Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/30/2013 04:35 PM, Tomas Babej wrote: > On 05/29/2013 12:25 PM, Martin Kosek wrote: >> On 05/28/2013 03:48 PM, Alexander Bokovoy wrote: >>> On Tue, 28 May 2013, Tomas Babej wrote: On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: > On Mon, 27 May 2013, Tomas Babej wrote: > We got rid of openldap utilities now. While using python.ldap module, > I > also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. > --- a/tests/test_xmlrpc/test_range_plugin.py > +++ b/tests/test_xmlrpc/test_range_plugin.py 
> @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and > XML-RPC in general. > """ > > from ipalib import api, errors, _ > +from ipapython.ipautil import run This import is unused, can be removed. >>> Fixed, thanks for catching that. >>> >>> Updated patch attached. > So I tried to run this test on a machine where there is already trust > established and I think there should be done some changes. I perused the log. Seems that the failures you're experiencing are not relevant to the patch itself, since the newly added tests passed. This is problem with test_range_plugin.py tests that has been there for quite a while, the parameters of the ranges such as size, and base ID/RID/secondary RID are hardcoded in the test case. >>> Yep. >>> >>> > Probably it would be wise to add pre-start procedure to pull existing > ranges and define constants for the ranges so that they don't overlap > with existing ones. Perhaps selecting something from a top of the range > space... > > Attached is the log I agree. This has not been relevant until now, since we did not do much testing on IPA instances with trusts set up, and even then there's random factor in having the overlap with the already created trust range. I'd propose fixing this in a separate effort as a part of continuous integration improvements. I see it as a separate issue of its own. What do you think? >>> Please file a separate ticket then. >>> >>> ACK for this one. >>> >> May-be-NACK. >> >> Would it make sense to replace the error with DependentEntry error? We use in >> cases like this elsewhere and I think it makes more sense in this case too. >> >> Martin > > Sure, I changed the error class in idrange.py and tests accordingly. > > I ran the unit tests again to verify the changes. > > Here is the updated patch. > > Tomas ACK. Pushed to master, ipa-3-2. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/29/2013 12:25 PM, Martin Kosek wrote: On 05/28/2013 03:48 PM, Alexander Bokovoy wrote: On Tue, 28 May 2013, Tomas Babej wrote: On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: On Mon, 27 May 2013, Tomas Babej wrote: We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py 
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. So I tried to run this test on a machine where there is already trust established and I think there should be done some changes. I perused the log. Seems that the failures you're experiencing are not relevant to the patch itself, since the newly added tests passed. This is problem with test_range_plugin.py tests that has been there for quite a while, the parameters of the ranges such as size, and base ID/RID/secondary RID are hardcoded in the test case. Yep. Probably it would be wise to add pre-start procedure to pull existing ranges and define constants for the ranges so that they don't overlap with existing ones. Perhaps selecting something from a top of the range space... Attached is the log I agree. This has not been relevant until now, since we did not do much testing on IPA instances with trusts set up, and even then there's random factor in having the overlap with the already created trust range. I'd propose fixing this in a separate effort as a part of continuous integration improvements. I see it as a separate issue of its own. What do you think? Please file a separate ticket then. ACK for this one. May-be-NACK. Would it make sense to replace the error with DependentEntry error? We use in cases like this elsewhere and I think it makes more sense in this case too. Martin Sure, I changed the error class in idrange.py and tests accordingly. I ran the unit tests again to verify the changes. Here is the updated patch. Tomas From c0bcbc1b91c2a9d964d458054210477459f30a7b Mon Sep 17 00:00:00 2001
From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 19 - tests/test_xmlrpc/test_range_plugin.py | 144 ++--- 2 files changed, 152 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..d548794428fbbc7981112d6c441c980fd9e06157 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -434,14 +434,31 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.DependentEntry( +label='Active Trust', +key=keys[0], +dependent=result['result'][0]['cn'][0]) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..ce70433112b3216304356b520026d79be66543cf 100644 
--- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -27,61 +27,166 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclas
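Review bot: the commit message still states that ValidationError is raised, but the idrange.py hunk in this revision raises errors.DependentEntry(label='Active Trust', ...); update the message so the log matches the code. In the same hunk, "if range_sid is not None:" followed by "range_sid[0]" assumes the value list is never empty; "if range_sid:" would cover that case as well.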
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/28/2013 03:48 PM, Alexander Bokovoy wrote: > On Tue, 28 May 2013, Tomas Babej wrote: >> On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: >>> On Mon, 27 May 2013, Tomas Babej wrote: >>> We got rid of openldap utilities now. While using python.ldap module, I >>> also made the tests much more robust and added a new test case. >> In general patches look fine, there is one small nitpick. >> I'll run tests on Monday and then will provide final ACK. >> >>> --- a/tests/test_xmlrpc/test_range_plugin.py >>> +++ b/tests/test_xmlrpc/test_range_plugin.py 
>>> @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and >>> XML-RPC in general. >>> """ >>> >>> from ipalib import api, errors, _ >>> +from ipapython.ipautil import run >> This import is unused, can be removed. >> > Fixed, thanks for catching that. > > Updated patch attached. >>> So I tried to run this test on a machine where there is already trust >>> established and I think there should be done some changes. >> >> I perused the log. Seems that the failures you're experiencing are not >> relevant to the patch itself, >> since the newly added tests passed. >> >> This is problem with test_range_plugin.py tests that has been there for quite >> a while, the parameters >> of the ranges such as size, and base ID/RID/secondary RID are hardcoded in >> the test case. > Yep. > > >>> Probably it would be wise to add pre-start procedure to pull existing >>> ranges and define constants for the ranges so that they don't overlap >>> with existing ones. Perhaps selecting something from a top of the range >>> space... >>> >>> Attached is the log >> >> I agree. This has not been relevant until now, since we did not do much >> testing on IPA instances >> with trusts set up, and even then there's random factor in having the overlap >> with the already created >> trust range. >> >> I'd propose fixing this in a separate effort as a part of continuous >> integration improvements. I see it >> as a separate issue of its own. >> >> What do you think? > Please file a separate ticket then. > > ACK for this one. > May-be-NACK. Would it make sense to replace the error with DependentEntry error? We use in cases like this elsewhere and I think it makes more sense in this case too. Martin
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/28/2013 03:48 PM, Alexander Bokovoy wrote: On Tue, 28 May 2013, Tomas Babej wrote: On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: On Mon, 27 May 2013, Tomas Babej wrote: We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py 
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. So I tried to run this test on a machine where there is already trust established and I think there should be done some changes. I perused the log. Seems that the failures you're experiencing are not relevant to the patch itself, since the newly added tests passed. This is problem with test_range_plugin.py tests that has been there for quite a while, the parameters of the ranges such as size, and base ID/RID/secondary RID are hardcoded in the test case. Yep. Probably it would be wise to add pre-start procedure to pull existing ranges and define constants for the ranges so that they don't overlap with existing ones. Perhaps selecting something from a top of the range space... Attached is the log I agree. This has not been relevant until now, since we did not do much testing on IPA instances with trusts set up, and even then there's random factor in having the overlap with the already created trust range. I'd propose fixing this in a separate effort as a part of continuous integration improvements. I see it as a separate issue of its own. What do you think? Please file a separate ticket then. ACK for this one. For the record: https://fedorahosted.org/freeipa/ticket/3662 Tomas
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On Tue, 28 May 2013, Tomas Babej wrote: On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: On Mon, 27 May 2013, Tomas Babej wrote: We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. So I tried to run this test on a machine where there is already trust established and I think there should be done some changes. I perused the log. Seems that the failures you're experiencing are not relevant to the patch itself, since the newly added tests passed. This is problem with test_range_plugin.py tests that has been there for quite a while, the parameters of the ranges such as size, and base ID/RID/secondary RID are hardcoded in the test case. Yep. Probably it would be wise to add pre-start procedure to pull existing ranges and define constants for the ranges so that they don't overlap with existing ones. Perhaps selecting something from a top of the range space... Attached is the log I agree. This has not been relevant until now, since we did not do much testing on IPA instances with trusts set up, and even then there's random factor in having the overlap with the already created trust range. I'd propose fixing this in a separate effort as a part of continuous integration improvements. I see it as a separate issue of its own. What do you think? Please file a separate ticket then. ACK for this one. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/28/2013 02:35 PM, Alexander Bokovoy wrote: On Mon, 27 May 2013, Tomas Babej wrote: We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. So I tried to run this test on a machine where there is already trust established and I think there should be done some changes. I perused the log. Seems that the failures you're experiencing are not relevant to the patch itself, since the newly added tests passed. This is problem with test_range_plugin.py tests that has been there for quite a while, the parameters of the ranges such as size, and base ID/RID/secondary RID are hardcoded in the test case. Probably it would be wise to add pre-start procedure to pull existing ranges and define constants for the ranges so that they don't overlap with existing ones. Perhaps selecting something from a top of the range space... Attached is the log I agree. This has not been relevant until now, since we did not do much testing on IPA instances with trusts set up, and even then there's random factor in having the overlap with the already created trust range. I'd propose fixing this in a separate effort as a part of continuous integration improvements. I see it as a separate issue of its own. What do you think? Tomas
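The pre-start procedure proposed in this thread (pull the existing ranges, then pick test constants from the top of the range space so they cannot overlap) is illustrated below as an added example; it is not code from the FreeIPA tree or from anyone in the thread. The `IDRange` tuple, the function names, the ceilings and the sample ranges are constructed assumptions, and all RID intervals are treated as one shared space, which is a deliberately conservative simplification.

```python
from collections import namedtuple

# Field names mirror the test constants quoted in this thread
# (testrange1_base_id, testrange1_size, testrange1_base_rid, ...).
IDRange = namedtuple("IDRange", "name base_id size base_rid secondary_base_rid")

# Constructed sample of what a server with one trust might already hold.
# Assumption: a real pre-start step would fill this list from the server's
# existing ranges once, before the test constants are defined.
EXISTING = [
    IDRange("EXAMPLE.TEST_id_range", 900, 100, 1000, 1900),
    IDRange("AD.EXAMPLE.TEST_id_range", 700, 100, 0, None),
]


def overlaps(start_a, size_a, start_b, size_b):
    """True when half-open intervals [start, start + size) share a value."""
    return start_a < start_b + size_b and start_b < start_a + size_a


def intervals(rng):
    """Return (id_intervals, rid_intervals) occupied by one range."""
    rids = [(rid, rng.size)
            for rid in (rng.base_rid, rng.secondary_base_rid)
            if rid is not None]
    return [(rng.base_id, rng.size)], rids


def collisions(candidate, existing):
    """Names of existing ranges whose ID or RID intervals hit the candidate."""
    cand_ids, cand_rids = intervals(candidate)
    hit = []
    for rng in existing:
        ids, rids = intervals(rng)
        id_hit = any(overlaps(a, n, b, m) for a, n in cand_ids for b, m in ids)
        rid_hit = any(overlaps(a, n, b, m) for a, n in cand_rids for b, m in rids)
        if id_hit or rid_hit:
            hit.append(rng.name)
    return hit


def highest_free(size, taken, ceiling):
    """Highest start with [start, start + size) below ceiling and unoccupied."""
    start = ceiling - size
    while start >= 0:
        blocking = [s for s, n in taken if overlaps(start, size, s, n)]
        if not blocking:
            return start
        # Any start between min(blocking) - size and the current one would
        # still overlap that lowest blocker, so jump straight below it.
        start = min(blocking) - size
    raise ValueError("no free interval of size %d below %d" % (size, ceiling))


def plan_test_ranges(existing, wanted, id_ceiling, rid_ceiling):
    """Allocate non-overlapping test ranges from the top of each space."""
    taken_ids, taken_rids = [], []
    for rng in existing:
        ids, rids = intervals(rng)
        taken_ids += ids
        taken_rids += rids
    planned = []
    for name, size in wanted:
        base_id = highest_free(size, taken_ids, id_ceiling)
        taken_ids.append((base_id, size))
        base_rid = highest_free(size, taken_rids, rid_ceiling)
        taken_rids.append((base_rid, size))
        secondary = highest_free(size, taken_rids, rid_ceiling)
        taken_rids.append((secondary, size))
        planned.append(IDRange(name, base_id, size, base_rid, secondary))
    return planned


if __name__ == "__main__":
    # The hard-coded testrange1 values from the patch against the sample server.
    print(collisions(IDRange("testrange1", 90, 9, 1, 20), EXISTING))
    for rng in plan_test_ranges(EXISTING,
                                [("testrange1", 9), ("testrange2", 50)],
                                id_ceiling=1000, rid_ceiling=2000):
        print(rng, collisions(rng, EXISTING))
```

Each allocated interval is added to the occupied list before the next one is chosen, so the generated test ranges also stay clear of each other, which the deliberate-overlap test cases can then break on purpose.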
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On Mon, 27 May 2013, Tomas Babej wrote: We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py 
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. So I tried to run this test on a machine where there is already trust established and I think there should be done some changes. Probably it would be wise to add pre-start procedure to pull existing ranges and define constants for the ranges so that they don't overlap with existing ones. Perhaps selecting something from a top of the range space... Attached is the log. -- / Alexander Bokovoy test_range pre-cleanup[0]: ('idrange_del', [u'testrange1', u'testrange2', u'testrange3', u'testrange4', u'testrange5', u'testrange6', u'testrange7', u'testrange8'], {'continue': True}) ... ok test_range pre-cleanup[1]: ('user_del', [u'tuser1'], {}) ... ok test_range pre-cleanup[2]: ('group_del', [u'group1'], {}) ... ok test_range[0]: idrange_add: Create ID range u'testrange1' ... ERROR test_range[1]: idrange_show: Retrieve ID range u'testrange1' ... ERROR test_range[2]: user_add: Create user u'tuser1' in ID range u'testrange1' ... ok test_range[3]: group_add: Create group u'group1' in ID range u'testrange1' ... ok test_range[4]: idrange_mod: Try to modify ID range u'testrange1' to get out bounds object #1 ... FAIL test_range[5]: idrange_mod: Try to modify ID range u'testrange1' to get out bounds object #2 ... FAIL test_range[6]: idrange_mod: Try to modify ID range u'testrange1' to get out bounds object #3 ... FAIL test_range[7]: idrange_mod: Modify ID range u'testrange1' ... ERROR test_range[8]: idrange_del: Try to delete ID range u'testrange1' with active IDs inside it ... FAIL test_range[9]: user_del: Delete user u'tuser1' ... ok test_range[10]: group_del: Delete group u'group1' ... ok test_range[11]: idrange_del: Delete ID range u'testrange1' ... ERROR test_range[12]: idrange_add: Create ID range u'testrange2' ... 
ERROR test_range[13]: idrange_mod: Try to modify ID range u'testrange2' so that its rid ranges are overlapping themselves ... FAIL test_range[14]: idrange_add: Try to create ID range u'testrange3' with overlapping rid range ... FAIL test_range[15]: idrange_add: Try to create ID range u'testrange4' with overlapping secondary rid range ... FAIL test_range[16]: idrange_add: Try to create ID range u'testrange5' with primary range overlapping secondary rid range ... FAIL test_range[17]: idrange_add: Try to create ID range u'testrange6' with overlapping id range ... FAIL test_range[18]: idrange_add: Try to create ID range u'testrange7' with rid ranges overlapping themselves ... ok test_range[19]: idrange_del: Delete ID range u'testrange2' ... ERROR test_range[20]: idrange_add: Create ID range u'testrange8' ... ok test_range[21]: idrange_mod: Try to modify ID range u'testrange8' so it has only primary rid range set ... ok test_range[22]: idrange_del: Delete ID range u'testrange8' ... ok test_range[23]: idrange_del: Delete non-active AD trusted range u'testrange9' ... ok test_range[24]: idrange_del: Try to delete active AD trusted range u'testrange10' ... ok test_range post-cleanup[0]: ('idrange_del', [u'testrange1', u'testrange2', u'testrange3', u'testrange4', u'testrange5', u'testrange6', u'testrange7', u'testrange8'], {'continue': True}) ... ok test_range post-cleanup[1]: ('user_del', [u'tuser1'], {}) ... ok test_range post-cleanup[2]: ('group_del', [u'group1'], {}) ... 
ok == ERROR: test_range[0]: idrange_add: Create ID range u'testrange1' -- Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/nose/case.py", line 197, in runTest self.test(*self.arg) File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py", line 271, in func = lambda: self.check(nice, **test) File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py", line 289, in check self.check_output(nice, cmd, args, options, expected, extra_check) File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/tests/test_xmlrpc/xmlrpc_test.py", line 326, in check_output got = api.Command[cmd](*args, **options) File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/ipalib/frontend.py", line 436, in __call__ ret = self.run(*args, **options) File "/root/rpmbuild/BUILD/freeipa-3.2.99GIT1a3f0f1/ipalib/frontend.py", line 735, in run return self.forward(*args,
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/27/2013 10:03 AM, Tomas Babej wrote: On 05/26/2013 08:56 PM, Alexander Bokovoy wrote: On Fri, 24 May 2013, Tomas Babej wrote: On 05/20/2013 04:29 PM, Alexander Bokovoy wrote: On Mon, 20 May 2013, Tomas Babej wrote: On 05/16/2013 11:16 AM, Ana Krivokapic wrote: On 05/15/2013 03:41 PM, Tomas Babej wrote: Hi, When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. https://fedorahosted.org/freeipa/ticket/3615 Tomas I suggest adding some unit tests to cover this change in functionality. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first. Tomas We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. Tomas Additionally, I removed one redundant variable upon further review. Tomas From 94e11bbca4f98fb1f8c4aa011a7c3b18419f77bf Mon Sep 17 00:00:00 2001
From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 +++- tests/test_xmlrpc/test_range_plugin.py | 142 ++--- 2 files changed, 148 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..0f79a96dd01d96ccfffe27fa919ef2076334220a 100644 
--- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -27,61 +27,165 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclasses from ipapython.dn import * +import ldap, ldap.sasl, ldap.modlist + testrange1 = u'testrange1' testrange1_base_id = 90 testrange1_size = 9 testrange1_base_rid = 1 -testrange1_secondary_base_rid=20 +testrange1_secondary_base_rid = 20 testrange2 = u'testrange2' testrange2_base_
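Review bot: in the idrange.py hunk, the ValidationError raised when result['count'] > 0 does not say which trust is holding the range, so whoever hits the refusal has to look the trust up separately. The matching entry is already available in result['result'][0]; include its name in the error, or use an error type that carries the dependent entry.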
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/26/2013 08:56 PM, Alexander Bokovoy wrote: On Fri, 24 May 2013, Tomas Babej wrote: On 05/20/2013 04:29 PM, Alexander Bokovoy wrote: On Mon, 20 May 2013, Tomas Babej wrote: On 05/16/2013 11:16 AM, Ana Krivokapic wrote: On 05/15/2013 03:41 PM, Tomas Babej wrote: Hi, When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. https://fedorahosted.org/freeipa/ticket/3615 Tomas I suggest adding some unit tests to cover this change in functionality. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first. Tomas We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. Fixed, thanks for catching that. Updated patch attached. Tomas From 3ef84ba0c664a43b7ae19ce22ac9d4e61e23a929 Mon Sep 17 00:00:00 2001
From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 +++- tests/test_xmlrpc/test_range_plugin.py | 142 ++--- 2 files changed, 148 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..7018f63e96a7659b822787874ec786b18e629d50 100644 
--- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -27,61 +27,165 @@ from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclasses from ipapython.dn import * +import ldap, ldap.sasl, ldap.modlist + testrange1 = u'testrange1' testrange1_base_id = 90 testrange1_size = 9 testrange1_base_rid = 1 -testrange1_secondary_base_rid=20 +testrange1_secondary_base_rid = 20 testrange2 = u'testrange2' testrange2_base_id = 100 testrange2_size = 50 testrange2_base_rid = 100 -testrange2_secondary_base_rid=1000 +testrange2_secondary_base_rid = 1000 testrange3 = u'testrange3' testrange3_base_id = 200 testrange3_size = 50 testrange3_base_rid = 70 -testrange3_secondary_base_rid=1100 +test
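Review bot: the test_range_plugin.py hunk mixes whitespace-only changes ("testrange1_secondary_base_rid=20" to "testrange1_secondary_base_rid = 20" and the same for the other ranges) into a functional patch, which pads the diff and makes a backport noisier; move them to a separate cleanup commit. The constants themselves stay hard-coded (testrange1_base_id = 90, testrange2_base_id = 100, ...), so the tests can still collide with ranges that already exist on the server under test.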
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On Fri, 24 May 2013, Tomas Babej wrote: On 05/20/2013 04:29 PM, Alexander Bokovoy wrote: On Mon, 20 May 2013, Tomas Babej wrote: On 05/16/2013 11:16 AM, Ana Krivokapic wrote: On 05/15/2013 03:41 PM, Tomas Babej wrote: Hi, When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. https://fedorahosted.org/freeipa/ticket/3615 Tomas I suggest adding some unit tests to cover this change in functionality. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first. Tomas We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. In general patches look fine, there is one small nitpick. I'll run tests on Monday and then will provide final ACK. --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run This import is unused, can be removed. -- / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/20/2013 04:29 PM, Alexander Bokovoy wrote: On Mon, 20 May 2013, Tomas Babej wrote: On 05/16/2013 11:16 AM, Ana Krivokapic wrote: On 05/15/2013 03:41 PM, Tomas Babej wrote: Hi, When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. https://fedorahosted.org/freeipa/ticket/3615 Tomas I suggest adding some unit tests to cover this change in functionality. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first. Tomas We got rid of openldap utilities now. While using python.ldap module, I also made the tests much more robust and added a new test case. Tomas From 594045ac7ccd464d2324f4f04db71586edeaea5c Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 +++- tests/test_xmlrpc/test_range_plugin.py | 143 ++--- 2 files changed, 149 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..4084ca8410dd93a7a4c509d96a6a284cc03e10e7 100644 --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py 
@@ -22,66 +22,171 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run from tests.util import assert_equal, Fuzzy from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclasses from ipapython.dn import * +import ldap, ldap.sasl, ldap.modlist + testrange1 = u'testrange1' testrange1_base_id = 90 testrange1_size = 9 testrange1_base_rid = 1 -testrange1_secondary_base_rid=20 +testrange1_secondary_base_rid = 20 testrange2 = u'testrange2' testrange2_base_id = 100 testrange2_size = 50 testrange2_base_rid = 100 -testrange2_secondary_base_rid=1000 +testrange2_secondary_base_rid = 1000 testrange3 = u'testrange3' testrange3_base_id = 200 testrange3_size = 50 testrange3_base_rid = 70 -testrange3_secondary_base_rid=1100 +testrange3_secondary_base_rid = 1100 testrange4 = u'testrange4' testrange4_base_id = 300 testrange4_size = 50 testrange4_base_rid = 200 -testrange4_secondary_base_rid=1030 +testrange4_secondary_base_rid = 1030 testrange5 = u'testrange5' testrange5_base_id = 400 testrange5_size = 50 testrange5_base_rid = 1020 -testrange5_secondary_base_rid=1200 +testrange5_secondary_b
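Review bot: at the top of test_range_plugin.py this version still adds "from ipapython.ipautil import run" next to the new "import ldap, ldap.sasl, ldap.modlist"; with the ldapmodify call replaced by python-ldap, the run import looks like a leftover and should be dropped unless something further down in the file still calls it. The three ldap modules would also read better as one import per line.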
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On Mon, 20 May 2013, Tomas Babej wrote:
On 05/16/2013 11:16 AM, Ana Krivokapic wrote:
On 05/15/2013 03:41 PM, Tomas Babej wrote:
Hi,

When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas

I suggest adding some unit tests to cover this change in functionality.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first.

Tomas

From 57e98d6dc950d611e96e1ec2e264649a3d682c83 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 ++- tests/test_xmlrpc/test_range_plugin.py | 86 ++ tests/test_xmlrpc/xmlrpc_test.py | 5 ++ 3 files changed, 97 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py 
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..1f03d3fc570dbe978fd31569896857db9a972bfa 100644 --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,6 +22,7 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run from tests.util import assert_equal, Fuzzy from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclasses 
@@ -31,57 +32,113 @@ testrange1 = u'testrange1' testrange1_base_id = 90 testrange1_size = 9 testrange1_base_rid = 1 -testrange1_secondary_base_rid=20 +testrange1_secondary_base_rid = 20 testrange2 = u'testrange2' testrange2_base_id = 100 testrange2_size = 50 testrange2_base_rid = 100 -testrange2_secondary_base_rid=1000 +testrange2_secondary_base_rid = 1000 testrange3 = u'testrange3' testrange3_base_id = 200 testrange3_size = 50 testrange3_base_rid = 70 -testrange3_secondary_base_rid=1100 +testrange3_secondary_base_rid = 1100 testrange4 = u'testrange4' testrange4_base_id = 300 testrange4_size = 50 testrange4_base_rid = 200 -testrange4_secondary_base_rid=1030 +testrange4_secondary_base_rid = 1030 testrange5 = u'testrange5' testrange5_base_id = 400 testrange5_size = 50 testrange5_base_rid = 1020 -testrange5_secondary_base_rid=1200 +testrange5_secondary_base_rid = 1200 testrange6 = u'testrange6' testrange6_base_id = 130 testrange6_size = 50 testrange6_base_rid = 500 -testrange6_secondary_base_rid=1300 +testrange6_secondary_base_rid = 1300 testrange7 = u'testrange7' testrange7_base_id
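Review bot: the trust check in the idrange.py hunk lives only in idrange_del.pre_callback, so it guards the idrange-del command path and nothing below it; the range entry itself is still an ordinary LDAP object, and the tests in this same patch rely on direct LDAP writes to set up the mock AD range. The commit message should state that the protection is at the framework level only, so nobody reads it as a guarantee that a trust can never lose its range. If a stronger guarantee is wanted, it needs enforcing on the directory side as well.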
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/16/2013 11:16 AM, Ana Krivokapic wrote:
On 05/15/2013 03:41 PM, Tomas Babej wrote:
Hi,

When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas

I suggest adding some unit tests to cover this change in functionality.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

I incorporated the unit tests. It had to use direct access to LDAP using ldapmodify since we need to create a mock AD trusted range first.

Tomas

From 57e98d6dc950d611e96e1ec2e264649a3d682c83 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. Unit tests to cover the functionality has been added. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 ++- tests/test_xmlrpc/test_range_plugin.py | 86 ++ tests/test_xmlrpc/xmlrpc_test.py | 5 ++ 3 files changed, 97 insertions(+), 11 deletions(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py 
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py index be8eac593a04c52aaaff61f980cfd5fd0899fabd..1f03d3fc570dbe978fd31569896857db9a972bfa 100644 --- a/tests/test_xmlrpc/test_range_plugin.py +++ b/tests/test_xmlrpc/test_range_plugin.py @@ -22,6 +22,7 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general. """ from ipalib import api, errors, _ +from ipapython.ipautil import run from tests.util import assert_equal, Fuzzy from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid from tests.test_xmlrpc import objectclasses 
@@ -31,57 +32,113 @@ testrange1 = u'testrange1' testrange1_base_id = 90 testrange1_size = 9 testrange1_base_rid = 1 -testrange1_secondary_base_rid=20 +testrange1_secondary_base_rid = 20 testrange2 = u'testrange2' testrange2_base_id = 100 testrange2_size = 50 testrange2_base_rid = 100 -testrange2_secondary_base_rid=1000 +testrange2_secondary_base_rid = 1000 testrange3 = u'testrange3' testrange3_base_id = 200 testrange3_size = 50 testrange3_base_rid = 70 -testrange3_secondary_base_rid=1100 +testrange3_secondary_base_rid = 1100 testrange4 = u'testrange4' testrange4_base_id = 300 testrange4_size = 50 testrange4_base_rid = 200 -testrange4_secondary_base_rid=1030 +testrange4_secondary_base_rid = 1030 testrange5 = u'testrange5' testrange5_base_id = 400 testrange5_size = 50 testrange5_base_rid = 1020 -testrange5_secondary_base_rid=1200 +testrange5_secondary_base_rid = 1200 testrange6 = u'testrange6' testrange6_base_id = 130 testrange6_size = 50 testrange6_base_rid = 500 -testrange6_secondary_base_rid=1300 +testrange6_secondary_base_rid = 1300 testrange7 = u'testrange7' testrange7_base_i
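Review bot: in the @@ -31,57 +32,113 @@ hunk of test_range_plugin.py, every testrangeN_secondary_base_rid line changes only the spacing around "=", which pads a behaviour-changing patch with style churn and makes the new trusted-range test cases harder to pick out. Move the whitespace cleanup into its own commit, or leave those lines alone. Separately, the "from ipapython.ipautil import run" added in the @@ -22,6 +22,7 @@ hunk ties the test to an ldapmodify binary being present on the test host, per the cover text.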
Re: [Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
On 05/15/2013 03:41 PM, Tomas Babej wrote:
> Hi,
>
> When removing an ID range using idrange-del command, validation
> in pre_callback ensures that the range does not belong to any
> active trust. In such case, ValidationError is raised.
>
> https://fedorahosted.org/freeipa/ticket/3615
>
> Tomas

I suggest adding some unit tests to cover this change in functionality.

--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
[Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust
Hi,

When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised.

https://fedorahosted.org/freeipa/ticket/3615

Tomas

From 72a55d498602b5c6cc912eb9585dc860b7fee591 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 15 May 2013 15:37:15 +0200 Subject: [PATCH] Do not allow removal of ID range of an active trust When removing an ID range using idrange-del command, validation in pre_callback ensures that the range does not belong to any active trust. In such case, ValidationError is raised. https://fedorahosted.org/freeipa/ticket/3615 --- ipalib/plugins/idrange.py | 17 - 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py 
@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: -(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) +(old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) +# Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + +# Check whether the range does not belong to the active trust +range_sid = old_attrs.get('ipanttrusteddomainsid') + +if range_sid is not None: +range_sid = range_sid[0] +result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + +if result['count'] > 0: +raise errors.ValidationError(name='ID Range constraint', +error=_("ID range of an active trust cannot be deleted.")) + return dn class idrange_find(LDAPSearch): -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
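Review bot: the new guard at the end of idrange_del.pre_callback raises errors.ValidationError with name='ID Range constraint', but name= is meant to identify an offending parameter and here it carries a free-text label; nothing the caller passed is invalid, the delete is refused because a trust still depends on the range. A dependency-style error such as errors.DependentEntry describes that condition to clients more accurately. The message could also name the trust that trust_find just returned, so the admin sees what has to be removed first, and the comment reads better as "Check that the range does not belong to an active trust".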