Fix validator for SELinux user map settings in config plugin.

We need to compare two values and need to be aware of where those values are coming from. They may come from options, setattr or existing config. The format of that data is going to be different depending on its source (always a list internally). One may also set both at the same time so a standard validator cannot be used because it lacks the context of the other value being set. https://fedorahosted.org/freeipa/ticket/2938 https://fedorahosted.org/freeipa/ticket/2940
2025-02-25 18:55:28 -06:00 · 2012-07-24 22:55:27 -04:00 · 2012-07-24 22:55:27 -04:00 · e345ad12eb
commit e345ad12eb
parent 9d853483fe
2 changed files with 48 additions and 15 deletions
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@ -250,30 +250,35 @@ class config_mod(LDAPUpdate):
                                error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
                                % dict(obj=obj, attr=obj_attr))
-        if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None:
+        # Combine the current entry and options into a single object to
-            raise errors.ValidationError(name='ipaselinuxusermapdefault',
+        # evaluate. This covers changes via setattr and options.
-                error=_('SELinux user map default user may not be empty'))
+        # Note: this is not done in a validator because we may be changing
-
+        #       the default user and map list at the same time and we don't
-        # Make sure the default user is in the list
+        #       have both values in a validator.
-        if 'ipaselinuxusermapdefault' in options or \
+        validate = dict(options)
-          'ipaselinuxusermaporder' in options:
+        validate.update(entry_attrs)
        if ('ipaselinuxusermapdefault' in validate or
          'ipaselinuxusermaporder' in validate):
            config = None
-            if 'ipaselinuxusermapdefault' in options:
+            failedattr = 'ipaselinuxusermaporder'
-                defaultuser = options['ipaselinuxusermapdefault']
+            if 'ipaselinuxusermapdefault' in validate:
                defaultuser = validate['ipaselinuxusermapdefault']
                failedattr = 'ipaselinuxusermapdefault'
            else:
                config = ldap.get_ipa_config()[1]
-                defaultuser = config['ipaselinuxusermapdefault']
+                defaultuser = config['ipaselinuxusermapdefault'][0]
-            if 'ipaselinuxusermaporder' in options:
+            if 'ipaselinuxusermaporder' in validate:
-                order = options['ipaselinuxusermaporder']
+                order = validate['ipaselinuxusermaporder']
                userlist = order.split('$')
            else:
                if not config:
                    config = ldap.get_ipa_config()[1]
                order = config['ipaselinuxusermaporder']
-            userlist = order[0].split('$')
+                userlist = order[0].split('$')
            if defaultuser not in userlist:
-                raise errors.ValidationError(name='ipaselinuxusermaporder',
+                raise errors.ValidationError(name=failedattr,
-                    error=_('Default SELinux user map default user not in order list'))
+                    error=_('SELinux user map default user not in order list'))
        return dn
--- a/tests/test_xmlrpc/test_config_plugin.py
+++ b/tests/test_xmlrpc/test_config_plugin.py
@ -60,4 +60,32 @@ class test_config(Declarative):
            expected=errors.RequirementError(name='ipausersearchfields'),
        ),
        dict(
            desc='Try to set invalid ipaselinuxusermapdefault',
            command=('config_mod', [],
                dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
        ),
        dict(
            desc='Try to set invalid ipaselinuxusermapdefault with setattr',
            command=('config_mod', [],
                dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
        ),
        dict(
            desc='Try to set invalid ipaselinuxusermaporder',
            command=('config_mod', [],
                dict(ipaselinuxusermaporder=u'notfound_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'),
        ),
        dict(
            desc='Try to set new selinux order and invalid default user',
            command=('config_mod', [],
                dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
        ),
    ]