[Freeipa-devel] [PATCH 0157] Prohibit deletion of active subdomain range

Petr Viktorin pviktori at redhat.com
Thu Mar 13 17:12:54 UTC 2014


On 03/13/2014 05:11 PM, Alexander Bokovoy wrote:
> On Thu, 13 Mar 2014, Tomas Babej wrote:
>>>>
>>>> Tomas, could you please change the code correspondingly?
>>> Sure. Here is the updated patch.
>>>
>> Slightly improved patch with better control flow. Thanks for the reviews.
>>
>> --
>> Tomas Babej
>> Associate Software Engineer | Red Hat | Identity Management
>> RHCE | Brno Site | IRC: tbabej | freeipa.org
>>
>
>> From 31362721d8477fc6c44341edd34c3335d881613d Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tbabej at redhat.com>
>> Date: Thu, 13 Mar 2014 12:36:17 +0100
>> Subject: [PATCH] Prohibit deletion of active subdomain range
>>
>> Changes the code in the idrange_del method to not only check for
>> the root domains that match the SID in the IDRange, but for the
>> SIDs of subdomains of trusts as well.
>>
>> https://fedorahosted.org/freeipa/ticket/4247
>> ---
>> ipalib/plugins/idrange.py | 20 ++++++++++++++++----
>> 1 file changed, 16 insertions(+), 4 deletions(-)
>>
>> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>> index
>> 3a92d9898cc03f517b0f2bb75093eeb741cff646..91d8525dbc0c5a294e3d2782c58ef14af2d5a972
>> 100644
>> --- a/ipalib/plugins/idrange.py
>> +++ b/ipalib/plugins/idrange.py
>> @@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
>>         range_sid = old_attrs.get('ipanttrusteddomainsid')
>>
>>         if range_sid is not None:
>> +            # Search for trusted domain with SID specified in the ID
>> range entry
>>             range_sid = range_sid[0]
>> -            result =
>> api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>> +            domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
>> +                           '(ipanttrusteddomainsid=%s))' % range_sid)
>>
>> -            if result['count'] > 0:
>> +            try:
>> +                (trust_domains, truncated) = ldap.find_entries(
>> +                    base_dn=DN(api.env.container_trusts,
>> api.env.basedn),
>> +                    filter=domain_filter)
>> +            except errors.NotFound:
>> +                pass
>> +            else:
>> +                # If there's an entry, it means that there's active
>> domain
>> +                # of a trust that this range belongs to, so raise a
>> +                # DependentEntry error
>>                 raise errors.DependentEntry(
>> -                    label='Active Trust',
>> +                    label='Active Trust domain',
>>                     key=keys[0],
>> -                    dependent=result['result'][0]['cn'][0])
>> +                    dependent=trust_domains[0].dn[0].value)
>> +
>>
>>         return dn
>>
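Review bot: In the `domain_filter` assignment, `range_sid` is interpolated into the LDAP filter with `%` and no escaping, so a stored SID value containing filter metacharacters such as `(`, `)` or `*` would alter the search that decides whether the delete is blocked. The value is read from the existing range entry (`old_attrs.get('ipanttrusteddomainsid')`) rather than taken directly from the caller, which limits exposure, but escaping it, or building the filter through the LDAP layer's filter helpers instead of string formatting, keeps the dependency check robust. Smaller points: `truncated` is unpacked but never used, `domain_filter=(` is missing the spaces around `=`, and the blank line added before `return dn` is redundant. The diffstat shows only `idrange.py` changed, so a test that attempts to delete a range belonging to a trust subdomain would be worth adding alongside.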
>
> ACK now.

Pushed to:
master: 62426970b7b2abd7941ce5df1f1f0e5554ec5a7d
ipa-3-3: 8e7b209ed2f7f82bd9dee75a23cc867a3b69a9a8


-- 
Petr³



