Check for existence of the group when adding a user.
The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the user to be added ticket 567
parent
e8157f2628
commit
ba8d21f5ae
@ -1110,6 +1110,21 @@ class ManagedPolicyError(ExecutionError):
|
|||||||
errno = 4021
|
errno = 4021
|
||||||
format = _('A managed group cannot have a password policy.')
|
format = _('A managed group cannot have a password policy.')
|
||||||
|
|
||||||
|
class ManagedGroupExistsError(ExecutionError):
|
||||||
|
"""
|
||||||
|
**4024** Raised when adding a user and its managed group exists
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
>>> raise ManagedGroupExistsError(group=u'engineering')
|
||||||
|
Traceback (most recent call last):
|
||||||
|
...
|
||||||
|
ManagedGroupExistsError: Unable to create private group. A group 'engineering' already exists.'
|
||||||
|
"""
|
||||||
|
|
||||||
|
errno = 4024
|
||||||
|
format = _('Unable to create private group. Group \'%(group)s\' already exists.')
|
||||||
|
|
||||||
class BuiltinError(ExecutionError):
|
class BuiltinError(ExecutionError):
|
||||||
"""
|
"""
|
||||||
**4100** Base class for builtin execution errors (*4100 - 4199*).
|
**4100** Base class for builtin execution errors (*4100 - 4199*).
|
||||||
|
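Review bot: The doctest in the new ManagedGroupExistsError docstring does not match the `format` string defined a few lines below it: the example output reads `A group 'engineering' already exists.'` (with a stray trailing quote) while `format` renders `Group '%(group)s' already exists.`, so the example misdocuments the message and would fail if the doctests are executed. Change the example line to `ManagedGroupExistsError: Unable to create private group. Group 'engineering' already exists.` so it reproduces what `format` produces. It would also help to state in the docstring that `group` is the only substitution key the message expects, since every raise site must supply it.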
@ -211,6 +211,18 @@ class user_add(LDAPCreate):
|
|||||||
msg_summary = _('Added user "%(value)s"')
|
msg_summary = _('Added user "%(value)s"')
|
||||||
|
|
||||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||||
|
try:
|
||||||
|
# The Managed Entries plugin will allow a user to be created
|
||||||
|
# even if a group has a duplicate name. This would leave a user
|
||||||
|
# without a private group. Check for both the group and the user.
|
||||||
|
self.api.Command['group_show'](keys[-1])
|
||||||
|
try:
|
||||||
|
self.api.Command['user_show'](keys[-1])
|
||||||
|
raise errors.DuplicateEntry()
|
||||||
|
except errors.NotFound:
|
||||||
|
raise errors.ManagedGroupExistsError(group=keys[-1])
|
||||||
|
except errors.NotFound:
|
||||||
|
pass
|
||||||
config = ldap.get_ipa_config()[1]
|
config = ldap.get_ipa_config()[1]
|
||||||
if 'ipamaxusernamelength' in config:
|
if 'ipamaxusernamelength' in config:
|
||||||
if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
|
if len(keys[-1]) > int(config.get('ipamaxusernamelength')[0]):
|
||||||
|
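Review bot: The new existence check in pre_callback is a lookup-then-act sequence, so it narrows the Managed Entries conflict described in the commit message but cannot close it: a group_add with the same name that lands between the `group_show` call and the LDAP add still leaves the user without a private group. That limitation deserves a comment next to the check, e.g. `# Best-effort pre-check; a concurrent group_add can still slip through.` Both lookups are made by invoking full commands rather than using the `ldap` backend handle that pre_callback already receives (and uses for `get_ipa_config` below); if those commands are subject to the caller's read permissions, a group the caller cannot see would presumably surface as NotFound here and the check would be bypassed, which is worth confirming against the ACIs. The body of pre_callback continues past the end of the hunk.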
@ -32,6 +32,7 @@ user_memberof = (u'cn=ipausers,cn=groups,cn=accounts,%s' % api.env.basedn,)
|
|||||||
user1=u'tuser1'
|
user1=u'tuser1'
|
||||||
user2=u'tuser2'
|
user2=u'tuser2'
|
||||||
renameduser1=u'tuser'
|
renameduser1=u'tuser'
|
||||||
|
group1=u'group1'
|
||||||
|
|
||||||
invaliduser1=u'+tuser1'
|
invaliduser1=u'+tuser1'
|
||||||
invaliduser2=u'tuser1234567890123456789012345678901234567890'
|
invaliduser2=u'tuser1234567890123456789012345678901234567890'
|
||||||
@ -41,6 +42,7 @@ class test_user(Declarative):
|
|||||||
|
|
||||||
cleanup_commands = [
|
cleanup_commands = [
|
||||||
('user_del', [user1, user2], {}),
|
('user_del', [user1, user2], {}),
|
||||||
|
('group_del', [group1], {}),
|
||||||
]
|
]
|
||||||
|
|
||||||
tests = [
|
tests = [
|
||||||
@ -461,4 +463,33 @@ class test_user(Declarative):
|
|||||||
expected=errors.ValidationError(name='uid', error='can be at most 33 characters'),
|
expected=errors.ValidationError(name='uid', error='can be at most 33 characters'),
|
||||||
),
|
),
|
||||||
|
|
||||||
|
dict(
|
||||||
|
desc='Create %r' % group1,
|
||||||
|
command=(
|
||||||
|
'group_add', [group1], dict(description=u'Test desc')
|
||||||
|
),
|
||||||
|
expected=dict(
|
||||||
|
value=group1,
|
||||||
|
summary=u'Added group "%s"' % group1,
|
||||||
|
result=dict(
|
||||||
|
cn=[group1],
|
||||||
|
description=[u'Test desc'],
|
||||||
|
gidnumber=[fuzzy_digits],
|
||||||
|
objectclass=objectclasses.group + [u'posixgroup'],
|
||||||
|
ipauniqueid=[fuzzy_uuid],
|
||||||
|
dn=u'cn=%s,cn=groups,cn=accounts,%s' % (group1, api.env.basedn),
|
||||||
|
),
|
||||||
|
),
|
||||||
|
),
|
||||||
|
|
||||||
|
|
||||||
|
dict(
|
||||||
|
desc='Try to user %r where the managed group exists' % group1,
|
||||||
|
command=(
|
||||||
|
'user_add', [group1], dict(givenname=u'Test', sn=u'User1')
|
||||||
|
),
|
||||||
|
expected=errors.ManagedGroupExistsError(group=group1)
|
||||||
|
),
|
||||||
|
|
||||||
|
|
||||||
]
|
]
|
||||||
|
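Review bot: The description of the new negative test, `desc='Try to user %r where the managed group exists' % group1,`, is missing its verb; it should read `desc='Try to add user %r where the managed group exists' % group1,`. The new cases also exercise only the group-exists/user-missing branch of pre_callback; the branch that raises `errors.DuplicateEntry()` when both the user and the group exist has no test, and a case that adds a user whose name matches both an existing user and its group would pin it. The tests list itself starts before this hunk.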