[Freeipa-devel] [PATCH 0158] Extend ipa-range-check DS plugin to handle range types
Lukas Slebodnik
lslebodn at redhat.com
Sat Jul 12 18:22:58 UTC 2014
On (01/04/14 10:52), Tomas Babej wrote:
>
>On 04/01/2014 10:40 AM, Alexander Bokovoy wrote:
>> On Tue, 01 Apr 2014, Tomas Babej wrote:
>>> From 736b3f747188696fd4a46ca63d91a6cca942fd56 Mon Sep 17 00:00:00 2001
>>> From: Tomas Babej <tbabej at redhat.com>
>>> Date: Wed, 5 Mar 2014 12:28:18 +0100
>>> Subject: [PATCH] Extend ipa-range-check DS plugin to handle range types
>>>
>>> The ipa-range-check plugin used to determine the range type depending
>>> on the value of the attributes such as RID or secondary RID base. This
>>> approached caused variety of issues since the portfolio of ID range
>>> types expanded.
>>>
>>> The patch makes sure the following rules are implemented:
>>> * No ID range pair can overlap on base ranges, with exception
>>> of two ipa-ad-trust-posix ranges belonging to the same forest
>>> * For any ID range pair of ranges belonging to the same domain:
>>> * Both ID ranges must be of the same type
>>> * For ranges of ipa-ad-trust type or ipa-local type:
>>> * Primary RID ranges can not overlap
>>> * For ranges of ipa-local type:
>>> * Primary and secondary RID ranges can not overlap
>>> * Secondary RID ranges cannot overlap
>>>
>>> For the implementation part, the plugin was extended with a domain ID
>>> to forest root domain ID mapping derivation capabilities.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4137
>>>
>>> -static int slapi_entry_to_range_info(struct slapi_entry *entry,
>>> +struct domain_info {
>>> + char *domain_id;
>>> + char *forest_root_id;
>>> + struct domain_info *next;
>>> +};
>>> +
>>> +static void free_domain_info(struct domain_info *info) {
>>> + if (info != NULL) {
>>> + slapi_ch_free_string(&(info->domain_id));
>>> + slapi_ch_free_string(&(info->forest_root_id));
>>> + free_domain_info(info->next);
>>> + free(info);
>>> + }
>>> +}
>> Please, don't use recursion in the freeing part, there is really no
>> pressing need to do so. Just use while() like you do in
>> get_forest_root_id():
>>
>>> +/* Searches for the domain_info struct with the specified domain_id
>>> + * in the linked list. Returns the forest root domain's ID, or NULL for
>>> + * local ranges. */
>>> +
>>> +static char* get_forest_root_id(struct domain_info *head, char*
>>> domain_id) {
>>> +
>>> + /* For local ranges there is no forest root domain,
>>> + * so consider only ranges with domain_id set */
>>> + if (domain_id != NULL) {
>>> + while(head) {
>>> + if (strcasecmp(head->domain_id, domain_id) == 0) {
>>> + return head->forest_root_id;
>>> + }
>>> + head = head->next;
>>> + }
>>> + }
>>> +
>>> + return NULL;
>>> +}
>>> +
>>
>>
>
>Fixed, updated patch attached.
>
>--
>Tomas Babej
>Associate Software Engineer | Red Hat | Identity Management
>RHCE | Brno Site | IRC: tbabej | freeipa.org
>
>>From f98082d6cfd902417af94d7cd22d3cc85980a782 Mon Sep 17 00:00:00 2001
>From: Tomas Babej <tbabej at redhat.com>
>Date: Wed, 5 Mar 2014 12:28:18 +0100
>Subject: [PATCH] Extend ipa-range-check DS plugin to handle range types
>
>The ipa-range-check plugin used to determine the range type depending
>on the value of the attributes such as RID or secondary RID base. This
>approached caused variety of issues since the portfolio of ID range
>types expanded.
>
>The patch makes sure the following rules are implemented:
> * No ID range pair can overlap on base ranges, with exception
> of two ipa-ad-trust-posix ranges belonging to the same forest
> * For any ID range pair of ranges belonging to the same domain:
> * Both ID ranges must be of the same type
> * For ranges of ipa-ad-trust type or ipa-local type:
> * Primary RID ranges can not overlap
> * For ranges of ipa-local type:
> * Primary and secondary RID ranges can not overlap
> * Secondary RID ranges cannot overlap
>
>For the implementation part, the plugin was extended with a domain ID
>to forest root domain ID mapping derivation capabilities.
>
>https://fedorahosted.org/freeipa/ticket/4137
>---
//snip
>
>- no_overlap = ranges_overlap(new_range, old_range);
>+ ranges_valid = check_ranges(new_range, old_range);
> free_range_info(old_range);
> old_range = NULL;
>- if (no_overlap != 0) {
>+ if (ranges_valid != 0) {
> ret = LDAP_CONSTRAINT_VIOLATION;
>
>- switch (no_overlap){
>+ switch (ranges_valid){
> case 1:
> errmsg = "New base range overlaps with existing base range.";
> break;
>@@ -417,6 +627,8 @@ static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype)
> case 5:
> errmsg = "New secondary rid range overlaps with existing primary rid range.";
> break;
>+ case 6:
>+ errmsg = "New ID range has invalid type. All ranges in the same domain must be of the same type.";
> default:
There is a missing break. Ithink it is a problem, because you do not
want to fall through to the defaul and override errmsg.
Smple patch is attached.
LS
-------------- next part --------------
>From 2f9060c011e7dd719887d7935a809887e26ac1e5 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn at redhat.com>
Date: Sat, 12 Jul 2014 18:28:38 +0200
Subject: [PATCH 2/4] Add missing break
Wrong error message would be used for in case of
RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN. Missing break will cause fall through to
the default section.
---
daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
index d659dc7d8b510cb5719dc9ff1db2ef55e2d237c4..1fd543c185cda0a7b871875f1d4ba969a7bf910c 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
@@ -660,6 +660,7 @@ static int ipa_range_check_pre_op(Slapi_PBlock *pb, int modtype)
break;
case RANGE_CHECK_DIFFERENT_TYPE_IN_DOMAIN:
errmsg = "New ID range has invalid type. All ranges in the same domain must be of the same type.";
+ break;
default:
errmsg = "New range overlaps with existing one.";
break;
--
1.9.3
More information about the Freeipa-devel
mailing list