freeipa/ipapython
Rob Crittenden 19d5b3b621 Return a copy of cached entries, only with requested attributes
Some plugins, notably dns, modify a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-29 14:55:50 +03:00
install pylint: Fix several warnings 2021-03-30 09:58:42 +02:00
__init__.py Rename ipa-python directory to ipapython so it is a real python library 2009-02-09 14:35:15 -05:00
admintool.py Treat container subplatforms like main platform 2020-08-07 17:54:06 +03:00
certdb.py When loading certificates verify that it is X.509 v3 2021-06-14 15:19:42 -04:00
config.py Unify access to FQDN 2020-10-26 17:11:19 +11:00
cookie.py handle Y2038 in timestamp to datetime conversions 2020-06-25 09:18:02 +03:00
directivesetter.py Grammar: whitespace is a word 2020-06-23 10:16:29 +02:00
dn_ctypes.py Load libldap_r-*.so.2 2019-05-14 12:27:55 +02:00
dn.py Removes several pylint warnings. 2019-09-27 09:38:32 +02:00
dnsutil.py dnsutil: Improvements for IPA DNS Resolver 2021-05-25 10:45:49 +03:00
dogtag.py Add a status option to ipa-acme-manage 2020-11-02 10:43:57 -05:00
errors.py Replace StandardError with Exception 2015-09-30 10:51:36 +02:00
fqdn.py Easier to use ipa_gethostfqdn() 2020-10-26 17:11:19 +11:00
graph.py Py3: Remove subclassing from object 2018-09-27 11:49:04 +02:00
ipa_log_manager.py Remove deprecated object logger 2019-04-23 12:55:35 +02:00
ipachangeconf.py Fixed errors newly exposed by pylint 2.4.0 2019-09-25 20:14:06 +10:00
ipaldap.py Return a copy of cached entries, only with requested attributes 2021-06-29 14:55:50 +03:00
ipautil.py trust-fetch-domains: use custom krb5.conf overlay for all trust operations 2021-01-22 12:21:33 -05:00
ipavalidate.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
kerberos.py Py3: Replace six.bytes_type with bytes 2018-09-27 16:11:18 +02:00
kernel_keyring.py Don't configure KEYRING ccache in containers 2019-01-18 11:33:11 +01:00
Makefile.am ipapython: fix DEFAULT_PLUGINS in version.py 2017-03-09 18:39:48 +01:00
nsslib.py Remove ipapython.nsslib as it is not used anymore 2017-03-01 09:43:41 +00:00
README Replace DNS client based on acutil with python-dns 2012-05-24 13:55:56 +02:00
session_storage.py Fix pylint warnings inconsistent-return-statements 2017-12-18 11:51:14 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Add helpers for resolve1 and nameservers 2020-09-23 16:44:26 +02:00
ssh.py Allow multiple permitopen/permitlisten in SSH keys 2021-03-29 10:06:07 +03:00
version.py.in Manually reformat ipapython/version.py.in 2020-05-05 10:42:46 +02:00

This is a set of libraries common to IPA clients and servers, though
currently geared mostly towards command-line tools.

A brief overview:

config.py - identify the IPA server domain and realm. It uses python-dns to
            try to detect this information first and will fall back to
            /etc/ipa/default.conf if that fails.

ipautil.py - helper functions

entity.py - entity is the main data type. User and Group extend this class
            (but don't add anything currently).

ipavalidate.py - basic data validation routines