[Freeipa-devel] [PATCH] 940 apply some validation to some classes only

Martin Kosek mkosek at redhat.com
Mon Feb 6 15:14:37 UTC 2012 

On Fri, 2012-02-03 at 16:58 -0500, Rob Crittenden wrote:
> There is some validation that we only need to apply when an entry is 
> being created, namely the key itself. This is to allow us to manage an 
> otherwise illegal entry that finds its way into the system (i.e. migration).
> 
> Consider this. We migrate a group with a space in it. This isn't allowed 
> in IPA but we also provide no way to delete it because the cn regex 
> kicks out the group-del command.
> 
> The trick is adding appropriate context so we can know during validation 
> how we got here. A command object has a bases field which contains the 
> base classes associated with it, which appears to contain only the leaf 
> baseclass. So using this we can tell how we got to validation and can 
> skip based on that baseclass name.
> 
> I went back and forth a bit on where the right place to put this was, 
> I'm open to more fine tuning. I initially skipped just the pattern 
> validation then expanded it to apply to all validation in the Parameter.
> 
> rob

1) This patch breaks API.txt, it needs re-generating.

2) This may be a matter of opinion but I think that
+        if self.onlyvalidateclasses and \
+          not any(x in self.onlyvalidateclasses for x in classbases):
+            return

would be more readable than:

+        if self.onlyvalidateclasses and \
+          not [x for x in classbases if x in self.onlyvalidateclasses]:
+            return

3) I would move the entire self.onlyvalidateclasses up to the validate()
method. It would have several benefits:
- the validation skip would be done just once, not for every value as
the decision does not use the value at all
- we would not have to modify _validate_scalar() methods at all since
they won't need classbases

4) I think it would be better to keep validation for --rename options.
As it is generated from RDN attribute parameter, it inherits
onlyvalidateclasses list as well.

Otherwise your patch would let user to rename a valid object to an
invalid one:

# ipa user-mod fbar --rename="bad boy"
--------------------
Modified user "fbar"
--------------------
  User login: bad boy
  First name: Foo
  Last name: Bar
  Home directory: /home/fbar
  Login shell: /bin/sh
  UID: 480800040
  GID: 480800040
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Martin

More information about the Freeipa-devel mailing list