On 10/13/2015 03:32 PM, Martin Babinsky wrote: > On 10/13/2015 12:21 PM, Tomas Babej wrote: >> Hi, >> >> this couple of patches fixes and improves the coverage for referential >> integrity of ID overrides. >> >> Note: Last test in the patch 374 is supposed to be failing (for now). >> >> https://fedorahosted.org/freeipa/ticket/5322 >> >> >> > > Hi Tomas, > > Patch 373: > > I still get errors in CLI/WebUI, see http://fpaste.org/278706/47425481/ > > It seems that there are some other places in idviews code (e.g. > idview-show post_callback) that emit unhandled ValidationErrors. > > Patch 374: ACK >
You're right, updated patch attached.
From 5efc3364a26bc9dd98ff6474b4d70a628d59b8c8 Mon Sep 17 00:00:00 2001
From: Tomas Babej <[email protected]>
Date: Mon, 12 Oct 2015 13:15:20 +0200
Subject: [PATCH] idoverride: Ignore ValidationErrors when converting the anchor

When converting the anchor to a human readable form, SID validation may fail, i.e. if the domain is no longer trusted. Ignore such cases and pass along the anchor in the raw format.

https://fedorahosted.org/freeipa/ticket/5322
---
 ipalib/plugins/idviews.py | 57 +++++++++++++++++++++++++++--------------------
 1 file changed, 33 insertions(+), 24 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index a910486cd0160571311924ce799800aa54868dcc..aeaf9d1f5da1d4a824458b877db88105aea8bb8c 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -197,16 +197,23 @@ class idview_show(LDAPRetrieve):
 scope=ldap.SCOPE_ONELEVEL, paged_search=True)
- entry_attrs[attr_name] = [
- resolve_anchor_to_object_name(
- ldap,
- obj_type,
- override.single_value['ipaanchoruuid']
- )
- for override in overrides
- ]
+ resolved_overrides = []
+ for override in overrides:
+ anchor = override.single_value['ipaanchoruuid']
+
+ try:
+ name = resolve_anchor_to_object_name(ldap, obj_type,
+ anchor)
+ resolved_overrides.append(name)
+
+ except (errors.NotFound, errors.ValidationError):
+ # Anchor could not be resolved, use raw
+ resolved_overrides.append(anchor)
+
+ entry_attrs[attr_name] = resolved_overrides
 except errors.NotFound:
+ # No overrides found, nothing to do
 pass
 def enumerate_hosts(self, dn, entry_attrs):
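Review bot: The new `except (errors.NotFound, errors.ValidationError)` branch in the override loop falls back to the raw anchor without leaving any trace, so an operator cannot tell from the output or the server log whether a name is shown raw because the object is gone or because its domain is no longer trusted. A debug-level message in that branch, e.g. `# TODO(review): log the unresolved anchor and the exception at debug level before appending the raw value`, would keep the fallback quiet for clients while making the cause visible to whoever runs the server. The enclosing post_callback starts before the hunk; the outer `except errors.NotFound` presumably guards the search whose `scope=ldap.SCOPE_ONELEVEL` argument is the first context line, and the new comment `# No overrides found, nothing to do` describes only that case.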
@@ -689,6 +696,11 @@ class baseidoverride(LDAPObject):
 # If we were unable to resolve the anchor,
 # keep it in the raw form
 pass
+ except errors.ValidationError:
+ # Same as above, ValidationError may be raised when SIDs
+ # are attempted to be converted, but the domain is no
+ # longer trusted
+ pass
 def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
 # Check if parent object is Default Trust View, if so, prohibit
@@ -773,12 +785,7 @@ class baseidoverride_find(LDAPSearch):
 def post_callback(self, ldap, entries, truncated, *args, **options):
 for entry in entries:
- try:
- self.obj.convert_anchor_to_human_readable_form(entry, **options)
- except errors.NotFound:
- # If the conversion to readle form went wrong, do not
- # abort the whole find command. Use non-converted entry.
- pass
+ self.obj.convert_anchor_to_human_readable_form(entry, **options)
 return truncated
@@ -788,12 +795,7 @@ class baseidoverride_show(LDAPRetrieve):
 takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,)
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
- try:
- self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
- except errors.NotFound:
- # If the conversion to readle form went wrong, do not
- # abort the whole show command. Use non-converted entry.
- pass
+ self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
 return dn
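Review bot: The added `except errors.ValidationError:` clause in convert_anchor_to_human_readable_form has the same body as the `except errors.NotFound:` clause directly above it, both ending in `pass`. The other hunks of this patch (idview_show at -197 and update_original_uid_reference at -874) catch the pair as a tuple, so `except (errors.NotFound, errors.ValidationError):` with one merged comment would be consistent with them and shorter. The enclosing method begins before the hunk, so the `try` it belongs to is not visible here.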
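Review bot: Dropping the `try`/`except errors.NotFound` around `self.obj.convert_anchor_to_human_readable_form(entry, **options)` in baseidoverride_find.post_callback makes the find command depend on the callee swallowing every resolution failure itself; the hunk at -788 does the same for baseidoverride_show.post_callback. That contract is now implicit, so convert_anchor_to_human_readable_form should state it in its docstring, e.g. `Never raises for anchors that cannot be resolved (NotFound, ValidationError); the raw anchor is kept in the entry instead.` Errors other than those two still abort the whole find or show, as they did before the patch.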
@@ -874,10 +876,17 @@ class idoverrideuser(baseidoverride):
 def update_original_uid_reference(self, entry_attrs):
 anchor = entry_attrs.single_value['ipaanchoruuid']
- original_uid = resolve_anchor_to_object_name(self.backend,
- self.override_object,
- anchor)
- entry_attrs['ipaOriginalUid'] = original_uid
+ try:
+ original_uid = resolve_anchor_to_object_name(self.backend,
+ self.override_object,
+ anchor)
+ entry_attrs['ipaOriginalUid'] = original_uid
+
+ except (errors.NotFound, errors.ValidationError):
+ # Anchor could not be resolved, this means we had to specify the
+ # object to manipulate using a raw anchor value already, hence
+ # we have no way to update the original_uid
+ pass
 @register()
-- 
2.1.0
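Review bot: In update_original_uid_reference the new `except (errors.NotFound, errors.ValidationError):` branch leaves entry_attrs untouched, so if the entry handed in already carries an `ipaOriginalUid` (as it may on a modify), a value resolved while the domain was still trusted appears to stay in place; whether that is intended is not visible from the hunk. The comment asserts that a raw anchor must already have been supplied, but the except branch only knows that resolution failed, so the wording could be tightened to `# Anchor could not be resolved (object gone or domain no longer trusted); leave ipaOriginalUid unchanged`. A debug log of the anchor and the exception here would also make such stale references easier to find when auditing overrides.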
