Bug 1459946 - GetEffectiveRights gives false-negative with ACIs containing targetfilter
GetEffectiveRights gives false-negative with ACIs containing targetfilter
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
7.4
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: Ludwig
Viktor Ashirov
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-06-08 12:03 EDT by mreynolds
Modified: 2018-02-23 09:57 EST (History)
4 users (show)

See Also:
Fixed In Version: 389-ds-base-1.3.7.5-12
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description mreynolds 2017-06-08 12:03:33 EDT
This bug is created as a clone of upstream ticket:
https://pagure.io/389-ds-base/issue/49278

#### Issue Description

Consider ACI:
```
aci: (targetfilter = "(objectclass=ipaca)")(version 3.0;acl "permission:System: Add CA";allow (add) groupdn = "ldap:///cn=System: Add CA,cn=permissions,cn=pbac,<suffix>";)
```

The GetEffectiveRights control does not interpret this ACI as granting add
access to a user matching the `groupdn`.  This behaviour causes problems
in FreeIPA because it is impossible to properly test whether a non-admin
user is able to perform some actions.

#### Package Version and Platform

389-ds-base-1.3.5.17-3.fc25.x86_64

#### Steps to reproduce

1. Make an ACI like the above.
2. Query effective rights for a user who matches the ACI.
3. Observe that the GER control indicates that they do not have access.

#### Actual results

If the user is a member of the `groupdn`, the GetEffectiveRights control
indicates that the user does not have add access even when the user
does have add access (albeitit conditional on the `targetfilter` matching
the object to be added.)

#### Expected results

The GetEffectiveRights control should indicate that a user has entry-level
access (add or delete) even where the access is granted conditional on a
targetfilter.
Comment 1 Ludwig 2017-11-30 11:16:33 EST
fix for upstream ticket under review
Comment 2 Ludwig 2018-01-11 09:33:53 EST
upstream ticket fixed and committed
Comment 5 Ludwig 2018-01-25 06:31:40 EST
that just checks effective rights for an entry, but the bug is about a not existing entries defined by an objectclass. There are more details in this bug and the corresponding ticket.
see esopcially: https://pagure.io/389-ds-base/issue/49278#comment-480856
Comment 6 Akshay Adhikari 2018-02-09 02:38:04 EST
============================================================================ test session starts ============================================================================
platform linux -- Python 3.6.3, pytest-3.4.0, py-1.5.2, pluggy-0.6.0 -- /opt/rh/rh-python36/root/usr/bin/python3
cachedir: .pytest_cache
metadata: {'Python': '3.6.3', 'Platform': 'Linux-3.10.0-843.el7.x86_64-x86_64-with-redhat-7.5-Maipo', 'Packages': {'pytest': '3.4.0', 'py': '1.5.2', 'pluggy': '0.6.0'}, 'Plugins': {'metadata': '1.5.1', 'html': '1.16.1'}}
389-ds-base: 1.3.7.5-16.el7
nss: 3.34.0-4.el7
nspr: 4.17.0-1.el7
openldap: 2.4.44-13.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.1, html-1.16.1
collected 2 items                                                                                                                                                           

suites/get_effective_rights/acceptance_test.py::test_group_aci_entry_exists PASSED                                                                                    [ 50%]
suites/get_effective_rights/acceptance_test.py::test_group_aci_template_entry PASSED                                                                                  [100%]

------------------------------------------------------- generated xml file: /mnt/tests/rhds/tests/upstream/report.xml -------------------------------------------------------
------------------------------------------------------ generated html file: /mnt/tests/rhds/tests/upstream/report.html ------------------------------------------------------
========================================================================= 2 passed in 9.57 seconds ==========================================================================

Note You need to log in before you can comment on or make changes to this bug.