Hi,

this pair of patches fixes, and improves the test coverage for, the
referential integrity of ID overrides.

Note: Last test in the patch 374 is supposed to be failing (for now).

https://fedorahosted.org/freeipa/ticket/5322
From 17fab1cf2ff1966b97507477455ecda6bc91bdbd Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 12 Oct 2015 13:15:20 +0200
Subject: [PATCH] idoverride: Ignore ValidationErrors when converting the
 anchor

When converting the anchor to a human readable form, SID validation
may fail, e.g. if the domain is no longer trusted.

Ignore such cases and pass along the anchor in the raw format.

https://fedorahosted.org/freeipa/ticket/5322
---
 ipalib/plugins/idviews.py | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index a910486cd0160571311924ce799800aa54868dcc..cd65b92c63d8272522f7381dd2bc175ea51394b8 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -689,6 +689,11 @@ class baseidoverride(LDAPObject):
                     # If we were unable to resolve the anchor,
                     # keep it in the raw form
                     pass
+                except errors.ValidationError:
+                    # Same as above, ValidationError may be raised when SIDs
+                    # are attempted to be converted, but the domain is no
+                    # longer trusted
+                    pass
 
     def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
         # Check if parent object is Default Trust View, if so, prohibit
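Review bot: The added `except errors.ValidationError: pass` drops the failure without leaving any trace, so an operator who sees an override listed with a raw SID instead of a readable anchor gets no hint that the originating domain is no longer trusted; the `NotFound` branch just above it has the same shape. Logging the swallowed exception at debug level before falling through, e.g. `except errors.ValidationError as e:` followed by `self.log.debug("keeping raw anchor, SID conversion failed: %s", e)` (assuming the plugin logger is available on this object), would keep the behaviour while making the fallback diagnosable. `errors.ValidationError` is also broader than the SID case the comment describes; since the `try` body is outside the hunk, it is worth confirming that no other validation failure in that body is now hidden by the same branch. The enclosing method begins before this hunk.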
@@ -773,12 +778,7 @@ class baseidoverride_find(LDAPSearch):
 
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries:
-            try:
-                self.obj.convert_anchor_to_human_readable_form(entry, **options)
-            except errors.NotFound:
-                # If the conversion to readle form went wrong, do not
-                # abort the whole find command. Use non-converted entry.
-                pass
+            self.obj.convert_anchor_to_human_readable_form(entry, **options)
         return truncated
 
 
@@ -788,12 +788,7 @@ class baseidoverride_show(LDAPRetrieve):
     takes_options = LDAPRetrieve.takes_options + (fallback_to_ldap_option,)
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        try:
-            self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
-        except errors.NotFound:
-            # If the conversion to readle form went wrong, do not
-            # abort the whole show command. Use non-converted entry.
-            pass
+        self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
         return dn
 
 
-- 
2.1.0

From a7de153a4de5a5cc9a46842210a748d5a66f756e Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 12 Oct 2015 18:32:24 +0200
Subject: [PATCH] tests: Add tests for idoverride object integrity

As far as IPA objects are concerned, ID overrides are supposed
to be removed when the respective user/group is removed.

Adds a couple of tests to ensure this behaviour is covered.

https://fedorahosted.org/freeipa/ticket/5322
---
 ipatests/test_xmlrpc/test_idviews_plugin.py | 175 +++++++++++++++++++++++++++-
 1 file changed, 173 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index f1a46978b7324e83b0506084ff7a45e488005052..2875558810cfbea814632c9d28472f54b2466af8 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -52,6 +52,9 @@ hostgroup2 = u'hostgroup2'
 idoverrideuser1 = u'testuser'
 idoverridegroup1 = u'testgroup'
 
+idoverrideuser_removed = u'testuser-removed'
+idoverridegroup_removed = u'testgroup-removed'
+
 nonexistentuser = u'nonexistentuser'
 nonexistentgroup = u'nonexistentgroup'
 
@@ -126,8 +129,8 @@ class test_idviews(Declarative):
         ('host_del', [host1, host2, host3, host4], {'continue': True}),
         ('hostgroup_del', [hostgroup1, hostgroup2], {'continue': True}),
         ('idview_del', [idview1], {'continue': True}),
-        ('user_del', [idoverrideuser1], {'continue': True}),
-        ('group_del', [idoverridegroup1], {'continue': True}),
+        ('user_del', [idoverrideuser1, idoverrideuser_removed], {'continue': True}),
+        ('group_del', [idoverridegroup1, idoverridegroup_removed], {'continue': True}),
     ]
 
     tests = [
@@ -777,6 +780,7 @@ class test_idviews(Declarative):
             ),
         ),
 
+
         # Test ID View applying
 
         dict(
@@ -1479,4 +1483,171 @@ class test_idviews(Declarative):
                 ),
             ),
         ),
+
+        # Test integrity of idoverride objects agains their references
+
+        dict(
+            desc='Create ID View "%s"' % idview1,
+            command=(
+                'idview_add',
+                [idview1],
+                {}
+            ),
+            expected=dict(
+                value=idview1,
+                summary=u'Added ID View "%s"' % idview1,
+                result=dict(
+                    dn=get_idview_dn(idview1),
+                    objectclass=objectclasses.idview,
+                    cn=[idview1]
+                )
+            ),
+        ),
+
+        dict(
+            desc='Create "%s"' % idoverrideuser_removed,
+            command=(
+                'user_add',
+                [idoverrideuser_removed],
+                dict(
+                    givenname=u'Removed',
+                    sn=u'User',
+                )
+            ),
+            expected=dict(
+                value=idoverrideuser_removed,
+                summary=u'Added user "%s"' % idoverrideuser_removed,
+                result=get_user_result(
+                    idoverrideuser_removed,
+                    u'Removed',
+                    u'User',
+                    'add',
+                    objectclass=add_oc(
+                        objectclasses.user,
+                        u'ipantuserattrs'
+                    )
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Create group %r' % idoverridegroup_removed,
+            command=(
+                'group_add',
+                [idoverridegroup_removed],
+                dict(description=u'Removed group')
+            ),
+            expected=dict(
+                value=idoverridegroup_removed,
+                summary=u'Added group "%s"' % idoverridegroup_removed,
+                result=dict(
+                    cn=[idoverridegroup_removed],
+                    description=[u'Removed group'],
+                    objectclass=objectclasses.posixgroup,
+                    ipauniqueid=[fuzzy_uuid],
+                    gidnumber=[fuzzy_digits],
+                    dn=get_group_dn(idoverridegroup_removed),
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Create User ID override "%s"' % idoverrideuser_removed,
+            command=(
+                'idoverrideuser_add',
+                [idview1, idoverrideuser_removed],
+                dict(description=u'description',
+                     homedirectory=u'/home/newhome',
+                     uid=u'newlogin',
+                     uidnumber=12345,
+                     ipasshpubkey=sshpubkey,
+                )
+            ),
+            expected=dict(
+                value=idoverrideuser_removed,
+                summary=u'Added User ID override "%s"' % idoverrideuser_removed,
+                result=dict(
+                    dn=get_override_dn(idview1, idoverrideuser_removed),
+                    objectclass=objectclasses.idoverrideuser,
+                    ipaanchoruuid=[idoverrideuser_removed],
+                    ipaoriginaluid=[idoverrideuser_removed],
+                    description=[u'description'],
+                    homedirectory=[u'/home/newhome'],
+                    uidnumber=[u'12345'],
+                    uid=[u'newlogin'],
+                    ipasshpubkey=[sshpubkey],
+                    sshpubkeyfp=[sshpubkeyfp],
+                )
+            ),
+        ),
+
+        dict(
+            desc='Create Group ID override "%s"' % idoverridegroup_removed,
+            command=(
+                'idoverridegroup_add',
+                [idview1, idoverridegroup_removed],
+                dict(description=u'description')
+            ),
+            expected=dict(
+                value=idoverridegroup_removed,
+                summary=u'Added Group ID override "%s"' % idoverridegroup_removed,
+                result=dict(
+                    dn=get_override_dn(idview1, idoverridegroup_removed),
+                    objectclass=objectclasses.idoverridegroup,
+                    ipaanchoruuid=[idoverridegroup_removed],
+                    description=[u'description'],
+                )
+            ),
+        ),
+
+        dict(
+            desc='Delete "%s"' % idoverrideuser_removed,
+            command=('user_del', [idoverrideuser_removed], {}),
+            expected=dict(
+                result=dict(failed=[]),
+                summary=u'Deleted user "%s"' % idoverrideuser_removed,
+                value=[idoverrideuser_removed],
+            ),
+        ),
+
+        dict(
+            desc='Delete "%s"' % idoverridegroup_removed,
+            command=('group_del', [idoverridegroup_removed], {}),
+            expected=dict(
+                result=dict(failed=[]),
+                summary=u'Deleted group "%s"' % idoverridegroup_removed,
+                value=[idoverridegroup_removed],
+            ),
+        ),
+
+        dict(
+            desc='Make sure idoverrideuser objects have been cleaned',
+            command=(
+                'idoverrideuser_find',
+                [idview1],
+                dict(),
+            ),
+            expected=dict(
+                result=[],
+                summary=u'0 User ID overrides matched',
+                count=0,
+                truncated=False,
+            ),
+        ),
+
+        dict(
+            desc='Make sure idoverridegroup objects have been cleaned',
+            command=(
+                'idoverridegroup_find',
+                [idview1],
+                dict(),
+            ),
+            expected=dict(
+                result=[],
+                summary=u'0 Group ID overrides matched',
+                count=0,
+                truncated=False,
+            ),
+        ),
+
     ]
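Review bot: The heading comment for the new block reads "agains their references"; it should be `# Test integrity of idoverride objects against their references`. The cover letter states that the final check (the `idoverridegroup_find` expecting `0 Group ID overrides matched`) is currently expected to fail, but nothing in the test list records that, so a red run cannot be distinguished from a regression; if the Declarative harness supports marking an entry as an expected failure, do so, otherwise add a comment next to that entry citing the ticket URL from the commit message. The sequence also starts by recreating the view with `idview_add`, which presupposes an earlier test in the list has removed `idview1`; that earlier part of the list is outside this hunk, so it is worth confirming, since a surviving view would make the add fail with a duplicate entry. The enclosing `tests` list and `test_idviews` class begin before this hunk.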
-- 
2.1.0
