https://fedorahosted.org/freeipa/ticket/3376

Patch attached.
From 04429fc3a1f136b4391efa5822fef7f6b52364c9 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Mon, 14 Mar 2016 17:42:56 +0100
Subject: [PATCH] Do not do extra search for ipasshpubkey to generate
 fingerprints

Host, user and idview commands do an unnecessary extra search for the
ipasshpubkey attribute to generate fingerprints.

Note: Host and user plugins show ipasshpubkey only when the attribute
is changed, idviews show ipasshpubkey always. This behavior has been
kept by this commit.

https://fedorahosted.org/freeipa/ticket/3376
---
 ipalib/plugins/baseuser.py | 16 ++++++++++------
 ipalib/plugins/host.py     | 18 ++++++++++++------
 ipalib/plugins/idviews.py  |  8 ++++----
 ipalib/util.py             | 23 +++++++++++++++++------
 4 files changed, 43 insertions(+), 22 deletions(-)

diff --git a/ipalib/plugins/baseuser.py b/ipalib/plugins/baseuser.py
index 9c78a521dcb9a7a7db0be695468c85735d80620c..7b4844573affcfa6c7178edf571cbed77f681920 100644
--- a/ipalib/plugins/baseuser.py
+++ b/ipalib/plugins/baseuser.py
@@ -33,7 +33,7 @@ from ipalib import _
 from ipapython.ipautil import ipa_generate_password
 from ipapython.ipavalidate import Email
 from ipalib.util import (normalize_sshpubkey, validate_sshpubkey,
-    convert_sshpubkey_post)
+    convert_sshpubkey_post, remove_sshpubkey_from_output_post)
 
 if six.PY3:
     unicode = str
@@ -186,7 +186,7 @@ class baseuser(LDAPObject):
         'telephonenumber', 'title', 'memberof', 'nsaccountlock',
         'memberofindirect', 'ipauserauthtype', 'userclass',
         'ipatokenradiusconfiglink', 'ipatokenradiususername',
-        'krbprincipalexpiration', 'usercertificate;binary',
+        'krbprincipalexpiration', 'usercertificate;binary', 'ipasshpubkey',
     ]
     search_display_attributes = [
         'uid', 'givenname', 'sn', 'homedirectory', 'loginshell',
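Review bot: With `'ipasshpubkey'` added to this attribute list, the raw key is now read for every baseuser entry and is hidden only where a post-callback calls `remove_sshpubkey_from_output_post`. This patch covers baseuser_add, baseuser_mod, baseuser_find and baseuser_show; any other command or subclass that returns these entries with the same attribute list and does its own post-processing (none is visible in this diff) would start printing the full key. It is worth checking those callers, and a comment on the new entry would help, for example `# fetched for fingerprint generation; stripped from output by remove_sshpubkey_from_output_post`. The list itself starts outside the hunk.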
@@ -498,7 +498,8 @@ class baseuser_add(LDAPCreate):
         assert isinstance(dn, DN)
         self.obj.convert_usercertificate_post(entry_attrs, **options)
         self.obj.get_password_attributes(ldap, dn, entry_attrs)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
         radius_dn2pk(self.api, entry_attrs)
 
 class baseuser_del(LDAPDelete):
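Review bot: The two calls `convert_sshpubkey_post(entry_attrs)` and `remove_sshpubkey_from_output_post(entry_attrs, **options)` must run in exactly this order, because the second pops the attribute the first reads. The pair is repeated in baseuser_mod, baseuser_find and baseuser_show below and in four callbacks in host.py. A single helper in ipalib/util.py that performs both steps would keep the order in one place and make it harder for a new callback to omit the strip. The enclosing post_callback starts outside the hunk.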
@@ -589,7 +590,8 @@ class baseuser_mod(LDAPUpdate):
         convert_nsaccountlock(entry_attrs)
         self.obj.get_password_attributes(ldap, dn, entry_attrs)
         self.obj.convert_usercertificate_post(entry_attrs, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
         radius_dn2pk(self.api, entry_attrs)
 
 class baseuser_find(LDAPSearch):
@@ -623,7 +625,8 @@ class baseuser_find(LDAPSearch):
                 attrs['nsaccountlock'] = True
             else:
                 convert_nsaccountlock(attrs)
-            convert_sshpubkey_post(ldap, attrs.dn, attrs)
+            convert_sshpubkey_post(attrs)
+            remove_sshpubkey_from_output_post(attrs, **options)
 
 class baseuser_show(LDAPRetrieve):
     """
@@ -633,7 +636,8 @@ class baseuser_show(LDAPRetrieve):
         assert isinstance(dn, DN)
         self.obj.get_password_attributes(ldap, dn, entry_attrs)
         self.obj.convert_usercertificate_post(entry_attrs, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
         radius_dn2pk(self.api, entry_attrs)
 
 
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 6ff751ca88187bb37ac64ca291234eed56e26e6f..7e174919c6a6d38a53f6e04c1624b85e08b9911d 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -43,7 +43,8 @@ from ipalib import x509
 from ipalib import output
 from ipalib.request import context
 from ipalib.util import (normalize_sshpubkey, validate_sshpubkey_no_options,
-    convert_sshpubkey_post, validate_hostname)
+    convert_sshpubkey_post, validate_hostname,
+    remove_sshpubkey_from_output_post)
 from ipapython.ipautil import ipa_generate_password, CheckedIPAddress
 from ipapython.dnsutil import DNSName
 from ipapython.ssh import SSHPublicKey
@@ -297,13 +298,14 @@ class host(LDAPObject):
     # object_class_config = 'ipahostobjectclasses'
     search_attributes = [
         'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
-        'nshardwareplatform', 'nsosversion', 'managedby',
+        'nshardwareplatform', 'nsosversion', 'managedby', 'ipasshpubkey',
     ]
     default_attributes = [
         'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname',
         'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof',
         'managedby', 'memberofindirect', 'macaddress',
         'userclass', 'ipaallowedtoperform', 'ipaassignedidview',
+        'ipasshpubkey',
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
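Review bot: The first added `'ipasshpubkey'` goes into `search_attributes`, not only into `default_attributes`, and the commit message does not mention that. If `search_attributes` is the list matched against the free-text criteria of host-find, as its name suggests, host-find would start matching on substrings of stored public keys. That changes results and adds an attribute to the search filter that may not be indexed for substring search. Fingerprint generation only needs the attribute to be fetched, so the `default_attributes` addition alone looks sufficient and the first list could stay as `'nshardwareplatform', 'nsosversion', 'managedby',`. The baseuser.py hunk adds the attribute to a single list only.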
@@ -710,7 +712,8 @@ class host_add(LDAPCreate):
             # fetched anywhere.
             entry_attrs['has_keytab'] = False
 
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
 
         return dn
 
@@ -936,7 +939,8 @@ class host_mod(LDAPUpdate):
 
         self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
         convert_ipaassignedidview_post(entry_attrs, options)
 
         return dn
@@ -1023,7 +1027,8 @@ class host_find(LDAPSearch):
             if options.get('all', False):
                 entry_attrs['managing'] = self.obj.get_managed_hosts(entry_attrs.dn)
 
-            convert_sshpubkey_post(ldap, entry_attrs.dn, entry_attrs)
+            convert_sshpubkey_post(entry_attrs)
+            remove_sshpubkey_from_output_post(entry_attrs, **options)
             convert_ipaassignedidview_post(entry_attrs, options)
 
         return truncated
@@ -1059,7 +1064,8 @@ class host_show(LDAPRetrieve):
 
         self.obj.suppress_netgroup_memberof(ldap, entry_attrs)
 
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
+        remove_sshpubkey_from_output_post(entry_attrs, **options)
         convert_ipaassignedidview_post(entry_attrs, options)
 
         return dn
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 6f8bdc7a8f5f50e82d77aa6696092ce6b43aeb9d..bfbec56457bc0122fbb223fe26f5cf09708bdd3e 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -954,7 +954,7 @@ class idoverrideuser_add(baseidoverride_add):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         dn = super(idoverrideuser_add, self).post_callback(ldap, dn,
                  entry_attrs, *keys, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
         return dn
 
 
@@ -990,7 +990,7 @@ class idoverrideuser_mod(baseidoverride_mod):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         dn = super(idoverrideuser_mod, self).post_callback(ldap, dn,
                  entry_attrs, *keys, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
         return dn
 
 
@@ -1004,7 +1004,7 @@ class idoverrideuser_find(baseidoverride_find):
         truncated = super(idoverrideuser_find, self).post_callback(
             ldap, entries, truncated, *args, **options)
         for entry in entries:
-            convert_sshpubkey_post(ldap, entry.dn, entry)
+            convert_sshpubkey_post(entry)
         return truncated
 
 
@@ -1015,7 +1015,7 @@ class idoverrideuser_show(baseidoverride_show):
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
         dn = super(idoverrideuser_show, self).post_callback(ldap, dn,
                  entry_attrs, *keys, **options)
-        convert_sshpubkey_post(ldap, dn, entry_attrs)
+        convert_sshpubkey_post(entry_attrs)
         return dn
 
 
diff --git a/ipalib/util.py b/ipalib/util.py
index 262acf926e73ba1521faa151154e2149875be4b7..e0d44057d865d810fb0eed8516a2214ab67f639e 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -290,12 +290,9 @@ def validate_sshpubkey_no_options(ugettext, value):
     if pubkey.has_options():
         return _('options are not allowed')
 
-def convert_sshpubkey_post(ldap, dn, entry_attrs):
-    if 'ipasshpubkey' in entry_attrs:
-        pubkeys = entry_attrs['ipasshpubkey']
-    else:
-        old_entry_attrs = ldap.get_entry(dn, ['ipasshpubkey'])
-        pubkeys = old_entry_attrs.get('ipasshpubkey')
+
+def convert_sshpubkey_post(entry_attrs):
+    pubkeys = entry_attrs.get('ipasshpubkey')
     if not pubkeys:
         return
 
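Review bot: `convert_sshpubkey_post` changes from `(ldap, dn, entry_attrs)` to `(entry_attrs)` with no compatibility shim, so any caller outside the files touched by this patch would fail with a TypeError; a grep over the plugins for remaining three-argument calls is worth doing before merge. With the fallback `ldap.get_entry` removed, the function also silently produces no `sshpubkeyfp` whenever the entry was fetched without `ipasshpubkey`, and idviews.py now relies on that with no attribute-list change visible in this diff. A docstring stating the precondition would help, e.g. `"""Add sshpubkeyfp to entry_attrs from its ipasshpubkey values; the caller must have fetched ipasshpubkey."""`. The function body continues outside the hunk.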
@@ -321,6 +318,20 @@ def convert_sshpubkey_post(ldap, dn, entry_attrs):
     if fingerprints:
         entry_attrs['sshpubkeyfp'] = fingerprints
 
+
+def remove_sshpubkey_from_output_post(entry_attrs, **options):
+    """
+    Attribute sshpubkey should be in output of commands only when it was added
+    or changed (*-add, *-mod operations with --sshpubkey option) or
+    option --all was used. Otherwise, only fingerprint of ssh pubkeys should
+    be sent to output
+    """
+    if options.get('all', False) or options.get('ipasshpubkey'):
+        return
+
+    entry_attrs.pop('ipasshpubkey', None)
+
+
 class cachedproperty(object):
     """
     A property-like attribute that caches the return value of a method call.
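Review bot: The guard `options.get('all', False) or options.get('ipasshpubkey')` keeps the key only when it arrives as the named option. A key changed through a generic attribute option (for example setattr/addattr, if those do not populate `options['ipasshpubkey']`) would therefore be stripped, although the docstring says changed keys are shown. The docstring also calls the attribute `sshpubkey` while the code pops `ipasshpubkey`, and it does not say that the function has to run after `convert_sshpubkey_post`. I would state both in the docstring, e.g. `Must be called after convert_sshpubkey_post(), which reads ipasshpubkey to build sshpubkeyfp.`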
-- 
2.5.0
