Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/19/2013 10:07 AM, Tomas Babej wrote: On 06/13/2013 12:17 PM, Ana Krivokapic wrote: On 06/12/2013 12:14 PM, Martin Kosek wrote: On 06/12/2013 11:40 AM, Tomas Babej wrote: On 06/12/2013 10:23 AM, Alexander Bokovoy wrote: On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. Fixed. I tested the patch and it works fine. There's a lot of refactoring done, but the changes preserve equal state. Aside from Alexander's comment up here, I have but one nitpick. There are few constructs of the form: try: value = dictionary['keyword'] except KeyError: value = None or if 'keyword' in dictionary: value = dictionary['keyword'] else: value = None Can you please substitute these with value = dictionary.get(keyword, None)? Not everywhere, but there are places where it can improve readability of the code. You can even use just value = dictionary.get(keyword) as None is the default return value: print {}.get(foo) Fixed. None Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK Tomas Pushed to master. -- PetrĀ³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/13/2013 12:17 PM, Ana Krivokapic wrote: On 06/12/2013 12:14 PM, Martin Kosek wrote: On 06/12/2013 11:40 AM, Tomas Babej wrote: On 06/12/2013 10:23 AM, Alexander Bokovoy wrote: On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. Fixed. I tested the patch and it works fine. There's a lot of refactoring done, but the changes preserve equal state. Aside from Alexander's comment up here, I have but one nitpick. There are few constructs of the form: try: value = dictionary['keyword'] except KeyError: value = None or if 'keyword' in dictionary: value = dictionary['keyword'] else: value = None Can you please substitute these with value = dictionary.get(keyword, None)? Not everywhere, but there are places where it can improve readability of the code. You can even use just value = dictionary.get(keyword) as None is the default return value: print {}.get(foo) Fixed. None Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Updated patch attached. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/12/2013 12:14 PM, Martin Kosek wrote: On 06/12/2013 11:40 AM, Tomas Babej wrote: On 06/12/2013 10:23 AM, Alexander Bokovoy wrote: On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. Fixed. I tested the patch and it works fine. There's a lot of refactoring done, but the changes preserve equal state. Aside from Alexander's comment up here, I have but one nitpick. There are few constructs of the form: try: value = dictionary['keyword'] except KeyError: value = None or if 'keyword' in dictionary: value = dictionary['keyword'] else: value = None Can you please substitute these with value = dictionary.get(keyword, None)? Not everywhere, but there are places where it can improve readability of the code. You can even use just value = dictionary.get(keyword) as None is the default return value: print {}.get(foo) Fixed. None Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Updated patch attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 370b91c93c3c93f63aa45069feece618375c406b Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 31 May 2013 12:01:23 +0200 Subject: [PATCH] Fail when adding a trust with a different range When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635 --- ipalib/plugins/trust.py | 215 +--- ipaserver/dcerpc.py | 15 +++- 2 files changed, 159 insertions(+), 71 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..5c9360b57982ef1284ec741d3ee6114345e2e7c2 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -155,6 +155,8 @@ autofill=True, ) +DEFAULT_RANGE_SIZE = 20 + def trust_type_string(level): Returns a string representing a type of the trust. The original field is an enum: @@ -287,7 +289,7 @@ class trust_add(LDAPCreate): Int('range_size?', cli_name='range_size', label=_('Size of the ID range reserved for the trusted domain'), -default=20, +default=DEFAULT_RANGE_SIZE, autofill=True ), ) @@ -296,20 +298,12 @@ class trust_add(LDAPCreate): has_output_params = LDAPCreate.has_output_params + trust_output_params def execute(self, *keys, **options): -if not _murmur_installed and 'base_id' not in options: -raise errors.ValidationError(name=_('missing base_id'), -error=_('pysss_murmur is not available on the server ' \ -'and no base-id is given.')) +full_join = self.validate_options(*keys, **options) +old_range, range_name, dom_sid = self.validate_range(*keys, **options) +result = self.execute_ad(full_join, *keys, **options) -if 'trust_type' in
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. -- / Alexander Bokovoy ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/12/2013 10:23 AM, Alexander Bokovoy wrote: On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. I tested the patch and it works fine. There's a lot of refactoring done, but the changes preserve equal state. Aside from Alexander's comment up here, I have but one nitpick. There are few constructs of the form: try: value = dictionary['keyword'] except KeyError: value = None or if 'keyword' in dictionary: value = dictionary['keyword'] else: value = None Can you please substitute these with value = dictionary.get(keyword, None)? Not everywhere, but there are places where it can improve readability of the code. All from me for now, Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/12/2013 11:40 AM, Tomas Babej wrote: On 06/12/2013 10:23 AM, Alexander Bokovoy wrote: On Mon, 10 Jun 2013, Ana Krivokapic wrote: And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. Looks good overall but I'd suggest to wrap populate_remote_domain() calls in join_ad_* methods instead of removing them. If remote domain is not initialized (i.e. not(isinstance(self.remote_domain,TrustedDomainInstance)), then call populate_remote_domain() as it was before. I tested the patch and it works fine. There's a lot of refactoring done, but the changes preserve equal state. Aside from Alexander's comment up here, I have but one nitpick. There are few constructs of the form: try: value = dictionary['keyword'] except KeyError: value = None or if 'keyword' in dictionary: value = dictionary['keyword'] else: value = None Can you please substitute these with value = dictionary.get(keyword, None)? Not everywhere, but there are places where it can improve readability of the code. You can even use just value = dictionary.get(keyword) as None is the default return value: print {}.get(foo) None Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/07/2013 05:49 PM, Ana Krivokapic wrote: On 06/07/2013 12:15 PM, Tomas Babej wrote: On 05/31/2013 12:08 PM, Ana Krivokapic wrote: Hello, This patch addresses tickethttps://fedorahosted.org/freeipa/ticket/3635. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi, the patch itself works as it should, I have only some refactoring comments: 1.) There already is a add_range method that is called from within trust_add's execute() and handles some range validation (currently only whether domain's SID of new and existing range are equal, my patch 67 add some more). Your patch introduces a new method validate_range() that is called from execute(), which leads to some duplication of the logic, mainly two same calls to the API (getting the info about the old range via idrange_show) I'd rather we keep all the validation in one place, preferably inside the add_range method or refactored out of it in the new method that is called only from add_range(). 2.) That being said, other parts of refactoring are nice and make code more clear, +1. Tomas My first instinct was to place this validation in the add_range() method. However, add_range() is called after the trust itself is added, and validation introduced by this patch needs to happen before the trust is added (we need to prevent the addition of trust in case the validation fails). As for the code duplication, you are right about that. I tried to minimize duplication - resulting updated patch attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. While this is a nice improvement from the code repetition point of view, the patch still has one flaw as I see it - the range validation happens at two separate places: Once here(already in the code): if old_range: old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]; if old_dom_sid == dom_sid: return raise errors.ValidationError(name=_('range exists'), error=_('ID range with the same name but different ' \ 'domain SID already exists. The ID range for ' \ 'the new trusted domain must be created manually.')) And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/10/2013 11:11 AM, Tomas Babej wrote: On 06/07/2013 05:49 PM, Ana Krivokapic wrote: On 06/07/2013 12:15 PM, Tomas Babej wrote: On 05/31/2013 12:08 PM, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3635. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi, the patch itself works as it should, I have only some refactoring comments: 1.) There already is a add_range method that is called from within trust_add's execute() and handles some range validation (currently only whether domain's SID of new and existing range are equal, my patch 67 add some more). Your patch introduces a new method validate_range() that is called from execute(), which leads to some duplication of the logic, mainly two same calls to the API (getting the info about the old range via idrange_show) I'd rather we keep all the validation in one place, preferably inside the add_range method or refactored out of it in the new method that is called only from add_range(). 2.) That being said, other parts of refactoring are nice and make code more clear, +1. Tomas My first instinct was to place this validation in the add_range() method. However, add_range() is called after the trust itself is added, and validation introduced by this patch needs to happen before the trust is added (we need to prevent the addition of trust in case the validation fails). As for the code duplication, you are right about that. I tried to minimize duplication - resulting updated patch attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. While this is a nice improvement from the code repetition point of view, the patch still has one flaw as I see it - the range validation happens at two separate places: Once here(already in the code): if old_range: old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0]; if old_dom_sid == dom_sid: return raise errors.ValidationError(name=_('range exists'), error=_('ID range with the same name but different ' \ 'domain SID already exists. The ID range for ' \ 'the new trusted domain must be created manually.')) And once here(added by your patch): +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' I'd suggest we have one common place, say validate_range() function as we have now, that contains all the checks (more coming in the future for sure). That would mean that the whole trust-add command will fail in the case that ID range with the same name but different domain SID already exists, since we now call validate_range() within execute() method. I checked with Alexander and we agreed that this is more desired behaviour. This would also result to reducement of the number of API calls, which is a nice benefit. Tomas This updated patch completely separates validation logic and object creation logic of the trust_add command. I added two new methods: * validate_range(), which ensures that the options and environment related to idrange is valid, and * validate_options, which takes care of other general validation One change introduced in this patch is making the __populate_remote_domain() method of TrustDomainJoins class public, and calling it from trust_add. This was necessary in order to enable discovering details of the trusted domain in validation phase. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From dd35e8749a83dde6508a58ae63ee0191e0b7bd40 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 31 May 2013 12:01:23 +0200 Subject: [PATCH] Fail when adding a trust with a different range When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635 --- ipalib/plugins/trust.py | 204 +--- ipaserver/dcerpc.py | 8 +- 2 files changed, 142 insertions(+), 70 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..89d77320798d6f1e109a2b2a18016f6902792bd9 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -155,6 +155,8 @@ autofill=True, ) +DEFAULT_RANGE_SIZE = 20 + def trust_type_string(level): Returns a string representing a type of the trust. The original field is an enum: @@ -287,7 +289,7 @@ class
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 05/31/2013 12:08 PM, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3635. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi, the patch itself works as it should, I have only some refactoring comments: 1.) There already is a add_range method that is called from within trust_add's execute() and handles some range validation (currently only whether domain's SID of new and existing range are equal, my patch 67 add some more). Your patch introduces a new method validate_range() that is called from execute(), which leads to some duplication of the logic, mainly two same calls to the API (getting the info about the old range via idrange_show) I'd rather we keep all the validation in one place, preferably inside the add_range method or refactored out of it in the new method that is called only from add_range(). 2.) That being said, other parts of refactoring are nice and make code more clear, +1. Tomas ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
On 06/07/2013 12:15 PM, Tomas Babej wrote: On 05/31/2013 12:08 PM, Ana Krivokapic wrote: Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3635. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel Hi, the patch itself works as it should, I have only some refactoring comments: 1.) There already is a add_range method that is called from within trust_add's execute() and handles some range validation (currently only whether domain's SID of new and existing range are equal, my patch 67 add some more). Your patch introduces a new method validate_range() that is called from execute(), which leads to some duplication of the logic, mainly two same calls to the API (getting the info about the old range via idrange_show) I'd rather we keep all the validation in one place, preferably inside the add_range method or refactored out of it in the new method that is called only from add_range(). 2.) That being said, other parts of refactoring are nice and make code more clear, +1. Tomas My first instinct was to place this validation in the add_range() method. However, add_range() is called after the trust itself is added, and validation introduced by this patch needs to happen before the trust is added (we need to prevent the addition of trust in case the validation fails). As for the code duplication, you are right about that. I tried to minimize duplication - resulting updated patch attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From bccca7cdfc94aeac27168baa1a4c0d32d312c2b2 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 31 May 2013 12:01:23 +0200 Subject: [PATCH] Fail when adding a trust with a different range When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635 --- ipalib/plugins/trust.py | 59 +++-- 1 file changed, 43 insertions(+), 16 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..9b5676820347044c469e98e2998170528a9fb05d 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -155,6 +155,8 @@ autofill=True, ) +DEFAULT_RANGE_SIZE = 20 + def trust_type_string(level): Returns a string representing a type of the trust. The original field is an enum: @@ -287,7 +289,7 @@ class trust_add(LDAPCreate): Int('range_size?', cli_name='range_size', label=_('Size of the ID range reserved for the trusted domain'), -default=20, +default=DEFAULT_RANGE_SIZE, autofill=True ), ) @@ -301,14 +303,26 @@ def execute(self, *keys, **options): error=_('pysss_murmur is not available on the server ' \ 'and no base-id is given.')) -if 'trust_type' in options: -if options['trust_type'] == u'ad': -result = self.execute_ad(*keys, **options) -else: -raise errors.ValidationError(name=_('trust type'), error=_('only ad is supported')) -else: +if 'trust_type' not in options: raise errors.RequirementError(name=_('trust type')) +if options['trust_type'] != u'ad': +raise errors.ValidationError( +name=_('trust type'), +error=_('only ad is supported') +) + +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' +) +) + +result = self.execute_ad(*keys, **options) self.add_range(*keys, **options) trust_filter = cn=%s % result['value'] @@ -325,19 +339,32 @@ def execute(self, *keys, **options): return result +def get_old_range(self, range_name): +try: +return api.Command['idrange_show'](range_name) +except errors.NotFound: +return None + +def validate_range(self, *keys, **options): + +If a range for this trusted domain already exists, +'--base-id' or '--range-size' options should not be specified. + +range_name = keys[-1].upper()+'_id_range' +range_exists = self.get_old_range(range_name) is not None +base_id = options.get('base_id') +range_size = options.get('range_size') !=
[Freeipa-devel] [PATCH] 0033 Fail when adding a trust with a different range
Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3635. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 80c5f958a326679c67fac16b13bcfdbd0532d17d Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 31 May 2013 12:01:23 +0200 Subject: [PATCH] Fail when adding a trust with a different range When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635 --- ipalib/plugins/trust.py | 48 1 file changed, 40 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 3cb0ed98005ae5bd11b39f8ae01c9470d1bfc9c4..cfa4f3fe2ab289f71ba692014d007ccbbc688100 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -155,6 +155,8 @@ autofill=True, ) +DEFAULT_RANGE_SIZE = 20 + def trust_type_string(level): Returns a string representing a type of the trust. The original field is an enum: @@ -287,7 +289,7 @@ class trust_add(LDAPCreate): Int('range_size?', cli_name='range_size', label=_('Size of the ID range reserved for the trusted domain'), -default=20, +default=DEFAULT_RANGE_SIZE, autofill=True ), ) @@ -301,14 +303,26 @@ def execute(self, *keys, **options): error=_('pysss_murmur is not available on the server ' \ 'and no base-id is given.')) -if 'trust_type' in options: -if options['trust_type'] == u'ad': -result = self.execute_ad(*keys, **options) -else: -raise errors.ValidationError(name=_('trust type'), error=_('only ad is supported')) -else: +if 'trust_type' not in options: raise errors.RequirementError(name=_('trust type')) +if options['trust_type'] != u'ad': +raise errors.ValidationError( +name=_('trust type'), +error=_('only ad is supported') +) + +if not self.validate_range(*keys, **options): +raise errors.ValidationError( +name=_('id range'), +error=_( +'An id range already exists for this trust. ' +'You should either delete the old range, or ' +'exclude --base-id/--range-size options from the command.' +) +) + +result = self.execute_ad(*keys, **options) self.add_range(*keys, **options) trust_filter = cn=%s % result['value'] @@ -325,6 +339,24 @@ def execute(self, *keys, **options): return result +def validate_range(self, *keys, **options): + +If a range for this trusted domain already exists, +'--base-id' or '--range-size' options should not be specified. + +range_name = keys[-1].upper()+'_id_range' + +range_exists = True +try: +api.Command['idrange_show'](range_name) +except errors.NotFound: +range_exists = False + +base_id = options.get('base_id') +range_size = options.get('range_size') != DEFAULT_RANGE_SIZE + +return not(range_exists and (base_id or range_size)) + def add_range(self, *keys, **options): new_obj = api.Command['trust_show'](keys[-1]) dom_sid = new_obj['result']['ipanttrusteddomainsid'][0]; @@ -350,7 +382,7 @@ def add_range(self, *keys, **options): if 'base_id' in options: base_id = options['base_id'] else: -base_id = 20 + (pysss_murmur.murmurhash3(dom_sid, len(dom_sid), 0xdeadbeef) % 1) * 20 +base_id = DEFAULT_RANGE_SIZE + (pysss_murmur.murmurhash3(dom_sid, len(dom_sid), 0xdeadbeef) % 1) * DEFAULT_RANGE_SIZE # Add new ID range api.Command['idrange_add'](range_name, -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel