Hi,

Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.

https://fedorahosted.org/freeipa/ticket/4247

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 


From e8c83773d8164d87d79062931b642df76fc479da Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 13 Mar 2014 12:36:17 +0100
Subject: [PATCH] Prohibit deletion of active subdomain range

Changes the code in the idrange_del method to not only check for
the root domains that match the SID in the IDRange, but for the
SIDs of subdomains of trusts as well.

https://fedorahosted.org/freeipa/ticket/4247
---
 ipalib/plugins/idrange.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 3a92d9898cc03f517b0f2bb75093eeb741cff646..ff6cdbc94ce479d0d8863cc5dfb1c074e7f3a5ad 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -568,13 +568,24 @@ class idrange_del(LDAPDelete):
 
         if range_sid is not None:
             range_sid = range_sid[0]
-            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
 
-            if result['count'] > 0:
-                raise errors.DependentEntry(
-                    label='Active Trust',
-                    key=keys[0],
-                    dependent=result['result'][0]['cn'][0])
+            # We need to check all the subdomains of all trusts, so we iterate
+            # over all active trusts
+            active_trusts = api.Command['trust_find']()
+
+            for trust in active_trusts['result']:
+                matching_domains = api.Command['trustdomain_find'](
+                                       trust['cn'][0],
+                                       ipanttrusteddomainsid=range_sid
+                                   )
+
+                # If there's a active domain of a trust that this range
+                # belongs to, raise an DependentEntry error
+                if matching_domains['count'] > 0:
+                    raise errors.DependentEntry(
+                        label='Active Trust domain',
+                        key=keys[0],
+                        dependent=matching_domains['result'][0]['cn'][0])
 
         return dn
 
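Review bot: the removed `trust_find(ipanttrusteddomainsid=range_sid)` lookup was the only check against a trust's root domain SID, and the new loop relies entirely on `trustdomain_find` to cover that case. Please confirm that `trustdomain_find` also returns the root domain of each trust; if it does not, a range belonging to an active root domain becomes deletable again, so the old check should stay alongside the new one. Separately, the unfiltered `api.Command['trust_find']()` call does not look at whether its result was truncated; if a search limit cuts the list short, a trust holding the matching SID is never examined and the delete goes through. Either request an unlimited result there or replace the per-trust loop with a single search for any trusted domain entry with this SID, which would also avoid one `trustdomain_find` call per trust. Minor: the new comment should read "an active domain" and "a DependentEntry error".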
-- 
1.8.5.3
