Bug 1459946 - GetEffectiveRights gives false-negative with ACIs containing targetfilter
GetEffectiveRights gives false-negative with ACIs containing targetfilter
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Ludwig
Viktor Ashirov
Marc Muehlfeld
Depends On:
  Show dependency treegraph
Reported: 2017-06-08 12:03 EDT by mreynolds
Modified: 2018-04-10 10:17 EDT (History)
4 users (show)

See Also:
Fixed In Version: 389-ds-base-
Doc Type: Bug Fix
Doc Text:
ACIs with the *targetfilter* keyword work correctly Previously, if an Access Control Instruction (ACI) in Directory Server used the "targetfilter" keyword, searches containing the *geteffective* rights control returned before the code was executed for template entries. Consequently, the *GetEffectireRights()* function could not determine the permissions when creating entries and returned false-negative results when verifying an ACI. With this update, Directory Server creates a template entry based on the provided *geteffective* attribute and verifies access to this template entry. As a result, ACIs in the mentioned scenario work correctly.
Story Points: ---
Clone Of:
Last Closed: 2018-04-10 10:16:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:0811 None None None 2018-04-10 10:17 EDT

  None (edit)
Description mreynolds 2017-06-08 12:03:33 EDT
This bug is created as a clone of upstream ticket:

#### Issue Description

Consider ACI:
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,<suffix>";)

The GetEffectiveRights control does not interpret this ACI as granting add
access to a user matching the `groupdn`.  This behaviour causes problems
in FreeIPA because it is impossible to properly test whether a non-admin
user is able to perform some actions.

#### Package Version and Platform


#### Steps to reproduce

1. Make an ACI like the above.
2. Query effective rights for a user who matches the ACI.
3. Observe that the GER control indicates that they do not have access.

#### Actual results

If the user is a member of the `groupdn`, the GetEffectiveRights control
indicates that the user does not have add access even when the user
does have add access (albeitit conditional on the `targetfilter` matching
the object to be added.)

#### Expected results

The GetEffectiveRights control should indicate that a user has entry-level
access (add or delete) even where the access is granted conditional on a
Comment 1 Ludwig 2017-11-30 11:16:33 EST
fix for upstream ticket under review
Comment 2 Ludwig 2018-01-11 09:33:53 EST
upstream ticket fixed and committed
Comment 5 Ludwig 2018-01-25 06:31:40 EST
that just checks effective rights for an entry, but the bug is about a not existing entries defined by an objectclass. There are more details in this bug and the corresponding ticket.
see esopcially: https://pagure.io/389-ds-base/issue/49278#comment-480856
Comment 6 Akshay Adhikari 2018-02-09 02:38:04 EST
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.3, pytest-3.4.0, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-843.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.4.0', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-13.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.1, html-1.16.1
collected 2 items                                                                                                                                                           

suites/get_effective_rights/acceptance_test.py::test_group_aci_entry_exists PASSED                                                                                    [ 50%]
suites/get_effective_rights/acceptance_test.py::test_group_aci_template_entry PASSED                                                                                  [100%]

------------------------------------------------------- generated xml file: /mnt/tests/rhds/tests/upstream/report.xml -------------------------------------------------------
------------------------------------------------------ generated html file: /mnt/tests/rhds/tests/upstream/report.html ------------------------------------------------------
========================================================================= 2 passed in 9.57 seconds ==========================================================================
Comment 10 errata-xmlrpc 2018-04-10 10:16:50 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.