idviews: Handle Default Trust View properly in the framework

Make sure that: 1.) IPA users cannot be added to the Default Trust View 2.) Default Trust View cannot be deleted or renamed Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-12-27 09:21:59 -06:00 · 2014-09-22 12:58:05 +02:00 · 2014-09-22 12:58:05 +02:00 · 13089eae52
commit 13089eae52
parent b9425751b4
1 changed files with 39 additions and 0 deletions
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@ -45,6 +45,12 @@ other Identity Management solutions.

 register = Registry()

+protected_default_trust_view_error = errors.ProtectedEntryError(
+    label=_('ID View'),
+    key=u"Default Trust View",
+    reason=_('system ID View')
+)
+

@register()
 class idview(LDAPObject):
@ -97,12 +103,24 @@ class idview_del(LDAPDelete):
    __doc__ = _('Delete an ID View.')
    msg_summary = _('Deleted ID View "%(value)s"')

+    def pre_callback(self, ldap, dn, *keys, **options):
+        if "Default Trust View" in keys:
+            raise protected_default_trust_view_error
+
+        return dn
+

@register()
 class idview_mod(LDAPUpdate):
    __doc__ = _('Modify an ID View.')
    msg_summary = _('Modified an ID View "%(value)s"')

+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if "Default Trust View" in keys:
+            raise protected_default_trust_view_error
+
+        return dn
+

@register()
 class idview_find(LDAPSearch):
@ -519,6 +537,16 @@ class baseidoverride(LDAPObject):
                )
                entry_attrs.single_value['ipaanchoruuid'] = object_name

+    def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
+        # Check if parent object is Default Trust View, if so, prohibit
+        # adding overrides for IPA objects
+
+        if dn[1].value == 'Default Trust View':
+            if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
+                raise errors.ValidationError(
+                    name=_('ID View'),
+                    error=_('Default Trust View cannot contain IPA users')
+                    )

 class baseidoverride_add(LDAPCreate):
    __doc__ = _('Add a new ID override.')
@ -526,6 +554,7 @@ class baseidoverride_add(LDAPCreate):

    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
+        self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
        return dn

    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@ -542,6 +571,16 @@ class baseidoverride_mod(LDAPUpdate):
    __doc__ = _('Modify an ID override.')
    msg_summary = _('Modified an ID override "%(value)s"')

+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        if 'rename' in options:
+            raise errors.ValidationError(
+                name=_('ID override'),
+                error=_('ID overrides cannot be renamed')
+                )
+
+        self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
+        return dn
+
    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
        self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
        return dn