Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-31 Thread Martin Kosek
On 05/30/2013 04:35 PM, Tomas Babej wrote:
> On 05/29/2013 12:25 PM, Martin Kosek wrote:
>> On 05/28/2013 03:48 PM, Alexander Bokovoy wrote:
>>> On Tue, 28 May 2013, Tomas Babej wrote:
>>>> On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:
>>>>> On Mon, 27 May 2013, Tomas Babej wrote:
>>>>> We got rid of openldap utilities now. While using python.ldap module, I
>>>>> also made the tests much more robust and added a new test case.
>>>> In general patches look fine, there is one small nitpick.
>>>> I'll run tests on Monday and then will provide final ACK.

> --- a/tests/test_xmlrpc/test_range_plugin.py
> +++ b/tests/test_xmlrpc/test_range_plugin.py
> @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and
> XML-RPC in general.
> """
>
> from ipalib import api, errors, _
> +from ipapython.ipautil import run
>>>> This import is unused, can be removed.

>>> Fixed, thanks for catching that.
>>>
>>> Updated patch attached.
>>>>> So I tried to run this test on a machine where there is already trust
>>>>> established and I think there should be done some changes.
>>>> I perused the log. Seems that the failures you're experiencing are not
>>>> relevant to the patch itself,
>>>> since the newly added tests passed.
>>>>
>>>> This is problem with test_range_plugin.py tests that has been there for quite
>>>> a while, the parameters
>>>> of the ranges such as size, and base ID/RID/secondary RID are hardcoded in
>>>> the test case.
>>> Yep.
>>>
>>>
>>>>> Probably it would be wise to add pre-start procedure to pull existing
>>>>> ranges and define constants for the ranges so that they don't overlap
>>>>> with existing ones. Perhaps selecting something from a top of the range
>>>>> space...
>>>>>
>>>>> Attached is the log
>>>> I agree. This has not been relevant until now, since we did not do much
>>>> testing on IPA instances
>>>> with trusts set up, and even then there's random factor in having the overlap
>>>> with the already created
>>>> trust range.
>>>>
>>>> I'd propose fixing this in a separate effort as a part of continuous
>>>> integration improvements. I see it
>>>> as a separate issue of its own.
>>>>
>>>> What do you think?
>>> Please file a separate ticket then.
>>>
>>> ACK for this one.
>>>
>> May-be-NACK.
>>
>> Would it make sense to replace the error with DependentEntry error? We use in
>> cases like this elsewhere and I think it makes more sense in this case too.
>>
>> Martin
> 
> Sure, I changed the error class in idrange.py and tests accordingly.
> 
> I ran the unit tests again to verify the changes.
> 
> Here is the updated patch.
> 
> Tomas

ACK. Pushed to master, ipa-3-2.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
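
The pre-start step proposed in the thread (read the existing ranges, then pick test ranges that do not overlap them, starting from the top of the ID space), as an added example that is not code from the FreeIPA tree. It covers base ID and size only, not the RID bases; the helper names, the 2**31 - 1 ceiling and the sample entries are assumptions.

```python
"""Added example: choose test ID ranges that avoid ranges already on the server."""
from typing import Iterable, List, Mapping, NamedTuple, Sequence

# Assumption: test IDs are kept below the signed 32-bit limit.
ID_SPACE_TOP = 2**31 - 1


class IdRange(NamedTuple):
    name: str
    base_id: int
    size: int

    @property
    def last_id(self) -> int:
        return self.base_id + self.size - 1


def ranges_from_entries(entries: Iterable[Mapping[str, Sequence]]) -> List[IdRange]:
    """Convert list-valued entries (the attribute shape the patch reads) to IdRange.

    Assumption: range entries carry 'cn', 'ipabaseid' and 'ipaidrangesize'
    as lists, like old_attrs and the trust_find result in the patch.
    """
    return [
        IdRange(e["cn"][0], int(e["ipabaseid"][0]), int(e["ipaidrangesize"][0]))
        for e in entries
    ]


def overlaps(a: IdRange, b: IdRange) -> bool:
    """True when the two closed intervals share at least one ID."""
    return a.base_id <= b.last_id and b.base_id <= a.last_id


def allocate_test_ranges(existing: Iterable[IdRange], sizes: Sequence[int],
                         top: int = ID_SPACE_TOP, floor: int = 1,
                         prefix: str = "testrange") -> List[IdRange]:
    """Place one range per requested size, working down from `top`.

    Each candidate is pushed below the highest existing range it collides
    with until it fits; ValueError is raised when the space is exhausted.
    """
    occupied = sorted(existing, key=lambda r: r.base_id, reverse=True)
    allocated: List[IdRange] = []
    ceiling = top
    for number, size in enumerate(sizes, 1):
        if size < 1:
            raise ValueError("range size must be positive")
        while True:
            base = ceiling - size + 1
            if base < floor:
                raise ValueError("no free space left for %s%d" % (prefix, number))
            candidate = IdRange("%s%d" % (prefix, number), base, size)
            clash = next((r for r in occupied if overlaps(candidate, r)), None)
            if clash is None:
                break
            # The space above the clashing range is smaller than `size`,
            # so continue the search directly below it.
            ceiling = clash.base_id - 1
        allocated.append(candidate)
        ceiling = candidate.base_id - 1
    return allocated


# Constructed sample data (not taken from any server): a local range and a
# range that belongs to an AD trust, in a deliberately tiny ID space.
SAMPLE_ENTRIES = [
    {"cn": ["local_id_range"], "ipabaseid": ["900"], "ipaidrangesize": ["50"]},
    {"cn": ["ad_trust_range"], "ipabaseid": ["990"], "ipaidrangesize": ["11"],
     "ipanttrusteddomainsid": ["S-1-5-21-1-2-3"]},  # constructed SID
]

if __name__ == "__main__":
    existing = ranges_from_entries(SAMPLE_ENTRIES)
    for r in allocate_test_ranges(existing, [20, 50], top=1000):
        print(r.name, r.base_id, r.last_id)
```
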


Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-30 Thread Tomas Babej

On 05/29/2013 12:25 PM, Martin Kosek wrote:

On 05/28/2013 03:48 PM, Alexander Bokovoy wrote:

On Tue, 28 May 2013, Tomas Babej wrote:

On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:

On Mon, 27 May 2013, Tomas Babej wrote:

We got rid of openldap utilities now. While using python.ldap module, I
also made the tests much more robust and added a new test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and
XML-RPC in general.
"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

So I tried to run this test on a machine where there is already trust
established and I think there should be done some changes.

I perused the log. Seems that the failures you're experiencing are not
relevant to the patch itself,
since the newly added tests passed.

This is problem with test_range_plugin.py tests that has been there for quite
a while, the parameters
of the ranges such as size, and base ID/RID/secondary RID are hardcoded in
the test case.

Yep.



Probably it would be wise to add pre-start procedure to pull existing
ranges and define constants for the ranges so that they don't overlap
with existing ones. Perhaps selecting something from a top of the range
space...

Attached is the log

I agree. This has not been relevant until now, since we did not do much
testing on IPA instances
with trusts set up, and even then there's random factor in having the overlap
with the already created
trust range.

I'd propose fixing this in a separate effort as a part of continuous
integration improvements. I see it
as a separate issue of its own.

What do you think?

Please file a separate ticket then.

ACK for this one.


May-be-NACK.

Would it make sense to replace the error with DependentEntry error? We use in
cases like this elsewhere and I think it makes more sense in this case too.

Martin


Sure, I changed the error class in idrange.py and tests accordingly.

I ran the unit tests again to verify the changes.

Here is the updated patch.

Tomas
From c0bcbc1b91c2a9d964d458054210477459f30a7b Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py  |  19 -
 tests/test_xmlrpc/test_range_plugin.py | 144 ++---
 2 files changed, 152 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..d548794428fbbc7981112d6c441c980fd9e06157 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,31 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.DependentEntry(
+label='Active Trust',
+key=keys[0],
+dependent=result['result'][0]['cn'][0])
+
 return dn
 
 class idrange_find(LDAPSearch):
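Review bot: The commit message above still says "ValidationError is raised", but the new block at the end of pre_callback now raises errors.DependentEntry; update the message so the log matches the code. Also note that dependent= reports only result['result'][0], so if trust_find returns more than one match the admin sees just the first trust name.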
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index be8eac593a04c52aaaff61f980cfd5fd0899fabd..ce70433112b3216304356b520026d79be66543cf 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -27,61 +27,166 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 from tests.test_xmlrpc import objectclas

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-29 Thread Martin Kosek
On 05/28/2013 03:48 PM, Alexander Bokovoy wrote:
> On Tue, 28 May 2013, Tomas Babej wrote:
>> On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:
>>> On Mon, 27 May 2013, Tomas Babej wrote:
>>> We got rid of openldap utilities now. While using python.ldap module, I
>>> also made the tests much more robust and added a new test case.
>> In general patches look fine, there is one small nitpick.
>> I'll run tests on Monday and then will provide final ACK.
>>
>>> --- a/tests/test_xmlrpc/test_range_plugin.py
>>> +++ b/tests/test_xmlrpc/test_range_plugin.py
>>> @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and
>>> XML-RPC in general.
>>> """
>>>
>>> from ipalib import api, errors, _
>>> +from ipapython.ipautil import run
>> This import is unused, can be removed.
>>
> Fixed, thanks for catching that.
>
> Updated patch attached.
>>> So I tried to run this test on a machine where there is already trust
>>> established and I think there should be done some changes.
>>
>> I perused the log. Seems that the failures you're experiencing are not
>> relevant to the patch itself,
>> since the newly added tests passed.
>>
>> This is problem with test_range_plugin.py tests that has been there for quite
>> a while, the parameters
>> of the ranges such as size, and base ID/RID/secondary RID are hardcoded in
>> the test case.
> Yep.
> 
> 
>>> Probably it would be wise to add pre-start procedure to pull existing
>>> ranges and define constants for the ranges so that they don't overlap
>>> with existing ones. Perhaps selecting something from a top of the range
>>> space...
>>>
>>> Attached is the log
>>
>> I agree. This has not been relevant until now, since we did not do much
>> testing on IPA instances
>> with trusts set up, and even then there's random factor in having the overlap
>> with the already created
>> trust range.
>>
>> I'd propose fixing this in a separate effort as a part of continuous
>> integration improvements. I see it
>> as a separate issue of its own.
>>
>> What do you think?
> Please file a separate ticket then.
> 
> ACK for this one.
> 

May-be-NACK.

Would it make sense to replace the error with DependentEntry error? We use in
cases like this elsewhere and I think it makes more sense in this case too.

Martin



Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-29 Thread Tomas Babej

On 05/28/2013 03:48 PM, Alexander Bokovoy wrote:

On Tue, 28 May 2013, Tomas Babej wrote:

On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:

On Mon, 27 May 2013, Tomas Babej wrote:
We got rid of openldap utilities now. While using python.ldap 
module, I also made the tests much more robust and added a new 
test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` 
module, and XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

So I tried to run this test on a machine where there is already trust
established and I think there should be done some changes.


I perused the log. Seems that the failures you're experiencing are 
not relevant to the patch itself,

since the newly added tests passed.

This is problem with test_range_plugin.py tests that has been there 
for quite a while, the parameters
of the ranges such as size, and base ID/RID/secondary RID are 
hardcoded in the test case.

Yep.



Probably it would be wise to add pre-start procedure to pull existing
ranges and define constants for the ranges so that they don't overlap
with existing ones. Perhaps selecting something from a top of the range
space...

Attached is the log


I agree. This has not been relevant until now, since we did not do 
much testing on IPA instances
with trusts set up, and even then there's random factor in having the 
overlap with the already created

trust range.

I'd propose fixing this in a separate effort as a part of continuous 
integration improvements. I see it

as a separate issue of its own.

What do you think?

Please file a separate ticket then.

ACK for this one.


For the record:

https://fedorahosted.org/freeipa/ticket/3662

Tomas

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-28 Thread Alexander Bokovoy

On Tue, 28 May 2013, Tomas Babej wrote:

On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:

On Mon, 27 May 2013, Tomas Babej wrote:
We got rid of openldap utilities now. While using 
python.ldap module, I also made the tests much more robust 
and added a new test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` 
module, and XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

So I tried to run this test on a machine where there is already trust
established and I think there should be done some changes.


I perused the log. Seems that the failures you're experiencing are 
not relevant to the patch itself,

since the newly added tests passed.

This is problem with test_range_plugin.py tests that has been there 
for quite a while, the parameters
of the ranges such as size, and base ID/RID/secondary RID are 
hardcoded in the test case.

Yep.



Probably it would be wise to add pre-start procedure to pull existing
ranges and define constants for the ranges so that they don't overlap
with existing ones. Perhaps selecting something from a top of the range
space...

Attached is the log


I agree. This has not been relevant until now, since we did not do 
much testing on IPA instances
with trusts set up, and even then there's random factor in having the 
overlap with the already created

trust range.

I'd propose fixing this in a separate effort as a part of continuous 
integration improvements. I see it

as a separate issue of its own.

What do you think?

Please file a separate ticket then.

ACK for this one.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-28 Thread Tomas Babej

On 05/28/2013 02:35 PM, Alexander Bokovoy wrote:

On Mon, 27 May 2013, Tomas Babej wrote:
We got rid of openldap utilities now. While using python.ldap 
module, I also made the tests much more robust and added a new 
test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, 
and XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

So I tried to run this test on a machine where there is already trust
established and I think there should be done some changes.


I perused the log. Seems that the failures you're experiencing are not 
relevant to the patch itself,

since the newly added tests passed.

This is problem with test_range_plugin.py tests that has been there for 
quite a while, the parameters
of the ranges such as size, and base ID/RID/secondary RID are hardcoded 
in the test case.



Probably it would be wise to add pre-start procedure to pull existing
ranges and define constants for the ranges so that they don't overlap
with existing ones. Perhaps selecting something from a top of the range
space...

Attached is the log


I agree. This has not been relevant until now, since we did not do much 
testing on IPA instances
with trusts set up, and even then there's random factor in having the 
overlap with the already created

trust range.

I'd propose fixing this in a separate effort as a part of continuous 
integration improvements. I see it

as a separate issue of its own.

What do you think?

Tomas



Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-28 Thread Alexander Bokovoy

On Mon, 27 May 2013, Tomas Babej wrote:
We got rid of openldap utilities now. While using python.ldap 
module, I also made the tests much more robust and added a new 
test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` 
module, and XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

So I tried to run this test on a machine where there is already trust
established and I think there should be done some changes.

Probably it would be wise to add pre-start procedure to pull existing
ranges and define constants for the ranges so that they don't overlap
with existing ones. Perhaps selecting something from a top of the range
space...

Attached is the log.



--
/ Alexander Bokovoy
test_range pre-cleanup[0]: ('idrange_del', [u'testrange1', u'testrange2', 
u'testrange3', u'testrange4', u'testrange5', u'testrange6', u'testrange7', 
u'testrange8'], {'continue': True}) ... ok
test_range pre-cleanup[1]: ('user_del', [u'tuser1'], {}) ... ok
test_range pre-cleanup[2]: ('group_del', [u'group1'], {}) ... ok
test_range[0]: idrange_add: Create ID range u'testrange1' ... ERROR
test_range[1]: idrange_show: Retrieve ID range u'testrange1' ... ERROR
test_range[2]: user_add: Create user u'tuser1' in ID range u'testrange1' ... ok
test_range[3]: group_add: Create group u'group1' in ID range u'testrange1' ... 
ok
test_range[4]: idrange_mod: Try to modify ID range u'testrange1' to get out 
bounds object #1 ... FAIL
test_range[5]: idrange_mod: Try to modify ID range u'testrange1' to get out 
bounds object #2 ... FAIL
test_range[6]: idrange_mod: Try to modify ID range u'testrange1' to get out 
bounds object #3 ... FAIL
test_range[7]: idrange_mod: Modify ID range u'testrange1' ... ERROR
test_range[8]: idrange_del: Try to delete ID range u'testrange1' with active 
IDs inside it ... FAIL
test_range[9]: user_del: Delete user u'tuser1' ... ok
test_range[10]: group_del: Delete group u'group1' ... ok
test_range[11]: idrange_del: Delete ID range u'testrange1' ... ERROR
test_range[12]: idrange_add: Create ID range u'testrange2' ... ERROR
test_range[13]: idrange_mod: Try to modify ID range u'testrange2' so that its 
rid ranges are overlapping themselves ... FAIL
test_range[14]: idrange_add: Try to create ID range u'testrange3' with 
overlapping rid range ... FAIL
test_range[15]: idrange_add: Try to create ID range u'testrange4' with 
overlapping secondary rid range ... FAIL
test_range[16]: idrange_add: Try to create ID range u'testrange5' with primary 
range overlapping secondary rid range ... FAIL
test_range[17]: idrange_add: Try to create ID range u'testrange6' with 
overlapping id range ... FAIL
test_range[18]: idrange_add: Try to create ID range u'testrange7' with rid 
ranges overlapping themselves ... ok
test_range[19]: idrange_del: Delete ID range u'testrange2' ... ERROR
test_range[20]: idrange_add: Create ID range u'testrange8' ... ok
test_range[21]: idrange_mod: Try to modify ID range u'testrange8' so it has 
only primary rid range set ... ok
test_range[22]: idrange_del: Delete ID range u'testrange8' ... ok
test_range[23]: idrange_del: Delete non-active AD trusted range u'testrange9' 
... ok
test_range[24]: idrange_del: Try to delete active AD trusted range 
u'testrange10' ... ok
test_range post-cleanup[0]: ('idrange_del', [u'testrange1', u'testrange2', 
u'testrange3', u'testrange4', u'testrange5', u'testrange6', u'testrange7', 
u'testrange8'], {'continue': True}) ... ok
test_range post-cleanup[1]: ('user_del', [u'tuser1'], {}) ... ok
test_range post-cleanup[2]: ('group_del', [u'group1'], {}) ... ok

==
ERROR: test_range[0]: idrange_add: Create ID range u'testrange1'
--
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest
self.test(*self.arg)
  File 
"/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py",
 line 271, in 
func = lambda: self.check(nice, **test)
  File 
"/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py",
 line 289, in check
self.check_output(nice, cmd, args, options, expected, extra_check)
  File 
"/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py",
 line 326, in check_output
got = api.Command[cmd](*args, **options)
  File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/ipalib/frontend.py", line 
436, in __call__
ret = self.run(*args, **options)
  File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/ipalib/frontend.py", line 
735, in run
return self.forward(*args,

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-27 Thread Tomas Babej

On 05/27/2013 10:03 AM, Tomas Babej wrote:

On 05/26/2013 08:56 PM, Alexander Bokovoy wrote:

On Fri, 24 May 2013, Tomas Babej wrote:

On 05/20/2013 04:29 PM, Alexander Bokovoy wrote:

On Mon, 20 May 2013, Tomas Babej wrote:

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in 
functionality.


--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to LDAP 
using ldapmodify since we need to create a mock AD trusted range 
first.


Tomas


We got rid of openldap utilities now. While using python.ldap 
module, I also made the tests much more robust and added a new test 
case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, 
and XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

Tomas



Additionally, I removed one redundant variable upon further review.

Tomas
From 94e11bbca4f98fb1f8c4aa011a7c3b18419f77bf Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py  |  17 +++-
 tests/test_xmlrpc/test_range_plugin.py | 142 ++---
 2 files changed, 148 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
 return dn
 
 class idrange_find(LDAPSearch):
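Review bot: The ValidationError raised at the end of the new block in pre_callback says the range belongs to an active trust but not which one, although trust_find has just returned the matching entry in result. Include the trust's name from result in the error so the admin knows which trust has to be removed before the range can go.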
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index be8eac593a04c52aaaff61f980cfd5fd0899fabd..0f79a96dd01d96ccfffe27fa919ef2076334220a 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -27,61 +27,165 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 from tests.test_xmlrpc import objectclasses
 from ipapython.dn import *
 
+import ldap, ldap.sasl, ldap.modlist
+
 testrange1 = u'testrange1'
 testrange1_base_id = 90
 testrange1_size = 9
 testrange1_base_rid = 1
-testrange1_secondary_base_rid=20
+testrange1_secondary_base_rid = 20
 
 testrange2 = u'testrange2'
 testrange2_base_

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-27 Thread Tomas Babej

On 05/26/2013 08:56 PM, Alexander Bokovoy wrote:

On Fri, 24 May 2013, Tomas Babej wrote:

On 05/20/2013 04:29 PM, Alexander Bokovoy wrote:

On Mon, 20 May 2013, Tomas Babej wrote:

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in 
functionality.


--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to LDAP 
using ldapmodify since we need to create a mock AD trusted range 
first.


Tomas


We got rid of openldap utilities now. While using python.ldap module, 
I also made the tests much more robust and added a new test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and 
XML-RPC in general.

"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.


Fixed, thanks for catching that.

Updated patch attached.

Tomas
From 3ef84ba0c664a43b7ae19ce22ac9d4e61e23a929 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py  |  17 +++-
 tests/test_xmlrpc/test_range_plugin.py | 142 ++---
 2 files changed, 148 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
 return dn
 
 class idrange_find(LDAPSearch):
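Review bot: The new guard in pre_callback is only as strong as the trust_find lookup: deletion is refused only when result['count'] > 0, so a search that returns nothing for any other reason (for example a caller who cannot see the trust entries) lets the range of a live trust be deleted. Consider documenting that assumption next to the "Check whether the range does not belong to the active trust" comment, or making the check independent of what the caller is allowed to read.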
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index be8eac593a04c52aaaff61f980cfd5fd0899fabd..7018f63e96a7659b822787874ec786b18e629d50 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -27,61 +27,165 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 from tests.test_xmlrpc import objectclasses
 from ipapython.dn import *
 
+import ldap, ldap.sasl, ldap.modlist
+
 testrange1 = u'testrange1'
 testrange1_base_id = 90
 testrange1_size = 9
 testrange1_base_rid = 1
-testrange1_secondary_base_rid=20
+testrange1_secondary_base_rid = 20
 
 testrange2 = u'testrange2'
 testrange2_base_id = 100
 testrange2_size = 50
 testrange2_base_rid = 100
-testrange2_secondary_base_rid=1000
+testrange2_secondary_base_rid = 1000
 
 testrange3 = u'testrange3'
 testrange3_base_id = 200
 testrange3_size = 50
 testrange3_base_rid = 70
-testrange3_secondary_base_rid=1100
+test

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-26 Thread Alexander Bokovoy

On Fri, 24 May 2013, Tomas Babej wrote:

On 05/20/2013 04:29 PM, Alexander Bokovoy wrote:

On Mon, 20 May 2013, Tomas Babej wrote:

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in functionality.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to 
LDAP using ldapmodify since we need to create a mock AD trusted 
range first.


Tomas


We got rid of openldap utilities now. While using python.ldap module, 
I also made the tests much more robust and added a new test case.

In general patches look fine, there is one small nitpick.
I'll run tests on Monday and then will provide final ACK.


--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC 
in general.
"""

from ipalib import api, errors, _
+from ipapython.ipautil import run

This import is unused, can be removed.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-24 Thread Tomas Babej

On 05/20/2013 04:29 PM, Alexander Bokovoy wrote:

On Mon, 20 May 2013, Tomas Babej wrote:

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in functionality.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to LDAP 
using ldapmodify since we need to create a mock AD trusted range first.


Tomas


We got rid of openldap utilities now. While using python.ldap module, I 
also made the tests much more robust and added a new test case.


Tomas
From 594045ac7ccd464d2324f4f04db71586edeaea5c Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py  |  17 +++-
 tests/test_xmlrpc/test_range_plugin.py | 143 ++---
 2 files changed, 149 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
 return dn
 
 class idrange_find(LDAPSearch):
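Review bot: in the new trust check, `if range_sid is not None:` followed by `range_sid[0]` raises IndexError if the attribute comes back as an empty list. `if range_sid:` covers both the missing and the empty case, in the same spirit as the `[0]` defaults used for `ipabaseid` and `ipaidrangesize` just above.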
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index be8eac593a04c52aaaff61f980cfd5fd0899fabd..4084ca8410dd93a7a4c509d96a6a284cc03e10e7 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general.
 """
 
 from ipalib import api, errors, _
+from ipapython.ipautil import run
 from tests.util import assert_equal, Fuzzy
 from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 from tests.test_xmlrpc import objectclasses
 from ipapython.dn import *
 
+import ldap, ldap.sasl, ldap.modlist
+
 testrange1 = u'testrange1'
 testrange1_base_id = 90
 testrange1_size = 9
 testrange1_base_rid = 1
-testrange1_secondary_base_rid=20
+testrange1_secondary_base_rid = 20
 
 testrange2 = u'testrange2'
 testrange2_base_id = 100
 testrange2_size = 50
 testrange2_base_rid = 100
-testrange2_secondary_base_rid=1000
+testrange2_secondary_base_rid = 1000
 
 testrange3 = u'testrange3'
 testrange3_base_id = 200
 testrange3_size = 50
 testrange3_base_rid = 70
-testrange3_secondary_base_rid=1100
+testrange3_secondary_base_rid = 1100
 
 testrange4 = u'testrange4'
 testrange4_base_id = 300
 testrange4_size = 50
 testrange4_base_rid = 200
-testrange4_secondary_base_rid=1030
+testrange4_secondary_base_rid = 1030
 
 testrange5 = u'testrange5'
 testrange5_base_id = 400
 testrange5_size = 50
 testrange5_base_rid = 1020
-testrange5_secondary_base_rid=1200
+testrange5_secondary_b
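Review bot: `from ipapython.ipautil import run` is still added at the top of this hunk, next to the new `import ldap, ldap.sasl, ldap.modlist`. With the cover note saying the openldap utilities are no longer used, the `run` import looks like a leftover from the previous revision; drop it unless something further down in the file still calls it.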

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-20 Thread Alexander Bokovoy

On Mon, 20 May 2013, Tomas Babej wrote:

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in functionality.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to LDAP 
using ldapmodify since we need to create a mock AD trusted range 
first.


Tomas



From 57e98d6dc950d611e96e1ec2e264649a3d682c83 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
ipalib/plugins/idrange.py  | 17 ++-
tests/test_xmlrpc/test_range_plugin.py | 86 ++
tests/test_xmlrpc/xmlrpc_test.py   |  5 ++
3 files changed, 97 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 
54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3
 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):

def pre_callback(self, ldap, dn, *keys, **options):
try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 
'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
except errors.NotFound:
self.obj.handle_not_found(*keys)

+# Check whether we leave any object with id in deleted range
old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
self.obj.check_ids_in_modified_range(
old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
return dn

class idrange_find(LDAPSearch):
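Review bot: the `ValidationError` raised at the end of the new block says only "ID range of an active trust cannot be deleted." and gives the administrator no hint which trust is involved. The `trust_find` result is already in hand at that point, so the message could name the matching trust, or at least the SID held in `range_sid`, which makes the refusal actionable.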
diff --git a/tests/test_xmlrpc/test_range_plugin.py 
b/tests/test_xmlrpc/test_range_plugin.py
index 
be8eac593a04c52aaaff61f980cfd5fd0899fabd..1f03d3fc570dbe978fd31569896857db9a972bfa
 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,6 +22,7 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in 
general.
"""

from ipalib import api, errors, _
+from ipapython.ipautil import run
from tests.util import assert_equal, Fuzzy
from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
from tests.test_xmlrpc import objectclasses
@@ -31,57 +32,113 @@ testrange1 = u'testrange1'
testrange1_base_id = 90
testrange1_size = 9
testrange1_base_rid = 1
-testrange1_secondary_base_rid=20
+testrange1_secondary_base_rid = 20

testrange2 = u'testrange2'
testrange2_base_id = 100
testrange2_size = 50
testrange2_base_rid = 100
-testrange2_secondary_base_rid=1000
+testrange2_secondary_base_rid = 1000

testrange3 = u'testrange3'
testrange3_base_id = 200
testrange3_size = 50
testrange3_base_rid = 70
-testrange3_secondary_base_rid=1100
+testrange3_secondary_base_rid = 1100

testrange4 = u'testrange4'
testrange4_base_id = 300
testrange4_size = 50
testrange4_base_rid = 200
-testrange4_secondary_base_rid=1030
+testrange4_secondary_base_rid = 1030

testrange5 = u'testrange5'
testrange5_base_id = 400
testrange5_size = 50
testrange5_base_rid = 1020
-testrange5_secondary_base_rid=1200
+testrange5_secondary_base_rid = 1200

testrange6 = u'testrange6'
testrange6_base_id = 130
testrange6_size = 50
testrange6_base_rid = 500
-testrange6_secondary_base_rid=1300
+testrange6_secondary_base_rid = 1300

testrange7 = u'testrange7'
testrange7_base_id 

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-20 Thread Tomas Babej

On 05/16/2013 11:16 AM, Ana Krivokapic wrote:

On 05/15/2013 03:41 PM, Tomas Babej wrote:

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas




I suggest adding some unit tests to cover this change in functionality.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.




I incorporated the unit tests. It had to use direct access to LDAP using 
ldapmodify since we need to create a mock AD trusted range first.


Tomas
From 57e98d6dc950d611e96e1ec2e264649a3d682c83 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

Unit tests to cover the functionality have been added.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py  | 17 ++-
 tests/test_xmlrpc/test_range_plugin.py | 86 ++
 tests/test_xmlrpc/xmlrpc_test.py   |  5 ++
 3 files changed, 97 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
 return dn
 
 class idrange_find(LDAPSearch):
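Review bot: the new comment `# Check whether the range does not belong to the active trust` is hard to parse and says "the" trust although the `trust_find` lookup below it is not tied to one particular trust. Something like "Refuse deletion if the range belongs to an active trust" states the rule directly; the comment added above it would likewise read better as "Check that no object is left with an ID in the deleted range".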
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index be8eac593a04c52aaaff61f980cfd5fd0899fabd..1f03d3fc570dbe978fd31569896857db9a972bfa 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -22,6 +22,7 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general.
 """
 
 from ipalib import api, errors, _
+from ipapython.ipautil import run
 from tests.util import assert_equal, Fuzzy
 from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
 from tests.test_xmlrpc import objectclasses
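Review bot: the added `from ipapython.ipautil import run` means the new test shells out, which per the cover note is to `ldapmodify`. That ties the test suite to the OpenLDAP client tools being installed on the test machine; creating the mock trusted range through an LDAP binding from Python removes the external dependency and lets a failure surface as an exception in the test itself.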
@@ -31,57 +32,113 @@ testrange1 = u'testrange1'
 testrange1_base_id = 90
 testrange1_size = 9
 testrange1_base_rid = 1
-testrange1_secondary_base_rid=20
+testrange1_secondary_base_rid = 20
 
 testrange2 = u'testrange2'
 testrange2_base_id = 100
 testrange2_size = 50
 testrange2_base_rid = 100
-testrange2_secondary_base_rid=1000
+testrange2_secondary_base_rid = 1000
 
 testrange3 = u'testrange3'
 testrange3_base_id = 200
 testrange3_size = 50
 testrange3_base_rid = 70
-testrange3_secondary_base_rid=1100
+testrange3_secondary_base_rid = 1100
 
 testrange4 = u'testrange4'
 testrange4_base_id = 300
 testrange4_size = 50
 testrange4_base_rid = 200
-testrange4_secondary_base_rid=1030
+testrange4_secondary_base_rid = 1030
 
 testrange5 = u'testrange5'
 testrange5_base_id = 400
 testrange5_size = 50
 testrange5_base_rid = 1020
-testrange5_secondary_base_rid=1200
+testrange5_secondary_base_rid = 1200
 
 testrange6 = u'testrange6'
 testrange6_base_id = 130
 testrange6_size = 50
 testrange6_base_rid = 500
-testrange6_secondary_base_rid=1300
+testrange6_secondary_base_rid = 1300
 
 testrange7 = u'testrange7'
 testrange7_base_i
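Review bot: every changed line visible in this hunk is a whitespace fix on a `testrangeN_secondary_base_rid` constant (`=20` to ` = 20` and so on), mixed into a patch that changes behaviour. Moving the reformatting into its own commit keeps the functional diff small and easier to review and backport.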

Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-16 Thread Ana Krivokapic
On 05/15/2013 03:41 PM, Tomas Babej wrote:
> Hi,
>
> When removing an ID range using idrange-del command, validation
> in pre_callback ensures that the range does not belong to any
> active trust. In such case, ValidationError is raised.
>
> https://fedorahosted.org/freeipa/ticket/3615
>
> Tomas
>
>

I suggest adding some unit tests to cover this change in functionality.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.


[Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

2013-05-15 Thread Tomas Babej

Hi,

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas
From 72a55d498602b5c6cc912eb9585dc860b7fee591 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 May 2013 15:37:15 +0200
Subject: [PATCH] Do not allow removal of ID range of an active trust

When removing an ID range using idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615
---
 ipalib/plugins/idrange.py | 17 -
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
 
 def pre_callback(self, ldap, dn, *keys, **options):
 try:
-(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
+(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
+  'ipaidrangesize',
+  'ipanttrusteddomainsid'])
 except errors.NotFound:
 self.obj.handle_not_found(*keys)
 
+# Check whether we leave any object with id in deleted range
 old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
 old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
 self.obj.check_ids_in_modified_range(
 old_base_id, old_range_size, 0, 0)
+
+# Check whether the range does not belong to the active trust
+range_sid = old_attrs.get('ipanttrusteddomainsid')
+
+if range_sid is not None:
+range_sid = range_sid[0]
+result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
+
+if result['count'] > 0:
+raise errors.ValidationError(name='ID Range constraint',
+error=_("ID range of an active trust cannot be deleted."))
+
 return dn
 
 class idrange_find(LDAPSearch):
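Review bot: the new branch in `pre_callback` arrives without a test; the diffstat lists only `ipalib/plugins/idrange.py`. Two cases are worth pinning down: a range whose `ipanttrusteddomainsid` matches an existing trust must fail `idrange-del` with the ValidationError, and a range carrying a SID for which `trust_find` returns nothing must still be deletable.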
-- 
1.8.1.4
