On Thu, 13 Aug 2015, Fraser Tweedale wrote:
On Thu, Aug 13, 2015 at 09:53:35AM +0300, Alexander Bokovoy wrote:
On Thu, 13 Aug 2015, Fraser Tweedale wrote:
>The attached patch fixes
>https://fedorahosted.org/freeipa/ticket/5198
>
>Thanks,
>Fraser

>From 0dd316bf0cbab7b6701bd69f142e82b30bee25b8 Mon Sep 17 00:00:00 2001
>From: Fraser Tweedale <ftwee...@redhat.com>
>Date: Thu, 13 Aug 2015 02:32:54 -0400
>Subject: [PATCH] Prohibit deletion of included profiles
>
>Deletion of included profiles, including the default profile, should
>not be allowed.  Detect this case and raise an error.
>
>Also update the included profiles collection to use namedtuple,
>making it easier to access the various components.
>
>Fixes: https://fedorahosted.org/freeipa/ticket/5198
>---
>ipalib/plugins/certprofile.py | 13 +++++++++++--
>ipapython/dogtag.py           |  8 +++++---
>2 files changed, 16 insertions(+), 5 deletions(-)
>
>diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
>index 
1dd4f403ee4461b83c053eb36019a8896506bb81..03bdd28728dc864adcd7305ddbff34a23405e78f 
100644
>--- a/ipalib/plugins/certprofile.py
>+++ b/ipalib/plugins/certprofile.py
>@@ -3,6 +3,7 @@
>#
>
>import re
>+from operator import attrgetter
>
>from ipalib import api, Bool, File, Str
>from ipalib import output, util
>@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
>from ipalib.request import context
>from ipalib import ngettext
>from ipalib.text import _
>+from ipapython.dogtag import INCLUDED_PROFILES
>from ipapython.version import API_VERSION
>
>from ipalib import errors
>@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
>    __doc__ = _("Delete a Certificate Profile.")
>    msg_summary = _('Deleted profile "%(value)s"')
>
>-    def execute(self, *args, **kwargs):
>+    def pre_callback(self, ldap, dn, *keys, **options):
>        ca_enabled_check()
>-        return super(certprofile_del, self).execute(*args, **kwargs)
>+
>+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
>+            raise errors.ValidationError(name='profile_id',
>+                error=_("Included profile '%(profile_id)s' cannot be deleted")
>+                    % {'profile_id': keys[0]}
>+            )
>+
>+        return dn
I think you also want to protect the included profiles from renaming.

This is already the case.
I'm also wondering about certprofile-mod changing the profile content
and changing the profileID in it to point to an existing profile. Would this
affect CA operation?

(ACK below for the current code).

And I would change 'Included profile ... cannot be deleted' to
'Predefined profile ... cannot be deleted'.

Fair enough; updated patch attached.

Cheers,
Fraser

From 4dd4e7c273a04e8b386c229959a99d6ec8e55c14 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 13 Aug 2015 02:32:54 -0400
Subject: [PATCH] Prohibit deletion of predefined profiles

Deletion of predefined profiles, including the default profile,
should not be allowed.  Detect this case and raise an error.

Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.

Fixes: https://fedorahosted.org/freeipa/ticket/5198
---
ipalib/plugins/certprofile.py | 13 +++++++++++--
ipapython/dogtag.py           |  8 +++++---
2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 
1dd4f403ee4461b83c053eb36019a8896506bb81..007cc543406b7e5705fd7474f3685cd6a9ce6aca
 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -3,6 +3,7 @@
#

import re
+from operator import attrgetter

from ipalib import api, Bool, File, Str
from ipalib import output, util
@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
from ipalib.request import context
from ipalib import ngettext
from ipalib.text import _
+from ipapython.dogtag import INCLUDED_PROFILES
from ipapython.version import API_VERSION

from ipalib import errors
@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
    __doc__ = _("Delete a Certificate Profile.")
    msg_summary = _('Deleted profile "%(value)s"')

-    def execute(self, *args, **kwargs):
+    def pre_callback(self, ldap, dn, *keys, **options):
        ca_enabled_check()
-        return super(certprofile_del, self).execute(*args, **kwargs)
+
+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
+            raise errors.ValidationError(name='profile_id',
+                error=_("Predefined profile '%(profile_id)s' cannot be 
deleted")
+                    % {'profile_id': keys[0]}
+            )
+
+        return dn

    def post_callback(self, ldap, dn, *keys, **options):
        with self.api.Backend.ra_certprofile as profile_api:
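Review bot: The guard `if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):` covers the default profile only as long as `DEFAULT_PROFILE` (defined separately at the end of the `@@ -42,10 +43,11 @@` hunk in ipapython/dogtag.py) happens to be a member of `INCLUDED_PROFILES`; the commit message promises the default profile is protected, but nothing in the code ties the two constants together, so a later change to `DEFAULT_PROFILE` would silently make it deletable again. Either extend the import on the second hunk to `from ipapython.dogtag import INCLUDED_PROFILES, DEFAULT_PROFILE` and check it explicitly, `if keys[0] == DEFAULT_PROFILE or keys[0] in {p.profile_id for p in INCLUDED_PROFILES}:`, or state the invariant in a comment next to the constants. The set comprehension also reads more directly than `map(attrgetter(...))` and would make the new `operator` import in the first hunk unnecessary. pre_callback has no docstring; I would add `"""Refuse deletion of predefined profiles before the LDAP entry (and, in post_callback, the CA-side profile) is removed."""`, noting that post_callback's body continues outside the hunk.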
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 
99bdf066d64d626af05d93953117909c5fbfb693..fc4154719e31eb32e28587ea89fb04ead14d282e
 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,6 +17,7 @@
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

+import collections
import os
import httplib
import xml.dom.minidom
@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *
# the configured version.


+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 
'store_issued'])
+
INCLUDED_PROFILES = {
-    # ( profile_id    ,         description      ,      store_issued)
-    (u'caIPAserviceCert', u'Standard profile for network services', True),
-    (u'IECUserRoles', u'User profile that includes IECUserRoles extension from 
request', True),
+    Profile(u'caIPAserviceCert', u'Standard profile for network services', 
True),
+    Profile(u'IECUserRoles', u'User profile that includes IECUserRoles 
extension from request', True),
    }

DEFAULT_PROFILE = u'caIPAserviceCert'
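Review bot: `INCLUDED_PROFILES` now gates whether certprofile_del will remove a profile, but it remains a plain mutable set literal (`INCLUDED_PROFILES = {` … `}`), so any code that mutates it at runtime would widen or narrow that protection without any signal; wrapping it as `INCLUDED_PROFILES = frozenset({` … `})` keeps the module-level constant immutable and leaves the `in` test in certprofile_del unchanged. It would also help to record, in a comment above `DEFAULT_PROFILE`, that it must remain one of the `profile_id` values in `INCLUDED_PROFILES`, since the deletion guard relies on that membership rather than on `DEFAULT_PROFILE` itself.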
--
2.4.3

ACK.

--
/ Alexander Bokovoy
