[Freeipa-devel] [PATCHES 0024-0025] Improvements to idrange.py

Martin Kosek mkosek at redhat.com
Fri Feb 22 15:34:55 UTC 2013 

On 02/22/2013 03:01 PM, Tomas Babej wrote:
> On 02/21/2013 02:22 PM, Martin Kosek wrote:
>> On 02/20/2013 03:19 PM, Tomas Babej wrote:
>>> On Wed 20 Feb 2013 02:24:03 PM CET, Alexander Bokovoy wrote:
>>>> On Wed, 20 Feb 2013, Tomas Babej wrote:
>>>>> On 12/21/2012 12:15 PM, Tomas Babej wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Sending updated and rebased versions of patches 0024 and 0025.
>>>>>>
>>>>>> Tomas
>>>>>>
>>>>>>
>>>>> Sending rebased version, these got quite rotten.
>>>> Thanks for updating them.
>>>>
>>>>> @@ -504,25 +515,37 @@ class idrange_mod(LDAPUpdate):
>>>>>                              'not be found. Please specify the SID
>>>>> directly '
>>>>>                              'using dom-sid option.'))
>>>>>
>>>>> -        try:
>>>>> -            (old_dn, old_attrs) = ldap.get_entry(dn,
>>>>> -                                                ['ipabaseid',
>>>>> -                                                'ipaidrangesize',
>>>>> -                                                'ipabaserid',
>>>>> -                                                'ipasecondarybaserid'])
>>>>> -        except errors.NotFound:
>>>>> -            self.obj.handle_not_found(*keys)
>>>>> +        if in_updated_attrs('ipanttrusteddomainsid'):
>>>>> +            if in_updated_attrs('ipasecondarybaserid'):
>>>>> +                raise errors.ValidationError(name='ID Range setup',
>>>>> +                    error=_('Options dom_sid and secondary_rid_base
>>>>> cannot '
>>>>> +                            'be used together'))
>>>> Since we agreed to refer to options by their CLI name (--dom-sid and
>>>> --secondary-rid-base) in the other patch, it makes sense to use it
>>>> here too.
>>>>
>>>>
>>>>> -        if is_set('ipanttrusteddomainsid'):
>>>>> -            # Validate SID as the one of trusted domains
>>>>> -
>>>>> self.obj.validate_trusted_domain_sid(entry_attrs['ipanttrusteddomainsid'])
>>>>>
>>>>> +            if not in_updated_attrs('ipabaserid'):
>>>>> +                raise errors.ValidationError(name='ID Range setup',
>>>>> +                    error=_('Options dom_sid and rid_base must '
>>>>> +                            'be used together'))
>>>> Same here.
>>>>
>>>>> +            # secondary base rid must be set if and only if base rid
>>>>> is set
>>>>> +            if in_updated_attrs('ipasecondarybaserid') !=\
>>>>> +                in_updated_attrs('ipabaserid'):
>>>>> +                raise errors.ValidationError(name='ID Range setup',
>>>>> +                    error=_('Options secondary_rid_base and rid_base
>>>>> must '
>>>>> +                            'be used together'))
>>>> Same here.
>>>>
>>>>> +        dict(
>>>>> +            desc='Try to modify ID range %r so it has only primary
>>>>> rid range set' % (testrange8),
>>>>> +            command=('idrange_mod', [testrange8],
>>>>> +                      dict(ipabaserid=testrange8_base_rid)),
>>>>> +            expected=errors.ValidationError(
>>>>> +                name='ID Range setup', error='Options
>>>>> secondary_rid_base and rid_base must be used together'),
>>>>> +        ),
>>>> And synchronize error message here too.
>>>>
>>> Thanks!
>>>
>>> Sending the updated patch 0024.
>>>
>>> Tomas
>>>
>> In patch 0024 your intention is OK, but the checking functions are not:
>>
>>           is_set = lambda x: (x in entry_attrs) and (x is not None)
>> +        in_updated_attrs = lambda x: any((x in attrs and x is not None)
>> +                                         for attrs in (entry_attrs, old_attrs))
>>
>> They return True even when the attribute is None because they check if *x* is
>> None and not if *attrs[x]* is None. Example:
>>
>> # ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000
>> --secondary-rid-base=1000000 local_range
>> ----------------------------
>> Added ID range "local_range"
>> ----------------------------
>>    Range name: local_range
>>    First Posix ID of the range: 1200000
>>    Number of IDs in the range: 200000
>>    First RID of the corresponding RID range: 1000
>>    First RID of the secondary RID range: 1000000
>>    Range type: local domain range
>>
>> This command should be NOOP, but is not:
>>
>> # ipa idrange-mod local_range --dom-sid=
>> ipa: ERROR: invalid 'ID Range setup': Options dom-sid and secondary-rid-base
>> cannot be used together
>>
>> Martin
> Thanks for the catch, all checking functions fixed.
> 
> Sending the complete patchset, up to date.
> 
> Tomas

I think I am being a nitpicker now (sorry), but this condition also fails if
the old_attrs has a setting, but I am removing it in a current -mod command:

# ipa idrange-add --base-id=1200000 --range-size=200000 --rid-base=1000
--secondary-rid-base=1000000 local_range
----------------------------
Added ID range "local_range"
----------------------------
  Range name: local_range
  First Posix ID of the range: 1200000
  Number of IDs in the range: 200000
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1000000
  Range type: local domain range
# ipa idrange-mod local_range --dom-sid S-1-2 --secondary-rid-base=
ipa: ERROR: invalid 'ID Range setup': Options dom-sid and secondary-rid-base
cannot be used together

Martin

More information about the Freeipa-devel mailing list