[Freeipa-devel] [PATCH] 374 Fixed vault container ownership.

Mon Aug 10 19:45:18 UTC 2015

The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.

https://fedorahosted.org/freeipa/ticket/5194

-- 
Endi S. Dewata
-------------- next part --------------
From 35c2e903c1208591a3cabfd715cf297cb9de506d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Mon, 10 Aug 2015 20:57:58 +0200
Subject: [PATCH] Fixed vault container ownership.

The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.

https://fedorahosted.org/freeipa/ticket/5194
---
 ipalib/plugins/vault.py | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 427b1ea1588af2fb09a99181b8773abdf8099b8d..be1560181322d8323ab6d8f169e106a404aa0617 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -924,12 +924,33 @@ class vault2_add_internal(LDAPCreate):
         else:
             owner_dn = self.api.Object.user.get_dn(name)
 
+        parent_dn = DN(*dn[1:])
+
+        container_dn = DN(self.api.Object.vault.container_dn,
+                          self.api.env.basedn)
+
+        services_dn = DN(('cn', 'services'), container_dn)
+        users_dn = DN(('cn', 'users'), container_dn)
+
+        if dn.endswith(services_dn):
+            # service container should be owned by the service
+            service = parent_dn[0]['cn']
+            parent_owner_dn = self.api.Object.service.get_dn(service)
+
+        elif dn.endswith(users_dn):
+            # user container should be owned by the user
+            user = parent_dn[0]['cn']
+            parent_owner_dn = self.api.Object.user.get_dn(user)
+
+        else:
+            parent_owner_dn = owner_dn
+
         try:
-            parent_dn = DN(*dn[1:])
-            self.obj.create_container(parent_dn, owner_dn)
+            self.obj.create_container(parent_dn, parent_owner_dn)
         except errors.DuplicateEntry, e:
             pass
 
+        # vault should be owned by the creator
         entry_attrs['owner'] = owner_dn
 
         return dn
-- 
2.4.3

