rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0013-Validate-adding-privilege-to-a-permission.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   db5969ef1d220eb0c817ef53f22d74d97c0a0108
  2.   SOURCES
  3.   0013-Validate-adding-privilege-to-a-permission.patch
Blob History Raw
590d18 
From 8ad2b5d6b81986235d0da6aa9349cfefaec06fcb Mon Sep 17 00:00:00 2001
590d18 
From: Martin Basti <mbasti@redhat.com>
590d18 
Date: Thu, 9 Jul 2015 16:48:36 +0200
590d18 
Subject: [PATCH] Validate adding privilege to a permission
590d18
590d18 
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
590d18 
with improper type.
590d18
590d18 
https://fedorahosted.org/freeipa/ticket/5075
590d18
590d18 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
590d18 
---
590d18 
 ipalib/plugins/permission.py |  7 ++++++
590d18 
 ipalib/plugins/privilege.py  | 51 ++++++++++++++++++++++----------------------
590d18 
 2 files changed, 33 insertions(+), 25 deletions(-)
590d18
590d18 
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
590d18 
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
590d18 
--- a/ipalib/plugins/permission.py
590d18 
+++ b/ipalib/plugins/permission.py
590d18 
@@ -21,6 +21,7 @@ import re
590d18 
 import traceback
590d18
590d18 
 from ipalib.plugins import baseldap
590d18 
+from ipalib.plugins.privilege import validate_permission_to_privilege
590d18 
 from ipalib import errors
590d18 
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
590d18 
 from ipalib import api, _, ngettext
590d18 
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
590d18 
     """Add members to a permission."""
590d18 
     NO_CLI = True
590d18
590d18 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
590d18 
+        # We can only add permissions with bind rule type set to
590d18 
+        # "permission" (or old-style permissions)
590d18 
+        validate_permission_to_privilege(self.api, keys[-1])
590d18 
+        return dn
590d18 
+
590d18
590d18 
 @register()
590d18 
 class permission_remove_member(baseldap.LDAPRemoveMember):
590d18 
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
590d18 
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
590d18 
--- a/ipalib/plugins/privilege.py
590d18 
+++ b/ipalib/plugins/privilege.py
590d18 
@@ -45,6 +45,31 @@ See role and permission for additional information.
590d18 
 register = Registry()
590d18
590d18
590d18 
+def validate_permission_to_privilege(api, permission):
590d18 
+    ldap = api.Backend.ldap2
590d18 
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
590d18 
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
590d18 
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
590d18 
+    try:
590d18 
+        entries, truncated = ldap.find_entries(
590d18 
+            filter=ldapfilter,
590d18 
+            attrs_list=['cn', 'ipapermbindruletype'],
590d18 
+            base_dn=DN(api.env.container_permission, api.env.basedn),
590d18 
+            size_limit=1)
590d18 
+    except errors.NotFound:
590d18 
+        pass
590d18 
+    else:
590d18 
+        entry = entries[0]
590d18 
+        message = _('cannot add permission "%(perm)s" with bindtype '
590d18 
+                    '"%(bindtype)s" to a privilege')
590d18 
+        raise errors.ValidationError(
590d18 
+            name='permission',
590d18 
+            error=message % {
590d18 
+                'perm': entry.single_value['cn'],
590d18 
+                'bindtype': entry.single_value.get(
590d18 
+                    'ipapermbindruletype', 'permission')})
590d18 
+
590d18 
+
590d18 
 @register()
590d18 
 class privilege(LDAPObject):
590d18 
     """
590d18 
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
590d18 
         if options.get('permission'):
590d18 
             # We can only add permissions with bind rule type set to
590d18 
             # "permission" (or old-style permissions)
590d18 
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
590d18 
-                '(objectClass=ipaPermissionV2)',
590d18 
-                '(!(ipaPermBindRuleType=permission))',
590d18 
-                ldap.make_filter_from_attr('cn', options['permission'],
590d18 
-                                           rules='|'),
590d18 
-            ])
590d18 
-            try:
590d18 
-                entries, truncated = ldap.find_entries(
590d18 
-                    filter=ldapfilter,
590d18 
-                    attrs_list=['cn', 'ipapermbindruletype'],
590d18 
-                    base_dn=DN(self.api.env.container_permission,
590d18 
-                               self.api.env.basedn),
590d18 
-                    size_limit=1)
590d18 
-            except errors.NotFound:
590d18 
-                pass
590d18 
-            else:
590d18 
-                entry = entries[0]
590d18 
-                message = _('cannot add permission "%(perm)s" with bindtype '
590d18 
-                            '"%(bindtype)s" to a privilege')
590d18 
-                raise errors.ValidationError(
590d18 
-                    name='permission',
590d18 
-                    error=message % {
590d18 
-                        'perm': entry.single_value['cn'],
590d18 
-                        'bindtype': entry.single_value.get(
590d18 
-                            'ipapermbindruletype', 'permission')})
590d18 
+            validate_permission_to_privilege(self.api, options['permission'])
590d18 
         return dn
590d18
590d18
590d18 
--
590d18 
2.4.3
590d18

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation