[Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
Martin Kosek
mkosek at redhat.com
Thu Sep 20 08:25:07 UTC 2012
On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
> Hi,
>
> This patch adds validation of SID for trusted domain when adding or
> modifying ID range for the domain. We only allow creating ranges for
> trusted domains when the trust is already established -- the default
> range is created automatically right after the trust is added.
>
> https://fedorahosted.org/freeipa/ticket/3087
>
Basic functionality looks OK, but I saw a few issues with exception formatting:
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index
efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ try:
+ import ipaserver.dcerpc
+ _dcerpc_bindings_installed = True
+ except Exception, e:
+ _dcerpc_bindings_installed = False
Variable "e" is not used, so it can be removed.
__doc__ = _("""
ID ranges
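Review bot: `_dcerpc_bindings_installed` is only assigned inside the `if api.env.in_server and api.env.context in ['lite', 'server']:` block, so whenever that condition is false the name never exists and the `if not _dcerpc_bindings_installed:` check in `validate_trusted_domain_sid` further down will raise NameError instead of the intended error. Set `_dcerpc_bindings_installed = False` before the `if`, and since the only failure being guarded against is a missing module, catch `ImportError` rather than `except Exception, e:` (the `e` is unused).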
@@ -137,6 +143,21 @@ user. RIDs are unique in a domain, 32bit values and are
used for users and
groups.
""")
+def validate_trusted_domain_sid(self, sid):
"self" is not needed in the list of attributes, this is not a class method.
+ if not _dcerpc_bindings_installed:
+ raise errors.NotFound(name=_('ID Range setup'),
+ reason=_('''Cannot perform SID validation without Samba 4
support installed.
+ Make sure you have installed server-trust-ad
sub-package of IPA on the server'''))
Improperly formatted exception:
1) NotFound error does not use "name" param, maybe you wanted to use
ValidationError?
2) The text will be improperly formatted - since you used '''<text>''', the
indentation will be in the text:
ipa: ERROR: Cannot perform SID validation without Samba 4 support installed.
Make sure you have installed server-trust-ad
sub-package of IPA on the server
Also, I know this was discussed before, but using gettext in a name attribute
of ValidationError will cause an improperly formatted exception:
# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo
ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
Options dom_sid and rid_base must be used together
The problem is that the "name" param is printed as %r, thus you would need to
coerce it to unicode to make it better.
+ domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+ if not domain_validator.is_configured():
+ raise errors.NotFound(name=_('ID Range setup'),
+ reason=_('''Cross-realm trusts are not configured..
+ Make sure you have run ipa-adtrust-install on the
IPA server first'''))
Same issues:
# ipa idrange-add foo --base-id=1000 --range-size=100 --dom-sid=foo --rid-base=1000
ipa: ERROR: Cross-realm trusts are not configured..
Make sure you have run ipa-adtrust-install on the IPA
server first
+ if not domain_validator.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name=_('ID Range setup'),
+ error=_('SID is not recognized as a valid SID from a trusted
domain'))
+
+
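Review bot: the `reason` text at `Cross-realm trusts are not configured..` has a doubled period, and the two trailing empty `+` lines add only whitespace. The three branches also mix `errors.NotFound(..., reason=...)` with `errors.ValidationError(..., error=...)` for what is a single validation path; one error type for all three would give callers consistent output. Building each message from adjacent single-quoted literals instead of `'''...'''` keeps the continuation-line indentation out of the text.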
Same issues:
ipa: ERROR: invalid Gettext('ID Range setup', domain='ipa', localedir=None):
SID is not recognized as a valid SID from a trusted domain
Martin
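Both formatting problems raised in this review can be reproduced without ipalib. The block below is an added example, not code from the patch or from FreeIPA: `LazyGettext` and `ValidationError` are hypothetical stand-ins for ipalib's lazy Gettext object and its error class, written for Python 3 (on Python 2 the coercion would be `unicode()` rather than `str()`). It shows why `%r` on the lazy object prints `Gettext(...)`, how coercing the name first fixes it, and how a `'''...'''` literal carries source indentation into the message while adjacent literals do not.

```python
class LazyGettext:
    """Hypothetical stand-in for ipalib's lazy Gettext object.  Like the real
    one it is not a str: repr() shows the constructor call, str() yields the
    text.  That difference is what '%r' formatting exposes."""

    def __init__(self, msg, domain='ipa', localedir=None):
        self.msg, self.domain, self.localedir = msg, domain, localedir

    def __repr__(self):
        return "Gettext(%r, domain=%r, localedir=%r)" % (
            self.msg, self.domain, self.localedir)

    def __str__(self):
        return self.msg


def _(msg):
    """Mimic the translation helper: returns the lazy object, not a str."""
    return LazyGettext(msg)


class ValidationError(Exception):
    """Minimal error type whose message template uses %(name)r, matching the
    'invalid <name>: <error>' layout seen in the CLI output above (stand-in)."""
    format = "invalid %(name)r: %(error)s"

    def __init__(self, name, error):
        self.name, self.error = name, error
        super().__init__(self.format % {'name': name, 'error': error})


def error_text(name):
    """Render the error the way the CLI would print it for a given 'name'."""
    try:
        raise ValidationError(
            name=name,
            error=_('SID is not recognized as a valid SID from a trusted domain'))
    except ValidationError as e:
        return str(e)


def bad_name():
    # Passing the lazy object straight through: %r prints its repr().
    return error_text(_('ID Range setup'))


def good_name():
    # Coerce to text first; %r then prints a plain quoted string.
    return error_text(str(_('ID Range setup')))


def message_triple_quoted():
    # Continuation lines carry the source indentation into the message.
    return ('''Cross-realm trusts are not configured.
             Make sure you have run ipa-adtrust-install on the IPA server first''')


def message_concatenated():
    # Implicit concatenation of adjacent literals keeps the text on one line.
    return ('Cross-realm trusts are not configured. '
            'Make sure you have run ipa-adtrust-install on the IPA server first')


if __name__ == '__main__':
    print(bad_name())
    print(good_name())
    print(message_triple_quoted())
    print(message_concatenated())
```

`bad_name()` reproduces the `invalid Gettext('ID Range setup', domain='ipa', localedir=None): ...` line from the review verbatim; `good_name()` shows the same error once the name has been coerced. The two `message_*` functions differ only in how the literal is written, yet the first embeds a newline plus thirteen spaces that end up in the user-visible error.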