[Freeipa-devel] [PATCH] 0074 validate SID for trusted domain when adding/modifying ID range
Alexander Bokovoy
abokovoy at redhat.com
Thu Sep 20 11:58:23 UTC 2012
On Thu, 20 Sep 2012, Petr Viktorin wrote:
>On 09/20/2012 12:12 PM, Martin Kosek wrote:
>>On 09/20/2012 11:42 AM, Alexander Bokovoy wrote:
>>>Hi,
>>>
>>>On Thu, 20 Sep 2012, Martin Kosek wrote:
>>>>On 09/19/2012 06:19 PM, Alexander Bokovoy wrote:
>>>>>Hi,
>>>>>
>>>>>This patch adds validation of SID for trusted domain when adding or
>>>>>modifying ID range for the domain. We only allow creating ranges for
>>>>>trusted domains when the trust is already established -- the default
>>>>>range is created automatically right after the trust is added.
>>>>>
>>>>>https://fedorahosted.org/freeipa/ticket/3087
>>>>>
>>>>
>>>>Basic functionality looks OK, but I saw few issues with exception formatting:
>>>>
>>>>diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>>>>index
>>>>efa906428aa58c670bc4af63b10c88123dda5b65..4750c1d6716bd69045d53f32ae1836f44e70b03b
>>>>
>>>>100644
>>>>--- a/ipalib/plugins/idrange.py
>>>>+++ b/ipalib/plugins/idrange.py
>>>>@@ -26,6 +26,12 @@ from ipapython import ipautil
>>>>from ipalib import util
>>>>from ipapython.dn import DN
>>>>
>>>>+if api.env.in_server and api.env.context in ['lite', 'server']:
>>>>+ try:
>>>>+ import ipaserver.dcerpc
>>>>+ _dcerpc_bindings_installed = True
>>>>+ except Exception, e:
>>>>+ _dcerpc_bindings_installed = False
>>>>
>>>>
>>>>Variable "e" is not used, so it can be removed.
>>>Then Exception, e should be omitted completely :)
>>
>>As per PEP8, "except Exception:" is preffered over bare "except:" as otherwise
>>it would also catch SystemExit or KeyboardInterrupt.
>
>You should use the most specific exception you want to handle. In
>this case it's probably ImportError.
New patch is attached.
--
/ Alexander Bokovoy
-------------- next part --------------
>From 4ddcad0b54e18339581a7aec042f42bec5bc7b48 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Wed, 19 Sep 2012 19:09:22 +0300
Subject: [PATCH 1/4] validate SID for trusted domain when adding/modifying ID
range
https://fedorahosted.org/freeipa/ticket/3087
---
ipalib/plugins/idrange.py | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
index ee50613bbaeb70aecf830ad480773a253f88a136..4ef3559aca0ef5314e44b727e97106866db94cda 100644
--- a/ipalib/plugins/idrange.py
+++ b/ipalib/plugins/idrange.py
@@ -26,6 +26,12 @@ from ipapython import ipautil
from ipalib import util
from ipapython.dn import DN
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ try:
+ import ipaserver.dcerpc
+ _dcerpc_bindings_installed = True
+ except ImportError:
+ _dcerpc_bindings_installed = False
__doc__ = _("""
ID ranges
@@ -249,6 +255,18 @@ class idrange(LDAPObject):
error=_('range modification leaving objects with ID out '
'of the defined range is not allowed'))
+ def validate_trusted_domain_sid(self, sid):
+ if not _dcerpc_bindings_installed:
+ raise errors.NotFound(reason=_('Cannot perform SID validation without Samba 4 support installed. '
+ 'Make sure you have installed server-trust-ad sub-package of IPA on the server'))
+ domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+ if not domain_validator.is_configured():
+ raise errors.NotFound(reason=_('Cross-realm trusts are not configured. '
+ 'Make sure you have run ipa-adtrust-install on the IPA server first'))
+ if not domain_validator.is_trusted_sid_valid(sid):
+ raise errors.ValidationError(name='domain SID',
+ error=_('SID is not recognized as a valid SID for a trusted domain'))
+
class idrange_add(LDAPCreate):
__doc__ = _("""
Add new ID range.
@@ -287,6 +305,9 @@ class idrange_add(LDAPCreate):
error=_('Options dom_sid and rid_base must ' \
'be used together'))
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+ # Finally, add trusted AD domain range object class
entry_attrs['objectclass'].append('ipatrustedaddomainrange')
else:
if (('ipasecondarybaserid' in options) != ('ipabaserid' in options)):
@@ -366,6 +387,10 @@ class idrange_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
+ if 'ipanttrusteddomainsid' in options:
+ # Validate SID as the one of trusted domains
+ self.obj.validate_trusted_domain_sid(options['ipanttrusteddomainsid'])
+
old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
new_base_id = entry_attrs.get('ipabaseid')
--
1.7.12
More information about the Freeipa-devel
mailing list