Re: [Freeipa-devel] [PATCH] 987 Don't allow IPA master hosts and services to be disabled
On Fri, 2012-03-16 at 08:29 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/15/2012 10:04 PM, Rob Crittenden wrote:
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index
9562ff98729ead6ac9e56d504f6ee0a7c0ca377a..f3c89a0fc5e3f00ed7f132dbff2510d89bc7370d
100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -887,12 +877,29 @@ last, after all sets and adds.),
# normalize all values
changedattrs = setattrs | addattrs | delattrs
for attr in changedattrs:
- # remove duplicite and invalid values
- entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
- if not entry_attrs[attr]:
- entry_attrs[attr] = None
- elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
- entry_attrs[attr] = entry_attrs[attr][0]
+ if attr in self.obj.params:
+ # convert single-value params to scalars
+ # Need to use the LDAPObject's params, not self's, because the
+ # CRUD classes filter their disallowed parameters out.
+ # Yet {set,add,del}attr are powerful enough to change these
+ # (e.g. Config's ipacertificatesubjectbase)
+ if not self.obj.params[attr].multivalue:
+ if len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+ elif not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ else:
+ raise errors.OnlyOneValueAllowed(attr=attr)
+ # validate and convert params
+ entry_attrs[attr] = self.obj.params[attr](entry_attrs[attr])
+ else:
+ # unknown attribute: remove duplicite and invalid values
+ entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
+ if not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+
You've included an unrelated patch (my 0016).
That's what I get for mixing my review and dev branch. Correct patch
attached.
rob
I still think this is not the one. It somehow got squashed with Petr3's
*attr patch.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 987 Don't allow IPA master hosts and services to be disabled
Martin Kosek wrote:
On Fri, 2012-03-16 at 08:29 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/15/2012 10:04 PM, Rob Crittenden wrote:
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index
9562ff98729ead6ac9e56d504f6ee0a7c0ca377a..f3c89a0fc5e3f00ed7f132dbff2510d89bc7370d
100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -887,12 +877,29 @@ last, after all sets and adds.),
# normalize all values
changedattrs = setattrs | addattrs | delattrs
for attr in changedattrs:
- # remove duplicite and invalid values
- entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
- if not entry_attrs[attr]:
- entry_attrs[attr] = None
- elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
- entry_attrs[attr] = entry_attrs[attr][0]
+ if attr in self.obj.params:
+ # convert single-value params to scalars
+ # Need to use the LDAPObject's params, not self's, because the
+ # CRUD classes filter their disallowed parameters out.
+ # Yet {set,add,del}attr are powerful enough to change these
+ # (e.g. Config's ipacertificatesubjectbase)
+ if not self.obj.params[attr].multivalue:
+ if len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+ elif not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ else:
+ raise errors.OnlyOneValueAllowed(attr=attr)
+ # validate and convert params
+ entry_attrs[attr] = self.obj.params[attr](entry_attrs[attr])
+ else:
+ # unknown attribute: remove duplicite and invalid values
+ entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
+ if not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+
You've included an unrelated patch (my 0016).
That's what I get for mixing my review and dev branch. Correct patch
attached.
rob
I still think this is not the one. It somehow got squashed with Petr3's
*attr patch.
Martin
Ok, was a little more careful this time.
rob
From 12ffb0d7305a60faa31f08ffc1a884aa40e7ea4b Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Mon, 19 Mar 2012 10:16:49 -0400
Subject: [PATCH] Don't allow hosts and services of IPA masters to be
disabled.
https://fedorahosted.org/freeipa/ticket/2487
---
ipalib/plugins/baseldap.py |2 +-
ipalib/plugins/host.py |2 ++
ipalib/plugins/service.py| 22 --
tests/test_xmlrpc/test_host_plugin.py| 10 +-
tests/test_xmlrpc/test_service_plugin.py | 14 ++
5 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 9562ff98729ead6ac9e56d504f6ee0a7c0ca377a..92540d8ac38a9fe033327d98c949469cb4745a97 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -396,7 +396,7 @@ def host_is_master(ldap, fqdn):
master_dn = str(DN('cn=%s' % fqdn, 'cn=masters,cn=ipa,cn=etc', api.env.basedn))
try:
(dn, entry_attrs) = ldap.get_entry(master_dn, ['objectclass'])
-raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted'))
+raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted or disabled'))
except errors.NotFound:
# Good, not a master
return
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 9db98e713e52ae8671a4813e59885c6f4a03c2ba..662cff3114be5aae399ff4c5fb43ca3d7e46c703 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -850,6 +850,8 @@ class host_disable(LDAPQuery):
else:
fqdn = keys[-1]
+host_is_master(ldap, fqdn)
+
# See if we actually do anthing here, and if not raise an exception
done_work = False
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index e75d71f03183688e3f01aa3a0fdfa76ec4838505..7c563b306eae2beeab524644ac9b639b9c9c985c 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -200,6 +200,18 @@ def set_certificate_attrs(entry_attrs):
entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+def check_required_principal(ldap, hostname, service):
+
+Raise an error if the host of this prinicipal is an IPA master and one
+of the principals required for proper execution.
+
+try:
+host_is_master(ldap, hostname)
+except errors.ValidationError, e:
+service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
+if service in service_types:
+raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+
class service(LDAPObject):
Service object.
@@ -296,12 +308,7 @@ class
Re: [Freeipa-devel] [PATCH] 987 Don't allow IPA master hosts and services to be disabled
On Mon, 2012-03-19 at 10:17 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2012-03-16 at 08:29 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 03/15/2012 10:04 PM, Rob Crittenden wrote:
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index
9562ff98729ead6ac9e56d504f6ee0a7c0ca377a..f3c89a0fc5e3f00ed7f132dbff2510d89bc7370d
100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -887,12 +877,29 @@ last, after all sets and adds.),
# normalize all values
changedattrs = setattrs | addattrs | delattrs
for attr in changedattrs:
- # remove duplicite and invalid values
- entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
- if not entry_attrs[attr]:
- entry_attrs[attr] = None
- elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
- entry_attrs[attr] = entry_attrs[attr][0]
+ if attr in self.obj.params:
+ # convert single-value params to scalars
+ # Need to use the LDAPObject's params, not self's, because the
+ # CRUD classes filter their disallowed parameters out.
+ # Yet {set,add,del}attr are powerful enough to change these
+ # (e.g. Config's ipacertificatesubjectbase)
+ if not self.obj.params[attr].multivalue:
+ if len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+ elif not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ else:
+ raise errors.OnlyOneValueAllowed(attr=attr)
+ # validate and convert params
+ entry_attrs[attr] = self.obj.params[attr](entry_attrs[attr])
+ else:
+ # unknown attribute: remove duplicite and invalid values
+ entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
+ if not entry_attrs[attr]:
+ entry_attrs[attr] = None
+ elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
+ entry_attrs[attr] = entry_attrs[attr][0]
+
You've included an unrelated patch (my 0016).
That's what I get for mixing my review and dev branch. Correct patch
attached.
rob
I still think this is not the one. It somehow got squashed with Petr3's
*attr patch.
Martin
Ok, was a little more careful this time.
rob
Yup, its much better now. ACK. Pushed to master, ipa-2-2.
Martin
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 987 Don't allow IPA master hosts and services to be disabled
On 03/15/2012 10:04 PM, Rob Crittenden wrote:
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index
9562ff98729ead6ac9e56d504f6ee0a7c0ca377a..f3c89a0fc5e3f00ed7f132dbff2510d89bc7370d
100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -887,12 +877,29 @@ last, after all sets and adds.),
# normalize all values
changedattrs = setattrs | addattrs | delattrs
for attr in changedattrs:
-# remove duplicite and invalid values
-entry_attrs[attr] = list(set([val for val in entry_attrs[attr] if
val]))
-if not entry_attrs[attr]:
-entry_attrs[attr] = None
-elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
-entry_attrs[attr] = entry_attrs[attr][0]
+if attr in self.obj.params:
+# convert single-value params to scalars
+# Need to use the LDAPObject's params, not self's, because the
+# CRUD classes filter their disallowed parameters out.
+# Yet {set,add,del}attr are powerful enough to change these
+# (e.g. Config's ipacertificatesubjectbase)
+if not self.obj.params[attr].multivalue:
+if len(entry_attrs[attr]) == 1:
+entry_attrs[attr] = entry_attrs[attr][0]
+elif not entry_attrs[attr]:
+entry_attrs[attr] = None
+else:
+raise errors.OnlyOneValueAllowed(attr=attr)
+# validate and convert params
+entry_attrs[attr] = self.obj.params[attr](entry_attrs[attr])
+else:
+# unknown attribute: remove duplicite and invalid values
+entry_attrs[attr] = list(set([val for val in entry_attrs[attr]
if val]))
+if not entry_attrs[attr]:
+entry_attrs[attr] = None
+elif isinstance(entry_attrs[attr], (tuple, list)) and
len(entry_attrs[attr]) == 1:
+entry_attrs[attr] = entry_attrs[attr][0]
+
You've included an unrelated patch (my 0016).
--
PetrĀ³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
