From 8ad2b5d6b81986235d0da6aa9349cfefaec06fcb Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding a privilege to a permission via the web UI bypassed the check, allowing a permission
with an improper type to be added.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipalib/plugins/permission.py |  7 ++++++
 ipalib/plugins/privilege.py  | 51 ++++++++++++++++++++++----------------------
 2 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
     """Add members to a permission."""
     NO_CLI = True
 
+    def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+        # We can only add permissions with bind rule type set to
+        # "permission" (or old-style permissions)
+        validate_permission_to_privilege(self.api, keys[-1])
+        return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
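Review bot: The new pre_callback on permission_add_member performs the bind-rule-type lookup on every call, whereas the same check in privilege_add_permission (later in this patch) is guarded by `if options.get('permission'):`; if permission_add_member accepts a `privilege` member option (its attribute_members are not visible in this hunk), mirroring that guard with `if options.get('privilege'):` avoids an LDAP search on calls that add no privilege. The method also has no docstring; `"""Refuse to link a privilege to a permission whose bind rule type is not 'permission'."""` would state the contract the inline comment only hints at. The ValidationError the helper raises is attributed to `name='permission'`, which on this command is the positional key rather than a member option, so it is worth confirming the web UI shows the message against the right field.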
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()
 
 
+def validate_permission_to_privilege(api, permission):
+    ldap = api.Backend.ldap2
+    ldapfilter = ldap.combine_filters(rules='&', filters=[
+        '(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+        ldap.make_filter_from_attr('cn', permission, rules='|')])
+    try:
+        entries, truncated = ldap.find_entries(
+            filter=ldapfilter,
+            attrs_list=['cn', 'ipapermbindruletype'],
+            base_dn=DN(api.env.container_permission, api.env.basedn),
+            size_limit=1)
+    except errors.NotFound:
+        pass
+    else:
+        entry = entries[0]
+        message = _('cannot add permission "%(perm)s" with bindtype '
+                    '"%(bindtype)s" to a privilege')
+        raise errors.ValidationError(
+            name='permission',
+            error=message % {
+                'perm': entry.single_value['cn'],
+                'bindtype': entry.single_value.get(
+                    'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
     """
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
         if options.get('permission'):
             # We can only add permissions with bind rule type set to
             # "permission" (or old-style permissions)
-            ldapfilter = ldap.combine_filters(rules='&', filters=[
-                '(objectClass=ipaPermissionV2)',
-                '(!(ipaPermBindRuleType=permission))',
-                ldap.make_filter_from_attr('cn', options['permission'],
-                                           rules='|'),
-            ])
-            try:
-                entries, truncated = ldap.find_entries(
-                    filter=ldapfilter,
-                    attrs_list=['cn', 'ipapermbindruletype'],
-                    base_dn=DN(self.api.env.container_permission,
-                               self.api.env.basedn),
-                    size_limit=1)
-            except errors.NotFound:
-                pass
-            else:
-                entry = entries[0]
-                message = _('cannot add permission "%(perm)s" with bindtype '
-                            '"%(bindtype)s" to a privilege')
-                raise errors.ValidationError(
-                    name='permission',
-                    error=message % {
-                        'perm': entry.single_value['cn'],
-                        'bindtype': entry.single_value.get(
-                            'ipapermbindruletype', 'permission')})
+            validate_permission_to_privilege(self.api, options['permission'])
         return dn
 
 
-- 
2.4.3