From 8ad2b5d6b81986235d0da6aa9349cfefaec06fcb Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding priviledge to a permission via webUI allowed to avoid check and to add permission with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta
---
 ipalib/plugins/permission.py | 7 ++++++
 ipalib/plugins/privilege.py | 51 ++++++++++++++++++++++----------------------
 2 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
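Review bot: The new pre_callback in permission_add_member performs the LDAP lookup unconditionally, while its counterpart in privilege_add_permission only validates when a member was actually supplied (`if options.get('permission'):`); for symmetry and to skip a search on an empty add, guard the call on the member option here as well, e.g. `if options.get('privilege'):` (assuming that is this command's member option name — confirm). The method also has no docstring even though the reason for the check is non-obvious; a one-liner such as `"""Reject privilege members on an ipaPermissionV2 permission whose bind rule type is not "permission"."""` would do. The unused `member_dns` and `failed` parameters are part of the callback signature and are fine as they are.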
@@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()
 
 
+def validate_permission_to_privilege(api, permission):
+    ldap = api.Backend.ldap2
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(api.env.container_permission, api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
     """
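Review bot: `validate_permission_to_privilege` is now shared by two plugins but has no docstring; state its contract, e.g. `"""Raise errors.ValidationError if any of `permission` (one name or several, judging by rules='|') is an ipaPermissionV2 entry whose ipaPermBindRuleType is not "permission"; legacy permissions pass."""`. `truncated` from find_entries is never read, so `entries, _truncated = ...` (or indexing the result with `[0]`) would make that explicit, and because of `size_limit=1` only the first offending permission is named in the error even when several were passed — worth a comment such as `# size_limit=1: one offending entry is enough to reject the whole call`. The helper also obtains its own handle via `api.Backend.ldap2` instead of taking the `ldap` the callbacks already hold; accepting it as a parameter would remove that implicit dependency, though the behaviour is presumably identical.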
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self.api, options['permission'])
         return dn
 
 
-- 
2.4.3