Hi,
the following two patches make sure that sshpubkeys work both with -mod and
-add commands of ipaoverrideuser objects. Also covers the use cases with unit
tests.
https://fedorahosted.org/freeipa/ticket/4868
TomasFrom ec60a1c2cd04a71725cf86c5926f749795cfe20a Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 26 Jan 2015 16:27:56 +0100
Subject: [PATCH] idviews: Make sure ssh public key can be set on
ipauseroverride-add
Clears up and generalizes ssh public key handling so that it
can be used in ipaoverrideuser-add as well as ipaoverrideuser-mod
commands.
Also properly deals with the situation when user removes the
ssh public key from the override, where original implementation
would leave stray objectclasses behind.
https://fedorahosted.org/freeipa/ticket/4868
---
ipalib/plugins/idviews.py | 57 +--
1 file changed, 50 insertions(+), 7 deletions(-)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index df6b80fee6239c97e2133885234408c2816b3774..887616dd044e2c79dfabcbbef5ce5cde7b0508c6 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -729,6 +729,51 @@ class idoverrideuser(baseidoverride):
anchor)
entry_attrs['ipaOriginalUid'] = original_uid
+def handle_sshpubkey_update(self, dn, ldap, entry_attrs, modify=False):
+
+Handles adding sshpubkey value on idoverrideuser-add or
+idoverrideuser-mod. Makes sure that 'ipasshuser' objectclass
+is added/removed.
+
+
+def get_objectclasses():
+
+Returns a list of objectclasses that will be saved in the entry
+after this modification. Modifing this list changes the actual
+list of objeclasses being assigned to the entry.
+
+
+# If objectclasses are not in entry_attrs, fetch them from LDAP
+# and inject them there
+if 'objectclass' not in entry_attrs and modify:
+fromldap = ldap.get_entry(dn, ['objectclass'])['objectclass']
+entry_attrs['objectclass'] = fromldap
+elif 'objectclass' not in entry_attrs:
+entry_attrs['objectclass'] = [c for c in self.object_class]
+
+return entry_attrs['objectclass']
+
+# Let's deal with this only if modification to ipasshpubkey attribute
+# is being performed
+if 'ipasshpubkey' not in entry_attrs:
+return
+
+classes = get_objectclasses()
+sshpubkey_removed = entry_attrs['ipasshpubkey'] is None
+
+if sshpubkey_removed:
+# If sshpubkey value is being removed, remove the ipasshuser class
+# and ipaSshGroupOfPubKeys (superclass of ipasshuser) class too
+if 'ipasshuser' in classes:
+del classes[classes.index('ipasshuser')]
+if 'ipaSshGroupOfPubKeys' in classes:
+del classes[classes.index('ipaSshGroupOfPubKeys')]
+else:
+# If sshpubkey value is being added, make sure ipasshuser class
+# is present too
+if 'ipasshuser' not in classes:
+classes.append('ipasshuser')
+
@register()
class idoverridegroup(baseidoverride):
@@ -788,6 +833,9 @@ class idoverrideuser_add(baseidoverride_add):
# Update the ipaOriginalUid
self.obj.update_original_uid_reference(entry_attrs)
+
+# Handle the objectclass changes related to sshpubkey
+self.obj.handle_sshpubkey_update(dn, ldap, entry_attrs)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -816,14 +864,9 @@ class idoverrideuser_mod(baseidoverride_mod):
# Update the ipaOriginalUid
self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
self.obj.update_original_uid_reference(entry_attrs)
-if 'objectclass' in entry_attrs:
-obj_classes = entry_attrs['objectclass']
-else:
-_entry_attrs = ldap.get_entry(dn, ['objectclass'])
-obj_classes = entry_attrs['objectclass'] = _entry_attrs['objectclass']
-if 'ipasshpubkey' in entry_attrs and 'ipasshuser' not in obj_classes:
-obj_classes.append('ipasshuser')
+# Handle the objectclass changes related to sshpubkey
+self.obj.handle_sshpubkey_update(dn, ldap, entry_attrs, modify=True)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
--
2.1.0
From 50766894a633b07fa90e68ce9bd5771b387521f0 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 26 Jan 2015 16:29:29 +0100
Subject: [PATCH] ipatests: Add coverage for adding and removing sshpubkeys in
ID overrides
Adds xmlrpc tests for:
- Adding a user ID override with sshpubkey
- Modifying a user ID override to contain sshpubkey
- Removing a sshpubkey value from a user ID override