

Commit 1dc11a0 Allow removing sudo commands with special characters from command groups

3 files Authored by pviktori 6 years ago , Committed by mkosek 6 years ago ,
Allow removing sudo commands with special characters from command groups

Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483

    
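@@ -1583,8 +1583,8 @@
 
         completed = 0
         for (attr, objs) in member_dns.iteritems():
-            for ldap_obj_name in objs:
-                for m_dn in member_dns[attr][ldap_obj_name]:
+            for ldap_obj_name, m_dns in objs.iteritems():
+                for m_dn in m_dns:
                     if not m_dn:
                         continue
                     try: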
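@@ -1091,12 +1091,12 @@
         (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
 
         # remove dn from group entry's `member_attr` attribute
-        members = group_entry_attrs.get(member_attr, [])
+        members = [DN(m) for m in group_entry_attrs.get(member_attr, [])]
         try:
-            members.remove(dn.lower())
+            members.remove(DN(dn))
         except ValueError:
             raise errors.NotGroupMember()
-        group_entry_attrs[member_attr] = members
+        group_entry_attrs[member_attr] = [str(m) for m in members]
 
         # update group entry
         self.update_entry(group_dn, group_entry_attrs)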
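Review bot: `DN(dn)` on the `members.remove(DN(dn))` line sits inside the `try`, so if the DN class rejects a malformed `dn` by raising ValueError (the exception the following `except` catches), the caller is told NotGroupMember instead of getting an error about the bad DN; parse before the try, `target = DN(dn)`, and then call `members.remove(target)` inside it. The comprehension on the `members = [DN(m) ...]` line is outside that `try`, so a stored member value the DN class cannot parse would propagate unhandled — whether that is the intended contract depends on the DN constructor, which is outside the hunk. Writing back `[str(m) for m in members]` re-serializes every remaining member, not only the one removed, so the stored form of untouched values may change on this code path; a short comment such as `# remaining members are written back in canonical DN string form` would make that deliberate for the next reader. The enclosing method starts before the hunk.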
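@@ -28,12 +28,36 @@
 sudocmdgroup1 = u'testsudocmdgroup1'
 sudocmdgroup2 = u'testsudocmdgroup2'
 sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd_plus = u'/bin/ls -l /lost+found/*'
+
+def create_command(sudocmd):
+    return dict(
+        desc='Create %r' % sudocmd,
+        command=(
+            'sudocmd_add', [], dict(sudocmd=sudocmd,
+                description=u'Test sudo command')
+        ),
+        expected=dict(
+            value=sudocmd,
+            summary=u'Added Sudo Command "%s"' % sudocmd,
+            result=dict(
+                objectclass=objectclasses.sudocmd,
+                sudocmd=[sudocmd],
+                ipauniqueid=[fuzzy_uuid],
+                description=[u'Test sudo command'],
+                dn=lambda x: DN(x) == \
+                    DN(('sudocmd',sudocmd),('cn','sudocmds'),('cn','sudo'),
+                    api.env.basedn),
+            ),
+        ),
+    )
 
 class test_sudocmdgroup(Declarative):
     cleanup_commands = [
         ('sudocmdgroup_del', [sudocmdgroup1], {}),
         ('sudocmdgroup_del', [sudocmdgroup2], {}),
         ('sudocmd_del', [sudocmd1], {}),
+        ('sudocmd_del', [sudocmd_plus], {}),
     ]
 
     tests = [
@@ -473,6 +497,54 @@
             ),
         ),
 
+        ################
+        # test a command that needs DN escaping:
+        create_command(sudocmd_plus),
+
+        dict(
+            desc='Add %r to %r' % (sudocmd_plus, sudocmdgroup1),
+            command=('sudocmdgroup_add_member', [sudocmdgroup1],
+                dict(sudocmd=sudocmd_plus)
+            ),
+            expected=dict(
+                completed=1,
+                failed=dict(
+                    member=dict(
+                        sudocmd=tuple(),
+                    ),
+                ),
+                result={
+                        'dn': lambda x: DN(x) == \
+                            DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+                               ('cn','sudo'),api.env.basedn),
+                        'member_sudocmd': (sudocmd_plus,),
+                        'cn': [sudocmdgroup1],
+                        'description': [u'New desc 1'],
+                },
+            ),
+        ),
+
+        dict(
+            desc='Remove %r from %r' %  (sudocmd_plus, sudocmdgroup1),
+            command=('sudocmdgroup_remove_member', [sudocmdgroup1],
+                dict(sudocmd=sudocmd_plus)
+            ),
+            expected=dict(
+                completed=1,
+                failed=dict(
+                    member=dict(
+                        sudocmd=tuple(),
+                    ),
+                ),
+                result={
+                        'dn': lambda x: DN(x) == \
+                            DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+                               ('cn','sudo'),api.env.basedn),
+                        'cn': [sudocmdgroup1],
+                        'description': [u'New desc 1'],
+                },
+            ),
+        ),
 
         ################
         # delete sudocmdgroup1: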
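Review bot: `create_command` is added at module level without a docstring, and nothing tells a reader that it only builds a Declarative test step rather than executing anything; a one-liner such as `"""Return a Declarative test step that adds *sudocmd* and checks the created entry."""` would do. The backslash after `DN(x) ==` in each of the three `lambda` lines is redundant inside the enclosing parentheses and can be dropped. The new escaping case exercises only `+`, space and `*` through `sudocmd_plus`; since `create_command` takes the command as a parameter, a second value containing `,` or `=` (other characters that must be escaped in a DN) would cover the same add/remove path at little cost — a suggestion, not a defect in what is here.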