[Freeipa-devel] [PATCH 0057] Do not allow removal of ID range of an active trust

Alexander Bokovoy abokovoy at redhat.com
Mon May 20 14:29:41 UTC 2013


On Mon, 20 May 2013, Tomas Babej wrote:
>On 05/16/2013 11:16 AM, Ana Krivokapic wrote:
>>On 05/15/2013 03:41 PM, Tomas Babej wrote:
>>>Hi,
>>>
>>>When removing an ID range using idrange-del command, validation
>>>in pre_callback ensures that the range does not belong to any
>>>active trust. In that case, a ValidationError is raised.
>>>
>>>https://fedorahosted.org/freeipa/ticket/3615
>>>
>>>Tomas
>>>
>>>
>>>_______________________________________________
>>>Freeipa-devel mailing list
>>>Freeipa-devel at redhat.com
>>>https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>I suggest adding some unit tests to cover this change in functionality.
>>
>>-- 
>>Regards,
>>
>>Ana Krivokapic
>>Associate Software Engineer
>>FreeIPA team
>>Red Hat Inc.
>>
>>
>>_______________________________________________
>>Freeipa-devel mailing list
>>Freeipa-devel at redhat.com
>>https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>I incorporated the unit tests. They had to access LDAP directly
>using ldapmodify, since a mock AD trusted range needs to be created
>first.
>
>Tomas

>From 57e98d6dc950d611e96e1ec2e264649a3d682c83 Mon Sep 17 00:00:00 2001
>From: Tomas Babej <tbabej at redhat.com>
>Date: Wed, 15 May 2013 15:37:15 +0200
>Subject: [PATCH] Do not allow removal of ID range of an active trust
>
>When removing an ID range using idrange-del command, validation
>in pre_callback ensures that the range does not belong to any
>active trust. In that case, a ValidationError is raised.
>
>Unit tests covering the functionality have been added.
>
>https://fedorahosted.org/freeipa/ticket/3615
>---
> ipalib/plugins/idrange.py              | 17 ++++++-
> tests/test_xmlrpc/test_range_plugin.py | 86 ++++++++++++++++++++++++++++++----
> tests/test_xmlrpc/xmlrpc_test.py       |  5 ++
> 3 files changed, 97 insertions(+), 11 deletions(-)
>
>diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
>index 54f6fbb3e19b9aa01dfde2a8d0c5da4498632386..a0309f82cc14117212c355547dac25b8c4e0f1e3 100644
>--- a/ipalib/plugins/idrange.py
>+++ b/ipalib/plugins/idrange.py
>@@ -434,14 +434,29 @@ class idrange_del(LDAPDelete):
> 
>     def pre_callback(self, ldap, dn, *keys, **options):
>         try:
>-            (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize'])
>+            (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid',
>+                                                      'ipaidrangesize',
>+                                                      'ipanttrusteddomainsid'])
>         except errors.NotFound:
>             self.obj.handle_not_found(*keys)
> 
>+        # Check whether we leave any object with id in deleted range
>         old_base_id = int(old_attrs.get('ipabaseid', [0])[0])
>         old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0])
>         self.obj.check_ids_in_modified_range(
>                 old_base_id, old_range_size, 0, 0)
>+
>+        # Check whether the range does not belong to the active trust
>+        range_sid = old_attrs.get('ipanttrusteddomainsid')
>+
>+        if range_sid is not None:
>+            range_sid = range_sid[0]
>+            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
>+
>+            if result['count'] > 0:
>+                raise errors.ValidationError(name='ID Range constraint',
>+                    error=_("ID range of an active trust cannot be deleted."))
>+
>         return dn
> 
> class idrange_find(LDAPSearch):
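Review bot: The guard added at `range_sid = old_attrs.get('ipanttrusteddomainsid')` decides only on `result['count']`, so it is only as strong as the caller's ability to read trust entries: if `trust_find` runs under the requesting principal's LDAP connection, as framework commands invoked through `api.Command` appear to, a principal allowed to delete ranges but unable to read the trust container gets `count == 0` and the delete proceeds. That is worth confirming with a test run as a non-admin principal, and the reliance should be documented on the block, e.g. `# Relies on the caller being able to read trust entries; a trust the caller cannot see is treated as absent.`. The lookup and the delete are also two separate LDAP operations, so a trust created in between is not caught; the new comment could say `# Refuse to delete a range still used by an active trust (best-effort: not atomic with the delete)` instead of `# Check whether the range does not belong to the active trust`. The enclosing class continues outside the hunk.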
>diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
>index be8eac593a04c52aaaff61f980cfd5fd0899fabd..1f03d3fc570dbe978fd31569896857db9a972bfa 100644
>--- a/tests/test_xmlrpc/test_range_plugin.py
>+++ b/tests/test_xmlrpc/test_range_plugin.py
>@@ -22,6 +22,7 @@ Test the `ipalib/plugins/idrange.py` module, and XML-RPC in general.
> """
> 
> from ipalib import api, errors, _
>+from ipapython.ipautil import run
> from tests.util import assert_equal, Fuzzy
> from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
> from tests.test_xmlrpc import objectclasses
>@@ -31,57 +32,113 @@ testrange1 = u'testrange1'
> testrange1_base_id = 900000
> testrange1_size = 99999
> testrange1_base_rid = 10000
>-testrange1_secondary_base_rid=200000
>+testrange1_secondary_base_rid = 200000
> 
> testrange2 = u'testrange2'
> testrange2_base_id = 100
> testrange2_size = 50
> testrange2_base_rid = 100
>-testrange2_secondary_base_rid=1000
>+testrange2_secondary_base_rid = 1000
> 
> testrange3 = u'testrange3'
> testrange3_base_id = 200
> testrange3_size = 50
> testrange3_base_rid = 70
>-testrange3_secondary_base_rid=1100
>+testrange3_secondary_base_rid = 1100
> 
> testrange4 = u'testrange4'
> testrange4_base_id = 300
> testrange4_size = 50
> testrange4_base_rid = 200
>-testrange4_secondary_base_rid=1030
>+testrange4_secondary_base_rid = 1030
> 
> testrange5 = u'testrange5'
> testrange5_base_id = 400
> testrange5_size = 50
> testrange5_base_rid = 1020
>-testrange5_secondary_base_rid=1200
>+testrange5_secondary_base_rid = 1200
> 
> testrange6 = u'testrange6'
> testrange6_base_id = 130
> testrange6_size = 50
> testrange6_base_rid = 500
>-testrange6_secondary_base_rid=1300
>+testrange6_secondary_base_rid = 1300
> 
> testrange7 = u'testrange7'
> testrange7_base_id = 600
> testrange7_size = 50
> testrange7_base_rid = 600
>-testrange7_secondary_base_rid=649
>+testrange7_secondary_base_rid = 649
> 
> testrange8 = u'testrange8'
> testrange8_base_id = 700
> testrange8_size = 50
> testrange8_base_rid = 700
> 
>-user1=u'tuser1'
>+testrange9 = u'testrange9'
>+testrange9_base_id = 800
>+testrange9_size = 50
>+testrange9_base_rid = 800
>+
>+testrange9_add = """
>+version: 1
>+DN: cn={name},cn=ranges,cn=etc,{basedn}
>+changetype: add
>+cn: {name}
>+objectClass: ipaIDrange
>+objectClass: ipatrustedaddomainrange
>+ipaBaseID: {base_id}
>+ipaIDRangeSize: {size}
>+ipaBaseRID: {base_rid}
>+ipaNTTrustedDomainSID: S-1-5-21-259319770-2312917334-591429603
>+""".format(basedn=api.env['basedn'],
>+           name=testrange9,
>+           base_id=testrange9_base_id,
>+           size=testrange9_size,
>+           base_rid=testrange9_base_rid)
>+
>+testrange9_del = """
>+version: 1
>+DN: cn={name},cn=ranges,cn=etc,{basedn}
>+changetype: delete
>+""".format(basedn=api.env['basedn'], name=testrange9)
>+
>+user1 = u'tuser1'
> user1_uid = 900000
>-group1=u'group1'
>+group1 = u'group1'
> group1_gid = 900100
> 
>+trusted_ad_range_ok = False
>+
> class test_range(Declarative):
>+
>+    def setUp(self):
>+        super(test_range, self).setUp()
>+
>+        ret = run(['ldapmodify',
>+                   '-Y', 'GSSAPI',
>+                   '-h', api.env['host']],
>+                   stdin=str(testrange9_add), raiseonerr=False)
well, you can use python's ldap module directly, there is no need to
call out to ldap utilities.

-- 
/ Alexander Bokovoy



