Details in the commit messages. Fixes: https://fedorahosted.org/freeipa/ticket/5389
Tomas
From 79c1fb33b736135a53e422794453ea7100d8cc61 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Fri, 23 Oct 2015 10:39:47 +0200 Subject: [PATCH] trusts: Make trust_show.get_dn raise properly formatted NotFound The trust_show command does not raise a properly formatted NotFound error if the trust is not found, only a generic EmptyResult error is raised. This patch makes the trust_show tell us what actually could not be found. https://fedorahosted.org/freeipa/ticket/5389 --- ipalib/plugins/trust.py | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 472f3534ecdbfaaee4db5c650cd8f77c511d9dcf..0715713a7db63e699dadbc3ff63c99381665e457 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -539,22 +539,38 @@ class trust(LDAPObject): error=_("invalid SID: %(value)s") % dict(value=value)) def get_dn(self, *keys, **kwargs): + trust_type = kwargs.get('trust_type') + sdn = [('cn', x) for x in keys] sdn.reverse() - trust_type = kwargs.get('trust_type') + if trust_type is None: ldap = self.backend - filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] }, - rules=ldap.MATCH_ALL) - filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL) - result = ldap.get_entries(DN(self.container_dn, self.env.basedn), - ldap.SCOPE_SUBTREE, filter, ['']) + trustfilter = ldap.make_filter({ + 'objectclass': ['ipaNTTrustedDomain'], + 'cn': [keys[-1]]}, + rules=ldap.MATCH_ALL + ) + + trustfilter = ldap.combine_filters( + (trustfilter, "ipaNTSecurityIdentifier=*"), + rules=ldap.MATCH_ALL + ) + + try: + result = ldap.get_entries( + DN(self.container_dn, self.env.basedn), + ldap.SCOPE_SUBTREE, trustfilter, [''] + ) + except errors.NotFound: + self.handle_not_found(keys[-1]) + if len(result) > 1: raise errors.OnlyOneValueAllowed(attr='trust domain') + return result[0].dn - dn=make_trust_dn(self.env, trust_type, DN(*sdn)) - return dn + return make_trust_dn(self.env, trust_type, DN(*sdn)) @register() class trust_add(LDAPCreate): -- 2.1.0
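Review bot: In the new `except errors.NotFound:` branch of `get_dn`, execution falls through to `len(result)` with `result` unbound unless `self.handle_not_found(keys[-1])` always raises, and that is not visible in this hunk. If the helper ever returned, a NameError would mask the intended NotFound. Making the flow explicit avoids this: move the `len(result) > 1` check and `return result[0].dn` into an `else:` clause of the `try`, or add a comment such as `# handle_not_found() raises NotFound; result is never read past this point`. `keys[-1]` is also indexed without checking that `keys` is non-empty, so a call with no keys would surface as an IndexError rather than a formatted error. The same applies to the resent version of this hunk at `@@ -534,22 +534,38 @@`.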
From 21e8433c9009dd7285dba6df302e779028aa0d41 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Fri, 23 Oct 2015 10:43:47 +0200 Subject: [PATCH] trustdomain: Perform validation of the trust domain first Makes sure that the first check that is performed when trustdomain-del command is run is that the actual trusted domain exists. This is done to prevent a subseqent error which might be misleading. https://fedorahosted.org/freeipa/ticket/5389 --- ipalib/plugins/trust.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 0715713a7db63e699dadbc3ff63c99381665e457..61846dc11e0decff2c45d599a803ca2e384364c9 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1494,13 +1494,18 @@ class trustdomain_del(LDAPDelete): # to always receive empty keys. We need to catch the case when root domain is being deleted for domain in keys[1]: + # Fetch the trust to verify that the entered domain is trusted + self.api.Command.trust_show(domain) + if keys[0].lower() == domain: raise errors.ValidationError(name='domain', - error=_("cannot delete root domain of the trust, use trust-del to delete the trust itself")) + error=_("cannot delete root domain of the trust, " + "use trust-del to delete the trust itself")) try: res = self.api.Command.trustdomain_enable(keys[0], domain) except errors.AlreadyActive: pass + result = super(trustdomain_del, self).execute(*keys, **options) result['value'] = pkey_to_value(keys[1], options) return result -- 2.1.0
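Review bot: The added `self.api.Command.trust_show(domain)` check sits inside the same loop that calls `trustdomain_enable`, so when several domains are passed and a later one fails the check, the earlier ones have already been enabled and the delete in `super(trustdomain_del, self).execute` never runs. Enabling a trusted domain is a state change, so validation is safer as a separate first pass, `for domain in keys[1]: self.api.Command.trust_show(domain)`, placed before the enable loop. Judging from `get_dn` in the companion patch, which searches the whole subtree by `cn`, `trust_show(domain)` seems to confirm only that some trust entry with that name exists, not that it belongs to the trust `keys[0]`. A comment stating that limit, or a lookup scoped to `keys[0]`, would make the guarantee clear. The enclosing method starts outside the hunk, and the resent hunk at `@@ -1489,13 +1489,18 @@` has the same shape.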
From fc7303365d6bc9d33eddd7daf64265826fa55a95 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Fri, 23 Oct 2015 10:39:47 +0200 Subject: [PATCH] trusts: Make trust_show.get_dn raise properly formatted NotFound The trust_show command does not raise a properly formatted NotFound error if the trust is not found, only a generic EmptyResult error is raised. This patch makes the trust_show tell us what actually could not be found. https://fedorahosted.org/freeipa/ticket/5389 --- ipalib/plugins/trust.py | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 4e4e0b16268df6936dcd96a8f5f85fcace6257c5..27b388bc1ba08921fb897a4e5ef9041ccc01bc2f 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
@@ -534,22 +534,38 @@ class trust(LDAPObject): error=_("invalid SID: %(value)s") % dict(value=value)) def get_dn(self, *keys, **kwargs): - sdn = map(lambda x: ('cn', x), keys) - sdn.reverse() trust_type = kwargs.get('trust_type') + + sdn = [('cn', x) for x in keys] + sdn.reverse() + if trust_type is None: ldap = self.backend - filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] }, - rules=ldap.MATCH_ALL) - filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL) - result = ldap.get_entries(DN(self.container_dn, self.env.basedn), - ldap.SCOPE_SUBTREE, filter, ['']) + trustfilter = ldap.make_filter({ + 'objectclass': ['ipaNTTrustedDomain'], + 'cn': [keys[-1]]}, + rules=ldap.MATCH_ALL + ) + + trustfilter = ldap.combine_filters( + (trustfilter, "ipaNTSecurityIdentifier=*"), + rules=ldap.MATCH_ALL + ) + + try: + result = ldap.get_entries( + DN(self.container_dn, self.env.basedn), + ldap.SCOPE_SUBTREE, trustfilter, [''] + ) + except errors.NotFound: + self.handle_not_found(keys[-1]) + if len(result) > 1: raise errors.OnlyOneValueAllowed(attr='trust domain') + return result[0].dn - dn=make_trust_dn(self.env, trust_type, DN(*sdn)) - return dn + return make_trust_dn(self.env, trust_type, DN(*sdn)) @register() class trust_add(LDAPCreate): -- 2.1.0
From 777721dee7a00d355e650bad03bcdcbeb4ac4a0b Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Fri, 23 Oct 2015 10:43:47 +0200 Subject: [PATCH] trustdomain: Perform validation of the trust domain first Makes sure that the first check that is performed when trustdomain-del command is run is that the actual trusted domain exists. This is done to prevent a subseqent error which might be misleading. https://fedorahosted.org/freeipa/ticket/5389 --- ipalib/plugins/trust.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 27b388bc1ba08921fb897a4e5ef9041ccc01bc2f..7cb7e654e9ae0e5587a57a2c03d70bed80e446d9 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1489,13 +1489,18 @@ class trustdomain_del(LDAPDelete): # to always receive empty keys. We need to catch the case when root domain is being deleted for domain in keys[1]: + # Fetch the trust to verify that the entered domain is trusted + self.api.Command.trust_show(domain) + if keys[0].lower() == domain: raise errors.ValidationError(name='domain', - error=_("cannot delete root domain of the trust, use trust-del to delete the trust itself")) + error=_("cannot delete root domain of the trust, " + "use trust-del to delete the trust itself")) try: res = self.api.Command.trustdomain_enable(keys[0], domain) except errors.AlreadyActive: pass + result = super(trustdomain_del, self).execute(*keys, **options) result['value'] = pkey_to_value(keys[1], options) return result -- 2.1.0