[Freeipa-devel] [PATCHES] 0012-13 Don't allow deleting required config options

Rob Crittenden rcritten at redhat.com
Mon Feb 20 19:51:28 UTC 2012


Petr Viktorin wrote:
> https://fedorahosted.org/freeipa/ticket/2159 says various config options
> are not marked Required, so entering an empty value for it will pass
> validation (and IPA will blow up later when it expects a string, not
> None). For example the following:
> $ ipa config-mod --groupsearch=
> fails with AttributeError: 'NoneType' object has no attribute 'split'
>
> There is a more general problem behind this, though: even if the
> attributes *are* marked as Required, an empty string will pass
> validation. This is because `None` is used in `Param.validate` to mean
> both "No value supplied" and "Empty value supplied". The method
> currently assumes the former, and skips validation entirely for `None`
> values to optional parameters.
>
> For example, the following will delete "membergroup", even though it's a
> required attribute:
>
> $ ipa delegation-add --attrs=street --group=editors \
> --membergroup=admins td1
> $ ipa delegation-mod --membergroup= td1
>
> Note that some LDAPObjects handle this with a _check_empty_attrs
> function, so they aren't affected. That function is specific to LDAP
> objects, though. So I needed to tackle this on a lower level.
>
> This patch solves the problem by
> * adding a 'nonempty' flag when a required parameter of a CRUD Update
> object is auto-converted to a non-required parameter
> * making the `validate` method aware of whether the parameter was
> supplied; and if it was, honor the "nonempty" flag.
>
>
> The second patch fixes https://fedorahosted.org/freeipa/ticket/2159 by
> marking required config options as required.

This looks good but I think there are other things to protect in config 
as well such as the default e-mail domain. It is probably safe to say 
that everything in there is required.

rob
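
The validation gap described in the quoted message, as an added example: a simplified Python model written for this page, not FreeIPA's code or the patch itself. `Param`, `update`, the `supplied` argument and the sample entry are hypothetical; only the `nonempty` flag name comes from the message.

```python
class ValidationError(Exception):
    """Raised when a parameter value is rejected."""

class Param:
    def __init__(self, name, required=False, flags=()):
        self.name, self.required, self.flags = name, required, frozenset(flags)

    def for_update(self, mark_nonempty):
        # Update commands turn required parameters into optional ones so a
        # partial update is possible; the fix records the old status as a flag.
        keep = self.required and mark_nonempty
        flags = self.flags | {"nonempty"} if keep else self.flags
        return Param(self.name, required=False, flags=flags)

    def validate(self, value, supplied=None):
        # supplied=None models the old behaviour: the caller cannot say whether
        # the option was present, so None is always read as "not supplied".
        if value is None:
            if self.required:
                raise ValidationError(f"{self.name}: value required")
            if supplied and "nonempty" in self.flags:
                raise ValidationError(f"{self.name}: may not be empty")
            return  # optional and (assumed) absent: validation is skipped
        if not isinstance(value, str):
            raise ValidationError(f"{self.name}: must be a string")

def update(entry, schema, options, fixed):
    """Apply options to a copy of entry; '' is normalised to None (= delete)."""
    result = dict(entry)
    for param in schema:
        upd = param.for_update(mark_nonempty=fixed)
        supplied = param.name in options
        value = options.get(param.name) or None
        upd.validate(value, supplied if fixed else None)
        if supplied and value is None:
            result.pop(param.name, None)   # empty value deletes the attribute
        elif supplied:
            result[param.name] = value
    return result

# Constructed sample data, loosely following the delegation example above.
SCHEMA = [Param("membergroup", required=True), Param("attrs", required=True)]
ENTRY = {"membergroup": "admins", "attrs": "street"}

if __name__ == "__main__":
    print(update(ENTRY, SCHEMA, {"membergroup": ""}, fixed=False))
    try:
        update(ENTRY, SCHEMA, {"membergroup": ""}, fixed=True)
    except ValidationError as exc:
        print("rejected:", exc)
```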
