[Freeipa-devel] [PATCH] 0039 Prohibit deletion of included profiles

Fraser Tweedale ftweedal at redhat.com
Thu Aug 13 06:36:01 UTC 2015


The attached patch fixes
https://fedorahosted.org/freeipa/ticket/5198

Thanks,
Fraser
-------------- next part --------------
From 0dd316bf0cbab7b6701bd69f142e82b30bee25b8 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal at redhat.com>
Date: Thu, 13 Aug 2015 02:32:54 -0400
Subject: [PATCH] Prohibit deletion of included profiles

Deletion of included profiles, including the default profile, should
not be allowed.  Detect this case and raise an error.

Also update the included profiles collection to use namedtuple,
making it easier to access the various components.

Fixes: https://fedorahosted.org/freeipa/ticket/5198
---
 ipalib/plugins/certprofile.py | 13 +++++++++++--
 ipapython/dogtag.py           |  8 +++++---
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 1dd4f403ee4461b83c053eb36019a8896506bb81..03bdd28728dc864adcd7305ddbff34a23405e78f 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -3,6 +3,7 @@
 #
 
 import re
+from operator import attrgetter
 
 from ipalib import api, Bool, File, Str
 from ipalib import output, util
@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
 from ipalib.request import context
 from ipalib import ngettext
 from ipalib.text import _
+from ipapython.dogtag import INCLUDED_PROFILES
 from ipapython.version import API_VERSION
 
 from ipalib import errors
@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
     __doc__ = _("Delete a Certificate Profile.")
     msg_summary = _('Deleted profile "%(value)s"')
 
-    def execute(self, *args, **kwargs):
+    def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
-        return super(certprofile_del, self).execute(*args, **kwargs)
+
+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
+            raise errors.ValidationError(name='profile_id',
+                error=_("Included profile '%(profile_id)s' cannot be deleted")
+                    % {'profile_id': keys[0]}
+            )
+
+        return dn
 
     def post_callback(self, ldap, dn, *keys, **options):
         with self.api.Backend.ra_certprofile as profile_api:
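Review bot: The new guard in `pre_callback` compares `keys[0]` to each `profile_id` by exact string equality, so it only refuses the request when the caller spells the id in the same case as the constant. If the directory matches the profile's naming attribute case-insensitively (not visible in this hunk, so worth confirming), a differently-cased id would pass the check while `dn` still resolves to the included profile's entry. Consider normalising both sides, e.g. `if keys[0].lower() in {p.profile_id.lower() for p in INCLUDED_PROFILES}:`, and adding a test that a case variant of an included id is rejected. `post_callback` continues past the end of the hunk, so whether it would then fail cleanly on the CA side cannot be judged from here.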
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 99bdf066d64d626af05d93953117909c5fbfb693..fc4154719e31eb32e28587ea89fb04ead14d282e 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,6 +17,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import collections
 import os
 import httplib
 import xml.dom.minidom
@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *
 # the configured version.
 
 
+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
+
 INCLUDED_PROFILES = {
-    # ( profile_id    ,         description      ,      store_issued)
-    (u'caIPAserviceCert', u'Standard profile for network services', True),
-    (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
+    Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
+    Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
     }
 
 DEFAULT_PROFILE = u'caIPAserviceCert'
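Review bot: Nothing here ties `DEFAULT_PROFILE` to `INCLUDED_PROFILES`, yet the commit message relies on the default profile being protected by the new deletion guard, which only consults `INCLUDED_PROFILES`. A comment above `DEFAULT_PROFILE` would record the dependency, for example `# Must remain a member of INCLUDED_PROFILES; certprofile-del relies on that to refuse deleting it.` Since the collection now feeds an authorisation-style check, declaring it as `frozenset({...})` would also stop other importers from mutating it at runtime.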
-- 
2.4.3


