On 06/23/2016 04:38 PM, Petr Vobornik wrote:
On 06/23/2016 04:20 PM, Stanislav Laznicka wrote:
Hello,

attached are patches fixing the logic mentioned in
https://fedorahosted.org/freeipa/ticket/5967.


Whether the server supports the suffix can be verified in the validate_nodes call,
where the masters are already fetched.

Thank you for the suggestion, modified patch 50 attached.

From 75a307b618f8b0345c61d91182182ad78b5caa2f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Jun 2016 16:04:04 +0200
Subject: [PATCH 1/2] Raise exception on incorrect segment addition

This patch removes the ability to add a segment between hosts where
either host is not yet managed by the requested suffix.

https://fedorahosted.org/freeipa/ticket/5967
---
 ipaserver/plugins/topology.py | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index c1848f0cc699f84b40be3623e956780d65de8619..c5cf08efe3ee8215c5053e445ec23014ee2ef122 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -203,7 +203,7 @@ class topologysegment(LDAPObject):
         ),
     )
 
-    def validate_nodes(self, ldap, dn, entry_attrs):
+    def validate_nodes(self, ldap, dn, entry_attrs, suffix):
         leftnode = entry_attrs.get('iparepltoposegmentleftnode')
         rightnode = entry_attrs.get('iparepltoposegmentrightnode')
 
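Review bot: validate_nodes gains a required positional `suffix` parameter but still has no docstring, so a reader cannot tell what form `suffix` takes (the callers in the later hunks pass `keys[0]`, the topology suffix name) or that the method now raises ValidationError when a node is not managed by that suffix. Add a docstring such as `"""Check that both segment nodes are masters already managed by *suffix*; raise ValidationError otherwise."""`. Since any other existing caller of validate_nodes would now fail on the missing argument, consider whether `suffix` should be keyword-only or carry a default. The rest of the method body, including where `masters` is fetched, lies outside this hunk.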
@@ -245,6 +245,38 @@ class topologysegment(LDAPObject):
                 error=_('left node and right node must not be the same')
             )
 
+        # don't allow node not yet managed by a suffix to that suffix
+        left_master = None
+        right_master = None
+        for master in masters:
+            if left_master is None and master['cn'][0].lower() == leftnode:
+                left_master = master
+            elif right_master is None and master['cn'][0].lower() == rightnode:
+                right_master = master
+            elif left_master is not None and right_master is not None:
+                break
+
+        left_suffix = left_master.get(
+            'iparepltopomanagedsuffix_topologysuffix', False)
+        right_suffix = right_master.get(
+            'iparepltopomanagedsuffix_topologysuffix', False)
+
+        if suffix not in left_suffix:
+            raise errors.ValidationError(
+                name='leftnode',
+                error=_("left node ({host}) does not yet belong to "
+                        "the suffix '{suff}'"
+                        .format(host=leftnode, suff=suffix))
+            )
+
+        if suffix not in right_suffix:
+            raise errors.ValidationError(
+                name='rightnode',
+                error=_("right node ({host}) does not yet belong to "
+                        "the suffix '{suff}'"
+                        .format(host=rightnode, suff=suffix))
+            )
+
 
 @register()
 class topologysegment_find(LDAPSearch):
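Review bot: The `False` default in `left_master.get('iparepltopomanagedsuffix_topologysuffix', False)` and the matching `right_master.get(...)` is not a container, so a master with no managed-suffix attribute makes `suffix not in left_suffix` raise `TypeError` instead of the intended ValidationError; use an empty sequence, `left_master.get('iparepltopomanagedsuffix_topologysuffix', [])`, and likewise for `right_suffix`. The early exit `elif left_master is not None and right_master is not None: break` only triggers on the iteration after both masters were matched, and if either node is absent from `masters` the `.get` call fails with AttributeError on `None`; presumably the checks earlier in validate_nodes guarantee both nodes are masters, but a comment stating that assumption would help, e.g. `# both nodes were verified to be masters above, so neither lookup is None`. The beginning of validate_nodes, including where `masters` is fetched, is outside this hunk.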
@@ -265,7 +297,7 @@ class topologysegment_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         validate_domain_level(self.api)
-        self.obj.validate_nodes(ldap, dn, entry_attrs)
+        self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
         return dn
 
 
@@ -290,7 +322,7 @@ class topologysegment_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         validate_domain_level(self.api)
-        self.obj.validate_nodes(ldap, dn, entry_attrs)
+        self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
         return dn
 
 
-- 
2.5.5

