Hi,

This pair of patches improves ID View and ID override handling; see the
commit messages for details.

Tomas
>From 8acc50c10d9886668a0147b46f311f9aa83294bb Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 27 May 2015 14:31:13 +0200
Subject: [PATCH] idviews: Set dcerpc detection flag properly

The availability of dcerpc bindings is being checked on the client
side as well, hence we need to define it properly.

https://fedorahosted.org/freeipa/ticket/5025
---
 ipalib/plugins/idviews.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 57f0cce1549edb4e582df225f7831916d96c216b..a7b1e0a78e57fcd2864d258c7968393c359499f2 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -30,12 +30,14 @@ from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
 
 from ipapython.dn import DN
 
+_dcerpc_bindings_installed = False
+
 if api.env.in_server and api.env.context in ['lite', 'server']:
     try:
         import ipaserver.dcerpc
         _dcerpc_bindings_installed = True
     except ImportError:
-        _dcerpc_bindings_installed = False
+        pass
 
 __doc__ = _("""
 ID Views
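Review bot: The new module-level `_dcerpc_bindings_installed = False` deserves a comment explaining why it now sits outside the server-only guard, since a reader who sees the flag consulted on the client side otherwise has to trace the import block to learn that it is deliberately False there: `# Default for clients and for servers without the dcerpc bindings; set True below when ipaserver.dcerpc imports.` The `except ImportError: pass` branch could likewise state what is being tolerated, e.g. `# bindings missing: the flag keeps its False default`, so the empty handler does not read as an oversight.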
-- 
2.1.0

>From 41f158cd2b18ee7007e5b1d9ee2e1e02e37512c5 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 27 May 2015 15:06:15 +0200
Subject: [PATCH] idviews: Allow users specify the raw anchor directly as
 identifier

For various reasons, it can happen that the users or groups that
have overrides defined in a given ID view are no longer resolvable.

Since ID override objects are also addressed by user and group names,
which are translated to the respective user's or group's ipaUniqueID,
we need a fallback for the case where those user or group entries
no longer exist.

https://fedorahosted.org/freeipa/ticket/5026
---
 ipalib/plugins/idviews.py | 42 +++++++++++++++++++++++++++++++-----------
 1 file changed, 31 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index a7b1e0a78e57fcd2864d258c7968393c359499f2..2c843462a859ae397ab1ef8e183f21dc1ac796a6 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -17,6 +17,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+import re
 
 from ipalib.plugins.baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
                                      LDAPDelete, LDAPUpdate, LDAPSearch,
@@ -57,6 +58,12 @@ protected_default_trust_view_error = errors.ProtectedEntryError(
 
 DEFAULT_TRUST_VIEW_NAME = "default trust view"
 
+ANCHOR_REGEX = re.compile(
+    r':IPA:.*:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
+    r'|'
+    r':SID:S-[0-9\-]+'
+)
+
 @register()
 class idview(LDAPObject):
     """
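Review bot: ANCHOR_REGEX is anchored only at the start, because get_dn applies it with `re.match`, so any key that merely begins with `:SID:S-<digits>` or `:IPA:<anything>:<uuid>` is accepted as a raw anchor regardless of what follows, and the greedy `.*` in the IPA branch also swallows colons and other separators. Since the matched string is then placed into the DN unchanged, the pattern should describe exactly the two anchor shapes: `r'^(?::IPA:[^:]+:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}|:SID:S-[0-9\-]+)$'`. The trailing `$` also prevents a user or group name that happens to start like an anchor from silently skipping resolve_object_to_anchor.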
@@ -559,11 +566,19 @@ class baseidoverride(LDAPObject):
     override_object = None
 
     def get_dn(self, *keys, **options):
-        anchor = resolve_object_to_anchor(
-            self.backend,
-            self.override_object,
-            keys[-1]
-        )
+        # If user passed raw anchor, do not try
+        # to translate it.
+        if ANCHOR_REGEX.match(keys[-1]):
+            anchor = keys[-1]
+
+        # Otherwise, translate object into a
+        # legitimate object anchor.
+        else:
+            anchor = resolve_object_to_anchor(
+                self.backend,
+                self.override_object,
+                keys[-1]
+            )
 
         keys = keys[:-1] + (anchor, )
         return super(baseidoverride, self).get_dn(*keys, **options)
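Review bot: The raw-anchor branch of get_dn hands a user-supplied key straight into the DN without checking that the anchor belongs to an object of type `self.override_object`, whereas the resolve_object_to_anchor path presumably gets that check for free by looking the user or group up. If the base class's delete and modify operations act on the DN alone, an `idoverrideuser-*` command could then reach a group override (or vice versa) by giving its raw anchor; this is worth confirming, and if it holds, an `:IPA:` anchor whose uuid resolves to the wrong object type should be rejected. At minimum, the branch should carry a comment making the trade-off explicit, e.g. `# Raw anchors are used as-is; only their shape is validated, not their object type.` The enclosing class starts before this hunk.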
@@ -578,12 +593,17 @@ class baseidoverride(LDAPObject):
             anchor = entry_attrs.single_value['ipaanchoruuid']
 
             if anchor:
-                object_name = resolve_anchor_to_object_name(
-                    self.backend,
-                    self.override_object,
-                    anchor
-                )
-                entry_attrs.single_value['ipaanchoruuid'] = object_name
+                try:
+                    object_name = resolve_anchor_to_object_name(
+                        self.backend,
+                        self.override_object,
+                        anchor
+                    )
+                    entry_attrs.single_value['ipaanchoruuid'] = object_name
+                except errors.NotFound:
+                    # If we were unable to resolve the anchor,
+                    # keep it in the raw form
+                    pass
 
     def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
         # Check if parent object is Default Trust View, if so, prohibit
-- 
2.1.0

>From c4ad3ba829ab2816c6ddb64da8d5c6ceb8789340 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 27 May 2015 16:30:48 +0200
Subject: [PATCH] idviews: Remove ID overrides for permanently removed users
 and groups

For IPA users and groups we are able to trigger a removal of
any relevant ID overrides in user-del and group-del commands.

https://fedorahosted.org/freeipa/ticket/5026
---
 ipalib/plugins/group.py   |  5 +++++
 ipalib/plugins/idviews.py | 25 +++++++++++++++++++++++++
 ipalib/plugins/user.py    | 15 ++++++++++++---
 3 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 5d33ba217137f31e59a9e63cb69a442b138e156b..edecebb064f4fd07c251a2226357571ac07f90dc 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -22,6 +22,7 @@ from ipalib import api
 from ipalib import Int, Str
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
+from ipalib.plugins.idviews import remove_ipaobject_overrides
 from ipalib.plugins import baseldap
 from ipalib import _, ngettext
 if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -316,6 +317,10 @@ class group_del(LDAPDelete):
                 reason=_(u'privileged group'))
         if 'mepmanagedby' in group_attrs:
             raise errors.ManagedGroupError()
+
+        # Remove any ID overrides tied with this group
+        remove_ipaobject_overrides(ldap, self.obj.api, dn)
+
         return dn
 
     def post_callback(self, ldap, dn, *keys, **options):
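Review bot: remove_ipaobject_overrides is called from pre_callback, so the overrides are already gone if the DEL of the group itself fails afterwards (for example a permission error or an LDAP failure on that entry), leaving a group with no overrides instead of the unchanged state. If that matters here, read ipaUniqueID in pre_callback and delete the overrides in post_callback once the group DEL has succeeded; otherwise document the ordering where the call is made, e.g. `# Overrides are removed before the group itself; a failed group DEL leaves them deleted.` pre_callback begins before this hunk.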
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 2c843462a859ae397ab1ef8e183f21dc1ac796a6..9f58c8327c0bfc1e6ec50a33a6607d79655416bf 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -537,6 +537,31 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
                % dict(anchor=anchor))
 
 
+def remove_ipaobject_overrides(ldap, api, dn):
+    """
+    Removes all ID overrides for given object. This method is to be
+    consumed by -del commands of the given objects (users, groups).
+    """
+
+    entry = ldap.get_entry(dn, attrs_list=['ipaUniqueID'])
+    object_uuid = entry.single_value['ipaUniqueID']
+
+    override_filter = '(ipaanchoruuid=:IPA:{0}:{1})'.format(api.env.domain,
+                                                            object_uuid)
+    try:
+        entries, truncated = ldap.find_entries(
+            override_filter,
+            base_dn=DN(api.env.container_views, api.env.basedn),
+            paged_search=True
+        )
+    except errors.EmptyResult:
+        pass
+    else:
+        # In case we found something, delete it
+        for entry in entries:
+            ldap.delete_entry(entry)
+
+
 # This is not registered on purpose, it's a base class for ID overrides
 class baseidoverride(LDAPObject):
     """
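Review bot: On the `override_filter` line the filter is assembled by string formatting, and the `truncated` flag returned by find_entries is never inspected, so if the search hits a size or time limit some overrides silently survive the deletion of their user or group. The uuid is a server-generated ipaUniqueID, so injection is unlikely, but building the filter through the backend's escaping helper removes the need to rely on that, e.g. `override_filter = ldap.make_filter_from_attr('ipaanchoruuid', ':IPA:{0}:{1}'.format(api.env.domain, object_uuid))` if that helper is available on this backend. After the search, a partial cleanup should fail loudly rather than pass: `if truncated: raise errors.LimitsExceeded()` (or loop until the result is complete). Reusing `entry` as the loop variable also shadows the user/group entry fetched a few lines above; `override` would read more clearly.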
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 54d47bb01450ec462577e552315e3d680b7648c3..dc2ef08698dbe41b0312c186c37408b1b1d84569 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -31,6 +31,7 @@ from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \
     status_baseuser_output_params, baseuser_pwdchars, \
     validate_nsaccountlock, radius_dn2pk, convert_nsaccountlock, split_principal, validate_principal, \
     normalize_principal, fix_addressbook_permission_bindrule
+from ipalib.plugins.idviews import remove_ipaobject_overrides
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import *
 from ipalib.plugins import baseldap
@@ -591,9 +592,17 @@ class user_del(baseuser_del):
 
         dn = self.obj.get_dn(*keys, **options)
 
-        if options['permanently'] or dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
-            # We are going to permanent delete or the user is already in the delete container.
-            # So we issue a true DEL on that entry
+        # We are going to permanent delete or the user is already in the delete container.
+        delete_container = DN(self.obj.delete_container_dn, api.env.basedn)
+        user_from_delete_container = dn.endswith(delete_container)
+
+        if options['permanently'] or user_from_delete_container:
+            self.log.info("Going to remove overrides")
+            # Remove any ID overrides tied with this user
+            remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+            self.log.info("removed overrides")
+
+            # Issue a true DEL on that entry
             return super(user_del, self).execute(*keys, **options)
 
         # The user to delete is active and there is no 'permanently' option
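Review bot: The two `self.log.info(...)` calls wrapped around remove_ipaobject_overrides look like leftover debugging output: they fire at info level on every permanent deletion and carry no identifying detail, so either drop them or make them useful at debug level, e.g. `self.log.debug("Removing ID overrides for %s", dn)`. As in group_del, the overrides are deleted before the actual DEL issued by `super(user_del, self).execute`, so a failure of that DEL leaves the user without its overrides; either delete them only after the entry is gone or state the ordering in the comment. The enclosing execute method both starts and ends outside this hunk.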
-- 
2.1.0
