permission plugin: Ignore unparseable ACIs

When manipulating a permission for an entry that has an ACI that the parser cannot process, skip this ACI instead of failing. Add a test that manipulates permission in cn=accounts, where there are complex ipaAllowedOperation-based ACIs. Workaround for: https://fedorahosted.org/freeipa/ticket/4376 Reviewed-By: Martin Kosek <mkosek@redhat.com>
2025-01-11 00:31:56 -06:00 · 2014-06-30 20:56:23 +02:00 · 2014-06-30 20:56:23 +02:00 · fdef2e1bd8
commit fdef2e1bd8
parent 5ff8e3d8b3
2 changed files with 58 additions and 1 deletions
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@ -641,7 +641,12 @@ class permission(baseldap.LDAPObject):
                acientry = ldap.make_entry(location)
        acis = acientry.get('aci', ())
        for acistring in acis:
-            aci = ACI(acistring)
+            try:
+                aci = ACI(acistring)
+            except SyntaxError as e:
+                self.log.warning('Unparseable ACI %s: %s (at %s)',
+                                 acistring, e, location)
+                continue
            if aci.name == wanted_aciname:
                return acientry, acistring
        else:
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@ -3966,3 +3966,55 @@ class test_permission_filters(Declarative):
            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
        ),
    ]
+
+
+class test_permission_in_accounts(Declarative):
+    """Test managing a permission in cn=accounts"""
+
+    tests = [
+        dict(
+            desc='Create %r in cn=accounts' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                    ipapermlocation=DN('cn=accounts', api.env.basedn),
+                    ipapermright=u'add',
+                    attrs=[u'cn'],
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    attrs=[u'cn'],
+                    ipapermright=[u'add'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermlocation=[DN('cn=accounts', api.env.basedn)],
+                ),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, DN('cn=accounts', api.env.basedn),
+            '(targetattr = "cn")' +
+            '(version 3.0;acl "permission:%s";' % permission1 +
+            'allow (add) groupdn = "ldap:///%s";)' % permission1_dn,
+        ),
+
+        dict(
+            desc='Delete %r' % permission1,
+            command=(
+                'permission_del', [permission1], {}
+            ),
+            expected=dict(
+                result=dict(failed=[]),
+                value=[permission1],
+                summary=u'Deleted permission "%s"' % permission1,
+            )
+        ),
+
+        verify_permission_aci_missing(permission1, api.env.basedn),
+    ]