[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Martin Kosek mkosek at redhat.com
Thu Mar 13 12:01:19 UTC 2014


On 03/13/2014 12:59 PM, Alexander Bokovoy wrote:
> On Thu, 13 Mar 2014, Tomas Babej wrote:
>> Hi,
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>>
>> -- 
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>>
> 
>> From e8c83773d8164d87d79062931b642df76fc479da Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tbabej at redhat.com>
>> Date: Thu, 13 Mar 2014 12:36:17 +0100
>> Subject: [PATCH] Prohibit deletion of active subdomain range
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>> ---
>> ipalib/plugins/idrange.py | 23 +++++++++++++++++------
>> 1 file changed, 17 insertions(+), 6 deletions(-)
>>
>> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>> index
>> 3a92d9898cc03f517b0f2bb75093eeb741cff646..ff6cdbc94ce479d0d8863cc5dfb1c074e7f3a5ad
>> 100644
>> --- a/ipalib/plugins/idrange.py
>> +++ b/ipalib/plugins/idrange.py
>> @@ -568,13 +568,24 @@ class idrange_del(LDAPDelete):
>>
>>         if range_sid is not None:
>>             range_sid = range_sid[0]
>> -            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>>
>> -            if result['count'] > 0:
>> -                raise errors.DependentEntry(
>> -                    label='Active Trust',
>> -                    key=keys[0],
>> -                    dependent=result['result'][0]['cn'][0])
>> +            # We need to check all the subdomains of all trusts, so we iterate
>> +            # over all active trusts
>> +            active_trusts = api.Command['trust_find']()
>> +
>> +            for trust in active_trusts['result']:
>> +                matching_domains = api.Command['trustdomain_find'](
>> +                                       trust['cn'][0],
>> +                                       ipanttrusteddomainsid=range_sid
>> +                                   )
>> +
>> +                # If there's a active domain of a trust that this range
>> +                # belongs to, raise an DependentEntry error
>> +                if matching_domains['count'] > 0:
>> +                    raise errors.DependentEntry(
>> +                        label='Active Trust domain',
>> +                        key=keys[0],
>> +                        dependent=matching_domains['result'][0]['cn'][0])
>>
>>         return dn
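Review bot: the loop at `for trust in active_trusts['result']:` issues one trustdomain_find call per trust on top of an unfiltered trust_find(), so deleting a range now costs one query per trust plus one, where the removed code needed a single query. A single search for entries with ipanttrusteddomainsid=range_sid across the trusts subtree would cover root domains and subdomains at once. The trust_find() call also passes no filter or explicit size limit, so the protection depends on that call returning every trust; if the result can be truncated, a matching subdomain could be missed and an in-use range deleted. Because the direct trust_find(ipanttrusteddomainsid=range_sid) check is removed, it is worth confirming, ideally with a test, that trustdomain_find also returns the trust's root domain, otherwise root-domain ranges lose the protection they had. Minor: the added comment should read "an active domain" and "a DependentEntry error".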
> 
> ACK.

NACK from me - too complicated and ineffective. Please check my review for details.

Martin



