mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
harden the check for trust namespace overlap in new principals
This check must handle the possibility of optional attributes (ipantadditionalsuffixes and ipantflatname) missing in the trusted domain entry. https://fedorahosted.org/freeipa/ticket/6099 Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
parent
807702c986
commit
da2305ddb9
@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
|
||||
trust_suffix_namespace = set()
|
||||
|
||||
for obj in trust_objects:
|
||||
trust_suffix_namespace.update(
|
||||
set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
|
||||
nt_suffixes = obj.get('ipantadditionalsuffixes', [])
|
||||
|
||||
trust_suffix_namespace.update(
|
||||
set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
|
||||
set(upn.lower() for upn in nt_suffixes))
|
||||
|
||||
if 'ipantflatname' in obj:
|
||||
trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
|
||||
|
||||
trust_suffix_namespace.add(obj['cn'][0].lower())
|
||||
|
||||
for principal in keys[-1]:
|
||||
realm = principal.realm
|
||||
|
Loading…
Reference in New Issue
Block a user