Re: [Freeipa-devel] [PATCH] 0020 Allow removing sudo commands with special characters from command groups

2012-03-12 Thread Martin Kosek
On Tue, 2012-03-06 at 13:55 +0100, Petr Viktorin wrote:
 On 03/05/2012 04:10 PM, Petr Viktorin wrote:
  This patch fixes DN handling when removing LDAP entries from groups.
 
  Because they deal with commas and backslashes in a CSV param, the tests
  here rely on my patch 0015.
 
 
 
  ___
  Freeipa-devel mailing list
  Freeipa-devel@redhat.com
  https://www.redhat.com/mailman/listinfo/freeipa-devel
 
 Here is the same patch with CSV-stuff-dependent tests removed.
 

Thanks, this patch looks and works fine, so ACK.

Before we push it, can you please update the tests in this patch or even
better send an updated version of your patch 22 where RDN is changed to
ipaUniqueID? Otherwise, if we push both these patches, we would get test
failures with DN mismatches.

Martin



Re: [Freeipa-devel] [PATCH] 0020 Allow removing sudo commands with special characters from command groups

2012-03-12 Thread Martin Kosek
On Mon, 2012-03-12 at 14:05 +0100, Martin Kosek wrote:
 On Tue, 2012-03-06 at 13:55 +0100, Petr Viktorin wrote:
  On 03/05/2012 04:10 PM, Petr Viktorin wrote:
   This patch fixes DN handling when removing LDAP entries from groups.
  
   Because they deal with commas and backslashes in a CSV param, the tests
   here rely on my patch 0015.
  
  
  
  
  Here is the same patch with CSV-stuff-dependent tests removed.
  
 
 Thanks, this patch looks and works fine, so ACK.
 
 Before we push it, can you please update the tests in this patch or even
 better send an updated version of your patch 22 where RDN is changed to
 ipaUniqueID? Otherwise, if we push both these patches, we would get test
 failures with DN mismatches.
 
 Martin
 

Pushed to master, ipa-2-2.

Updated tests are being dealt with in the scope of patch 0022.

Martin



Re: [Freeipa-devel] [PATCH] 0020 Allow removing sudo commands with special characters from command groups

2012-03-06 Thread Petr Viktorin

On 03/05/2012 04:10 PM, Petr Viktorin wrote:

This patch fixes DN handling when removing LDAP entries from groups.

Because they deal with commas and backslashes in a CSV param, the tests
here rely on my patch 0015.





Here is the same patch with CSV-stuff-dependent tests removed.

--
Petr³
From bf0b44a682037b78e01e02329d7f6740b609406e Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Fri, 2 Mar 2012 12:42:27 -0500
Subject: [PATCH] Allow removing sudo commands with special characters from
 command groups

Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
---
 ipalib/plugins/baseldap.py|4 +-
 ipaserver/plugins/ldap2.py|6 +-
 tests/test_xmlrpc/test_sudocmdgroup_plugin.py |   72 +
 3 files changed, 77 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index c0f25479a1460cec9b46db7f10da837d07103887..cf5d8d20eb27a0342f064086e0ee9d85c78c5bae 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1583,8 +1583,8 @@ class LDAPRemoveMember(LDAPModMember):
 
 completed = 0
 for (attr, objs) in member_dns.iteritems():
-for ldap_obj_name in objs:
-for m_dn in member_dns[attr][ldap_obj_name]:
+for ldap_obj_name, m_dns in objs.iteritems():
+for m_dn in m_dns:
 if not m_dn:
 continue
 try:
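
Review bot: the rewrite of the inner loops to "for ldap_obj_name, m_dns in objs.iteritems():" is a cleanup that the commit message does not mention. It only speaks of comparing DNs with the DN class, which happens in ldap2.py. Please either add a line about this loop change to the commit message or split it into its own patch, so that the DN comparison fix can be reviewed and backported on its own.
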
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index ffe2fba8ad050064e49297e6e743ab13f9b4678d..dd5756735405d5a5a9c76d4fa0d82459007a2233 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1091,12 +1091,12 @@ class ldap2(CrudBackend, Encoder):
 (group_dn, group_entry_attrs) = self.get_entry(group_dn, [member_attr])
 
 # remove dn from group entry's `member_attr` attribute
-members = group_entry_attrs.get(member_attr, [])
+members = [DN(m) for m in group_entry_attrs.get(member_attr, [])]
 try:
-members.remove(dn.lower())
+members.remove(DN(dn))
 except ValueError:
 raise errors.NotGroupMember()
-group_entry_attrs[member_attr] = members
+group_entry_attrs[member_attr] = [str(m) for m in members]
 
 # update group entry
 self.update_entry(group_dn, group_entry_attrs)
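
Review bot: the write-back "group_entry_attrs[member_attr] = [str(m) for m in members]" re-serializes every remaining member, not only the one being removed, so values that were stored in a different serialization than str(DN(...)) produces get rewritten as a side effect of an unrelated removal. Consider keeping the original strings and dropping only the entry whose DN(m) equals DN(dn). Two smaller points in the same hunk: the list comprehension that builds members runs outside the try block, so if DN() rejects a stored value the caller gets that error instead of NotGroupMember, and the old dn.lower() is gone, so a test with a mixed-case DN would confirm that DN equality still covers what the lowercasing was there for.
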
diff --git a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
index 8a534b2bf9f8f73c6304555a2bef3c52a367e626..9f2bf3336be542d74d016976f98086b92310c37f 100644
--- a/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
+++ b/tests/test_xmlrpc/test_sudocmdgroup_plugin.py
@@ -28,12 +28,36 @@ from ipalib.dn import *
 sudocmdgroup1 = u'testsudocmdgroup1'
 sudocmdgroup2 = u'testsudocmdgroup2'
 sudocmd1 = u'/usr/bin/sudotestcmd1'
+sudocmd_plus = u'/bin/ls -l /lost+found/*'
+
+def create_command(sudocmd):
+return dict(
+desc='Create %r' % sudocmd,
+command=(
+'sudocmd_add', [], dict(sudocmd=sudocmd,
+description=u'Test sudo command')
+),
+expected=dict(
+value=sudocmd,
+summary=u'Added Sudo Command %s' % sudocmd,
+result=dict(
+objectclass=objectclasses.sudocmd,
+sudocmd=[sudocmd],
+ipauniqueid=[fuzzy_uuid],
+description=[u'Test sudo command'],
+dn=lambda x: DN(x) == \
+DN(('sudocmd',sudocmd),('cn','sudocmds'),('cn','sudo'),
+api.env.basedn),
+),
+),
+)
 
 class test_sudocmdgroup(Declarative):
 cleanup_commands = [
 ('sudocmdgroup_del', [sudocmdgroup1], {}),
 ('sudocmdgroup_del', [sudocmdgroup2], {}),
 ('sudocmd_del', [sudocmd1], {}),
+('sudocmd_del', [sudocmd_plus], {}),
 ]
 
 tests = [
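
Review bot: the expected "dn" lambda in create_command hard-codes ('sudocmd', sudocmd) as the first RDN, which ties this helper to the current DN layout of sudo commands; if the RDN is changed to ipaUniqueID as discussed in this thread, every test built with the helper fails with a DN mismatch. Matching the container part of the DN only, or taking the expected RDN as a parameter, would keep the helper usable. Also, sudocmd_plus exercises '+', '*' and spaces only; once the CSV dependency is resolved, the comma and backslash cases should come back, since those are the characters the commit message is about. A short docstring on create_command would help too.
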
@@ -473,6 +497,54 @@ class test_sudocmdgroup(Declarative):
 ),
 ),
 
+
+# test a command that needs DN escaping:
+create_command(sudocmd_plus),
+
+dict(
+desc='Add %r to %r' % (sudocmd_plus, sudocmdgroup1),
+command=('sudocmdgroup_add_member', [sudocmdgroup1],
+dict(sudocmd=sudocmd_plus)
+),
+expected=dict(
+completed=1,
+failed=dict(
+member=dict(
+sudocmd=tuple(),
+),
+),
+result={
+'dn':
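
The failure described in the commit message above, as an added example that is not part of the original post or of FreeIPA's code: the same DN can be serialized with different RFC 4514 escapes, so a string comparison misses a member that a comparison of parsed DNs finds. The parser, the function names and the sample DNs (dc=example,dc=com, the "\2B" versus "\+" spelling) are constructed for illustration; multi-valued RDNs are not handled and attribute values are compared case-sensitively.

```python
HEX = "0123456789abcdefABCDEF"

def split_unescaped(text, sep):
    """Split on sep, ignoring separators that follow a backslash."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: backslash + hex pair, or backslash + char."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "\\":
            out += value[i].encode("utf-8"); i += 1
        elif len(pair) == 2 and all(c in HEX for c in pair):
            out.append(int(pair, 16)); i += 3
        elif pair:
            out += pair[0].encode("utf-8"); i += 2
        else:
            raise ValueError("dangling backslash in %r" % value)
    return out.decode("utf-8")

def parse_dn(dn):
    """Return a tuple of (attribute, value) pairs; attribute names lowercased."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        attr, sep, value = rdn.lstrip().partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        rdns.append((attr.strip().lower(), unescape(value)))
    return tuple(rdns)

def remove_by_string(members, dn):
    """Old behaviour: compare serialized strings."""
    members = list(members)
    members.remove(dn.lower())          # ValueError when the escaping differs
    return members

def remove_by_dn(members, dn):
    """Compare parsed DNs; untouched members keep their stored spelling."""
    target = parse_dn(dn)
    kept = [m for m in members if parse_dn(m) != target]
    if len(kept) == len(members):
        raise ValueError("not a group member")
    return kept

# Constructed sample data: one command stored with a hex escape for '+'.
SUFFIX = ",cn=sudocmds,cn=sudo,dc=example,dc=com"
STORED = ["sudocmd=/bin/ls -l /lost\\2Bfound/*" + SUFFIX,
          "sudocmd=/usr/bin/sudotestcmd1" + SUFFIX]
REQUESTED = "sudocmd=/bin/ls -l /lost\\+found/*" + SUFFIX
```

remove_by_string(STORED, REQUESTED) raises ValueError, while remove_by_dn(STORED, REQUESTED) returns the list with only the second entry left.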