idoverride: Ignore ValidationErrors when converting the anchor

When converting the anchor to a human readable form, SID validation
may fail, e.g. if the domain is no longer trusted.

Ignore such cases and pass along the anchor in the raw format.

https://fedorahosted.org/freeipa/ticket/5322

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Tomas Babej 2015-10-12 13:15:20 +02:00
parent 5484ae014e
commit 4c2276f7ec


@ -197,16 +197,23 @@ class idview_show(LDAPRetrieve):
scope=ldap.SCOPE_ONELEVEL,
paged_search=True)
entry_attrs[attr_name] = [
resolve_anchor_to_object_name(
ldap,
obj_type,
override.single_value['ipaanchoruuid']
)
for override in overrides
]
resolved_overrides = []
for override in overrides:
anchor = override.single_value['ipaanchoruuid']
try:
name = resolve_anchor_to_object_name(ldap, obj_type,
anchor)
resolved_overrides.append(name)
except (errors.NotFound, errors.ValidationError):
# Anchor could not be resolved, use raw
resolved_overrides.append(anchor)
entry_attrs[attr_name] = resolved_overrides
except errors.NotFound:
# No overrides found, nothing to do
pass
def enumerate_hosts(self, dn, entry_attrs):
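Review bot: The new fallback under `except (errors.NotFound, errors.ValidationError):` appends the raw anchor with no record of why resolution failed, so an override whose domain is no longer trusted is indistinguishable in the command output from a normally resolved one and leaves nothing for an administrator to act on. A debug-level log of the anchor and the caught exception in that branch, for example `self.log.debug('Could not resolve anchor %s: %s', anchor, e)` if the plugin base class exposes a logger (confirm before using), would keep such stale overrides discoverable without changing the fallback behaviour. The same silent `pass` is introduced in the `baseidoverride` hunk (`@ -689,6 +696,11 @@`) and the `idoverrideuser` hunk (`@ -874,10 +876,17 @@`). The `try` that the outer `except errors.NotFound:` closes begins before this hunk, so the full error-handling shape of idview_show is not visible here.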
@ -689,6 +696,11 @@ class baseidoverride(LDAPObject):
# If we were unable to resolve the anchor,
# keep it in the raw form
pass
except errors.ValidationError:
# Same as above, ValidationError may be raised when SIDs
# are attempted to be converted, but the domain is no
# longer trusted
pass
def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
# Check if parent object is Default Trust View, if so, prohibit
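Review bot: The added `except errors.ValidationError:` clause has the same `pass` body as the `except errors.NotFound:` clause directly above it, and the other two hunks in this commit catch both exceptions in a single clause. For consistency this could be written as `except (errors.NotFound, errors.ValidationError):` with the two explanatory comments merged into one. The enclosing method starts outside the hunk, so the `try` these clauses belong to is not shown.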
@ -773,12 +785,7 @@ class baseidoverride_find(LDAPSearch):
def post_callback(self, ldap, entries, truncated, *args, **options):
for entry in entries:
try:
self.obj.convert_anchor_to_human_readable_form(entry, **options)
except errors.NotFound:
# If the conversion to readle form went wrong, do not
# abort the whole find command. Use non-converted entry.
pass
self.obj.convert_anchor_to_human_readable_form(entry, **options)
return truncated
@ -788,12 +795,7 @@ class baseidoverride_show(LDAPRetrieve):
takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,)
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
try:
self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
except errors.NotFound:
# If the conversion to readle form went wrong, do not
# abort the whole show command. Use non-converted entry.
pass
self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
return dn
@ -874,10 +876,17 @@ class idoverrideuser(baseidoverride):
def update_original_uid_reference(self, entry_attrs):
anchor = entry_attrs.single_value['ipaanchoruuid']
original_uid = resolve_anchor_to_object_name(self.backend,
self.override_object,
anchor)
entry_attrs['ipaOriginalUid'] = original_uid
try:
original_uid = resolve_anchor_to_object_name(self.backend,
self.override_object,
anchor)
entry_attrs['ipaOriginalUid'] = original_uid
except (errors.NotFound, errors.ValidationError):
# Anchor could not be resolved, this means we had to specify the
# object to manipulate using a raw anchor value already, hence
# we have no way to update the original_uid
pass
@register()