Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership

2015-08-13 Thread Martin Basti



On 08/12/2015 02:20 PM, Jan Cholasta wrote:

On 12.8.2015 12:22, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.

Honza


Fixed broken user_show on preserved user. Updated patch attached.




Pushed to:
master: 391ccabb9f0629b3d172d31cdab9067e4bd4e5dd
ipa-4-2: cd81727d6243de2c613afec6dd0bf9a41c724354


Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership

2015-08-12 Thread David Kupka

On 12/08/15 12:22, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.

Honza


Works for me, ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership

2015-08-12 Thread Jan Cholasta

On 12.8.2015 12:22, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.

Honza


Fixed broken user_show on preserved user. Updated patch attached.

--
Jan Cholasta
From dc4c4f940d97fa62396cb122672b436ee3176230 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 12 Aug 2015 11:03:40 +0200
Subject: [PATCH] ULC: Prevent preserved users from being assigned membership

https://fedorahosted.org/freeipa/ticket/5170
---
 ipalib/plugins/user.py | 31 ++-
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 8599392..4ea770e 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -342,7 +342,7 @@ class user(baseuser):
 ),
 )
 
-def get_dn(self, *keys, **options):
+def get_either_dn(self, *keys, **options):
 '''
 Returns the DN of a user
 The user can be active (active container) or delete (delete container)
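Review bot: The docstring now heading get_either_dn does not say how it differs from the get_dn it calls on the line below, and that distinction is the whole point of the rename: get_dn is now the inherited baseuser method that resolves only the active container (presumably the one the generic member-add handling goes through, which is how preserved users are kept out of groups), while get_either_dn additionally looks in the delete container. I would add a sentence to the docstring such as `Unlike get_dn(), which resolves only the active container, this also accepts a preserved (deleted) user.` The rest of get_either_dn, including the delete-container fallback, lies outside this hunk.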
@@ -351,7 +351,7 @@ class user(baseuser):
 ldap = self.backend
 # Check that this value is a Active user
 try:
-active_dn = super(user, self).get_dn(*keys, **options)
+active_dn = self.get_dn(*keys, **options)
 ldap.get_entry(active_dn, ['dn'])
 
 # The Active user exists
@@ -402,7 +402,7 @@ class user_add(baseuser_add):
 )
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
 if not options.get('noprivate', False):
 try:
 # The Managed Entries plugin will allow a user to be created
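Review bot: The new first line of user_add.pre_callback replaces a type assertion with a directory lookup, and nothing in the code says why: for an add, get_either_dn can only yield something other than the active DN when an entry with that uid already exists in the delete container, in which case the add is presumably meant to fail as a duplicate rather than create a second, active entry under the same name. That intent deserves a comment, e.g. `# Resolve through the delete container too, so a preserved user with this uid blocks the add`. The remainder of pre_callback, including what is done with dn afterwards, is outside the hunk.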
@@ -599,7 +599,7 @@ class user_del(baseuser_del):
 return super(user_del, self).forward(*keys, **options)
 
 def pre_callback(self, ldap, dn, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
 
 # For User life Cycle: user-del is a common plugin
 # command to delete active user (active container) and
@@ -625,7 +625,7 @@ class user_del(baseuser_del):
 
 def execute(self, *keys, **options):
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 
 # We are going to permanent delete or the user is already in the delete container.
 delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
@@ -644,7 +644,7 @@ class user_del(baseuser_del):
 ldap = self.obj.backend
 
 # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
-active_dn = self.obj.get_dn(*keys, **options)
+active_dn = self.obj.get_either_dn(*keys, **options)
 superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
 delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
 self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
@@ -701,6 +701,7 @@ class user_mod(baseuser_mod):
 has_output_params = baseuser_mod.has_output_params + user_output_params
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
 self.pre_common_callback(ldap, dn, entry_attrs, **options)
 validate_nsaccountlock(entry_attrs)
 return dn
@@ -777,6 +778,10 @@ class user_show(baseuser_show):
 ),
 )
 
+def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
+return dn
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 convert_nsaccountlock(entry_attrs)
 self.post_common_callback(ldap, dn, entry_attrs, **options)
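Review bot: The added user_show.pre_callback has no docstring, and since it discards the dn the framework hands in and returns a freshly resolved one, a reader will ask why. A short docstring would settle it: `"""Resolve the user in the active or the delete container; the dn passed in was built by get_dn(), which now covers only the active one."""`. The claim that the incoming dn comes from get_dn is inferred from the framework rather than visible here, so word it accordingly if that is not exact.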
@@ -813,7 +818,7 @@ class user_undel(LDAPQuery):
 ldap = self.obj.backend
 
 # First check that the user exists and is a delete one
-delete_dn = self.obj.get_dn(*keys, **options)
+delete_dn = self.obj.get_either_dn(*keys, **options)
 if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)):
 raise errors.ValidationError(
 name=self.obj.primary_key.cli_name,
@@ -860,7 +865,7 @@ class user_disable(LDAPQuery):
 
 check_protected_member(keys[-1])
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 ldap.deactivate_entry(dn)
 
 return dict(
@@ -880,7 +885,7 @@ class user_enable(LDAPQuery):
 def execute(self, *keys, **options):
 ldap = self.obj.backend
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 
 ldap.activate_entry(dn)
 
@@ -904,7 +909,7 @@ class user_unlock(LDAPQuery):
 msg_summary = _('Unlocked account "%(value)s"')
 
 def execute(self, *keys, **options):
-dn = self.obj.get_dn(*keys, **option

[Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership

2015-08-12 Thread Jan Cholasta

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170.

Honza

--
Jan Cholasta
From 852dd8cd7c518c3c1ae7248cbd39811594e5b6d7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 12 Aug 2015 11:03:40 +0200
Subject: [PATCH] ULC: Prevent preserved users from being assigned membership

https://fedorahosted.org/freeipa/ticket/5170
---
 ipalib/plugins/user.py | 28 +++-
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 8599392..83354a4 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -342,7 +342,7 @@ class user(baseuser):
 ),
 )
 
-def get_dn(self, *keys, **options):
+def get_either_dn(self, *keys, **options):
 '''
 Returns the DN of a user
 The user can be active (active container) or delete (delete container)
@@ -351,7 +351,7 @@ class user(baseuser):
 ldap = self.backend
 # Check that this value is a Active user
 try:
-active_dn = super(user, self).get_dn(*keys, **options)
+active_dn = self.get_dn(*keys, **options)
 ldap.get_entry(active_dn, ['dn'])
 
 # The Active user exists
@@ -402,7 +402,7 @@ class user_add(baseuser_add):
 )
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
 if not options.get('noprivate', False):
 try:
 # The Managed Entries plugin will allow a user to be created
@@ -599,7 +599,7 @@ class user_del(baseuser_del):
 return super(user_del, self).forward(*keys, **options)
 
 def pre_callback(self, ldap, dn, *keys, **options):
-assert isinstance(dn, DN)
+dn = self.obj.get_either_dn(*keys, **options)
 
 # For User life Cycle: user-del is a common plugin
 # command to delete active user (active container) and
@@ -625,7 +625,7 @@ class user_del(baseuser_del):
 
 def execute(self, *keys, **options):
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 
 # We are going to permanent delete or the user is already in the delete container.
 delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
@@ -644,7 +644,7 @@ class user_del(baseuser_del):
 ldap = self.obj.backend
 
 # need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
-active_dn = self.obj.get_dn(*keys, **options)
+active_dn = self.obj.get_either_dn(*keys, **options)
 superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
 delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
 self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
@@ -701,6 +701,7 @@ class user_mod(baseuser_mod):
 has_output_params = baseuser_mod.has_output_params + user_output_params
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
 self.pre_common_callback(ldap, dn, entry_attrs, **options)
 validate_nsaccountlock(entry_attrs)
 return dn
@@ -778,6 +779,7 @@ class user_show(baseuser_show):
 )
 
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+dn = self.obj.get_either_dn(*keys, **options)
 convert_nsaccountlock(entry_attrs)
 self.post_common_callback(ldap, dn, entry_attrs, **options)
 self.obj.get_preserved_attribute(entry_attrs, options)
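Review bot: Reassigning dn in user_show.post_callback is too late to change which entry is read: by its name this hook runs after the retrieval, and the dn it receives was resolved by get_dn, which after this patch covers only the active container, so a preserved user cannot be shown. The override belongs in a pre_callback that returns the resolved dn, which is what the later message in this thread describes as the fix in the updated patch. Within this hunk the reassigned dn is only forwarded to post_common_callback.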
@@ -813,7 +815,7 @@ class user_undel(LDAPQuery):
 ldap = self.obj.backend
 
 # First check that the user exists and is a delete one
-delete_dn = self.obj.get_dn(*keys, **options)
+delete_dn = self.obj.get_either_dn(*keys, **options)
 if delete_dn.endswith(DN(self.obj.active_container_dn, api.env.basedn)):
 raise errors.ValidationError(
 name=self.obj.primary_key.cli_name,
@@ -860,7 +862,7 @@ class user_disable(LDAPQuery):
 
 check_protected_member(keys[-1])
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 ldap.deactivate_entry(dn)
 
 return dict(
@@ -880,7 +882,7 @@ class user_enable(LDAPQuery):
 def execute(self, *keys, **options):
 ldap = self.obj.backend
 
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 
 ldap.activate_entry(dn)
 
@@ -904,7 +906,7 @@ class user_unlock(LDAPQuery):
 msg_summary = _('Unlocked account "%(value)s"')
 
 def execute(self, *keys, **options):
-dn = self.obj.get_dn(*keys, **options)
+dn = self.obj.get_either_dn(*keys, **options)
 entry = self.obj.backend.get_entry(
 dn, ['krbLastAdminUnlock', 'krbLogi