[Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation

Tomas Babej tbabej at redhat.com
Thu Jul 23 13:20:20 UTC 2015



On 07/23/2015 03:08 PM, Alexander Bokovoy wrote:
> On Thu, 23 Jul 2015, Tomas Babej wrote:
>> Hi,
>>
>> this patchset deals mainly with the ticket:
>>
>> https://fedorahosted.org/freeipa/ticket/5029
>>
>> Details in the commit messages.
>>
>> Tomas
> 
>> From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001
>> From: Tomas Babej <tbabej at redhat.com>
>> Date: Wed, 22 Jul 2015 14:00:37 +0200
>> Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method
>>
>> https://fedorahosted.org/freeipa/ticket/5029
>> ---
>> ipaserver/dcerpc.py | 29 +++++++++++++++++++++++++++++
>> 1 file changed, 29 insertions(+)
>>
>> diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
>> index
>> 7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f
>> 100644
>> --- a/ipaserver/dcerpc.py
>> +++ b/ipaserver/dcerpc.py
>> @@ -107,6 +107,14 @@ dcerpc_error_messages = {
>>          errors.RequirementError(name=_('At least the domain or IP
>> address should be specified')),
>> }
>>
>> +pysss_type_key_translation_dict = {
>> +    pysss_nss_idmap.ID_USER: 'user',
>> +    pysss_nss_idmap.ID_GROUP: 'group',
>> +    # Used for users with magic private groups
>> +    pysss_nss_idmap.ID_BOTH: 'both',
>> +}
>> +
>> +
>> def assess_dcerpc_exception(num=None,message=None):
>>     """
>>     Takes error returned by Samba bindings and converts it into
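Review bot: the name `pysss_type_key_translation_dict` is misleading, because the dict maps pysss_nss_idmap type values (ID_USER, ID_GROUP, ID_BOTH) to the strings 'user', 'group' and 'both' rather than translating keys; a name such as `pysss_type_names` would read more clearly, and the comment on ID_BOTH should say what consumes the 'both' string. Also confirm that `pysss_nss_idmap` is imported at module level in ipaserver/dcerpc.py, since this dict is evaluated at import time and the import is outside this hunk.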
>> @@ -368,6 +376,27 @@ class DomainValidator(object):
>>             raise errors.ValidationError(name=_('trusted domain object'),
>>                error= _('Trusted domain did not return a valid SID for
>> the object'))
>>
>> +    def get_trusted_domain_object_type(self, name_or_sid):
>> +        """
>> +        Return the type of the object corresponding to the given name in
>> +        the trusted domain, which is either 'user', 'group' or 'both'.
>> +        The 'both' types is used for users with magic private groups.
>> +        """
>> +
>> +        object_type = None
>> +
>> +        if is_sid_valid(name_or_sid):
>> +            result = pysss_nss_idmap.getnamebysid(name_or_sid)
>> +        else:
>> +            result = pysss_nss_idmap.getsidbyname(name_or_sid)
>> +
>> +        if name_or_sid in result:
>> +            object_type =
>> result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
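Review bot: the visible part of `get_trusted_domain_object_type` leaves the raw pysss_nss_idmap type constant in `object_type`, while the docstring promises 'user', 'group' or 'both'; the rest of the hunk (cut off in this quote) must translate it through `pysss_type_key_translation_dict` before returning, and should return None explicitly when the lookup comes back empty so callers can tell 'not found' from a known type. Two docstring fixes: 'corresponding to the given name' should be 'given name or SID', since the method accepts both, and "The 'both' types is used" should be "The 'both' type is used".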
> If the user or group is not found, pysss_nss_idmap.getsidbyname() will return
> an empty dict and the line above will fail:
>>>> import pysss_nss_idmap
>>>> pysss_nss_idmap.getsidbyname('some-name')
> {}

It will return {}; however, that line is prefixed by the

+        if name_or_sid in result:

condition, hence it won't get executed in this case.

I just ran a quick check and it seems to run as expected:

>>> import ipaserver.dcerpc
>>> validator = DomainValidator(api)
>>> validator.get_trusted_domain_object_type('some-name')
>>>

Tomas
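To make the behaviour discussed above concrete, here is an added example (not code from the patch or from FreeIPA) that models the lookup with a constructed stand-in for pysss_nss_idmap, so it runs offline. It assumes, as the thread states, that getsidbyname() and getnamebysid() return {} on a miss and otherwise a dict keyed by the queried name or SID; the SID check, the sample directory and the function name get_trusted_domain_object_type are assumptions for illustration.

```python
import re

# Constructed stand-in for pysss_nss_idmap (assumption: the real module's
# constants are opaque values and lookups return {} when nothing matches).
ID_USER, ID_GROUP, ID_BOTH = 1, 2, 3
TYPE_KEY = 'type'
SID_KEY = 'sid'
NAME_KEY = 'name'

# Constructed sample directory: a user with a magic private group (ID_BOTH),
# a plain group and a plain user.
_SAMPLE = {
    'alice@ad.example.test': {SID_KEY: 'S-1-5-21-111-222-333-1104', TYPE_KEY: ID_BOTH},
    'admins@ad.example.test': {SID_KEY: 'S-1-5-21-111-222-333-512', TYPE_KEY: ID_GROUP},
    'bob@ad.example.test': {SID_KEY: 'S-1-5-21-111-222-333-1105', TYPE_KEY: ID_USER},
}


def getsidbyname(name):
    """Mimics pysss_nss_idmap.getsidbyname: {} on a miss, keyed by the input on a hit."""
    entry = _SAMPLE.get(name)
    return {name: dict(entry)} if entry else {}


def getnamebysid(sid):
    """Mimics pysss_nss_idmap.getnamebysid: {} on a miss, keyed by the input on a hit."""
    for name, entry in _SAMPLE.items():
        if entry[SID_KEY] == sid:
            return {sid: {NAME_KEY: name, TYPE_KEY: entry[TYPE_KEY]}}
    return {}


# Same mapping as the patch's pysss_type_key_translation_dict.
TYPE_NAMES = {ID_USER: 'user', ID_GROUP: 'group', ID_BOTH: 'both'}

# Assumed SID syntax check: 'S-1-<authority>-<subauthority>...'.
_SID_RE = re.compile(r'^S-1-\d+(-\d+)+$')


def is_sid_valid(value):
    return bool(_SID_RE.match(value))


def get_trusted_domain_object_type(name_or_sid):
    """Return 'user', 'group' or 'both' for a trusted-domain object, or None if unknown."""
    if is_sid_valid(name_or_sid):
        result = getnamebysid(name_or_sid)
    else:
        result = getsidbyname(name_or_sid)
    # The guard Tomas points at: an empty result ({}) never reaches the
    # indexing below, so a missing object yields None instead of a KeyError.
    if name_or_sid not in result:
        return None
    raw_type = result[name_or_sid].get(TYPE_KEY)
    return TYPE_NAMES.get(raw_type)
```

Returning None on a miss (rather than falling through with an unset variable) lets a caller that validates an ID override type distinguish "object not found in the trusted domain" from a real type mismatch.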