From 8122d74596457530ce794916bafb1c7fcdb56ada Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 25 Jul 2013 13:54:39 +0200
Subject: [PATCH] Use case-insensitive dict for trusted domain info

In DomainValidator, we store a dictionary containing information
for trusted domains. This is a case-sensitive dictionary keyed by
the domain name.

We need to use case-insensitive dictionary since domain names
are generally case-insensitive.

https://fedorahosted.org/freeipa/ticket/3816
---
 ipaserver/dcerpc.py | 36 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 12 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 4660842fc..3ef81a6db 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -150,18 +150,29 @@ class DomainValidator(object):
         return True
 
     def get_trusted_domains(self):
-        """Returns dict of trusted domain tuples (flatname, sid, trust_auth_outgoing), keyed by domain name"""
-        cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts, self.api.env.basedn)
+        """
+        Returns case-insensitive dict of trusted domain tuples
+        (flatname, sid, trust_auth_outgoing), keyed by domain name.
+        """
+        cn_trust = DN(('cn', 'ad'), self.api.env.container_trusts,
+                      self.api.env.basedn)
+
         try:
             search_kw = {'objectClass': 'ipaNTTrustedDomain'}
             filter = self.ldap.make_filter(search_kw, rules=self.ldap.MATCH_ALL)
-            (entries, truncated) = self.ldap.find_entries(filter=filter, base_dn=cn_trust,
-                                                          attrs_list=[self.ATTR_TRUSTED_SID,
-                                                                      self.ATTR_FLATNAME,
-                                                                      self.ATTR_TRUST_PARTNER,
-                                                                      self.ATTR_TRUST_AUTHOUT])
+            (entries, truncated) = self.ldap.find_entries(
+                filter=filter,
+                base_dn=cn_trust,
+                attrs_list=[self.ATTR_TRUSTED_SID,
+                            self.ATTR_FLATNAME,
+                            self.ATTR_TRUST_PARTNER,
+                            self.ATTR_TRUST_AUTHOUT]
+                )
+
+            # We need to use case-insensitive dictionary since we use
+            # domain names as keys and those are generally case-insensitive
+            result = ipautil.CIDict()
 
-            result = dict()
             for dn, entry in entries:
                 try:
                     trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
@@ -170,13 +181,14 @@ class DomainValidator(object):
                 except KeyError, e:
                     # Some piece of trusted domain info in LDAP is missing
                     # Skip the domain, but leave log entry for investigation
-                    api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
-                            dn, e)
+                    api.log.warn("Trusted domain '%s' entry misses an "
+                                 "attribute: %s", dn, e)
                     continue
+
                 trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
 
-                # We were able to read all Trusted domain attributes but the secret
-                # User is not member of trust admins group
+                # We were able to read all Trusted domain attributes but the
+                # secret User is not member of trust admins group
                 if trust_authout is None:
                     raise errors.ACIError(
                         info=_('communication with trusted domains is allowed '