IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Rewrite the Permission plugin

Browse Source 
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
This commit is contained in:
Petr Viktorin 2013-11-13 16:31:58 +01:00 committed by Martin Kosek
parent 445634d6ac
commit d7ee87cfa1
9 changed files with 1708 additions and 548 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
API.txt
View File

@ -2228,27 +2228,33 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_add
args: 1,13,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, required=True)
args: 1,19,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', alwaysask=True, attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=False, required=False)
option: Str('filter', alwaysask=True, attribute=True, autofill=False, cli_name='filter', multivalue=False, query=False, required=False)
option: Str('memberof', alwaysask=True, attribute=True, autofill=False, cli_name='memberof', multivalue=False, query=False, required=False)
option: Str('attrs', attribute=False, cli_name='attrs', multivalue=True, required=False)
option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False)
option: Str('ipapermallowedattr', attribute=True, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission',))
option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', default=ipapython.dn.DN('dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), multivalue=False, query=False, required=False)
option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, cli_name='target', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, cli_name='filter', multivalue=False, required=False)
option: Str('memberof', alwaysask=True, attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=False, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=True, cli_name='permissions', csv=True, multivalue=True, required=True)
option: Str('permissions', attribute=False, cli_name='permissions', multivalue=True, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('subtree', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
option: Str('targetgroup', alwaysask=True, attribute=True, autofill=False, cli_name='targetgroup', multivalue=False, query=False, required=False)
option: StrEnum('type', alwaysask=True, attribute=True, autofill=False, cli_name='type', multivalue=False, query=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: Str('subtree', attribute=False, cli_name='subtree', multivalue=True, required=False)
option: Str('targetgroup', alwaysask=True, attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=False, required=False)
option: StrEnum('type', alwaysask=True, attribute=False, autofill=False, cli_name='type', multivalue=False, query=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_add_member
args: 1,5,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@ -2259,18 +2265,18 @@ output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: permission_add_noaci
args: 1,5,3
arg: Str('cn', cli_name='name', multivalue=False, pattern=None, primary_key=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: StrEnum('permissiontype?', values=(u'SYSTEM',))
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui', multivalue=False, required=True)
option: Str('ipapermissiontype', cli_name='ipapermissiontype', multivalue=True, required=True)
option: Flag('no_members', autofill=True, cli_name='no_members', default=False, exclude='webui', multivalue=False, required=True)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui', multivalue=False, required=True)
option: Str('version', cli_name='version', exclude='webui', multivalue=False, required=False)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_del
args: 1,3,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
arg: Str('cn', attribute=True, cli_name='name', multivalue=True, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Flag('continue', autofill=True, cli_name='continue', default=False)
option: Flag('force', autofill=True, default=False)
option: Str('version?', exclude='webui')
@ -2278,52 +2284,64 @@ output: Output('result', <type 'dict'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_find
args: 1,15,4
args: 1,21,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False)
option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=False)
option: Str('filter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False)
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission',))
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', default=ipapython.dn.DN('dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), multivalue=False, query=True, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, query=True, required=False)
option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, query=True, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, query=True, required=False)
option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False)
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Int('sizelimit?', autofill=False, minvalue=0)
option: Str('subtree', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False)
option: Str('targetgroup', attribute=True, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False)
option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, query=True, required=False)
option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False)
option: Int('timelimit?', autofill=False, minvalue=0)
option: StrEnum('type', attribute=True, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, query=True, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: Str('version?', exclude='webui')
output: Output('count', <type 'int'>, None)
output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: permission_mod
args: 1,16,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
args: 1,22,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, required=False)
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Str('filter', attribute=True, autofill=False, cli_name='filter', multivalue=False, required=False)
option: Str('memberof', attribute=True, autofill=False, cli_name='memberof', multivalue=False, required=False)
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, required=False)
option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, required=False, values=(u'permission',))
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', default=ipapython.dn.DN('dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com'), multivalue=False, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False)
option: Str('ipapermtargetfilter', attribute=True, autofill=False, cli_name='filter', multivalue=False, required=False)
option: Str('memberof', attribute=False, autofill=False, cli_name='memberof', multivalue=False, required=False)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, required=False)
option: Str('permissions', attribute=False, autofill=False, cli_name='permissions', multivalue=True, required=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('rename', cli_name='rename', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, required=False)
option: Str('rename', cli_name='rename', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=False)
option: Flag('rights', autofill=True, default=False)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('subtree', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False)
option: Str('targetgroup', attribute=True, autofill=False, cli_name='targetgroup', multivalue=False, required=False)
option: StrEnum('type', attribute=True, autofill=False, cli_name='type', multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', multivalue=True, required=False)
option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, required=False)
option: StrEnum('type', attribute=False, autofill=False, cli_name='type', multivalue=False, required=False, values=(u'user', u'group', u'host', u'service', u'hostgroup', u'netgroup', u'dnsrecord'))
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_remove_member
args: 1,5,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Str('privilege*', alwaysask=True, cli_name='privileges', csv=True)
@ -2334,7 +2352,7 @@ output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: permission_show
args: 1,5,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9]+$', primary_key=True, query=True, required=True)
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
@ -3871,3 +3889,4 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
capability: messages 2.52
capability: optional_uid_params 2.54
capability: permissions2 2.69

2
VERSION
View File

@ -89,4 +89,4 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=70
IPA_API_VERSION_MINOR=71

6
ipalib/capabilities.py
View File

@ -40,7 +40,11 @@ capabilities = dict(
# a user with UID=999. With the capability, these parameters are optional
# and 999 really means 999.
# https://fedorahosted.org/freeipa/ticket/2886
optional_uid_params=u'2.54'
optional_uid_params=u'2.54',
# permissions2: Reworked permission system
# http://www.freeipa.org/page/V3/Permissions_V2
permissions2=u'2.69',
)

2
ipalib/plugins/dns.py
View File

@ -2030,7 +2030,7 @@ class dnszone_add_permission(LDAPQuery):
permission_name = self.obj.permission_name(keys[-1])
permission = api.Command['permission_add_noaci'](permission_name,
permissiontype=u'SYSTEM'
ipapermissiontype=u'SYSTEM'
)['result']
update = {}

1096
ipalib/plugins/permission.py
View File

File diff suppressed because it is too large Load Diff

6
ipatests/test_xmlrpc/objectclasses.py
View File

@ -77,12 +77,16 @@ role = [
u'top',
]
permission = [
system_permission = [
u'groupofnames',
u'ipapermission',
u'top'
]
permission = system_permission + [
u'ipapermissionv2',
]
privilege = [
u'nestedgroup',
u'groupofnames',

1
ipatests/test_xmlrpc/test_dns_plugin.py
View File

@ -1361,6 +1361,7 @@ class test_dns(Declarative):
result={
'dn': dnszone1_permission_dn,
'cn': [dnszone1_permission],
'objectclass': objectclasses.system_permission,
'ipapermissiontype': [u'SYSTEM'],
},
),

1022
ipatests/test_xmlrpc/test_permission_plugin.py
View File

File diff suppressed because it is too large Load Diff

26
ipatests/test_xmlrpc/test_privilege_plugin.py
View File

@ -38,6 +38,8 @@ privilege1 = u'testpriv1'
privilege1_dn = DN(('cn',privilege1),
api.env.container_privilege,api.env.basedn)
users_dn = DN(api.env.container_user, api.env.basedn)
class test_privilege(Declarative):
@ -89,8 +91,8 @@ class test_privilege(Declarative):
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
permissions=[u'add', u'delete'],
type=u'user',
ipapermright=[u'add', u'delete'],
)
),
expected=dict(
@ -100,8 +102,12 @@ class test_privilege(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'add', u'delete'],
type=[u'user'],
ipapermright=[u'add', u'delete'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
),
),
),
@ -206,8 +212,8 @@ class test_privilege(Declarative):
desc='Create %r' % permission2,
command=(
'permission_add', [permission2], dict(
type=u'user',
permissions=u'write',
type=u'user',
ipapermright=u'write',
)
),
expected=dict(
@ -217,8 +223,12 @@ class test_privilege(Declarative):
dn=permission2_dn,
cn=[permission2],
objectclass=objectclasses.permission,
type=u'user',
permissions=[u'write'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN('uid=*', users_dn)],
),
),
),