From f43aae3a51894d06ba26c53e04965c587bd081a2 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Mar 12 2012 15:04:41 +0000
Subject: Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings. Differences in serializations meant commands with special characters weren't found in the checked list. Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
---
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index c0f2547..cf5d8d2 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1583,8 +1583,8 @@ class LDAPRemoveMember(LDAPModMember):
 completed = 0
 for (attr, objs) in member_dns.iteritems():
- for ldap_obj_name in objs:
- for m_dn in member_dns[attr][ldap_obj_name]:
+ for ldap_obj_name, m_dns in objs.iteritems():
+ for m_dn in m_dns:
 if not m_dn:
 continue
 try:
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index ffe2fba..dd57567 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1091,12 +1091,12 @@ class ldap2(CrudBackend, Encoder):
 (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
 # remove dn from group entry's `member_attr` attribute
- members = group_entry_attrs.get(member_attr, [])
+ members = [DN(m) for m in group_entry_attrs.get(member_attr, [])]
 try:
- members.remove(dn.lower())
+ members.remove(DN(dn))
 except ValueError:
 raise errors.NotGroupMember()
- group_entry_attrs[member_attr] = members
+ group_entry_attrs[member_attr] = [str(m) for m in members]
 # update group entry
 self.update_entry(group_dn, group_entry_attrs)
diff --git a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
index 8a534b2..9f2bf33 100644
--- a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
+++ b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
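Review bot: `DN(dn)` on the new `members.remove(DN(dn))` line runs inside the `try` whose `except ValueError` is converted to `errors.NotGroupMember()`, so a `dn` argument the DN parser rejects (ipalib.dn looks like it raises ValueError for malformed input — confirm) is reported as "not a member" rather than as a bad argument. The `[DN(m) for m in ...]` line above it also parses every stored member value, and `[str(m) for m in members]` then writes all of them back re-serialised, which may differ byte-for-byte from what the directory holds for members that were never touched. Parse the target once before the `try`, match it against the stored strings, and delete only the matched original; a malformed stored value still surfaces with the parser's own exception, which is the honest outcome, but it is no longer mistaken for a membership error. Dropping `dn.lower()` also makes this depend on DN equality being case-insensitive — worth confirming in ipalib.dn. remove_entry_from_group's `def` and the lines before `get_entry` are outside this hunk.
```python
        # remove dn from group entry's `member_attr` attribute
        members = group_entry_attrs.get(member_attr, [])
        target = DN(dn)  # parsed outside the handler: a bad argument is not "not a member"
        try:
            index = next(i for i, m in enumerate(members) if DN(m) == target)
        except StopIteration:
            raise errors.NotGroupMember()
        del members[index]  # drop the stored value as-is; the other members stay untouched
        group_entry_attrs[member_attr] = members
        # … unchanged: update_entry call …
```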
@@ -28,12 +28,36 @@ from ipalib.dn import *
 sudocmdgroup1 = u'testsudocmdgroup1'
 sudocmdgroup2 = u'testsudocmdgroup2'
 sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd_plus = u'/bin/ls -l /lost+found/*'
+
+def create_command(sudocmd):
+ return dict(
+ desc='Create %r' % sudocmd,
+ command=(
+ 'sudocmd_add', [], dict(sudocmd=sudocmd,
+ description=u'Test sudo command')
+ ),
+ expected=dict(
+ value=sudocmd,
+ summary=u'Added Sudo Command "%s"' % sudocmd,
+ result=dict(
+ objectclass=objectclasses.sudocmd,
+ sudocmd=[sudocmd],
+ ipauniqueid=[fuzzy_uuid],
+ description=[u'Test sudo command'],
+ dn=lambda x: DN(x) == \
+ DN(('sudocmd',sudocmd),('cn','sudocmds'),('cn','sudo'),
+ api.env.basedn),
+ ),
+ ),
+ )
 class test_sudocmdgroup(Declarative):
 cleanup_commands = [
 ('sudocmdgroup_del', [sudocmdgroup1], {}),
 ('sudocmdgroup_del', [sudocmdgroup2], {}),
 ('sudocmd_del', [sudocmd1], {}),
+ ('sudocmd_del', [sudocmd_plus], {}),
 ]
 tests = [
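Review bot: `create_command` is a test-step factory reused by later steps but carries no docstring, so a reader has to work out why the `dn` expectation is a lambda instead of a plain string like the other fields. Add `"""Return a Declarative step that adds *sudocmd* and checks the result; dn is compared as a DN so a value that needs RFC 4514 escaping (the '+' in sudocmd_plus) matches however the server serialises it."""` directly under the `def`. The fixture `sudocmd_plus` only exercises `+`; a second value containing `,` or `\`, which RFC 4514 also requires escaping in an RDN value, would cover the rest of the "special characters" the commit message refers to. The `tests = [` list this hunk ends on continues outside the hunk.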
@@ -473,6 +497,54 @@ class test_sudocmdgroup(Declarative):
 ),
 ),
+ ################
+ # test a command that needs DN escaping:
+ create_command(sudocmd_plus),
+
+ dict(
+ desc='Add %r to %r' % (sudocmd_plus, sudocmdgroup1),
+ command=('sudocmdgroup_add_member', [sudocmdgroup1],
+ dict(sudocmd=sudocmd_plus)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ member=dict(
+ sudocmd=tuple(),
+ ),
+ ),
+ result={
+ 'dn': lambda x: DN(x) == \
+ DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+ ('cn','sudo'),api.env.basedn),
+ 'member_sudocmd': (sudocmd_plus,),
+ 'cn': [sudocmdgroup1],
+ 'description': [u'New desc 1'],
+ },
+ ),
+ ),
+
+ dict(
+ desc='Remove %r from %r' % (sudocmd_plus, sudocmdgroup1),
+ command=('sudocmdgroup_remove_member', [sudocmdgroup1],
+ dict(sudocmd=sudocmd_plus)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ member=dict(
+ sudocmd=tuple(),
+ ),
+ ),
+ result={
+ 'dn': lambda x: DN(x) == \
+ DN(('cn',sudocmdgroup1),('cn','sudocmdgroups'),
+ ('cn','sudo'),api.env.basedn),
+ 'cn': [sudocmdgroup1],
+ 'description': [u'New desc 1'],
+ },
+ ),
+ ),
 ################
 # delete sudocmdgroup1: