Hi, Sending updated and rebased versions of patches 0024 and 0025.
Tomas
>From 6d4903a1c5e255929cdbc2222e2a67d79c6e44b1 Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Fri, 21 Dec 2012 05:34:37 -0500 Subject: [PATCH] Make options checks in idrange-add/mod consistent Both now enforce the following checks: - dom_sid and secondary_rid_base cannot be used together - rid_base must be used together if dom_rid is set - secondary_rid_base and rid_base must be used together if dom_rid is not set Unit test for third check has been added. http://fedorahosted.org/freeipa/ticket/3170 --- ipalib/plugins/idrange.py | 47 +++++++++++++++++++++++++--------- tests/test_xmlrpc/test_range_plugin.py | 46 ++++++++++++++++++++++++++++++++- 2 files changed, 80 insertions(+), 13 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 84e1057ac6b59b8ad99882a54e3288897338c978..911d5a2563e8264ad398830618e13abdab09d94c 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -353,11 +353,13 @@ class idrange_add(LDAPCreate): entry_attrs['objectclass'].append('ipatrustedaddomainrange') else: + # secondary base rid must be set if and only if base rid is set if is_set('ipasecondarybaserid') != is_set('ipabaserid'): raise errors.ValidationError(name='ID Range setup', error=_('Options secondary_rid_base and rid_base must ' 'be used together')) + # and they must not overlap if is_set('ipabaserid') and is_set('ipasecondarybaserid'): if self.obj.are_rid_ranges_overlapping( entry_attrs['ipabaserid'], 
@@ -434,24 +436,40 @@ class idrange_mod(LDAPUpdate): assert isinstance(dn, DN) attrs_list.append('objectclass') - is_set = lambda x: (x in entry_attrs) and (x is not None) - try: - (old_dn, old_attrs) = ldap.get_entry(dn, - ['ipabaseid', - 'ipaidrangesize', - 'ipabaserid', - 'ipasecondarybaserid']) + (old_dn, old_attrs) = ldap.get_entry(dn, ['*']) except errors.NotFound: self.obj.handle_not_found(*keys) - if is_set('ipanttrusteddomainsid'): - # Validate SID as the one of trusted domains - self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid']) + is_set = lambda x: (x in entry_attrs) and (x is not None) + in_updated_attrs = lambda x : any((x in attrs and x is not None) + for attrs in (entry_attrs, old_attrs)) + + if in_updated_attrs('ipanttrusteddomainsid'): + if in_updated_attrs('ipasecondarybaserid'): + raise errors.ValidationError(name='ID Range setup', + error=_('Options dom_sid and secondary_rid_base cannot ' + 'be used together')) + + if not in_updated_attrs('ipabaserid'): + raise errors.ValidationError(name='ID Range setup', + error=_('Options dom_sid and rid_base must ' + 'be used together')) + + if is_set('ipanttrusteddomainsid'): + # Validate SID as the one of trusted domains + # perform this check only if the attribute was changed + self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid']) + else: + # secondary base rid must be set if and only if base rid is set + if (in_updated_attrs('ipasecondarybaserid') != in_updated_attrs('ipabaserid')): + raise errors.ValidationError(name='ID Range setup', + error=_('Options secondary_rid_base and rid_base must ' + 'be used together')) # ensure that primary and secondary rid ranges do not overlap - if all((base in entry_attrs) or (base in old_attrs) - for base in ('ipabaserid', 'ipasecondarybaserid')): + if all(in_updated_attrs(base) + for base in ('ipabaserid', 'ipasecondarybaserid')): # make sure we are working with updated attributes rid_range_attributes = ('ipabaserid', 
'ipasecondarybaserid', 'ipaidrangesize') @@ -471,14 +489,19 @@ class idrange_mod(LDAPUpdate): error=_("Primary RID range and secondary RID range" " cannot overlap")) + # check whether ids are in modified range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) new_base_id = entry_attrs.get('ipabaseid') + if new_base_id is not None: new_base_id = int(new_base_id) + new_range_size = entry_attrs.get('ipaidrangesize') + if new_range_size is not None: new_range_size = int(new_range_size) + self.obj.check_ids_in_modified_range(old_base_id, old_range_size, new_base_id, new_range_size) diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index 2e00609a7829a836f924ac04ff34d040bcb2a544..c308dc6ad2da921659059f02dee91ef13938bae9 100644 --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -69,6 +69,11 @@ testrange7_size = 50 testrange7_base_rid = 600 testrange7_secondary_base_rid=649 +testrange8 = u'testrange8' +testrange8_base_id = 700 +testrange8_size = 50 +testrange8_base_rid = 700 + user1=u'tuser1' user1_uid = 900000 group1=u'group1' @@ -76,7 +81,7 @@ group1_gid = 900100 class test_range(Declarative): cleanup_commands = [ - ('idrange_del', [testrange1,testrange2,testrange3,testrange4,testrange5,testrange6,testrange7], {'continue': True}), + ('idrange_del', [testrange1,testrange2,testrange3,testrange4,testrange5,testrange6,testrange7, testrange8], {'continue': True}), ('user_del', [user1], {}), ('group_del', [group1], {}), ] 
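Review bot: In the idrange_mod hunk (`@@ -434,24 +436,40 @@`), both `is_set` and the new `in_updated_attrs` test `x is not None`, where `x` is the attribute name, so that half of the condition is always true and only key presence is checked. Because `in_updated_attrs` also ORs `entry_attrs` with `old_attrs`, an attribute that this modification removes still counts as set. Assuming a cleared option reaches the callback as a key whose value is `None` (not visible here), the dom_sid/rid_base and rid_base/secondary_rid_base checks can pass while the stored range ends up inconsistent, and `validate_trusted_domain_sid` can be called with `None`. Evaluating the effective value would close this: `is_set = lambda x: entry_attrs.get(x) is not None` and `in_updated_attrs = lambda x: (entry_attrs[x] if x in entry_attrs else old_attrs.get(x)) is not None`. The callback starts and ends outside the hunk.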
@@ -365,4 +370,43 @@ class test_range(Declarative): summary=u'Deleted ID range "%s"' % testrange2, ), ), + + dict( + desc='Create ID range %r' % (testrange8), + command=('idrange_add', [testrange8], + dict(ipabaseid=testrange8_base_id, + ipaidrangesize=testrange8_size)), + expected=dict( + result=dict( + dn=DN(('cn',testrange8),('cn','ranges'),('cn','etc'), + api.env.basedn), + cn=[testrange8], + objectclass=[u'ipaIDrange', u'ipadomainidrange'], + ipabaseid=[unicode(testrange8_base_id)], + ipaidrangesize=[unicode(testrange8_size)], + iparangetype=[u'local domain range'], + ), + value=testrange8, + summary=u'Added ID range "%s"' % (testrange8), + ), + ), + + dict( + desc='Try to modify ID range %r so it has only primary rid range set' % (testrange8), + command=('idrange_mod', [testrange8], + dict(ipabaserid=testrange8_base_rid)), + expected=errors.ValidationError( + name='ID Range setup', error='Options secondary_rid_base and rid_base must be used together'), + ), + + dict( + desc='Delete ID range %r' % testrange8, + command=('idrange_del', [testrange8], {}), + expected=dict( + result=dict(failed=u''), + value=testrange8, + summary=u'Deleted ID range "%s"' % testrange8, + ), + ), + ] -- 1.8.0.1
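Review bot: The added cases exercise only the third check (rid_base without secondary_rid_base on a local range); the two dom_sid checks that idrange_mod now enforces have no negative test, and neither does the case where an option is cleared rather than set. Both dom_sid errors are raised before `validate_trusted_domain_sid` is called in the idrange_mod hunk, so they appear testable without an established trust, for example by modifying testrange8 with only dom_sid and expecting `'Options dom_sid and rid_base must be used together'`. A short comment above the testrange8 constants would also help, such as `# testrange8: local range created without RID bases, used for idrange_mod option checks`.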
>From fbee80640c938212064775ec5bb63b3b3cb9c27e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Fri, 21 Dec 2012 05:43:25 -0500
Subject: [PATCH] Add trusted domain range objectclass when using idrange-mod

When modifing the idrange, one was able to add ipa NT trusted AD domain sid without objectclass ipatrustedaddomainrange being added. This patch fixes the issue.
---
 ipalib/plugins/idrange.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 911d5a2563e8264ad398830618e13abdab09d94c..1994900e52d108ea66bbab055662fdd4c61f5c42 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -460,6 +460,11 @@ class idrange_mod(LDAPUpdate):
 # Validate SID as the one of trusted domains
 # perform this check only if the attribute was changed
 self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
+
+ # Add trusted AD domain range object class, if it wasn't there
+ if not 'ipatrustedaddomainrange' in old_attrs['objectclass']:
+ entry_attrs['objectclass'].append('ipatrustedaddomainrange')
+
 else:
 # secondary base rid must be set if and only if base rid is set
 if (in_updated_attrs('ipasecondarybaserid') != in_updated_attrs('ipabaserid')):
-- 
1.8.0.1
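Review bot: `entry_attrs['objectclass'].append(...)` in the added block assumes the update already carries an `objectclass` list. If `entry_attrs` in this modify callback holds only the attributes being changed (the framework code is not visible here), the line raises `KeyError`, and a freshly created one-element list would replace the entry's existing object classes. Building the value from the stored entry avoids both: `entry_attrs['objectclass'] = old_attrs['objectclass'] + ['ipatrustedaddomainrange']`. The membership test is also case-sensitive, while the expected results in the previous patch's tests contain mixed-case values such as `ipaIDrange`, so comparing lowercased names would be safer, and `'ipatrustedaddomainrange' not in ...` is the usual spelling. No test accompanies this change; the enclosing callback starts and ends outside the hunk.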