idviews: Enforce objectclass check in idoverride*-del

Even with anchor to sid type checking, it would be still possible to delete a user ID override by specifying a group raw anchor and vice versa. This patch introduces a objectclass check in idoverride*-del commands to prevent that. https://fedorahosted.org/freeipa/ticket/5029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-01-11 08:41:55 -06:00 · 2015-07-23 14:00:06 +02:00 · 2015-07-23 14:00:06 +02:00 · aa066f31a5
commit aa066f31a5
parent e0d3231f07
1 changed files with 19 additions and 0 deletions
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@ -718,6 +718,25 @@ class baseidoverride_del(LDAPDelete):

    takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)

+    def pre_callback(self, ldap, dn, *keys, **options):
+        assert isinstance(dn, DN)
+
+        # Make sure the entry we're deleting has all the objectclasses
+        # this object requires
+        try:
+            entry = ldap.get_entry(dn, ['objectclass'])
+        except errors.NotFound:
+            self.obj.handle_not_found(*keys)
+
+        required_object_classes = set(self.obj.object_class)
+        actual_object_classes = set(entry['objectclass'])
+
+        # If not, treat it as a failed search
+        if not required_object_classes.issubset(actual_object_classes):
+            self.obj.handle_not_found(*keys)
+
+        return dn
+

 class baseidoverride_mod(LDAPUpdate):
    __doc__ = _('Modify an ID override.')