pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0048-caacl-fix-regression-in-rule-instantiation.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   b2aa39a344317a6d2f7eba466b187d418ddfc7d1
  2.   SOURCES
  3.   0048-caacl-fix-regression-in-rule-instantiation.patch
Blob History Raw
403b09 
From c27595371bfe1f4fe12125e053cb7ec3ad08ebf6 Mon Sep 17 00:00:00 2001
403b09 
From: Fraser Tweedale <ftweedal@redhat.com>
403b09 
Date: Thu, 28 Jul 2016 10:55:45 +1000
403b09 
Subject: [PATCH] caacl: fix regression in rule instantiation
403b09
403b09 
The Principal refactor causes service collections
403b09 
('memberservice_service' attribute) to return Principal objects
403b09 
where previously it returned strings, but the HBAC machinery used
403b09 
for CA ACL enforcement only handles strings.  Update the code to
403b09 
stringify service Principal objects when adding them to HBAC rules.
403b09
403b09 
Fixes: https://fedorahosted.org/freeipa/ticket/6146
403b09 
Reviewed-By: Martin Basti <mbasti@redhat.com>
403b09 
---
403b09 
 ipaserver/plugins/caacl.py | 17 +++++++++++------
403b09 
 1 file changed, 11 insertions(+), 6 deletions(-)
403b09
403b09 
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
403b09 
index d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a..a7817c4cf64f070c74557f52e9f26c9013a4963c 100644
403b09 
--- a/ipaserver/plugins/caacl.py
403b09 
+++ b/ipaserver/plugins/caacl.py
403b09 
@@ -132,16 +132,21 @@ def _acl_make_rule(principal_type, obj):
403b09 
         rule.services.names = obj.get(attr, [])
403b09
403b09 
     # add principals and principal's groups
403b09 
-    m = {'user': 'group', 'host': 'hostgroup', 'service': None}
403b09 
     category_attr = '{}category'.format(principal_type)
403b09 
     if category_attr in obj and obj[category_attr][0].lower() == 'all':
403b09 
         rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
403b09 
     else:
403b09 
-        principal_attr = 'member{}_{}'.format(principal_type, principal_type)
403b09 
-        rule.users.names = obj.get(principal_attr, [])
403b09 
-        if m[principal_type] is not None:
403b09 
-            group_attr = 'member{}_{}'.format(principal_type, m[principal_type])
403b09 
-            rule.users.groups = obj.get(group_attr, [])
403b09 
+        if principal_type == 'user':
403b09 
+            rule.users.names = obj.get('memberuser_user', [])
403b09 
+            rule.users.groups = obj.get('memberuser_group', [])
403b09 
+        elif principal_type == 'host':
403b09 
+            rule.users.names = obj.get('memberhost_host', [])
403b09 
+            rule.users.groups = obj.get('memberhost_hostgroup', [])
403b09 
+        elif principal_type == 'service':
403b09 
+            rule.users.names = [
403b09 
+                unicode(principal)
403b09 
+                for principal in obj.get('memberservice_service', [])
403b09 
+            ]
403b09
403b09 
     return rule
403b09
403b09 
--
403b09 
2.7.4
403b09

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation