Avoid internal error when user is not Trust admin

When user tries to perform any action requiring communication with trusted domain, IPA server tries to retrieve a trust secret on his behalf to be able to establish the connection. This happens for example during group-add-member command when external user is being resolved in the AD. When user is not member of Trust admins group, the retrieval crashes and reports internal error. Catch this exception and rather report properly formatted ACIError. Also make sure that this exception is properly processed in group-add-member post callback. https://fedorahosted.org/freeipa/ticket/3390
2025-02-25 18:55:28 -06:00 · 2013-01-24 11:51:58 +01:00 · 2013-01-24 11:51:58 +01:00 · a41e10f0eb
commit a41e10f0eb
parent 981c9f10ee
2 changed files with 24 additions and 5 deletions
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@ -387,7 +387,7 @@ class group_add_member(LDAPAddMember):
                    try:
                        actual_sid = domain_validator.get_trusted_domain_object_sid(sid)
                    except errors.PublicError, e:
-                        failed_sids.append((sid, unicode(e)))
+                        failed_sids.append((sid, e.strerror))
                    else:
                        sids.append(actual_sid)
            restore = []
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@ -156,10 +156,29 @@ class DomainValidator(object):
                                                                      self.ATTR_TRUST_AUTHOUT])

            result = dict()
-            for entry in entries:
-                result[entry[1][self.ATTR_TRUST_PARTNER][0]] = (entry[1][self.ATTR_FLATNAME][0].lower(),
-                                                                security.dom_sid(entry[1][self.ATTR_TRUSTED_SID][0]),
-                                                                entry[1][self.ATTR_TRUST_AUTHOUT][0])
+            for dn, entry in entries:
+                try:
+                    trust_partner = entry[self.ATTR_TRUST_PARTNER][0]
+                    flatname_normalized = entry[self.ATTR_FLATNAME][0].lower()
+                    trusted_sid = entry[self.ATTR_TRUSTED_SID][0]
+                except KeyError, e:
+                    # Some piece of trusted domain info in LDAP is missing
+                    # Skip the domain, but leave log entry for investigation
+                    api.log.warn("Trusted domain '%s' entry misses an attribute: %s",
+                            dn, e)
+                    continue
+                trust_authout = entry.get(self.ATTR_TRUST_AUTHOUT, [None])[0]
+
+                # We were able to read all Trusted domain attributes but the secret
+                # User is not member of trust admins group
+                if trust_authout is None:
+                    raise errors.ACIError(
+                        info=_('communication with trusted domains is allowed '
+                               'for Trusts administrator group members only'))
+
+                result[trust_partner] = (flatname_normalized,
+                                         security.dom_sid(trusted_sid),
+                                         trust_authout)
            return result
        except errors.NotFound, e:
            return []