harden the check for trust namespace overlap in new principals

This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.

https://fedorahosted.org/freeipa/ticket/6099

Reviewed-By: David Kupka <dkupka@redhat.com>
Martin Babinsky 2016-07-20 15:46:22 +02:00
parent 807702c986
commit da2305ddb9


@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
trust_suffix_namespace = set()
for obj in trust_objects:
trust_suffix_namespace.update(
set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
nt_suffixes = obj.get('ipantadditionalsuffixes', [])
trust_suffix_namespace.update(
set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
set(upn.lower() for upn in nt_suffixes))
if 'ipantflatname' in obj:
trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
trust_suffix_namespace.add(obj['cn'][0].lower())
for principal in keys[-1]:
realm = principal.realm