[Freeipa-devel] [PATCH] 0039 Prohibit deletion of included profiles

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 13 09:01:09 UTC 2015


On Thu, 13 Aug 2015, Fraser Tweedale wrote:
>On Thu, Aug 13, 2015 at 09:53:35AM +0300, Alexander Bokovoy wrote:
>> On Thu, 13 Aug 2015, Fraser Tweedale wrote:
>> >The attached patch fixes
>> >https://fedorahosted.org/freeipa/ticket/5198
>> >
>> >Thanks,
>> >Fraser
>>
>> >From 0dd316bf0cbab7b6701bd69f142e82b30bee25b8 Mon Sep 17 00:00:00 2001
>> >From: Fraser Tweedale <ftweedal at redhat.com>
>> >Date: Thu, 13 Aug 2015 02:32:54 -0400
>> >Subject: [PATCH] Prohibit deletion of included profiles
>> >
>> >Deletion of included profiles, including the default profile, should
>> >not be allowed.  Detect this case and raise an error.
>> >
>> >Also update the included profiles collection to use namedtuple,
>> >making it easier to access the various components.
>> >
>> >Fixes: https://fedorahosted.org/freeipa/ticket/5198
>> >---
>> >ipalib/plugins/certprofile.py | 13 +++++++++++--
>> >ipapython/dogtag.py           |  8 +++++---
>> >2 files changed, 16 insertions(+), 5 deletions(-)
>> >
>> >diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
>> >index 1dd4f403ee4461b83c053eb36019a8896506bb81..03bdd28728dc864adcd7305ddbff34a23405e78f 100644
>> >--- a/ipalib/plugins/certprofile.py
>> >+++ b/ipalib/plugins/certprofile.py
>> >@@ -3,6 +3,7 @@
>> >#
>> >
>> >import re
>> >+from operator import attrgetter
>> >
>> >from ipalib import api, Bool, File, Str
>> >from ipalib import output, util
>> >@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
>> >from ipalib.request import context
>> >from ipalib import ngettext
>> >from ipalib.text import _
>> >+from ipapython.dogtag import INCLUDED_PROFILES
>> >from ipapython.version import API_VERSION
>> >
>> >from ipalib import errors
>> >@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
>> >    __doc__ = _("Delete a Certificate Profile.")
>> >    msg_summary = _('Deleted profile "%(value)s"')
>> >
>> >-    def execute(self, *args, **kwargs):
>> >+    def pre_callback(self, ldap, dn, *keys, **options):
>> >        ca_enabled_check()
>> >-        return super(certprofile_del, self).execute(*args, **kwargs)
>> >+
>> >+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
>> >+            raise errors.ValidationError(name='profile_id',
>> >+                error=_("Included profile '%(profile_id)s' cannot be deleted")
>> >+                    % {'profile_id': keys[0]}
>> >+            )
>> >+
>> >+        return dn
>> I think you also want to protect the included profiles from renaming.
>>
>This is already the case.
I'm also wondering about certprofile-mod changing the profile content
and changing the profileID there to point to an existing profile. Would
this affect CA operation?

(ACK below for the current code).
>
>> And I would change 'Included profile ... cannot be deleted' to
>> 'Predefined profile ... cannot be deleted'.
>>
>Fair enough; updated patch attached.
>
>Cheers,
>Fraser

>From 4dd4e7c273a04e8b386c229959a99d6ec8e55c14 Mon Sep 17 00:00:00 2001
>From: Fraser Tweedale <ftweedal at redhat.com>
>Date: Thu, 13 Aug 2015 02:32:54 -0400
>Subject: [PATCH] Prohibit deletion of predefined profiles
>
>Deletion of predefined profiles, including the default profile,
>should not be allowed.  Detect this case and raise an error.
>
>Also update the predefined profiles collection to use namedtuple,
>making it easier to access the various components.
>
>Fixes: https://fedorahosted.org/freeipa/ticket/5198
>---
> ipalib/plugins/certprofile.py | 13 +++++++++++--
> ipapython/dogtag.py           |  8 +++++---
> 2 files changed, 16 insertions(+), 5 deletions(-)
>
>diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
>index 1dd4f403ee4461b83c053eb36019a8896506bb81..007cc543406b7e5705fd7474f3685cd6a9ce6aca 100644
>--- a/ipalib/plugins/certprofile.py
>+++ b/ipalib/plugins/certprofile.py
>@@ -3,6 +3,7 @@
> #
>
> import re
>+from operator import attrgetter
>
> from ipalib import api, Bool, File, Str
> from ipalib import output, util
>@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
> from ipalib.request import context
> from ipalib import ngettext
> from ipalib.text import _
>+from ipapython.dogtag import INCLUDED_PROFILES
> from ipapython.version import API_VERSION
>
> from ipalib import errors
>@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
>     __doc__ = _("Delete a Certificate Profile.")
>     msg_summary = _('Deleted profile "%(value)s"')
>
>-    def execute(self, *args, **kwargs):
>+    def pre_callback(self, ldap, dn, *keys, **options):
>         ca_enabled_check()
>-        return super(certprofile_del, self).execute(*args, **kwargs)
>+
>+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
>+            raise errors.ValidationError(name='profile_id',
>+                error=_("Predefined profile '%(profile_id)s' cannot be deleted")
>+                    % {'profile_id': keys[0]}
>+            )
>+
>+        return dn
>
>     def post_callback(self, ldap, dn, *keys, **options):
>         with self.api.Backend.ra_certprofile as profile_api:
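Review bot: The membership test on `keys[0]` protects the default profile only because `DEFAULT_PROFILE` currently equals one of the `INCLUDED_PROFILES` ids (`u'caIPAserviceCert'`, visible in the dogtag.py hunk), so the "including the default profile" in the commit message holds by coincidence of the data rather than by an explicit guard, and would silently stop holding if the default ever diverged from the predefined set. Making the intent explicit is a small change: `protected = set(map(attrgetter('profile_id'), INCLUDED_PROFILES)) | {DEFAULT_PROFILE}` followed by `if keys[0] in protected:`, with `DEFAULT_PROFILE` added to the existing `from ipapython.dogtag import` line. Separately, `ValidationError` tells the client its argument was malformed, whereas the id here is valid and the entry is merely protected; `errors.ProtectedEntry` (what other plugins raise for built-in entries, if I recall correctly) conveys that and maps to a distinct error code. A one-line why-comment above the check, such as `# Predefined profiles are provisioned by IPA and the CA depends on them; refuse to delete them`, would also help the next reader.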
>diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
>index 99bdf066d64d626af05d93953117909c5fbfb693..fc4154719e31eb32e28587ea89fb04ead14d282e 100644
>--- a/ipapython/dogtag.py
>+++ b/ipapython/dogtag.py
>@@ -17,6 +17,7 @@
> # along with this program.  If not, see <http://www.gnu.org/licenses/>.
> #
>
>+import collections
> import os
> import httplib
> import xml.dom.minidom
>@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *
> # the configured version.
>
>
>+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
>+
> INCLUDED_PROFILES = {
>-    # ( profile_id    ,         description      ,      store_issued)
>-    (u'caIPAserviceCert', u'Standard profile for network services', True),
>-    (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
>+    Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
>+    Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
>     }
>
> DEFAULT_PROFILE = u'caIPAserviceCert'
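Review bot: The removed comment line was the only documentation of the three fields, and the new `Profile` namedtuple gets no docstring; `store_issued` as a bare field name says less than the comment did. Add a short comment on `Profile`, e.g. `# store_issued: presumably whether certs issued under this profile are recorded by IPA — confirm against the code that consumes it`, since nothing in this hunk shows how the flag is used. Also, `INCLUDED_PROFILES` is now consulted by certprofile_del as the set of profiles that may not be deleted, yet it remains a mutable set literal that any importer could modify; writing it as `frozenset({...})` would make the protected set immutable and its role clearer. The entries themselves are unchanged in content, so there is no behavioural concern in the data.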
>-- 
>2.4.3
>
ACK.

-- 
/ Alexander Bokovoy



