From 13328bc7518a9e536d26562a738b4591c0494b75 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Thu, 23 Jun 2016 16:04:04 +0200
Subject: [PATCH] topo segment-add: validate that both masters support target suffix

This patch removes the ability to add segment between hosts where either does not support the requested suffix.

https://fedorahosted.org/freeipa/ticket/5967

Reviewed-By: Petr Vobornik
---
 ipaserver/plugins/topology.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index 0d0b3c084..0cccf902f 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -204,7 +204,7 @@ class topologysegment(LDAPObject):
 ),
 )
 
- def validate_nodes(self, ldap, dn, entry_attrs):
+ def validate_nodes(self, ldap, dn, entry_attrs, suffix):
 leftnode = entry_attrs.get('iparepltoposegmentleftnode')
 rightnode = entry_attrs.get('iparepltoposegmentrightnode')
 
@@ -246,6 +246,27 @@ class topologysegment(LDAPObject):
 error=_('left node and right node must not be the same')
 )
 
+ # don't allow segment between nodes where both don't have the suffix
+ masters_to_suffix = map_masters_to_suffixes(masters)
+ suffix_masters = masters_to_suffix.get(suffix, [])
+ suffix_m_hostnames = [m['cn'][0].lower() for m in suffix_masters]
+
+ if leftnode not in suffix_m_hostnames:
+ raise errors.ValidationError(
+ name='leftnode',
+ error=_("left node ({host}) does not support "
+ "suffix '{suff}'"
+ .format(host=leftnode, suff=suffix))
+ )
+
+ if rightnode not in suffix_m_hostnames:
+ raise errors.ValidationError(
+ name='rightnode',
+ error=_("right node ({host}) does not support "
+ "suffix '{suff}'"
+ .format(host=rightnode, suff=suffix))
+ )
+
 
 @register()
 class topologysegment_find(LDAPSearch):
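Review bot: The two new membership checks compare `leftnode` and `rightnode` as-is against `suffix_m_hostnames`, which is built lowercased (`m['cn'][0].lower()`), and both values come from `entry_attrs.get(...)`. A mixed-case hostname, or a missing attribute (`None`, which looks possible on the `topologysegment_mod` path when the nodes are not part of the update), would therefore be rejected with a misleading "does not support suffix" error. Unless the part of `validate_nodes` outside this hunk already normalises and requires both values, guard and normalise here, e.g. `if leftnode and leftnode.lower() not in suffix_m_hostnames:` and the same for `rightnode`. Separately, `.format(...)` is applied inside the `_()` call, so, assuming `_` is the gettext wrapper, the catalog lookup sees the already-interpolated string and cannot match a translation; close `_(...)` after the string literal and call `.format(host=leftnode, suff=suffix)` on its result.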
@@ -266,7 +287,7 @@ class topologysegment_add(LDAPCreate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 assert isinstance(dn, DN)
 validate_domain_level(self.api)
- self.obj.validate_nodes(ldap, dn, entry_attrs)
+ self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
 return dn
 
 
@@ -291,7 +312,7 @@ class topologysegment_mod(LDAPUpdate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 assert isinstance(dn, DN)
 validate_domain_level(self.api)
- self.obj.validate_nodes(ldap, dn, entry_attrs)
+ self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
 return dn
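Review bot: `keys[0]` is passed as the suffix with nothing stating what it is or that it is always present, both here and in the identical change to `topologysegment_mod.pre_callback` in the next hunk. A named local with a comment would make the contract visible, e.g. `suffix = keys[0]  # presumably the parent topology suffix name` followed by `self.obj.validate_nodes(ldap, dn, entry_attrs, suffix)`. The value is then used as an exact-match key in `masters_to_suffix.get(suffix, [])`, so if the caller-supplied name differs in case or type from the keys `map_masters_to_suffixes` produces, the lookup falls back to `[]` and every node is rejected. Whether that normalisation happens is not visible in this diff, so it is worth confirming or covering with a test.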