Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals
On 07/27/2016 03:30 PM, David Kupka wrote: On 26/07/16 13:18, Martin Babinsky wrote: On 07/21/2016 12:56 PM, Martin Babinsky wrote: '*-add-principal' would crash with error if the trusted domains did not have any UPN suffixes or NETBIOS name associated with them. This patch fixes that. Big thanks to Milan who found and reported the issue during writing tests for the feature. https://fedorahosted.org/freeipa/ticket/6099 Bump for review. Works for me, ACK. Pushed to master: da2305ddb99ab982c757ab723acc95cda3d2f025 -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals
On 26/07/16 13:18, Martin Babinsky wrote: On 07/21/2016 12:56 PM, Martin Babinsky wrote: '*-add-principal' would crash with error if the trusted domains did not have any UPN suffixes or NETBIOS name associated with them. This patch fixes that. Big thanks to Milan who found and reported the issue during writing tests for the feature. https://fedorahosted.org/freeipa/ticket/6099 Bump for review. Works for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals
On 07/21/2016 12:56 PM, Martin Babinsky wrote: '*-add-principal' would crash with error if the trusted domains did not have any UPN suffixes or NETBIOS name associated with them. This patch fixes that. Big thanks to Milan who found and reported the issue during writing tests for the feature. https://fedorahosted.org/freeipa/ticket/6099 Bump for review. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals
'*-add-principal' would crash with error if the trusted domains did not have any UPN suffixes or NETBIOS name associated with them. This patch fixes that. Big thanks to Milan who found and reported the issue during writing tests for the feature. https://fedorahosted.org/freeipa/ticket/6099 -- Martin^3 Babinsky From bb1b54a1d7432af719c6051b79b9afdef8e87c96 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Wed, 20 Jul 2016 15:46:22 +0200 Subject: [PATCH] harden the check for trust namespace overlap in new principals This check must handle the possibility of optional attributes (ipantadditionalsuffixes and ipantflatname) missing in the trusted domain entry. https://fedorahosted.org/freeipa/ticket/6099 --- ipalib/util.py | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index 0cd5c091ec576e02e477f661bab981d12e01f1eb..805774006312e82c7acd4a46b8c9df2895a94ffe 100644 --- a/ipalib/util.py +++ b/ipalib/util.py @@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys): trust_suffix_namespace = set() for obj in trust_objects: -trust_suffix_namespace.update( -set(upn.lower() for upn in obj['ipantadditionalsuffixes'])) +nt_suffixes = obj.get('ipantadditionalsuffixes', []) trust_suffix_namespace.update( -set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower( +set(upn.lower() for upn in nt_suffixes)) + +if 'ipantflatname' in obj: +trust_suffix_namespace.add(obj['ipantflatname'][0].lower()) + +trust_suffix_namespace.add(obj['cn'][0].lower()) for principal in keys[-1]: realm = principal.realm -- 2.7.4 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code