Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. If it does, a ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas
From 72a55d498602b5c6cc912eb9585dc860b7fee591 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. If it does, a ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
     def pre_callback(self, ldap, dn, *keys, **options):
         try:
-            (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+            (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+                                                      'ipaidrangesize',
+                                                      'ipanttrusteddomainsid'])
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
 
+        # Check whether we leave any object with id in deleted range
         old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
         old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
         self.obj.check_ids_in_modified_range(
                 old_base_id, old_range_size, 0, 0)
+
+        # Check whether the range does not belong to the active trust
+        range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+        if range_sid is not None:
+            range_sid = range_sid[0]
+            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+            if result['count'] > 0:
+                raise errors.ValidationError(name='ID Range constraint',
+                    error=_("ID range of an active trust cannot be deleted."))
+
         return dn
 
 class idrange_find(LDAPSearch):
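Review bot: The comment above the new trust lookup states the condition in negated form and the guard counts entries instead of testing them; it reads clearer as `# Refuse to delete a range that still belongs to an active trust` with `if result['result']:` in place of `result['count'] > 0`. The check assumes trust_find filters `ipanttrusteddomainsid` as an exact match; if that parameter is searched as a substring, a SID that is a prefix of another trust's SID would also be refused — a safe-side failure, but worth confirming against the trust object's parameter definition. The lookup is a separate search from the delete itself, so a trust attached to this range between pre_callback and the LDAP delete is not caught; that window is inherent to the pre_callback hook and should at least be noted in the method's docstring. pre_callback is fully inside the hunk, while the enclosing idrange_del class starts outside it.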
-- 
1.8.1.4
