On 06/23/2016 05:30 PM, Stanislav Laznicka wrote:
> On 06/23/2016 04:38 PM, Petr Vobornik wrote:
>> On 06/23/2016 04:20 PM, Stanislav Laznicka wrote:
>>> Hello,
>>>
>>> attached are patches fixing the logic mentioned in
>>> https://fedorahosted.org/freeipa/ticket/5967.
>>>
>>>
>> If server supports the suffix can be verified in validate_nodes call
>> where masters are already fetched.
>>
> Thank you for the suggestion, modified patch 50 attached.
> 

Maybe it's just me, but the code is hard to read. Check the attached
version - speeding up review process.

I've also changed the first line of the commit message; it was too generic.

-- 
Petr Vobornik
From c89512b00f584337cb51be51a239d482661e64e5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Jun 2016 16:07:18 +0200
Subject: [PATCH] Fix topologysuffix-verify failing connections

topologysuffix-verify would have checked connectivity even between hosts that
are not managed by the given suffix.

https://fedorahosted.org/freeipa/ticket/5967
---
 ipaserver/plugins/topology.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index 216b5964e1063545b90564bbf6df316aef592fd4..6b65d16ed4ab4f67a4dbda144e3e2db84e209a93 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -498,6 +498,7 @@ Checks done:
 
         masters = self.api.Command.server_find(
             '', sizelimit=0, no_members=False)['result']
+        masters = _map_masters_to_suffixes(masters).get(keys[0], [])
         segments = self.api.Command.topologysegment_find(
             keys[0], sizelimit=0)['result']
         graph = create_topology_graph(masters, segments)
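Review bot: The added line narrows `masters` to the servers mapped to `keys[0]`, but `segments` is still fetched and passed to `create_topology_graph` unfiltered. A segment created before the new validation existed could name a host that is no longer in `masters`, so the graph builder may be handed an edge whose endpoint has no vertex. That depends on `create_topology_graph`, which is not visible here, so it is worth confirming and covering with a test. The `.get(keys[0], [])` default also presumably lets a suffix with no mapped servers verify as an empty topology without any error, and a comment such as `# only servers hosting this suffix take part in the check` would make the intent explicit. The enclosing method starts and ends outside the hunk.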
-- 
2.5.5

From 7d57f3479272c42b69c74066dc984a87a5a1fb8e Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Thu, 23 Jun 2016 16:04:04 +0200
Subject: [PATCH] topo segment-add: validate that both master supports target
 suffix

This patch removes the ability to add a segment between hosts where
either one does not support the requested suffix.

https://fedorahosted.org/freeipa/ticket/5967
---
 ipaserver/plugins/topology.py | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index c1848f0cc699f84b40be3623e956780d65de8619..216b5964e1063545b90564bbf6df316aef592fd4 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -14,7 +14,8 @@ from ipalib import _, ngettext
 from ipalib import output
 from ipalib.constants import DOMAIN_LEVEL_1
 from ipaserver.topology import (
-    create_topology_graph, get_topology_connection_errors)
+    create_topology_graph, get_topology_connection_errors,
+    _map_masters_to_suffixes)
 from ipapython.dn import DN
 
 if six.PY3:
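Review bot: `_map_masters_to_suffixes` is imported across a module boundary even though its leading underscore marks it as private to `ipaserver.topology`. The plugin now relies on it both for segment validation and for topologysuffix-verify. Consider exposing it under a public name in `ipaserver.topology` (for example `map_masters_to_suffixes`) and importing that, so a later refactor of the helper cannot silently change what the validation accepts.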
@@ -203,7 +204,7 @@ class topologysegment(LDAPObject):
         ),
     )
 
-    def validate_nodes(self, ldap, dn, entry_attrs):
+    def validate_nodes(self, ldap, dn, entry_attrs, suffix):
         leftnode = entry_attrs.get('iparepltoposegmentleftnode')
         rightnode = entry_attrs.get('iparepltoposegmentrightnode')
 
@@ -245,6 +246,27 @@ class topologysegment(LDAPObject):
                 error=_('left node and right node must not be the same')
             )
 
+        # don't allow segment between nodes where both don't have the suffix
+        masters_to_suffix = _map_masters_to_suffixes(masters)
+        suffix_masters = masters_to_suffix.get(suffix, [])
+        suffix_m_hostnames = [m['cn'][0].lower() for m in suffix_masters]
+
+        if leftnode not in suffix_m_hostnames:
+            raise errors.ValidationError(
+                name='leftnode',
+                error=_("left node ({host}) does not support "
+                        "suffix '{suff}'"
+                        .format(host=leftnode, suff=suffix))
+            )
+
+        if rightnode not in suffix_m_hostnames:
+            raise errors.ValidationError(
+                name='rightnode',
+                error=_("right node ({host}) does not support "
+                        "suffix '{suff}'"
+                        .format(host=rightnode, suff=suffix))
+            )
+
 
 @register()
 class topologysegment_find(LDAPSearch):
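Review bot: In both new `ValidationError` branches, `.format(host=..., suff=...)` is applied to the string literal inside the `_()` call, so the translation lookup receives the already formatted text and will not match the catalog entry. Move the closing parenthesis so the formatting is applied to the translated message, e.g. `error=_("left node ({host}) does not support suffix '{suff}'").format(host=leftnode, suff=suffix)`, assuming the lazy text object returned by `_` supports `format`. The same applies to the `rightnode` branch. The comment "where both don't have the suffix" is also ambiguous, because the code rejects the segment when either node lacks it; `# reject the segment unless both nodes host the suffix` would match the checks. `validate_nodes` starts outside this hunk, so how an unset `leftnode` or `rightnode` is handled on modify cannot be seen from here.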
@@ -265,7 +287,7 @@ class topologysegment_add(LDAPCreate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         validate_domain_level(self.api)
-        self.obj.validate_nodes(ldap, dn, entry_attrs)
+        self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
         return dn
 
 
@@ -290,7 +312,7 @@ class topologysegment_mod(LDAPUpdate):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
         validate_domain_level(self.api)
-        self.obj.validate_nodes(ldap, dn, entry_attrs)
+        self.obj.validate_nodes(ldap, dn, entry_attrs, keys[0])
         return dn
 
 
-- 
2.5.5
