Add SID blacklist attributes

Update our LDAP schema and add 2 new attributes for SID blacklist definition. These new attributes can now be set per-trust with trustconfig command. https://fedorahosted.org/freeipa/ticket/3289
2025-02-25 18:55:28 -06:00 · 2013-02-07 14:59:00 +01:00
parent e08307d3fa
commit d4d19ff423
6 changed files with 65 additions and 13 deletions
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -123,10 +123,6 @@ particular type.
 """)

 trust_output_params = (
-    Str('ipantflatname',
-        label=_('Domain NetBIOS name')),
-    Str('ipanttrusteddomainsid',
-        label=_('Domain Security Identifier')),
    Str('trustdirection',
        label=_('Trust direction')),
    Str('trusttype',
@@ -201,8 +197,41 @@ class trust(LDAPObject):
            label=_('Realm name'),
            primary_key=True,
        ),
+        Str('ipantflatname',
+            cli_name='flat_name',
+            label=_('Domain NetBIOS name'),
+            flags=['no_create', 'no_update']),
+        Str('ipanttrusteddomainsid',
+            cli_name='sid',
+            label=_('Domain Security Identifier'),
+            flags=['no_create', 'no_update']),
+        Str('ipantsidblacklistincoming*',
+            csv=True,
+            cli_name='sid_blacklist_incoming',
+            label=_('SID blacklist incoming'),
+            flags=['no_create']),
+        Str('ipantsidblacklistoutgoing*',
+            csv=True,
+            cli_name='sid_blacklist_outgoing',
+            label=_('SID blacklist outgoing'),
+            flags=['no_create']),
    )

+    def validate_sid_blacklists(self, entry_attrs):
+        if not _bindings_installed:
+            # SID validator is not available, return
+            # Even if invalid SID gets in the trust entry, it won't crash
+            # the validation process as it is translated to SID S-0-0
+            return
+        for attr in ('ipantsidblacklistincoming', 'ipantsidblacklistoutgoing'):
+            values = entry_attrs.get(attr)
+            if not values:
+                continue
+            for value in values:
+                if not ipaserver.dcerpc.is_sid_valid(value):
+                    raise errors.ValidationError(name=attr,
+                            error=_("invalid SID: %(value)s") % dict(value=value))
+
 def make_trust_dn(env, trust_type, dn):
    assert isinstance(dn, DN)
    if trust_type in trust.trust_types:
@@ -437,9 +466,10 @@ class trust_mod(LDAPUpdate):
    available. More specific options will be added in coming releases.
    """)

-    msg_summary = _('Modified trust "%(value)s"')
+    msg_summary = _('Modified trust "%(value)s" '
+                    '(change will be effective in 60 seconds)')

-    def pre_callback(self, ldap, dn, *keys, **options):
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
        assert isinstance(dn, DN)
        result = None
        try:
@@ -447,6 +477,8 @@ class trust_mod(LDAPUpdate):
        except errors.NotFound, e:
            self.obj.handle_not_found(*keys)

+        self.obj.validate_sid_blacklists(entry_attrs)
+
        # TODO: we found the trust object, now modify it
        return result['result']['dn']