[Freeipa-devel] [PATCH] 0096 caacl: fix regression in rule instantiation

Fraser Tweedale ftweedal at redhat.com
Thu Jul 28 01:31:19 UTC 2016


The attached patch fixes a kerberos.Principal-related regression.

Thanks,
Fraser
-------------- next part --------------
From c3d4bee34f4a1aa6afafee07851e8b5557860331 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 28 Jul 2016 10:55:45 +1000
Subject: [PATCH] caacl: fix regression in rule instantiation

The Principal refactor causes service collections
('memberservice_service' attribute) to return Principal objects
where previously it returned strings, but the HBAC machinery used
for CA ACL enforcement only handles strings.  Update the code to
stringify service Principal objects when adding them to HBAC rules.

Part of: https://fedorahosted.org/freeipa/ticket/3864
---
 ipaserver/plugins/caacl.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index d316cc7c48cf2997d6be6b052dc1efa6d6fcdb6a..a7817c4cf64f070c74557f52e9f26c9013a4963c 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -132,16 +132,21 @@ def _acl_make_rule(principal_type, obj):
         rule.services.names = obj.get(attr, [])
 
     # add principals and principal's groups
-    m = {'user': 'group', 'host': 'hostgroup', 'service': None}
     category_attr = '{}category'.format(principal_type)
     if category_attr in obj and obj[category_attr][0].lower() == 'all':
         rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
     else:
-        principal_attr = 'member{}_{}'.format(principal_type, principal_type)
-        rule.users.names = obj.get(principal_attr, [])
-        if m[principal_type] is not None:
-            group_attr = 'member{}_{}'.format(principal_type, m[principal_type])
-            rule.users.groups = obj.get(group_attr, [])
+        if principal_type == 'user':
+            rule.users.names = obj.get('memberuser_user', [])
+            rule.users.groups = obj.get('memberuser_group', [])
+        elif principal_type == 'host':
+            rule.users.names = obj.get('memberhost_host', [])
+            rule.users.groups = obj.get('memberhost_hostgroup', [])
+        elif principal_type == 'service':
+            rule.users.names = [
+                unicode(principal)
+                for principal in obj.get('memberservice_service', [])
+            ]
 
     return rule
 
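Review bot: the new if/elif chain has no else branch, so an unexpected principal_type now silently produces a rule with rule.users left unset, whereas the removed `m[principal_type]` lookup would have raised KeyError; add an explicit `else: raise ValueError(principal_type)` so a caller bug fails loudly rather than quietly yielding a rule that matches nothing. Also, `unicode(principal)` in the 'service' branch is Python 2 only; `six.text_type(principal)` would keep this branch working once the Python 3 port lands, and it is worth a short comment that the stringification exists because the HBAC machinery only accepts strings, as the commit message explains but the code does not.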
-- 
2.5.5


