From 8ad2b5d6b81986235d0da6aa9349cfefaec06fcb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission
Adding a privilege to a permission via the web UI allowed the check to be bypassed, so a permission
with an improper type could be added.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
ipalib/plugins/permission.py | 7 ++++++
ipalib/plugins/privilege.py | 51 ++++++++++++++++++++++----------------------
2 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
import traceback
from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
from ipalib import errors
from ipalib.parameters import Str, StrEnum, DNParam, Flag
from ipalib import api, _, ngettext
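Review bot: The new module-level import makes permission.py depend on privilege.py at import time; whether privilege.py imports permission.py in turn is not visible here, but if it does, this introduces an import cycle that would fail when the plugin registry loads either module. If that is the case, a function-scope import inside the new pre_callback (`from ipalib.plugins.privilege import validate_permission_to_privilege`) avoids the cycle; otherwise the placement is fine.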
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
"""Add members to a permission."""
NO_CLI = True
+ def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+ # We can only add permissions with bind rule type set to
+ # "permission" (or old-style permissions)
+ validate_permission_to_privilege(self.api, keys[-1])
+ return dn
+
@register()
class permission_remove_member(baseldap.LDAPRemoveMember):
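Review bot: The added pre_callback has no docstring and its contract is not obvious from the two-line comment: it validates the target permission (`keys[-1]`) only, and ignores `member_dns` entirely, so the LDAP lookup runs on every member-add against this permission regardless of what is being added. A docstring such as `"""Refuse membership changes on a permission whose bind rule type is not "permission"; raises errors.ValidationError via validate_permission_to_privilege."""` would make that explicit. It is not visible here whether the permission object's member attribute holds only privileges; if other member types exist, the check rejects those too, which the comment should say. Note also that `ldap` and `failed` are accepted but unused, presumably because the base-class signature requires them.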
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -45,6 +45,31 @@ See role and permission for additional information.
register = Registry()
+def validate_permission_to_privilege(api, permission):
+ ldap = api.Backend.ldap2
+ ldapfilter = ldap.combine_filters(rules='&', filters=[
+ '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+ ldap.make_filter_from_attr('cn', permission, rules='|')])
+ try:
+ entries, truncated = ldap.find_entries(
+ filter=ldapfilter,
+ attrs_list=['cn', 'ipapermbindruletype'],
+ base_dn=DN(api.env.container_permission, api.env.basedn),
+ size_limit=1)
+ except errors.NotFound:
+ pass
+ else:
+ entry = entries[0]
+ message = _('cannot add permission "%(perm)s" with bindtype '
+ '"%(bindtype)s" to a privilege')
+ raise errors.ValidationError(
+ name='permission',
+ error=message % {
+ 'perm': entry.single_value['cn'],
+ 'bindtype': entry.single_value.get(
+ 'ipapermbindruletype', 'permission')})
+
+
@register()
class privilege(LDAPObject):
"""
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
if options.get('permission'):
# We can only add permissions with bind rule type set to
# "permission" (or old-style permissions)
- ldapfilter = ldap.combine_filters(rules='&', filters=[
- '(objectClass=ipaPermissionV2)',
- '(!(ipaPermBindRuleType=permission))',
- ldap.make_filter_from_attr('cn', options['permission'],
- rules='|'),
- ])
- try:
- entries, truncated = ldap.find_entries(
- filter=ldapfilter,
- attrs_list=['cn', 'ipapermbindruletype'],
- base_dn=DN(self.api.env.container_permission,
- self.api.env.basedn),
- size_limit=1)
- except errors.NotFound:
- pass
- else:
- entry = entries[0]
- message = _('cannot add permission "%(perm)s" with bindtype '
- '"%(bindtype)s" to a privilege')
- raise errors.ValidationError(
- name='permission',
- error=message % {
- 'perm': entry.single_value['cn'],
- 'bindtype': entry.single_value.get(
- 'ipapermbindruletype', 'permission')})
+ validate_permission_to_privilege(self.api, options['permission'])
return dn
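Review bot: With the filter construction and search moved into validate_permission_to_privilege, the `ldap` argument that this pre_callback receives (its signature is above the hunk) may no longer be referenced anywhere in the method; the part of the body before the hunk is not visible here, so confirm and either drop the unused name binding or pass `ldap` into the helper so the callback's connection is the one used for the lookup.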
--
2.4.3