and 37 deletions

View File

@ -565,21 +565,20 @@ class aci_del(crud.Delete):
takes_options = (_prefix_option,)
def execute(self, aciname, **kw):
def execute(self, aciname, aciprefix):
"""
Execute the aci-delete operation.
:param aciname: The name of the ACI being deleted.
:param kw: unused
:param aciprefix: The ACI prefix.
"""
assert 'aciname' not in kw
ldap = self.api.Backend.ldap2
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
acistrs = entry_attrs.get('aci', [])
acis = _convert_strings_to_acis(acistrs)
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
aci = _find_aci_by_name(acis, aciprefix, aciname)
for a in acistrs:
candidate = ACI(a)
if aci.isequal(candidate):
@ -614,28 +613,25 @@ class aci_mod(crud.Update):
msg_summary = _('Modified ACI "%(value)s"')
def execute(self, aciname, **kw):
aciprefix = kw['aciprefix']
ldap = self.api.Backend.ldap2
(dn, entry_attrs) = ldap.get_entry(self.api.env.basedn, ['aci'])
acis = _convert_strings_to_acis(entry_attrs.get('aci', []))
aci = _find_aci_by_name(acis, kw['aciprefix'], aciname)
aci = _find_aci_by_name(acis, aciprefix, aciname)
# The strategy here is to convert the ACI we're updating back into
# a series of keywords. Then we replace any keywords that have been
# updated and convert that back into an ACI and write it out.
oldkw = _aci_to_kw(ldap, aci)
newkw = deepcopy(oldkw)
if 'selfaci' in newkw and newkw['selfaci'] == True:
if newkw.get('selfaci', False):
# selfaci is set in aci_to_kw to True only if the target is self
kw['selfaci'] = True
for k in kw.keys():
newkw[k] = kw[k]
newkw.update(kw)
for acikw in (oldkw, newkw):
try:
del acikw['aciname']
except KeyError:
pass
acikw.pop('aciname', None)
# _make_aci is what is run in aci_add and validates the input.
# Do this before we delete the existing ACI.
@ -643,7 +639,7 @@ class aci_mod(crud.Update):
if aci.isequal(newaci):
raise errors.EmptyModlist()
self.api.Command['aci_del'](aciname, **kw)
self.api.Command['aci_del'](aciname, aciprefix=aciprefix)
try:
result = self.api.Command['aci_add'](aciname, **newkw)['result']
@ -652,7 +648,7 @@ class aci_mod(crud.Update):
# report the ADD error back to user
try:
self.api.Command['aci_add'](aciname, **oldkw)
except:
except Exception:
pass
raise e
@ -949,7 +945,7 @@ class aci_rename(crud.Update):
# Do this before we delete the existing ACI.
newaci = _make_aci(ldap, None, kw['newname'], newkw)
self.api.Command['aci_del'](aciname, **kw)
self.api.Command['aci_del'](aciname, aciprefix=kw['aciprefix'])
result = self.api.Command['aci_add'](kw['newname'], **newkw)['result']

View File

@ -194,10 +194,7 @@ class permission_add(LDAPCreate):
opts['test'] = True
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try:
self.api.Command.aci_add(keys[-1], **opts)
except Exception, e:
raise e
self.api.Command.aci_add(keys[-1], **opts)
# Clear the aci attributes out of the permission entry
for o in options:
@ -289,24 +286,20 @@ class permission_mod(LDAPUpdate):
except errors.NotFound:
pass # permission may be renamed, continue
else:
raise errors.ValidationError(name='rename',error=_('New name can not be empty'))
raise errors.ValidationError(
name='rename',error=_('New name can not be empty'))
opts = copy.copy(options)
for o in ['all', 'raw', 'rights', 'rename']:
if o in opts:
del opts[o]
for o in ['all', 'raw', 'rights', 'test', 'rename']:
opts.pop(o, None)
setattr(context, 'aciupdate', False)
# If there are no options left we don't need to do anything to the
# underlying ACI.
if len(opts) > 0:
opts['test'] = False
opts['permission'] = keys[-1]
opts['aciprefix'] = ACI_PREFIX
try:
self.api.Command.aci_mod(keys[-1], **opts)
setattr(context, 'aciupdate', True)
except Exception, e:
raise e
self.api.Command.aci_mod(keys[-1], **opts)
setattr(context, 'aciupdate', True)
# Clear the aci attributes out of the permission entry
for o in self.obj.aci_attributes:
@ -341,11 +334,12 @@ class permission_mod(LDAPUpdate):
permission=options['rename'])
self.api.Command.aci_rename(cn, aciprefix=ACI_PREFIX,
newname=options['rename'], newprefix=ACI_PREFIX)
newname=options['rename'])
cn = options['rename'] # rename finished
result = self.api.Command.permission_show(cn, **options)['result']
common_options = dict((k, options[k]) for k in ('all', 'raw') if k in options)
result = self.api.Command.permission_show(cn, **common_options)['result']
for r in result:
if not r.startswith('member_'):
entry_attrs[r] = result[r]
@ -363,7 +357,7 @@ class permission_find(LDAPSearch):
has_output_params = LDAPSearch.has_output_params + output_params
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
if options.pop('pkey_only', False):
return
for entry in entries:
(dn, attrs) = entry
@ -379,9 +373,9 @@ class permission_find(LDAPSearch):
# Now find all the ACIs that match. Once we find them, add any that
# aren't already in the list along with their permission info.
options['aciprefix'] = ACI_PREFIX
opts = copy.copy(options)
opts['aciprefix'] = ACI_PREFIX
try:
# permission ACI attribute is needed
del opts['raw']
@ -422,7 +416,8 @@ class permission_show(LDAPRetrieve):
has_output_params = LDAPRetrieve.has_output_params + output_params
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try:
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX, **options)['result']
common_options = dict((k, options[k]) for k in ('all', 'raw') if k in options)
aci = self.api.Command.aci_show(keys[-1], aciprefix=ACI_PREFIX, **common_options)['result']
for attr in self.obj.aci_attributes:
if attr in aci:
entry_attrs[attr] = aci[attr]

View File

@ -149,8 +149,7 @@ class selfservice_del(crud.Delete):
msg_summary = _('Deleted selfservice "%(value)s"')
def execute(self, aciname, **kw):
kw['aciprefix'] = ACI_PREFIX
result = api.Command['aci_del'](aciname, **kw)
result = api.Command['aci_del'](aciname, aciprefix=ACI_PREFIX)
self.obj.postprocess_result(result)
return dict(

View File

@ -46,7 +46,8 @@ class test_selfservice(Declarative):
dict(
desc='Try to update non-existent %r' % selfservice1,
command=('selfservice_mod', [selfservice1], dict(description=u'Foo')),
command=('selfservice_mod', [selfservice1],
dict(permissions=u'write')),
expected=errors.NotFound(
reason=u'ACI with name "%s" not found' % selfservice1),
),