mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
harden the check for trust namespace overlap in new principals
This check must handle the possibility of optional attributes (ipantadditionalsuffixes and ipantflatname) missing in the trusted domain entry. https://fedorahosted.org/freeipa/ticket/6099 Reviewed-By: David Kupka <dkupka@redhat.com>
parent
807702c986
commit
da2305ddb9
@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
|
|||||||
trust_suffix_namespace = set()
|
trust_suffix_namespace = set()
|
||||||
|
|
||||||
for obj in trust_objects:
|
for obj in trust_objects:
|
||||||
trust_suffix_namespace.update(
|
nt_suffixes = obj.get('ipantadditionalsuffixes', [])
|
||||||
set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
|
|
||||||
|
|
||||||
trust_suffix_namespace.update(
|
trust_suffix_namespace.update(
|
||||||
set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
|
set(upn.lower() for upn in nt_suffixes))
|
||||||
|
|
||||||
|
if 'ipantflatname' in obj:
|
||||||
|
trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
|
||||||
|
|
||||||
|
trust_suffix_namespace.add(obj['cn'][0].lower())
|
||||||
|
|
||||||
for principal in keys[-1]:
|
for principal in keys[-1]:
|
||||||
realm = principal.realm
|
realm = principal.realm
|
||||||
|
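Review bot: Every value added to `trust_suffix_namespace` is lower-cased, but `realm = principal.realm` at the end of the hunk is taken as-is. The membership test itself is outside the hunk, so please confirm it normalises case first, e.g. `realm = principal.realm.lower()`, assuming the realm is a plain string. If it does not, a realm that differs from a trusted domain name only in case would presumably pass the overlap check. Separately, `if 'ipantflatname' in obj:` guards only against a missing key, so `obj['ipantflatname'][0]` would still raise if the attribute is present with an empty value list; `if obj.get('ipantflatname'):` covers both cases. A short comment such as `# ipantadditionalsuffixes and ipantflatname are optional in trusted domain entries` above the loop would record why `cn` is still indexed unconditionally.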