permission_add: Remove permission entry if adding the ACI fails

https://fedorahosted.org/freeipa/ticket/4187 Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2025-02-25 18:55:28 -06:00 · 2014-02-21 13:58:15 +01:00
parent 0be66e9a67
commit d3a34591a8
2 changed files with 45 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -830,7 +830,26 @@ class permission_add(baseldap.LDAPCreate):
        return dn

    def post_callback(self, ldap, dn, entry, *keys, **options):
-        self.obj.add_aci(entry)
+        try:
+            self.obj.add_aci(entry)
+        except Exception:
+            # Adding the ACI failed.
+            # We want to be 100% sure the ACI is not there, so try to
+            # remove it. (This is a no-op if the ACI was not added.)
+            self.obj.remove_aci(entry)
+            # Remove the entry.
+            # The permission entry serves as a "lock" tho prevent
+            # permission-add commands started at the same time from
+            # interfering. As long as the entry is there, the other
+            # permission-add will fail with DuplicateEntry.
+            # So deleting entry ("releasing the lock") must be the last
+            # thing we do here.
+            try:
+                self.api.Backend['ldap2'].delete_entry(entry)
+            except errors.NotFound:
+                pass
+            # Re-raise original exception
+            raise
        self.obj.postprocess_result(entry, options)
        return dn

--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -219,6 +219,31 @@ class test_permission_negative(Declarative):

        verify_permission_aci_missing(permission1, users_dn),

+        dict(
+            desc='Try creating %r with bad attribute name' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                    type=u'user',
+                    ipapermright=u'write',
+                    attrs=u'bogusattr',
+                )
+            ),
+            expected=errors.InvalidSyntax(
+                attr=r'targetattr "bogusattr" does not exist in schema. '
+                     r'Please add attributeTypes "bogusattr" to '
+                     r'schema if necessary. '
+                     r'ACL Syntax Error(-5):'
+                     r'(targetattr = \22bogusattr\22)'
+                     r'(targetfilter = \22(objectclass=posixaccount)\22)'
+                     r'(version 3.0;acl \22permission:%(name)s\22;'
+                     r'allow (write) groupdn = \22ldap:///%(dn)s\22;)' % dict(
+                        name=permission1,
+                        dn=permission1_dn),
+            ),
+        ),
+
+        verify_permission_aci_missing(permission1, users_dn),
+
        dict(
            desc='Create %r so we can try breaking it' % permission1,
            command=(