Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals

2016-07-28 Thread Martin Babinsky

On 07/27/2016 03:30 PM, David Kupka wrote:

On 26/07/16 13:18, Martin Babinsky wrote:

On 07/21/2016 12:56 PM, Martin Babinsky wrote:

'*-add-principal' would crash with an error if the trusted domains did not
have any UPN suffixes or NETBIOS name associated with them. This patch
fixes that.

Big thanks to Milan who found and reported the issue while writing
tests for the feature.

https://fedorahosted.org/freeipa/ticket/6099




Bump for review.



Works for me, ACK.



Pushed to master: da2305ddb99ab982c757ab723acc95cda3d2f025

--
Martin^3 Babinsky

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals

2016-07-27 Thread David Kupka

On 26/07/16 13:18, Martin Babinsky wrote:

On 07/21/2016 12:56 PM, Martin Babinsky wrote:

'*-add-principal' would crash with an error if the trusted domains did not
have any UPN suffixes or NETBIOS name associated with them. This patch
fixes that.

Big thanks to Milan who found and reported the issue while writing
tests for the feature.

https://fedorahosted.org/freeipa/ticket/6099




Bump for review.



Works for me, ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals

2016-07-26 Thread Martin Babinsky

On 07/21/2016 12:56 PM, Martin Babinsky wrote:

'*-add-principal' would crash with an error if the trusted domains did not
have any UPN suffixes or NETBIOS name associated with them. This patch
fixes that.

Big thanks to Milan who found and reported the issue while writing
tests for the feature.

https://fedorahosted.org/freeipa/ticket/6099




Bump for review.

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH 0194] harden the check for trust namespace overlap in new principals

2016-07-21 Thread Martin Babinsky

'*-add-principal' would crash with an error if the trusted domains did not
have any UPN suffixes or NETBIOS name associated with them. This patch
fixes that.

Big thanks to Milan who found and reported the issue while writing
tests for the feature.


https://fedorahosted.org/freeipa/ticket/6099

--
Martin^3 Babinsky

From bb1b54a1d7432af719c6051b79b9afdef8e87c96 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 20 Jul 2016 15:46:22 +0200
Subject: [PATCH] harden the check for trust namespace overlap in new
 principals

This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.

https://fedorahosted.org/freeipa/ticket/6099
---
 ipalib/util.py | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index 0cd5c091ec576e02e477f661bab981d12e01f1eb..805774006312e82c7acd4a46b8c9df2895a94ffe 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
 trust_suffix_namespace = set()
 
 for obj in trust_objects:
-trust_suffix_namespace.update(
-set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+nt_suffixes = obj.get('ipantadditionalsuffixes', [])
 
 trust_suffix_namespace.update(
-set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower(
+set(upn.lower() for upn in nt_suffixes))
+
+if 'ipantflatname' in obj:
+trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
+
+trust_suffix_namespace.add(obj['cn'][0].lower())
 
 for principal in keys[-1]:
 realm = principal.realm
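
Review bot: the loop over trust_objects now tolerates entries without 'ipantadditionalsuffixes' or 'ipantflatname', but the diffstat touches only ipalib/util.py, so nothing in this patch exercises a trusted domain entry that lacks them. A regression test that calls check_principal_realm_in_trust_namespace() against such an entry, and confirms that a principal whose realm equals the trust's cn is still caught by the overlap check, would keep this from quietly breaking again. The two optional attributes are also guarded in two different styles (obj.get(..., []) for the suffixes, "if 'ipantflatname' in obj" for the flat name); picking one would read more clearly. set.update() accepts any iterable, so the set(...) wrapper around the generator over nt_suffixes can be dropped. obj['cn'][0] remains an unguarded lookup, which is fine only if every entry returned in trust_objects is guaranteed to carry cn; a short comment saying so would help the next reader.
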
-- 
2.7.4
