Make sure SYSTEM permissions can be retreived with --all --raw

Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
2025-02-25 18:55:28 -06:00 · 2013-12-13 11:10:28 +01:00
parent 7fc35ced1d
commit d38748d64f
2 changed files with 26 additions and 4 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -310,8 +310,16 @@ class permission(baseldap.LDAPObject):

        if options.get('raw'):
            # Retreive the ACI from LDAP to ensure we get the real thing
-            acientry, acistring = self._get_aci_entry_and_string(entry)
-            entry.single_value['aci'] = acistring
+            try:
+                acientry, acistring = self._get_aci_entry_and_string(entry)
+            except errors.NotFound:
+                if list(entry.get('ipapermissiontype')) == ['SYSTEM']:
+                    # SYSTEM permissions don't have normal ACIs
+                    pass
+                else:
+                    raise
+            else:
+                entry.single_value['aci'] = acistring

        if not client_has_capability(options['version'], 'permissions2'):
            # Legacy clients expect some attributes as a single value
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -1349,7 +1349,6 @@ class test_dns(Declarative):
                '"%s" already exists' % dnszone1_permission)
        ),

-
        dict(
            desc='Make sure the permission was created %r' % dnszone1,
            command=(
@@ -1367,6 +1366,22 @@ class test_dns(Declarative):
            ),
        ),

+        dict(
+            desc='Retrieve the permission %r with --all --raw' % dnszone1,
+            command=(
+                'permission_show', [dnszone1_permission], {}
+            ),
+            expected=dict(
+                value=dnszone1_permission,
+                summary=None,
+                result={
+                    'dn': dnszone1_permission_dn,
+                    'cn': [dnszone1_permission],
+                    'objectclass': objectclasses.system_permission,
+                    'ipapermissiontype': [u'SYSTEM'],
+                },
+            ),
+        ),

        dict(
            desc='Try to remove per-zone permission for unknown zone',
@@ -1374,7 +1389,6 @@ class test_dns(Declarative):
            expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found')
        ),

-
        dict(
            desc='Remove per-zone permission for zone %r' % dnszone1,
            command=(