On 10/29/2012 02:17 PM, Jan Cholasta wrote:
Hi,
On 29.10.2012 10:44, Martin Kosek wrote:
ldap2 server plugin generates a modlist for every IPA command entry
modification. However, encoding of attributes entry_attrs generated
by our framework still does not match entry read from LDAP (until
ticket #2265 is addressed), convert compared values to common ground
so that the comparison does not report false positives when encoding
do not match (e.g. 'int' and 'unicode').
https://fedorahosted.org/freeipa/ticket/3220
This doesn't work, unfortunately:
======================================================================
ERROR: test_attr[17]: user_mod: Unlock u'tuser1' using addattr&delattr
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/home/jcholast/freeipa/tests/test_xmlrpc/xmlrpc_test.py", line 249, in
<lambda>
func = lambda: self.check(nice, **test)
File "/home/jcholast/freeipa/tests/test_xmlrpc/xmlrpc_test.py", line 266, in
check
self.check_output(nice, cmd, args, options, expected, extra_check)
File "/home/jcholast/freeipa/tests/test_xmlrpc/xmlrpc_test.py", line 303, in
check_output
got = api.Command[cmd](*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 435, in __call__
ret = self.run(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 748, in run
return self.forward(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 769, in forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
File "/home/jcholast/freeipa/ipalib/rpc.py", line 545, in forward
raise error(message=e.faultString)
AttrValueNotFound: nsaccountlock does not contain 'TRUE'
======================================================================
ERROR: Test disabling HBAC rule using setattr
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/home/jcholast/freeipa/tests/test_xmlrpc/test_hbac_plugin.py", line
447, in test_ea_hbacrule_disable_setattr
self.rule_name, setattr=u'ipaenabledflag=false')
File "/home/jcholast/freeipa/ipalib/frontend.py", line 435, in __call__
ret = self.run(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 748, in run
return self.forward(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 769, in forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
File "/home/jcholast/freeipa/ipalib/rpc.py", line 545, in forward
raise error(message=e.faultString)
InvalidSyntax: ipaEnabledFlag: value #0 invalid per syntax: Invalid syntax.
======================================================================
ERROR: Test enabling HBAC rule using setattr
----------------------------------------------------------------------
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
File "/home/jcholast/freeipa/tests/test_xmlrpc/test_hbac_plugin.py", line
457, in test_eb_hbacrule_enable_setattr
self.rule_name, setattr=u'ipaenabledflag=1')
File "/home/jcholast/freeipa/ipalib/frontend.py", line 435, in __call__
ret = self.run(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 748, in run
return self.forward(*args, **options)
File "/home/jcholast/freeipa/ipalib/frontend.py", line 769, in forward
return self.Backend.xmlclient.forward(self.name, *args, **kw)
File "/home/jcholast/freeipa/ipalib/rpc.py", line 545, in forward
raise error(message=e.faultString)
InvalidSyntax: ipaEnabledFlag: value #0 invalid per syntax: Invalid syntax.
This is caused by:
+ v = set(unicode(value)
+ if not isinstance(value, (DN, str, unicode))
+ else value for value in v)
You can't use "unicode(value)", as it does not properly encode boolean values.
Use "unicode_from_utf8(self.conn.encode(value))" instead - this will encode the
value to LDAP-formatted str and then convert it back to unicode.
Honza
Thanks for the catch Honza! I missed these errors in false positives I got in
my unit tests...
Attaching a fixed patch, unit are clean this time.
Martin
From d89a37c57fd6cabde027cbb8ee61b5eaca002919 Mon Sep 17 00:00:00 2001
From: Martin Kosek <[email protected]>
Date: Mon, 29 Oct 2012 10:32:39 +0100
Subject: [PATCH] Use common encoding in modlist generation
ldap2 server plugin generates a modlist for every IPA command entry
modification. However, encoding of attributes entry_attrs generated
by our framework still does not match entry read from LDAP (until
ticket #2265 is addressed), convert compared values to common ground
so that the comparison does not report false positives when encoding
do not match (e.g. 'int' and 'unicode').
https://fedorahosted.org/freeipa/ticket/3220
---
ipaserver/plugins/ldap2.py | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
index caf35096c981363927f8471e2567476954f664e5..519f4613ad8eabbc3a51d272092e6b51697e4ca3 100644
--- a/ipaserver/plugins/ldap2.py
+++ b/ipaserver/plugins/ldap2.py
@@ -1341,6 +1341,22 @@ class ldap2(CrudBackend):
v = set(filter(lambda value: value is not None, v))
old_v = set(entry_attrs_old.get(k.lower(), []))
+ # FIXME: Convert all values to either unicode, DN or str
+ # before detecting value changes (see IPASimpleLDAPObject for
+ # supported types).
+ # This conversion will set a common ground for the comparison.
+ #
+ # This fix can be removed when ticket 2265 is fixed and our
+ # encoded entry_attrs' types will match get_entry result
+ try:
+ v = set(unicode_from_utf8(self.conn.encode(value))
+ if not isinstance(value, (DN, str, unicode))
+ else value for value in v)
+ except Exception, e:
+ # Rather let the value slip in modlist than let ldap2 crash
+ self.error("Cannot convert attribute '%s' for modlist "
+ "for modlist comparison: %s", k, e)
+
adds = list(v.difference(old_v))
rems = list(old_v.difference(v))
--
1.7.11.7
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
