Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation
On 07/23/2015 03:32 PM, Alexander Bokovoy wrote:
On Thu, 23 Jul 2015, Tomas Babej wrote:
+def get_trusted_domain_object_type(self, name_or_sid):
+
+Return the type of the object corresponding to the given
name in
+the trusted domain, which is either 'user', 'group' or 'both'.
+The 'both' types is used for users with magic private groups.
+
+
+object_type = None
+
+if is_sid_valid(name_or_sid):
+result = pysss_nss_idmap.getnamebysid(name_or_sid)
+else:
+result = pysss_nss_idmap.getsidbyname(name_or_sid)
+
+if name_or_sid in result:
+object_type =
result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
If user or group not found, pysss_nss_idmap.getsidbyname() will return
empty dict and the line above will fail:
import pysss_nss_idmap
pysss_nss_idmap.getsidbyname('some-name')
{}
It will return {}, however, that line is prefixed by the
+if name_or_sid in result:
condition, hence it won't get executed in this case.
Ok, and then you get conversion dict.get(None) - None which then
wouldn't match anything in the caller.
Sounds good. The rest was fine.
ACK.
Pushed to:
master: aa066f31a5341079197f7b5a79fe2fa1045688bb
ipa-4-2: a60f4ad7d0bbdaca2fbec2c9c491e976bf935f7e
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation
On Thu, 23 Jul 2015, Tomas Babej wrote:
Hi,
this patchset deals mainly with the ticket:
https://fedorahosted.org/freeipa/ticket/5029
Details in the commit messages.
Tomas
From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 22 Jul 2015 14:00:37 +0200
Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method
https://fedorahosted.org/freeipa/ticket/5029
---
ipaserver/dcerpc.py | 29 +
1 file changed, 29 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index
7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f
100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -107,6 +107,14 @@ dcerpc_error_messages = {
errors.RequirementError(name=_('At least the domain or IP address
should be specified')),
}
+pysss_type_key_translation_dict = {
+pysss_nss_idmap.ID_USER: 'user',
+pysss_nss_idmap.ID_GROUP: 'group',
+# Used for users with magic private groups
+pysss_nss_idmap.ID_BOTH: 'both',
+}
+
+
def assess_dcerpc_exception(num=None,message=None):
Takes error returned by Samba bindings and converts it into
@@ -368,6 +376,27 @@ class DomainValidator(object):
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for the
object'))
+def get_trusted_domain_object_type(self, name_or_sid):
+
+Return the type of the object corresponding to the given name in
+the trusted domain, which is either 'user', 'group' or 'both'.
+The 'both' types is used for users with magic private groups.
+
+
+object_type = None
+
+if is_sid_valid(name_or_sid):
+result = pysss_nss_idmap.getnamebysid(name_or_sid)
+else:
+result = pysss_nss_idmap.getsidbyname(name_or_sid)
+
+if name_or_sid in result:
+object_type = result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
If user or group not found, pysss_nss_idmap.getsidbyname() will return
empty dict and the line above will fail:
import pysss_nss_idmap
pysss_nss_idmap.getsidbyname('some-name')
{}
+
+# Do the translation to hide pysss_nss_idmap constants
+# from higher-level code
+return pysss_type_key_translation_dict.get(object_type)
+
def get_trusted_domain_object_from_sid(self, sid):
root_logger.debug(Converting SID to object name: %s % sid)
--
2.1.0
From b331e08905db1deb90e1188e62a51620c3f187b3 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 23 Jul 2015 12:36:53 +0200
Subject: [PATCH] idviews: Restrict anchor to name and name to anchor
conversions
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to it's SID.
https://fedorahosted.org/freeipa/ticket/5029
---
ipalib/plugins/idviews.py | 50 +++
1 file changed, 46 insertions(+), 4 deletions(-)
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index
48f646b812c424435233327e8fcfa363e17104f2..4d1aefef2cc8e8259d6b62315eb266c61f5cc5fb
100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -434,6 +434,36 @@ class idview_unapply(baseidview_apply):
# ID overrides helper methods
+def verify_trusted_domain_object_type(validator, desired_type, name_or_sid):
+
+object_type = validator.get_trusted_domain_object_type(name_or_sid)
+
+if object_type == desired_type:
+# In case SSSD returns the same type as the type being
+# searched, no problems here.
+return True
+
+elif desired_type == 'user' and object_type == 'both':
+# Type both denotes users with magic private groups.
+# Overriding attributes for such users is OK.
+return True
+
+elif desired_type == 'group' and object_type == 'both':
+# However, overriding attributes for magic private groups
+# does not make sense. One should override the GID of
+# the user itself.
+
+raise errors.ConversionError(
+name='identifier',
+error=_('You are trying to reference a magic private group '
+'which is not allowed to be overriden. '
+'Try overriding the GID attribute of the '
+'corresponding user instead.')
+)
+
+return False
+
+
def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap):
Resolves the user/group name to the anchor uuid:
@@ -484,9 +514,15 @@ def resolve_object_to_anchor(ldap, obj_type, obj,
fallback_to_ldap):
sid = domain_validator.get_trusted_domain_object_sid(obj,
fallback_to_ldap=fallback_to_ldap)
-
Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation
On Thu, 23 Jul 2015, Tomas Babej wrote:
+def get_trusted_domain_object_type(self, name_or_sid):
+
+Return the type of the object corresponding to the given name in
+the trusted domain, which is either 'user', 'group' or 'both'.
+The 'both' types is used for users with magic private groups.
+
+
+object_type = None
+
+if is_sid_valid(name_or_sid):
+result = pysss_nss_idmap.getnamebysid(name_or_sid)
+else:
+result = pysss_nss_idmap.getsidbyname(name_or_sid)
+
+if name_or_sid in result:
+object_type =
result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
If user or group not found, pysss_nss_idmap.getsidbyname() will return
empty dict and the line above will fail:
import pysss_nss_idmap
pysss_nss_idmap.getsidbyname('some-name')
{}
It will return {}, however, that line is prefixed by the
+if name_or_sid in result:
condition, hence it won't get executed in this case.
Ok, and then you get conversion dict.get(None) - None which then
wouldn't match anything in the caller.
Sounds good. The rest was fine.
ACK.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation
On 07/23/2015 03:08 PM, Alexander Bokovoy wrote:
On Thu, 23 Jul 2015, Tomas Babej wrote:
Hi,
this patchset deals mainly with the ticket:
https://fedorahosted.org/freeipa/ticket/5029
Details in the commit messages.
Tomas
From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 22 Jul 2015 14:00:37 +0200
Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method
https://fedorahosted.org/freeipa/ticket/5029
---
ipaserver/dcerpc.py | 29 +
1 file changed, 29 insertions(+)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index
7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f
100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -107,6 +107,14 @@ dcerpc_error_messages = {
errors.RequirementError(name=_('At least the domain or IP
address should be specified')),
}
+pysss_type_key_translation_dict = {
+pysss_nss_idmap.ID_USER: 'user',
+pysss_nss_idmap.ID_GROUP: 'group',
+# Used for users with magic private groups
+pysss_nss_idmap.ID_BOTH: 'both',
+}
+
+
def assess_dcerpc_exception(num=None,message=None):
Takes error returned by Samba bindings and converts it into
@@ -368,6 +376,27 @@ class DomainValidator(object):
raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for
the object'))
+def get_trusted_domain_object_type(self, name_or_sid):
+
+Return the type of the object corresponding to the given name in
+the trusted domain, which is either 'user', 'group' or 'both'.
+The 'both' types is used for users with magic private groups.
+
+
+object_type = None
+
+if is_sid_valid(name_or_sid):
+result = pysss_nss_idmap.getnamebysid(name_or_sid)
+else:
+result = pysss_nss_idmap.getsidbyname(name_or_sid)
+
+if name_or_sid in result:
+object_type =
result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
If user or group not found, pysss_nss_idmap.getsidbyname() will return
empty dict and the line above will fail:
import pysss_nss_idmap
pysss_nss_idmap.getsidbyname('some-name')
{}
It will return {}, however, that line is prefixed by the
+if name_or_sid in result:
condition, hence it won't get executed in this case.
I just ran a quick check and it seems to run as expected:
import ipaserver.dcerpc
validator = DomainValidator(api)
validator.get_trusted_domain_object_type('some-name')
Tomas
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
