subject:"\[Freeipa\-devel\] \[PATCH\] 0074 validate SID for trusted domain when adding\/modifying ID range"

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Martin Kosek

On 09/20/2012 02:31 PM, Alexander Bokovoy wrote:
> On Thu, 20 Sep 2012, Martin Kosek wrote:
>> On 09/20/2012 01:58 PM, Alexander Bokovoy wrote:
>>> On Thu, 20 Sep 2012, Petr Viktorin wrote:
 On 09/20/2012 12:12 PM, Martin Kosek wrote:
> On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:
>> Hi,
>>
>> On Thu, 20 Sep 2012, Martin Kosek wrote:
>>> On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
 Hi,

 This patch adds validation of SID for trusted domain when adding or
 modifying ID range for the domain. We only allow creating ranges for
 trusted domains when the trust is already established -- the default
 range is created automatically right after the trust is added.

 https://fedorahosted.org/freeipa/ticket/3087

>>>
>>> Basic functionality looks OK, but I saw few issues with exception
>>> formatting:
>>>
>>> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>>> index
>>> efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
>>>
>>>
>>>
>>> 100644
>>> --- a/ipalib/plugins/idrange.py
>>> +++ b/ipalib/plugins/idrange.py
>>> @@ -26,6 +26,12 @@ from ipapython import ipautil
>>> from ipalib import util
>>> from ipapython.dn import DN
>>>
>>> +if api.env.in_server and api.env.context in ['lite', 'server']:
>>> +try:
>>> +import ipaserver.dcerpc
>>> +_dcerpc_bindings_installed = True
>>> +except Exception, e:
>>> +_dcerpc_bindings_installed = False
>>>
>>>
>>> Variable "e" is not used, so it can be removed.
>> Then Exception, e should be omitted completely :)
>
> As per PEP8, "except Exception:" is preffered over bare "except:" as
> otherwise
> it would also catch SystemExit or KeyboardInterrupt.

 You should use the most specific exception you want to handle. In this case
 it's probably ImportError.
>>> New patch is attached.
>>>
>>
>> The patch looks OK, I would just also like to have the rest of the name=_('ID
>> Range setup') messages fixed so that we don't print confusing errors:
>>
>> $ git grep "ID Range setup" ipalib/
>> ipalib/plugins/idrange.py:raise
>> errors.ValidationError(name=_('ID Range setup'),
>> ipalib/plugins/idrange.py:raise
>> errors.ValidationError(name=_('ID Range setup'),
>> ipalib/plugins/idrange.py:raise
>> errors.ValidationError(name=_('ID Range setup'),
> Yep. Done.
> 
> 

ACK. Pushed to master, ipa-3-0.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Alexander Bokovoy


On Thu, 20 Sep 2012, Martin Kosek wrote:

On 09/20/2012 01:58 PM, Alexander Bokovoy wrote:

On Thu, 20 Sep 2012, Petr Viktorin wrote:

On 09/20/2012 12:12 PM, Martin Kosek wrote:

On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:

Hi,

On Thu, 20 Sep 2012, Martin Kosek wrote:

On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:

Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087



Basic functionality looks OK, but I saw few issues with exception formatting:

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b


100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN

+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False


Variable "e" is not used, so it can be removed.

Then Exception, e should be omitted completely :)


As per PEP8, "except Exception:" is preffered over bare "except:" as otherwise
it would also catch SystemExit or KeyboardInterrupt.


You should use the most specific exception you want to handle. In this case
it's probably ImportError.

New patch is attached.



The patch looks OK, I would just also like to have the rest of the name=_('ID
Range setup') messages fixed so that we don't print confusing errors:

$ git grep "ID Range setup" ipalib/
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),

Yep. Done.


--
/ Alexander Bokovoy
>From 86fef992edd0f6e7b5c818c774352067e90e02a3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 19 Sep 2012 19:09:22 +0300
Subject: [PATCH 1/4] validate SID for trusted domain when adding/modifying ID
 range

https://fedorahosted.org/freeipa/ticket/3087
---
 ipalib/plugins/idrange.py | 31 ---
 1 file changed, 28 insertions(+), 3 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 
ee50613bbaeb70aecf830ad480773a253f88a136..8f2d4efdc0463e7d81cd72fba7769e38dc0c638b
 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
 from ipalib import util
 from ipapython.dn import DN
 
+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except ImportError:
+_dcerpc_bindings_installed = False
 
 __doc__ = _("""
 ID ranges
@@ -249,6 +255,18 @@ class idrange(LDAPObject):
 error=_('range modification leaving objects with ID out '
 'of the defined range is not allowed'))
 
+def validate_trusted_domain_sid(self, sid):
+if not _dcerpc_bindings_installed:
+raise errors.NotFound(reason=_('Cannot perform SID validation 
without Samba 4 support installed. '
+ 'Make sure you have installed server-trust-ad 
sub-package of IPA on the server'))
+domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+if not domain_validator.is_configured():
+raise errors.NotFound(reason=_('Cross-realm trusts are not 
configured. '
+  'Make sure you have run ipa-adtrust-install on the 
IPA server first'))
+if not domain_validator.is_trusted_sid_valid(sid):
+raise errors.ValidationError(name='domain SID',
+  error=_('SID is not recognized as a valid SID for a trusted 
domain'))
+
 class idrange_add(LDAPCreate):
 __doc__ = _("""
 Add new ID range.
@@ -278,19 +296,22 @@ class idrange_add(LDAPCreate):
 
 if 'ipanttrusteddomainsid' in options:
 if 'ipasecondarybaserid' in options:
-raise errors.ValidationError(name=_('ID Range setup'),
+raise errors.ValidationError(name='ID Range setup',
 error=_('Options dom_sid and secondary_rid_base cannot ' \
 'be used together'))
 
 if 'ipabaserid' not in options:
-raise errors.ValidationError(name=_('ID Range setup'),
+raise errors.ValidationError(name='ID Range setup',
 error=_('Options dom_sid and rid_base must ' \
 'be used together'))
 
+# Validate SID

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Martin Kosek

On 09/20/2012 01:58 PM, Alexander Bokovoy wrote:
> On Thu, 20 Sep 2012, Petr Viktorin wrote:
>> On 09/20/2012 12:12 PM, Martin Kosek wrote:
>>> On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:
 Hi,

 On Thu, 20 Sep 2012, Martin Kosek wrote:
> On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
>> Hi,
>>
>> This patch adds validation of SID for trusted domain when adding or
>> modifying ID range for the domain. We only allow creating ranges for
>> trusted domains when the trust is already established -- the default
>> range is created automatically right after the trust is added.
>>
>> https://fedorahosted.org/freeipa/ticket/3087
>>
>
> Basic functionality looks OK, but I saw few issues with exception 
> formatting:
>
> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
> index
> efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
>
>
> 100644
> --- a/ipalib/plugins/idrange.py
> +++ b/ipalib/plugins/idrange.py
> @@ -26,6 +26,12 @@ from ipapython import ipautil
> from ipalib import util
> from ipapython.dn import DN
>
> +if api.env.in_server and api.env.context in ['lite', 'server']:
> +try:
> +import ipaserver.dcerpc
> +_dcerpc_bindings_installed = True
> +except Exception, e:
> +_dcerpc_bindings_installed = False
>
>
> Variable "e" is not used, so it can be removed.
 Then Exception, e should be omitted completely :)
>>>
>>> As per PEP8, "except Exception:" is preffered over bare "except:" as 
>>> otherwise
>>> it would also catch SystemExit or KeyboardInterrupt.
>>
>> You should use the most specific exception you want to handle. In this case
>> it's probably ImportError.
> New patch is attached.
> 

The patch looks OK, I would just also like to have the rest of the name=_('ID
Range setup') messages fixed so that we don't print confusing errors:

$ git grep "ID Range setup" ipalib/
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),
ipalib/plugins/idrange.py:raise
errors.ValidationError(name=_('ID Range setup'),

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Alexander Bokovoy


On Thu, 20 Sep 2012, Petr Viktorin wrote:

On 09/20/2012 12:12 PM, Martin Kosek wrote:

On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:

Hi,

On Thu, 20 Sep 2012, Martin Kosek wrote:

On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:

Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087



Basic functionality looks OK, but I saw few issues with exception formatting:

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b

100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN

+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False


Variable "e" is not used, so it can be removed.

Then Exception, e should be omitted completely :)


As per PEP8, "except Exception:" is preffered over bare "except:" as otherwise
it would also catch SystemExit or KeyboardInterrupt.


You should use the most specific exception you want to handle. In 
this case it's probably ImportError.

New patch is attached.

--
/ Alexander Bokovoy
>From 4ddcad0b54e18339581a7aec042f42bec5bc7b48 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 19 Sep 2012 19:09:22 +0300
Subject: [PATCH 1/4] validate SID for trusted domain when adding/modifying ID
 range

https://fedorahosted.org/freeipa/ticket/3087
---
 ipalib/plugins/idrange.py | 25 +
 1 file changed, 25 insertions(+)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 
ee50613bbaeb70aecf830ad480773a253f88a136..4ef3559aca0ef5314e44b727e97106866db94cda
 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
 from ipalib import util
 from ipapython.dn import DN
 
+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except ImportError:
+_dcerpc_bindings_installed = False
 
 __doc__ = _("""
 ID ranges
@@ -249,6 +255,18 @@ class idrange(LDAPObject):
 error=_('range modification leaving objects with ID out '
 'of the defined range is not allowed'))
 
+def validate_trusted_domain_sid(self, sid):
+if not _dcerpc_bindings_installed:
+raise errors.NotFound(reason=_('Cannot perform SID validation 
without Samba 4 support installed. '
+ 'Make sure you have installed server-trust-ad 
sub-package of IPA on the server'))
+domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+if not domain_validator.is_configured():
+raise errors.NotFound(reason=_('Cross-realm trusts are not 
configured. '
+  'Make sure you have run ipa-adtrust-install on the 
IPA server first'))
+if not domain_validator.is_trusted_sid_valid(sid):
+raise errors.ValidationError(name='domain SID',
+  error=_('SID is not recognized as a valid SID for a trusted 
domain'))
+
 class idrange_add(LDAPCreate):
 __doc__ = _("""
 Add new ID range.
@@ -287,6 +305,9 @@ class idrange_add(LDAPCreate):
 error=_('Options dom_sid and rid_base must ' \
 'be used together'))
 
+# Validate SID as the one of trusted domains
+
self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+# Finally, add trusted AD domain range object class
 entry_attrs['objectclass'].append('ipatrustedaddomainrange')
 else:
 if (('ipasecondarybaserid' in options) != ('ipabaserid' in 
options)):
@@ -366,6 +387,10 @@ class idrange_mod(LDAPUpdate):
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+if 'ipanttrusteddomainsid' in options:
+# Validate SID as the one of trusted domains
+
self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 new_base_id = entry_attrs.get('ipabaseid')
-- 
1.7.12

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Petr Viktorin


On 09/20/2012 12:12 PM, Martin Kosek wrote:

On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:

Hi,

On Thu, 20 Sep 2012, Martin Kosek wrote:

On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:

Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087



Basic functionality looks OK, but I saw few issues with exception formatting:

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b

100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN

+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False


Variable "e" is not used, so it can be removed.

Then Exception, e should be omitted completely :)


As per PEP8, "except Exception:" is preffered over bare "except:" as otherwise
it would also catch SystemExit or KeyboardInterrupt.


You should use the most specific exception you want to handle. In this 
case it's probably ImportError.







__doc__ = _("""
ID ranges
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are
used for users and
groups.
""")

+def validate_trusted_domain_sid(self, sid):

"self" is not needed in the list of attributes, this is not a class method.

I'm using self.api inside. While api is singleton and accessible
globally, I'd prefer passing it explicitly. So may be I'll change that
to 'api'.


Looks like to hack to me. I would either define this function as a method of
idrange class (as I did with handle_iparangetype) and then use self.api or use
"api" directly as a function parameter and not make assumptions what "self" may 
be.




+if not _dcerpc_bindings_installed:
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cannot perform SID validation without Samba 4
support installed.
+  Make sure you have installed server-trust-ad
sub-package of IPA on the server'''))

Improperly formatted exception:
1) NotFound error does not use "name" param, maybe you wanted to use
ValidationError?
2) The text will be improperly formatted - since you used '', the
indentation will be in text:

ipa: ERROR: Cannot perform SID validation without Samba 4 support installed.
  Make sure you have installed server-trust-ad
sub-package of IPA on the server

Will fix it.



Also, I know this was discussed before, but using gettext in a name attribute
of ValidationError will cause improperly formatted exception:

# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo
ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
Options dom_sid and rid_base must be used together

The problem is, that "name" param is printer as %r, thus you would need to
coerce it to unicode to make it better.

I'd rather fix our printing code and Gettext() usage to properly give
out the original string rather than swallow limitations we put on
ourselves. Wider use will be, more translations will be needed and names
will need to be translated as well.


ValidationError has this format: _('invalid %(name)r: %(error)s'). AFAIU, name
parameter was intended to contain only a name of attribute or option where the
validation failed, i.e. a non-translable string. So this was the reason why we
print it as "%r". This pattern is followed in the rest of the plugins.

In your case, I think using name="dom_sid" would be the preferred use of
ValidationError.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel




--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Martin Kosek

On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:
> Hi,
> 
> On Thu, 20 Sep 2012, Martin Kosek wrote:
>> On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
>>> Hi,
>>>
>>> This patch adds validation of SID for trusted domain when adding or
>>> modifying ID range for the domain. We only allow creating ranges for
>>> trusted domains when the trust is already established -- the default
>>> range is created automatically right after the trust is added.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3087
>>>
>>
>> Basic functionality looks OK, but I saw few issues with exception formatting:
>>
>> diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>> index
>> efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
>>
>> 100644
>> --- a/ipalib/plugins/idrange.py
>> +++ b/ipalib/plugins/idrange.py
>> @@ -26,6 +26,12 @@ from ipapython import ipautil
>> from ipalib import util
>> from ipapython.dn import DN
>>
>> +if api.env.in_server and api.env.context in ['lite', 'server']:
>> +try:
>> +import ipaserver.dcerpc
>> +_dcerpc_bindings_installed = True
>> +except Exception, e:
>> +_dcerpc_bindings_installed = False
>>
>>
>> Variable "e" is not used, so it can be removed.
> Then Exception, e should be omitted completely :)

As per PEP8, "except Exception:" is preffered over bare "except:" as otherwise
it would also catch SystemExit or KeyboardInterrupt.

> 
> 
>>
>> __doc__ = _("""
>> ID ranges
>> @@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are
>> used for users and
>> groups.
>> """)
>>
>> +def validate_trusted_domain_sid(self, sid):
>>
>> "self" is not needed in the list of attributes, this is not a class method.
> I'm using self.api inside. While api is singleton and accessible
> globally, I'd prefer passing it explicitly. So may be I'll change that
> to 'api'.

Looks like to hack to me. I would either define this function as a method of
idrange class (as I did with handle_iparangetype) and then use self.api or use
"api" directly as a function parameter and not make assumptions what "self" may 
be.

> 
>> +if not _dcerpc_bindings_installed:
>> +raise errors.NotFound(name=_('ID Range setup'),
>> +  reason=_('''Cannot perform SID validation without Samba 4
>> support installed.
>> +  Make sure you have installed server-trust-ad
>> sub-package of IPA on the server'''))
>>
>> Improperly formatted exception:
>> 1) NotFound error does not use "name" param, maybe you wanted to use
>> ValidationError?
>> 2) The text will be improperly formatted - since you used '', the
>> indentation will be in text:
>>
>> ipa: ERROR: Cannot perform SID validation without Samba 4 support installed.
>>  Make sure you have installed server-trust-ad
>> sub-package of IPA on the server
> Will fix it.
> 
>>
>> Also, I know this was discussed before, but using gettext in a name attribute
>> of ValidationError will cause improperly formatted exception:
>>
>> # ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo
>> ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
>> Options dom_sid and rid_base must be used together
>>
>> The problem is, that "name" param is printer as %r, thus you would need to
>> coerce it to unicode to make it better.
> I'd rather fix our printing code and Gettext() usage to properly give
> out the original string rather than swallow limitations we put on
> ourselves. Wider use will be, more translations will be needed and names
> will need to be translated as well.

ValidationError has this format: _('invalid %(name)r: %(error)s'). AFAIU, name
parameter was intended to contain only a name of attribute or option where the
validation failed, i.e. a non-translable string. So this was the reason why we
print it as "%r". This pattern is followed in the rest of the plugins.

In your case, I think using name="dom_sid" would be the preferred use of
ValidationError.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Alexander Bokovoy


Hi,

On Thu, 20 Sep 2012, Martin Kosek wrote:

On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:

Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087



Basic functionality looks OK, but I saw few issues with exception formatting:

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN

+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False


Variable "e" is not used, so it can be removed.

Then Exception, e should be omitted completely :)




__doc__ = _("""
ID ranges
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are
used for users and
groups.
""")

+def validate_trusted_domain_sid(self, sid):

"self" is not needed in the list of attributes, this is not a class method.

I'm using self.api inside. While api is singleton and accessible
globally, I'd prefer passing it explicitly. So may be I'll change that
to 'api'.


+if not _dcerpc_bindings_installed:
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cannot perform SID validation without Samba 4
support installed.
+  Make sure you have installed server-trust-ad
sub-package of IPA on the server'''))

Improperly formatted exception:
1) NotFound error does not use "name" param, maybe you wanted to use
ValidationError?
2) The text will be improperly formatted - since you used '', the
indentation will be in text:

ipa: ERROR: Cannot perform SID validation without Samba 4 support installed.
 Make sure you have installed server-trust-ad
sub-package of IPA on the server

Will fix it.



Also, I know this was discussed before, but using gettext in a name attribute
of ValidationError will cause improperly formatted exception:

# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo
ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
Options dom_sid and rid_base must be used together

The problem is, that "name" param is printer as %r, thus you would need to
coerce it to unicode to make it better.

I'd rather fix our printing code and Gettext() usage to properly give
out the original string rather than swallow limitations we put on
ourselves. Wider use will be, more translations will be needed and names
will need to be translated as well.


+domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+if not domain_validator.is_configured():
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cross-realm trusts are not configured..
+  Make sure you have run ipa-adtrust-install on the
IPA server first'''))

Same issues:

# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo 
--rid-base=1000
ipa: ERROR: Cross-realm trusts are not configured..
 Make sure you have run ipa-adtrust-install on the IPA
server first


+if not domain_validator.is_trusted_sid_valid(sid):
+raise errors.ValidationError(name=_('ID Range setup'),
+  error=_('SID is not recognized as a valid SID from a trusted
domain'))
+
+

Same issues:

ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
SID is not recognized as a valid SID from a trusted domain

I'll fix formatting.

Thanks!
--
/ Alexander Bokovoy

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-20 Thread Martin Kosek

On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
> Hi,
> 
> This patch adds validation of SID for trusted domain when adding or
> modifying ID range for the domain. We only allow creating ranges for
> trusted domains when the trust is already established -- the default
> range is created automatically right after the trust is added.
> 
> https://fedorahosted.org/freeipa/ticket/3087
> 

Basic functionality looks OK, but I saw few issues with exception formatting:

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
 from ipalib import util
 from ipapython.dn import DN

+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False


Variable "e" is not used, so it can be removed.


 __doc__ = _("""
 ID ranges
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are
used for users and
 groups.
 """)

+def validate_trusted_domain_sid(self, sid):

"self" is not needed in the list of attributes, this is not a class method.

+if not _dcerpc_bindings_installed:
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cannot perform SID validation without Samba 4
support installed.
+  Make sure you have installed server-trust-ad
sub-package of IPA on the server'''))

Improperly formatted exception:
1) NotFound error does not use "name" param, maybe you wanted to use
ValidationError?
2) The text will be improperly formatted - since you used '', the
indentation will be in text:

ipa: ERROR: Cannot perform SID validation without Samba 4 support installed.
  Make sure you have installed server-trust-ad
sub-package of IPA on the server


Also, I know this was discussed before, but using gettext in a name attribute
of ValidationError will cause improperly formatted exception:

# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo
ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
Options dom_sid and rid_base must be used together

The problem is, that "name" param is printer as %r, thus you would need to
coerce it to unicode to make it better.

+domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+if not domain_validator.is_configured():
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cross-realm trusts are not configured..
+  Make sure you have run ipa-adtrust-install on the
IPA server first'''))

Same issues:

# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo 
--rid-base=1000
ipa: ERROR: Cross-realm trusts are not configured..
  Make sure you have run ipa-adtrust-install on the IPA
server first


+if not domain_validator.is_trusted_sid_valid(sid):
+raise errors.ValidationError(name=_('ID Range setup'),
+  error=_('SID is not recognized as a valid SID from a trusted
domain'))
+
+

Same issues:

ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
SID is not recognized as a valid SID from a trusted domain

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

2012-09-19 Thread Alexander Bokovoy


Hi,

This patch adds validation of SID for trusted domain when adding or
modifying ID range for the domain. We only allow creating ranges for
trusted domains when the trust is already established -- the default
range is created automatically right after the trust is added.

https://fedorahosted.org/freeipa/ticket/3087
--
/ Alexander Bokovoy
>From c8859d449b65be67841c96c81f7f64f8c27b06b1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 19 Sep 2012 19:09:22 +0300
Subject: [PATCH] validate SID for trusted domain when adding/modifying ID
 range

https://fedorahosted.org/freeipa/ticket/3087
---
 ipalib/plugins/idrange.py | 28 
 1 file changed, 28 insertions(+)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
 from ipalib import util
 from ipapython.dn import DN
 
+if api.env.in_server and api.env.context in ['lite', 'server']:
+try:
+import ipaserver.dcerpc
+_dcerpc_bindings_installed = True
+except Exception, e:
+_dcerpc_bindings_installed = False
 
 __doc__ = _("""
 ID ranges
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are 
used for users and
 groups.
 """)
 
+def validate_trusted_domain_sid(self, sid):
+if not _dcerpc_bindings_installed:
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cannot perform SID validation without Samba 4 
support installed.
+  Make sure you have installed server-trust-ad 
sub-package of IPA on the server'''))
+domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+if not domain_validator.is_configured():
+raise errors.NotFound(name=_('ID Range setup'),
+  reason=_('''Cross-realm trusts are not configured..
+  Make sure you have run ipa-adtrust-install on the 
IPA server first'''))
+if not domain_validator.is_trusted_sid_valid(sid):
+raise errors.ValidationError(name=_('ID Range setup'),
+  error=_('SID is not recognized as a valid SID from a trusted 
domain'))
+
+
 class idrange(LDAPObject):
 """
 Range object.
@@ -287,6 +308,9 @@ class idrange_add(LDAPCreate):
 error=_('Options dom_sid and rid_base must ' \
 'be used together'))
 
+# Validate SID as the one of trusted domains
+validate_trusted_domain_sid(self, options['ipanttrusteddomainsid'])
+# Finally, add trusted AD domain range object class
 entry_attrs['objectclass'].append('ipatrustedaddomainrange')
 else:
 if (('ipasecondarybaserid' in options) != ('ipabaserid' in 
options)):
@@ -366,6 +390,10 @@ class idrange_mod(LDAPUpdate):
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+if 'ipanttrusteddomainsid' in options:
+# Validate SID as the one of trusted domains
+validate_trusted_domain_sid(self, options['ipanttrusteddomainsid'])
+
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 new_base_id = entry_attrs.get('ipabaseid')
-- 
1.7.12

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

Re: [Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

[Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range

9 matches

Site Navigation

Mail list logo

Footer information