IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Make options checks in idrange-add/mod consistent

Browse Source 
Both now enforce the following checks:
  - dom_sid and secondary_rid_base cannot be used together
  - rid_base must be used together if dom_rid is set
  - secondary_rid_base and rid_base must be used together
    if dom_rid is not set

Unit test for third check has been added.

http://fedorahosted.org/freeipa/ticket/3170
This commit is contained in:
Tomas Babej 2012-12-21 05:34:37 -05:00 committed by Martin Kosek
parent 54a53bca48
commit 4ba2700de4
2 changed files with 91 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
ipalib/plugins/idrange.py
View File

@ -364,7 +364,7 @@ class idrange_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
assert isinstance(dn, DN) assert isinstance(dn, DN)
is_set = lambda x: (x in entry_attrs) and (x is not None) is_set = lambda x: (x in entry_attrs) and (entry_attrs[x] is not None)
# This needs to stay in options since there is no # This needs to stay in options since there is no
# ipanttrusteddomainname attribute in LDAP # ipanttrusteddomainname attribute in LDAP
@ -402,11 +402,13 @@ class idrange_add(LDAPCreate):
entry_attrs['objectclass'].append('ipatrustedaddomainrange') entry_attrs['objectclass'].append('ipatrustedaddomainrange')
else: else:
# secondary base rid must be set if and only if base rid is set
if is_set('ipasecondarybaserid') != is_set('ipabaserid'): if is_set('ipasecondarybaserid') != is_set('ipabaserid'):
raise errors.ValidationError(name='ID Range setup', raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must ' error=_('Options secondary-rid-base and rid-base must '
'be used together')) 'be used together'))
# and they must not overlap
if is_set('ipabaserid') and is_set('ipasecondarybaserid'): if is_set('ipabaserid') and is_set('ipasecondarybaserid'):
if self.obj.are_rid_ranges_overlapping( if self.obj.are_rid_ranges_overlapping(
entry_attrs['ipabaserid'], entry_attrs['ipabaserid'],
@ -483,7 +485,16 @@ class idrange_mod(LDAPUpdate):
assert isinstance(dn, DN) assert isinstance(dn, DN)
attrs_list.append('objectclass') attrs_list.append('objectclass')
is_set = lambda x: (x in entry_attrs) and (x is not None) try:
(old_dn, old_attrs) = ldap.get_entry(dn, ['*'])
except errors.NotFound:
self.obj.handle_not_found(*keys)
is_set = lambda x: (x in entry_attrs) and (entry_attrs[x] is not None)
in_updated_attrs = lambda x:\
(x in entry_attrs and entry_attrs[x] is not None) or\
(x not in entry_attrs and x in old_attrs
and old_attrs[x] is not None)
# This needs to stay in options since there is no # This needs to stay in options since there is no
# ipanttrusteddomainname attribute in LDAP # ipanttrusteddomainname attribute in LDAP
@ -496,6 +507,8 @@ class idrange_mod(LDAPUpdate):
sid = self.obj.get_trusted_domain_sid_from_name( sid = self.obj.get_trusted_domain_sid_from_name(
options['ipanttrusteddomainname']) options['ipanttrusteddomainname'])
# we translate the name into sid so further validation can rely
# on ipanttrusteddomainsid attribute only
if sid is not None: if sid is not None:
entry_attrs['ipanttrusteddomainsid'] = sid entry_attrs['ipanttrusteddomainsid'] = sid
else: else:
@ -504,25 +517,37 @@ class idrange_mod(LDAPUpdate):
'not be found. Please specify the SID directly ' 'not be found. Please specify the SID directly '
'using dom-sid option.')) 'using dom-sid option.'))
try: if in_updated_attrs('ipanttrusteddomainsid'):
(old_dn, old_attrs) = ldap.get_entry(dn, if in_updated_attrs('ipasecondarybaserid'):
['ipabaseid', raise errors.ValidationError(name='ID Range setup',
'ipaidrangesize', error=_('Options dom-sid and secondary-rid-base cannot '
'ipabaserid', 'be used together'))
'ipasecondarybaserid'])
except errors.NotFound: if not in_updated_attrs('ipabaserid'):
self.obj.handle_not_found(*keys) raise errors.ValidationError(name='ID Range setup',
error=_('Options dom-sid and rid-base must '
'be used together'))
if is_set('ipanttrusteddomainsid'): if is_set('ipanttrusteddomainsid'):
# Validate SID as the one of trusted domains # Validate SID as the one of trusted domains
self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid']) # perform this check only if the attribute was changed
self.obj.validate_trusted_domain_sid(
entry_attrs['ipanttrusteddomainsid'])
else:
# secondary base rid must be set if and only if base rid is set
if in_updated_attrs('ipasecondarybaserid') !=\
in_updated_attrs('ipabaserid'):
raise errors.ValidationError(name='ID Range setup',
error=_('Options secondary-rid-base and rid-base must '
'be used together'))
# ensure that primary and secondary rid ranges do not overlap # ensure that primary and secondary rid ranges do not overlap
if all((base in entry_attrs) or (base in old_attrs) if all(in_updated_attrs(base)
for base in ('ipabaserid', 'ipasecondarybaserid')): for base in ('ipabaserid', 'ipasecondarybaserid')):
# make sure we are working with updated attributes # make sure we are working with updated attributes
rid_range_attributes = ('ipabaserid', 'ipasecondarybaserid', 'ipaidrangesize') rid_range_attributes = ('ipabaserid', 'ipasecondarybaserid',
'ipaidrangesize')
updated_values = dict() updated_values = dict()
for attr in rid_range_attributes: for attr in rid_range_attributes:
@ -539,14 +564,19 @@ class idrange_mod(LDAPUpdate):
error=_("Primary RID range and secondary RID range" error=_("Primary RID range and secondary RID range"
" cannot overlap")) " cannot overlap"))
# check whether ids are in modified range
old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
new_base_id = entry_attrs.get('ipabaseid') new_base_id = entry_attrs.get('ipabaseid')
if new_base_id is not None: if new_base_id is not None:
new_base_id = int(new_base_id) new_base_id = int(new_base_id)
new_range_size = entry_attrs.get('ipaidrangesize') new_range_size = entry_attrs.get('ipaidrangesize')
if new_range_size is not None: if new_range_size is not None:
new_range_size = int(new_range_size) new_range_size = int(new_range_size)
self.obj.check_ids_in_modified_range(old_base_id, old_range_size, self.obj.check_ids_in_modified_range(old_base_id, old_range_size,
new_base_id, new_range_size) new_base_id, new_range_size)

46
tests/test_xmlrpc/test_range_plugin.py
View File

@ -69,6 +69,11 @@ testrange7_size = 50
testrange7_base_rid = 600 testrange7_base_rid = 600
testrange7_secondary_base_rid=649 testrange7_secondary_base_rid=649
testrange8 = u'testrange8'
testrange8_base_id = 700
testrange8_size = 50
testrange8_base_rid = 700
user1=u'tuser1' user1=u'tuser1'
user1_uid = 900000 user1_uid = 900000
group1=u'group1' group1=u'group1'
@ -76,7 +81,7 @@ group1_gid = 900100
class test_range(Declarative): class test_range(Declarative):
cleanup_commands = [ cleanup_commands = [
('idrange_del', [testrange1,testrange2,testrange3,testrange4,testrange5,testrange6,testrange7], {'continue': True}), ('idrange_del', [testrange1,testrange2,testrange3,testrange4,testrange5,testrange6,testrange7, testrange8], {'continue': True}),
('user_del', [user1], {}), ('user_del', [user1], {}),
('group_del', [group1], {}), ('group_del', [group1], {}),
] ]
@ -365,4 +370,43 @@ class test_range(Declarative):
summary=u'Deleted ID range "%s"' % testrange2, summary=u'Deleted ID range "%s"' % testrange2,
), ),
), ),
dict(
desc='Create ID range %r' % (testrange8),
command=('idrange_add', [testrange8],
dict(ipabaseid=testrange8_base_id,
ipaidrangesize=testrange8_size)),
expected=dict(
result=dict(
dn=DN(('cn',testrange8),('cn','ranges'),('cn','etc'),
api.env.basedn),
cn=[testrange8],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange8_base_id)],
ipaidrangesize=[unicode(testrange8_size)],
iparangetype=[u'local domain range'],
),
value=testrange8,
summary=u'Added ID range "%s"' % (testrange8),
),
),
dict(
desc='Try to modify ID range %r so it has only primary rid range set' % (testrange8),
command=('idrange_mod', [testrange8],
dict(ipabaserid=testrange8_base_rid)),
expected=errors.ValidationError(
name='ID Range setup', error='Options secondary-rid-base and rid-base must be used together'),
),
dict(
desc='Delete ID range %r' % testrange8,
command=('idrange_del', [testrange8], {}),
expected=dict(
result=dict(failed=u''),
value=testrange8,
summary=u'Deleted ID range "%s"' % testrange8,
),
),
] ]