Re: [Freeipa-devel] [PATCH] 180 Add missing --pkey-only option for selfservice and

Martin Kosek Mon, 16 Jan 2012 03:23:52 -0800

On Thu, 2012-01-12 at 22:47 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Fri, 2011-12-09 at 19:33 -0600, Endi Sukma Dewata wrote:
> >> On 12/9/2011 9:47 AM, Martin Kosek wrote:
> >>> pkey-only functionality has to be implemented separately for these
> >>> modules as they are based on crud.Search instead of standard
> >>> LDAPSearch.
> >>>
> >>> Delegation commands were modified in the process to allow ACIs
> >>> without 'memberof' as delegation ACIs. This check is no longer
> >>> needed since delegation ACI prefixe ensures the ACI type.
> >>>
> >>> https://fedorahosted.org/freeipa/ticket/2092
> >>
> >>    From UI perspective this is ACKed. I'm sending a patch to enable paging
> >> on these pages.
> >>
> >
> > Thanks for the UI review Endi. If there are no objections from server
> > people too we can push this.
> >
> > A rebased version for current master is attached.
> >
> > Martin
> 
> The delegation tests fail with creation. Here is what it looks like from 
> the cli.
> 
> # ipa delegation-add --attrs=street,c,l,st,postalcode --group=editors 
> --permissions=write --membergroup=admins delegation1
> ipa: ERROR: Delegation 'delegation1' not found
> 
> rob


In this case, delegation was broken earlier in a recent patch "Display
the value of memberOf ACIs in permission plugin". 

A new version of the patch #180 adding the --pkey-only option + fixing
the delegation plugin is attached. Delegation plugin is pretty simple
and straightforward after this patch.

Martin

>From 776f15592fbf41387d37b7d89f2d756ab8da6688 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Mon, 16 Jan 2012 11:14:59 +0100
Subject: [PATCH] Add missing --pkey-only option for selfservice and
 delegation

pkey-only functionality has to be implemented separately for these
modules as they are based on crud.Search instead of standard
LDAPSearch.

Delegation moduled was also fixed to support new format of ACI's
memberof attribute introduced in patch "Display the value of
memberOf ACIs in permission plugin."

https://fedorahosted.org/freeipa/ticket/2092
---
 API.txt                                      |    9 ++-
 VERSION                                      |    2 +-
 ipalib/plugins/aci.py                        |   11 +++-
 ipalib/plugins/baseldap.py                   |   12 ++--
 ipalib/plugins/delegation.py                 |   85 +++++++++-----------------
 ipalib/plugins/selfservice.py                |    3 +
 tests/test_xmlrpc/test_delegation_plugin.py  |   16 +++++
 tests/test_xmlrpc/test_permission_plugin.py  |   21 ++++++
 tests/test_xmlrpc/test_selfservice_plugin.py |   15 +++++
 9 files changed, 106 insertions(+), 68 deletions(-)

diff --git a/API.txt b/API.txt
index 80ef42ba01728de400f413b790c35c51ae80d6ff..9048231bb1f349047f9790e5335778d4c3d637b0 100644
--- a/API.txt
+++ b/API.txt
@@ -27,7 +27,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('result', <type 'bool'>, None)
 output: Output('value', <type 'unicode'>, None)
 command: aci_find
-args: 1,15,4
+args: 1,16,4
 arg: Str('criteria?')
 option: Str('aciname', attribute=False, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False)
 option: Str('permission', attribute=False, autofill=False, cli_name='permission', multivalue=False, query=True, required=False)
@@ -41,6 +41,7 @@ option: Str('subtree', attribute=False, autofill=False, cli_name='subtree', mult
 option: Str('targetgroup', attribute=False, autofill=False, cli_name='targetgroup', multivalue=False, query=True, required=False)
 option: Bool('selfaci', attribute=False, autofill=False, cli_name='self', default=False, multivalue=False, query=True, required=False)
 option: StrEnum('aciprefix?', cli_name='prefix', multivalue=False, required=False, values=(u'permission', u'delegation', u'selfservice', u'none'))
+option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
@@ -560,13 +561,14 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('result', <type 'bool'>, None)
 output: Output('value', <type 'unicode'>, None)
 command: delegation_find
-args: 1,8,4
+args: 1,9,4
 arg: Str('criteria?')
 option: Str('aciname', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False)
 option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, query=True, required=False)
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False)
 option: Str('memberof', attribute=True, autofill=False, cli_name='membergroup', multivalue=False, query=True, required=False)
 option: Str('group', attribute=True, autofill=False, cli_name='group', multivalue=False, query=True, required=False)
+option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
@@ -2465,11 +2467,12 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: Output('result', <type 'bool'>, None)
 output: Output('value', <type 'unicode'>, None)
 command: selfservice_find
-args: 1,6,4
+args: 1,7,4
 arg: Str('criteria?')
 option: Str('aciname', attribute=True, autofill=False, cli_name='name', multivalue=False, primary_key=True, query=True, required=False)
 option: Str('permissions', attribute=True, autofill=False, cli_name='permissions', csv=True, multivalue=True, query=True, required=False)
 option: Str('attrs', attribute=True, autofill=False, cli_name='attrs', csv=True, multivalue=True, query=True, required=False)
+option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
diff --git a/VERSION b/VERSION
index dafb7d803da8dff6a1bcf800d6a13cb3961f1575..ff245b559f67f80f83119d15a154c30185ad0f55 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=20
+IPA_API_VERSION_MINOR=21
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 8a10efccbb387044e8548ff6bd2d6bfcacf206d4..e4ef2ef17ffed7f47a88d0ff5e60ace942d60657 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -126,6 +126,7 @@ from ipalib.aci import ACI
 from ipalib.dn import DN
 from ipalib import output
 from ipalib import _, ngettext
+from ipalib.plugins.baseldap import gen_pkey_only_option
 if api.env.in_server and api.env.context in ['lite', 'server']:
     from ldap import explode_dn
 from ipapython.ipa_log_manager import *
@@ -297,7 +298,7 @@ def _make_aci(ldap, current, aciname, kw):
 
     return a
 
-def _aci_to_kw(ldap, a, test=False):
+def _aci_to_kw(ldap, a, test=False, pkey_only=False):
     """Convert an ACI into its equivalent keywords.
 
        This is used for the modify operation so we can merge the
@@ -306,6 +307,8 @@ def _aci_to_kw(ldap, a, test=False):
     """
     kw = {}
     kw['aciprefix'], kw['aciname'] = _parse_aci_name(a.name)
+    if pkey_only:
+        return kw
     kw['permissions'] = tuple(a.permissions)
     if 'targetattr' in a.target:
         kw['attrs'] = list(a.target['targetattr']['expression'])
@@ -682,7 +685,8 @@ class aci_find(crud.Search):
     NO_CLI = True
     msg_summary = ngettext('%(count)d ACI matched', '%(count)d ACIs matched', 0)
 
-    takes_options = (_prefix_option.clone_rename("aciprefix?", required=False),)
+    takes_options = (_prefix_option.clone_rename("aciprefix?", required=False),
+                     gen_pkey_only_option("name"),)
 
     def execute(self, term, **kw):
         ldap = self.api.Backend.ldap2
@@ -837,7 +841,8 @@ class aci_find(crud.Search):
             if kw.get('raw', False):
                 aci = dict(aci=unicode(result))
             else:
-                aci = _aci_to_kw(ldap, result)
+                aci = _aci_to_kw(ldap, result,
+                        pkey_only=kw.get('pkey_only', False))
             acis.append(aci)
 
         return dict(
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 2fdcd2b744e1abc78189a1a81de78189e86f5f92..7c7053b8559d502a78a3d38e304b35d1c48c0f03 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1540,6 +1540,12 @@ class LDAPRemoveMember(LDAPModMember):
         return
 
 
+def gen_pkey_only_option(cli_name):
+    return Flag('pkey_only?',
+                label=_('Primary key only'),
+                doc=_('Results should contain primary key attribute only ("%s")') \
+                    % to_cli(cli_name),)
+
 class LDAPSearch(BaseLDAPCommand, crud.Search):
     """
     Retrieve all LDAP entries matching the given criteria.
@@ -1582,11 +1588,7 @@ class LDAPSearch(BaseLDAPCommand, crud.Search):
             yield option
         if self.obj.primary_key and \
                 'no_output' not in self.obj.primary_key.flags:
-            yield Flag('pkey_only?',
-                       label=_('Primary key only'),
-                       doc=_('Results should contain primary key attribute only ("%s")') \
-                               % to_cli(self.obj.primary_key.cli_name),
-                      )
+            yield gen_pkey_only_option(self.obj.primary_key.cli_name)
         for attr in self.member_attributes:
             for ldap_obj_name in self.obj.attribute_members[attr]:
                 ldap_obj = self.api.Object[ldap_obj_name]
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index 5fe1511f2318af24c2a23279f0a3ab40fc4fae07..660425013b6622a1b4f21c0cb72d761537641bf8 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -1,5 +1,6 @@
 # Authors:
 #   Rob Crittenden <rcrit...@redhat.com>
+#   Martin Kosek <mko...@redhat.com>
 #
 # Copyright (C) 2010  Red Hat
 # see file 'COPYING' for use and warranty information
@@ -24,6 +25,7 @@ from ipalib.request import context
 from ipalib import api, crud, errors
 from ipalib import output
 from ipalib import Object, Command
+from ipalib.plugins.baseldap import gen_pkey_only_option
 
 __doc__ = _("""
 Group to Group Delegation
@@ -53,45 +55,6 @@ EXAMPLES:
 
 ACI_PREFIX=u"delegation"
 
-def convert_delegation(ldap, aci):
-    """
-    memberOf is in filter but we want to pull out the group for easier
-    displaying.
-    """
-    filter = aci['memberof']
-    st = filter.find('memberOf=')
-    if st == -1:
-        raise errors.NotFound(reason=_('Delegation \'%(permission)s\' not found') % dict(permission=aci['aciname']))
-    en = filter.find(')', st)
-    membergroup = filter[st+9:en]
-    try:
-        (dn, entry_attrs) = ldap.get_entry(membergroup, ['cn'])
-    except Exception, e:
-        # Uh oh, the group we're granting access to has an error
-        msg = _('Error retrieving member group %(group)s: %(error)s') % (membergroup, str(e))
-        raise errors.NonFatalError(reason=msg)
-    aci['memberof'] = entry_attrs['cn'][0]
-
-    del aci['aciprefix']     # do not include prefix in result
-
-    return aci
-
-def is_delegation(ldap, aciname):
-    """
-    Determine if the ACI is a Delegation ACI and raise an exception if it
-    isn't.
-
-    Return the result if it is a delegation ACI, adding a new attribute
-    membergroup.
-    """
-    result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX)['result']
-    if 'memberof' in result:
-        result = convert_delegation(ldap, result)
-    else:
-        raise errors.NotFound(reason=_('Delegation \'%(permission)s\' not found') % dict(permission=aciname))
-    return result
-
-
 class delegation(Object):
     """
     Delegation object.
@@ -163,8 +126,12 @@ class delegation_add(crud.Create):
             kw['permissions'] = (u'write',)
         kw['aciprefix'] = ACI_PREFIX
         result = api.Command['aci_add'](aciname, **kw)['result']
-        if 'memberof' in result:
-            result = convert_delegation(ldap, result)
+
+        # do not include prefix in result
+        try:
+            del result['aciprefix']
+        except KeyError:
+            pass
 
         return dict(
             result=result,
@@ -181,8 +148,6 @@ class delegation_del(crud.Delete):
     msg_summary = _('Deleted delegation "%(value)s"')
 
     def execute(self, aciname, **kw):
-        ldap = self.api.Backend.ldap2
-        is_delegation(ldap, aciname)
         kw['aciprefix'] = ACI_PREFIX
         result = api.Command['aci_del'](aciname, **kw)
         return dict(
@@ -199,12 +164,15 @@ class delegation_mod(crud.Update):
     msg_summary = _('Modified delegation "%(value)s"')
 
     def execute(self, aciname, **kw):
-        ldap = self.api.Backend.ldap2
-        is_delegation(ldap, aciname)
         kw['aciprefix'] = ACI_PREFIX
         result = api.Command['aci_mod'](aciname, **kw)['result']
-        if 'memberof' in result:
-            result = convert_delegation(ldap, result)
+
+        # do not include prefix in result
+        try:
+            del result['aciprefix']
+        except KeyError:
+            pass
+
         return dict(
             result=result,
             value=aciname,
@@ -220,17 +188,18 @@ class delegation_find(crud.Search):
         '%(count)d delegation matched', '%(count)d delegations matched', 0
     )
 
+    takes_options = (gen_pkey_only_option("name"),)
+
     def execute(self, term, **kw):
         ldap = self.api.Backend.ldap2
         kw['aciprefix'] = ACI_PREFIX
-        acis = api.Command['aci_find'](term, **kw)['result']
-        results = []
-        for aci in acis:
+        results = api.Command['aci_find'](term, **kw)['result']
+
+        for aci in results:
+            # do not include prefix in result
             try:
-                if 'memberof' in aci:
-                    aci = convert_delegation(ldap, aci)
-                    results.append(aci)
-            except errors.NotFound:
+                del aci['aciprefix']
+            except KeyError:
                 pass
 
         return dict(
@@ -252,8 +221,12 @@ class delegation_show(crud.Retrieve):
     )
 
     def execute(self, aciname, **kw):
-        ldap = self.api.Backend.ldap2
-        result = is_delegation(ldap, aciname)
+        result = api.Command['aci_show'](aciname, aciprefix=ACI_PREFIX)['result']
+        # do not include prefix in result
+        try:
+            del result['aciprefix']
+        except KeyError:
+            pass
         return dict(
             result=result,
             value=aciname,
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 902e16baf813508708c570b6cc7544612f4ab544..2db3764797aa2edbd4770498ed79e4773ddbe09f 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -24,6 +24,7 @@ from ipalib.request import context
 from ipalib import api, crud, errors
 from ipalib import output
 from ipalib import Object, Command
+from ipalib.plugins.baseldap import gen_pkey_only_option
 
 __doc__ = _("""
 Self-service Permissions
@@ -182,6 +183,8 @@ class selfservice_find(crud.Search):
         '%(count)d selfservice matched', '%(count)d selfservices matched', 0
     )
 
+    takes_options = (gen_pkey_only_option("name"),)
+
     def execute(self, term, **kw):
         kw['selfaci'] = True
         kw['aciprefix'] = ACI_PREFIX
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index 2131c5ad7796cdb3e2f420bc9f19533fbcc48110..dbfa5ff75fdc5ce9a7c1ff53a20da98f805db9c5 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
@@ -147,6 +147,22 @@ class test_delegation(Declarative):
 
 
         dict(
+            desc='Search for %r with --pkey-only' % delegation1,
+            command=('delegation_find', [delegation1], {'pkey_only' : True}),
+            expected=dict(
+                count=1,
+                truncated=False,
+                summary=u'1 delegation matched',
+                result=[
+                    {
+                    'aciname': delegation1,
+                    },
+                ],
+            ),
+        ),
+
+
+        dict(
             desc='Update %r' % delegation1,
             command=(
                 'delegation_mod', [delegation1], dict(permissions=u'read')
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index b0df800944005129a511c7016d6dfae88d737938..b71921174019294e632e3466bed6b6a6a7f287ef 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -269,6 +269,27 @@ class test_permission(Declarative):
 
 
         dict(
+            desc='Search for %r with --pkey-only' % permission1,
+            command=('permission_find', [permission1], {'pkey_only' : True}),
+            expected=dict(
+                count=2,
+                truncated=False,
+                summary=u'2 permissions matched',
+                result=[
+                    {
+                        'dn': lambda x: DN(x) == permission1_dn,
+                        'cn': [permission1],
+                    },
+                    {
+                        'dn': lambda x: DN(x) == permission2_dn,
+                        'cn': [permission2],
+                    },
+                ],
+            ),
+        ),
+
+
+        dict(
             desc='Search for %r' % privilege1,
             command=('privilege_find', [privilege1], {}),
             expected=dict(
diff --git a/tests/test_xmlrpc/test_selfservice_plugin.py b/tests/test_xmlrpc/test_selfservice_plugin.py
index cb4b387decbfa4eda8128c3a786e78803a587dc1..e994bb32c4079d9179b16a58fc94c46bc49c13e1 100644
--- a/tests/test_xmlrpc/test_selfservice_plugin.py
+++ b/tests/test_xmlrpc/test_selfservice_plugin.py
@@ -137,6 +137,21 @@ class test_selfservice(Declarative):
             ),
         ),
 
+        dict(
+            desc='Search for %r with --pkey-only' % selfservice1,
+            command=('selfservice_find', [selfservice1], {'pkey_only' : True}),
+            expected=dict(
+                count=1,
+                truncated=False,
+                summary=u'1 selfservice matched',
+                result=[
+                    {
+                        'aciname': selfservice1,
+                    },
+                ],
+            ),
+        ),
+
 
         dict(
             desc='Update %r' % selfservice1,
-- 
1.7.7.5

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 180 Add missing --pkey-only option for selfservice and

Reply via email to