On 08/20/2015 12:11 PM, Martin Babinsky wrote:
On 08/20/2015 11:41 AM, thierry bordaz wrote:
On 08/19/2015 06:28 PM, Martin Babinsky wrote:
On 08/19/2015 02:54 PM, Martin Babinsky wrote:
this patch prevents https://fedorahosted.org/freeipa/ticket/5234 from
happening.



Actually, we (myself, mbasti, jcholast) found out that `user-del
--preserve` could use some more usability improvements.

This quick patch should fix both
https://fedorahosted.org/freeipa/ticket/5234 and
https://fedorahosted.org/freeipa/ticket/5236 and make user
preservation operate on multiple arguments in a same way as plain
deletion.




Hi Martin,

The tests are ok and the fix looks good to me.

ACK

thanks
thierry

That's nice, but I have found some small nitpicks and will send an
updated version.

So self-NACK.

Attaching updated patch.

--
Martin^3 Babinsky
From 762f8b13748ad51213ed245bfe6915d302feaca8 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabi...@redhat.com>
Date: Wed, 19 Aug 2015 14:43:14 +0200
Subject: [PATCH 1/3] improve the usability of `ipa user-del --preserve`
 command

`ipa user-del` with `--preserve` option will now process multiple entries and
handle `--continue` option in a manner analogous to `ipa user-del` in normal
mode.

In addition, it is now no longer possible to permanently delete a user by
accidentally running `ipa user-del --preserve` twice.

https://fedorahosted.org/freeipa/ticket/5234
https://fedorahosted.org/freeipa/ticket/5236
---
 ipalib/plugins/user.py | 123 ++++++++++++++++++++++++++-----------------------
 1 file changed, 66 insertions(+), 57 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 1d6073b4240d963e2b047c20fe5b8be702ef3184..9f8dc993bb6225668aeb1cabafd20c6b98cdfd8c 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -593,6 +593,60 @@ class user_del(baseuser_del):
         ),
     )
 
+    def _preserve_user(self, pkey, delete_container, **options):
+        assert isinstance(delete_container, DN)
+
+        dn = self.obj.get_either_dn(pkey, **options)
+        delete_dn = DN(dn[0], delete_container)
+        ldap = self.obj.backend
+        self.log.debug("preserve move %s -> %s" % (dn, delete_dn))
+
+        if dn.endswith(delete_container):
+            raise errors.ExecutionError(
+                _('%s: user is already preserved' % pkey)
+            )
+        # Check that this value is a Active user
+        try:
+            original_entry_attrs = self._exc_wrapper(
+                pkey, options, ldap.get_entry)(dn, ['dn'])
+        except errors.NotFound:
+            self.obj.handle_not_found(pkey)
+
+        # start to move the entry to Delete container
+        self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn,
+                                                          del_old=True)
+
+        # Then clear the credential attributes
+        attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange',
+                          'krbPasswordExpiration', 'userPassword']
+
+        entry_attrs = self._exc_wrapper(pkey, options, ldap.get_entry)(
+            delete_dn, attrs_to_clear)
+
+        clearedCredential = False
+        for attr in attrs_to_clear:
+            if attr.lower() in entry_attrs:
+                del entry_attrs[attr]
+                clearedCredential = True
+        if clearedCredential:
+            self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
+
+        # Then restore some original entry attributes
+        attrs_to_restore = ['secretary', 'managedby', 'manager', 'ipauniqueid',
+                            'uidnumber', 'gidnumber', 'passwordHistory']
+
+        entry_attrs = self._exc_wrapper(
+            pkey, options, ldap.get_entry)(delete_dn, attrs_to_restore)
+
+        restoreAttr = False
+        for attr in attrs_to_restore:
+            if ((attr.lower() in original_entry_attrs) and
+                    not (attr.lower() in entry_attrs)):
+                restoreAttr = True
+                entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
+        if restoreAttr:
+            self._exc_wrapper(pkey, options, ldap.update_entry)(entry_attrs)
+
     def forward(self, *keys, **options):
         if self.api.env.context == 'cli':
             if options['no_preserve'] and options['preserve']:
@@ -633,68 +687,23 @@ class user_del(baseuser_del):
 
     def execute(self, *keys, **options):
 
-        dn = self.obj.get_either_dn(*keys, **options)
-
         # We are going to permanent delete or the user is already in the delete container.
         delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
-        user_from_delete_container = dn.endswith(delete_container)
-
-        if not options.get('preserve', True) or user_from_delete_container:
-            # Remove any ID overrides tied with this user
-            remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
-
-            # Issue a true DEL on that entry
-            return super(user_del, self).execute(*keys, **options)
 
         # The user to delete is active and there is no 'no_preserve' option
         if options.get('preserve', False):
-
-            ldap = self.obj.backend
-
-            # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
-            active_dn = self.obj.get_either_dn(*keys, **options)
-            superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
-            delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
-            self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
-
-            # Check that this value is a Active user
-            try:
-                original_entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(active_dn, ['dn'])
-            except errors.NotFound:
-                raise
-
-            # start to move the entry to Delete container
-            self._exc_wrapper(keys, options, ldap.move_entry)(active_dn, delete_dn, del_old=True)
-
-            # Then clear the credential attributes
-            attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange', 'krbPasswordExpiration', 'userPassword']
-            try:
-                entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_clear)
-            except errors.NotFound:
-                raise
-            clearedCredential = False
-            for attr in attrs_to_clear:
-                if attr.lower() in entry_attrs:
-                    del entry_attrs[attr]
-                    clearedCredential = True
-            if clearedCredential:
-                self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
-
-            # Then restore some original entry attributes
-            attrs_to_restore = [ 'secretary', 'managedby', 'manager', 'ipauniqueid', 'uidnumber', 'gidnumber', 'passwordHistory']
-            try:
-                entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_restore)
-            except errors.NotFound:
-                raise
-            restoreAttr = False
-            for attr in attrs_to_restore:
-                if (attr.lower() in original_entry_attrs) and not (attr.lower() in entry_attrs):
-                    restoreAttr = True
-                    entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
-            if restoreAttr:
-                self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
-
-            val = dict(result=dict(failed=[]), value=[keys[-1][0]])
+            failed = []
+            preserved = []
+            for pkey in keys[-1]:
+                try:
+                    self._preserve_user(pkey, delete_container, **options)
+                    preserved.append(pkey_to_value(pkey, options))
+                except:
+                    if not options.get('continue', False):
+                        raise
+                    failed.append(pkey_to_value(pkey, options))
+
+            val = dict(result=dict(failed=failed), value=preserved)
             return val
         else:
             return super(user_del, self).execute(*keys, **options)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to