pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0028-Reworked-the-renaming-mechanism.patch

ac7d03
From bd2a0a8d363af6c8b1491314d5da5f3c146e4ce6 Mon Sep 17 00:00:00 2001
ac7d03
From: Stanislav Laznicka <slaznick@redhat.com>
ac7d03
Date: Mon, 27 Mar 2017 08:18:29 +0200
ac7d03
Subject: [PATCH] Reworked the renaming mechanism
ac7d03
ac7d03
The rename operation on *_mod commands was only allowed when
ac7d03
the primary key of an entry was also its RDN. With these changes,
ac7d03
it should be possible to rename the rest of the entries as well.
ac7d03
ac7d03
An attribute to the base LDAPObject was added to whitelist the
ac7d03
objects we want to allow to be renamed. It replaced an old
ac7d03
attribute rdn_is_primary_key which was used for the very same
ac7d03
purpose but the name was confusing because it was not set
ac7d03
correctly for certain objects.
ac7d03
ac7d03
https://pagure.io/freeipa/issue/2466
ac7d03
https://pagure.io/freeipa/issue/6784
ac7d03
ac7d03
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ac7d03
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ac7d03
Reviewed-By: Martin Basti <mbasti@redhat.com>
ac7d03
---
ac7d03
 ipaserver/plugins/automount.py         |  2 +-
ac7d03
 ipaserver/plugins/baseldap.py          | 32 ++++++++++++++++++++------------
ac7d03
 ipaserver/plugins/baseuser.py          |  2 +-
ac7d03
 ipaserver/plugins/ca.py                |  2 +-
ac7d03
 ipaserver/plugins/dns.py               |  2 +-
ac7d03
 ipaserver/plugins/group.py             |  2 +-
ac7d03
 ipaserver/plugins/idviews.py           |  6 +++---
ac7d03
 ipaserver/plugins/otptoken.py          |  2 +-
ac7d03
 ipaserver/plugins/permission.py        |  2 +-
ac7d03
 ipaserver/plugins/privilege.py         |  2 +-
ac7d03
 ipaserver/plugins/radiusproxy.py       |  2 +-
ac7d03
 ipaserver/plugins/role.py              |  2 +-
ac7d03
 ipaserver/plugins/servicedelegation.py |  2 +-
ac7d03
 13 files changed, 34 insertions(+), 26 deletions(-)
ac7d03
ac7d03
diff --git a/ipaserver/plugins/automount.py b/ipaserver/plugins/automount.py
ac7d03
index c4cf2d6db876e13c78ecd73fc53bb356bf190e17..03f994c65832e7b6099739e951105c4b5a897391 100644
ac7d03
--- a/ipaserver/plugins/automount.py
ac7d03
+++ b/ipaserver/plugins/automount.py
ac7d03
@@ -456,7 +456,7 @@ class automountkey(LDAPObject):
ac7d03
     default_attributes = [
ac7d03
         'automountkey', 'automountinformation', 'description'
ac7d03
     ]
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     rdn_separator = ' '
ac7d03
 
ac7d03
     takes_params = (
ac7d03
diff --git a/ipaserver/plugins/baseldap.py b/ipaserver/plugins/baseldap.py
ac7d03
index 79ba7fc4a14f8105cda481e1599b2acbd8394e45..dbe3cbd28c85ebc3d9254e24e14c5701adc673ab 100644
ac7d03
--- a/ipaserver/plugins/baseldap.py
ac7d03
+++ b/ipaserver/plugins/baseldap.py
ac7d03
@@ -36,7 +36,7 @@ from ipalib.text import _
ac7d03
 from ipalib.util import json_serialize, validate_hostname
ac7d03
 from ipalib.capabilities import client_has_capability
ac7d03
 from ipalib.messages import add_message, SearchResultTruncated
ac7d03
-from ipapython.dn import DN
ac7d03
+from ipapython.dn import DN, RDN
ac7d03
 from ipapython.version import API_VERSION
ac7d03
 
ac7d03
 if six.PY3:
ac7d03
@@ -549,7 +549,7 @@ class LDAPObject(Object):
ac7d03
     rdn_attribute = ''
ac7d03
     uuid_attribute = ''
ac7d03
     attribute_members = {}
ac7d03
-    rdn_is_primary_key = False # Do we need RDN change to do a rename?
ac7d03
+    allow_rename = False
ac7d03
     password_attributes = []
ac7d03
     # Can bind as this entry (has userPassword or krbPrincipalKey)
ac7d03
     bindable = False
ac7d03
@@ -1384,7 +1384,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
ac7d03
     def get_options(self):
ac7d03
         for option in super(LDAPUpdate, self).get_options():
ac7d03
             yield option
ac7d03
-        if self.obj.rdn_is_primary_key:
ac7d03
+        if self.obj.allow_rename:
ac7d03
             yield self._get_rename_option()
ac7d03
 
ac7d03
     def execute(self, *keys, **options):
ac7d03
@@ -1419,15 +1419,19 @@ class LDAPUpdate(LDAPQuery, crud.Update):
ac7d03
         _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), list(entry_attrs), allow_only=False)
ac7d03
 
ac7d03
         rdnupdate = False
ac7d03
-        try:
ac7d03
-            if self.obj.rdn_is_primary_key and 'rename' in options:
ac7d03
-                if not options['rename']:
ac7d03
-                    raise errors.ValidationError(name='rename', error=u'can\'t be empty')
ac7d03
-                entry_attrs[self.obj.primary_key.name] = options['rename']
ac7d03
-
ac7d03
-            if self.obj.rdn_is_primary_key and self.obj.primary_key.name in entry_attrs:
ac7d03
+        if 'rename' in options:
ac7d03
+            if not options['rename']:
ac7d03
+                raise errors.ValidationError(
ac7d03
+                    name='rename', error=u'can\'t be empty')
ac7d03
+            entry_attrs[self.obj.primary_key.name] = options['rename']
ac7d03
+
ac7d03
+        # if setattr was used to change the RDN, the primary_key.name is
ac7d03
+        # already in entry_attrs
ac7d03
+        if self.obj.allow_rename and self.obj.primary_key.name in entry_attrs:
ac7d03
+            # perform RDN change if the primary key is also RDN
ac7d03
+            if (RDN((self.obj.primary_key.name, keys[-1])) ==
ac7d03
+                    entry_attrs.dn[0]):
ac7d03
                 try:
ac7d03
-                    # RDN change
ac7d03
                     new_dn = DN((self.obj.primary_key.name,
ac7d03
                                  entry_attrs[self.obj.primary_key.name]),
ac7d03
                                 *entry_attrs.dn[1:])
ac7d03
@@ -1435,17 +1439,21 @@ class LDAPUpdate(LDAPQuery, crud.Update):
ac7d03
                         entry_attrs.dn,
ac7d03
                         new_dn)
ac7d03
 
ac7d03
-                    rdnkeys = keys[:-1] + (entry_attrs[self.obj.primary_key.name], )
ac7d03
+                    rdnkeys = (keys[:-1] +
ac7d03
+                               (entry_attrs[self.obj.primary_key.name], ))
ac7d03
                     entry_attrs.dn = self.obj.get_dn(*rdnkeys)
ac7d03
                     options['rdnupdate'] = True
ac7d03
                     rdnupdate = True
ac7d03
                 except errors.EmptyModlist:
ac7d03
                     # Attempt to rename to the current name, ignore
ac7d03
                     pass
ac7d03
+                except errors.NotFound:
ac7d03
+                    self.obj.handle_not_found(*keys)
ac7d03
                 finally:
ac7d03
                     # Delete the primary_key from entry_attrs either way
ac7d03
                     del entry_attrs[self.obj.primary_key.name]
ac7d03
 
ac7d03
+        try:
ac7d03
             # Exception callbacks will need to test for options['rdnupdate']
ac7d03
             # to decide what to do. An EmptyModlist in this context doesn't
ac7d03
             # mean an error occurred, just that there were no other updates to
ac7d03
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
ac7d03
index 44adc76ec854dadbe0d8a4e8ca03e71c30df526c..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
ac7d03
--- a/ipaserver/plugins/baseuser.py
ac7d03
+++ b/ipaserver/plugins/baseuser.py
ac7d03
@@ -164,7 +164,7 @@ class baseuser(LDAPObject):
ac7d03
         'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
ac7d03
         'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     bindable = True
ac7d03
     password_attributes = [('userpassword', 'has_password'),
ac7d03
                            ('krbprincipalkey', 'has_keytab')]
ac7d03
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
ac7d03
index f774f78bd6d4ad236b37d06b8b267e8dd78f93b7..9bb163dffa645c1cbb10976e62cbd4a714139319 100644
ac7d03
--- a/ipaserver/plugins/ca.py
ac7d03
+++ b/ipaserver/plugins/ca.py
ac7d03
@@ -68,7 +68,7 @@ class ca(LDAPObject):
ac7d03
         'cn', 'description', 'ipacaid', 'ipacaissuerdn', 'ipacasubjectdn',
ac7d03
     ]
ac7d03
     rdn_attribute = 'cn'
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     label = _('Certificate Authorities')
ac7d03
     label_singular = _('Certificate Authority')
ac7d03
 
ac7d03
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
ac7d03
index 7007928f3b4b2fd863077193671a03ae46119dc5..47ac963a0ae26fcaa81e70a8143bd7d0c172d20e 100644
ac7d03
--- a/ipaserver/plugins/dns.py
ac7d03
+++ b/ipaserver/plugins/dns.py
ac7d03
@@ -3000,7 +3000,7 @@ class dnsrecord(LDAPObject):
ac7d03
     possible_objectclasses = ['idnsTemplateObject']
ac7d03
     permission_filter_objectclasses = ['idnsrecord']
ac7d03
     default_attributes = ['idnsname'] + _record_attributes
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     label = _('DNS Resource Records')
ac7d03
     label_singular = _('DNS Resource Record')
ac7d03
diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py
ac7d03
index 218da3c94d95bb399761acf9414182eff566c63b..1fb092d5f049e86f12681e5eb2397f98f1001697 100644
ac7d03
--- a/ipaserver/plugins/group.py
ac7d03
+++ b/ipaserver/plugins/group.py
ac7d03
@@ -173,7 +173,7 @@ class group(LDAPObject):
ac7d03
         'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
ac7d03
         'sudorule'],
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     managed_permissions = {
ac7d03
         'System: Read Groups': {
ac7d03
             'replaces_global_anonymous_aci': True,
ac7d03
diff --git a/ipaserver/plugins/idviews.py b/ipaserver/plugins/idviews.py
ac7d03
index 6d4ac75209ea08e3c2969d53e1ae5372c3a535ac..b5ee32cf138677874497e2f345c932c352e20054 100644
ac7d03
--- a/ipaserver/plugins/idviews.py
ac7d03
+++ b/ipaserver/plugins/idviews.py
ac7d03
@@ -97,7 +97,7 @@ class idview(LDAPObject):
ac7d03
     object_class = ['ipaIDView', 'top']
ac7d03
     possible_objectclasses = ['ipaNameResolutionData']
ac7d03
     default_attributes = ['cn', 'description', 'ipadomainresolutionorder']
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     label = _('ID Views')
ac7d03
     label_singular = _('ID View')
ac7d03
@@ -848,7 +848,7 @@ class idoverrideuser(baseidoverride):
ac7d03
 
ac7d03
     label = _('User ID overrides')
ac7d03
     label_singular = _('User ID override')
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     # ID user overrides are bindable because we map SASL GSSAPI
ac7d03
     # authentication of trusted users to ID user overrides in the
ac7d03
@@ -964,7 +964,7 @@ class idoverridegroup(baseidoverride):
ac7d03
 
ac7d03
     label = _('Group ID overrides')
ac7d03
     label_singular = _('Group ID override')
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     permission_filter_objectclasses = ['ipaGroupOverride']
ac7d03
     managed_permissions = {
ac7d03
diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
ac7d03
index 98ecbe58b84622d7937a7e6eff77c5e41624bf4f..c66f0980f0fc2ed49b4224be40a18ce528a6da7b 100644
ac7d03
--- a/ipaserver/plugins/otptoken.py
ac7d03
+++ b/ipaserver/plugins/otptoken.py
ac7d03
@@ -143,7 +143,7 @@ class otptoken(LDAPObject):
ac7d03
     relationships = {
ac7d03
         'managedby': ('Managed by', 'man_by_', 'not_man_by_'),
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     label = _('OTP Tokens')
ac7d03
     label_singular = _('OTP Token')
ac7d03
diff --git a/ipaserver/plugins/permission.py b/ipaserver/plugins/permission.py
ac7d03
index dd2a0183e90ed6da9e55fb0590ea0bd81bf0bd67..977c6fe363c501f820aa82ae5b2ea00d8c78c7ae 100644
ac7d03
--- a/ipaserver/plugins/permission.py
ac7d03
+++ b/ipaserver/plugins/permission.py
ac7d03
@@ -188,7 +188,7 @@ class permission(baseldap.LDAPObject):
ac7d03
         'member': ['privilege'],
ac7d03
         'memberindirect': ['role'],
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     managed_permissions = {
ac7d03
         'System: Read Permissions': {
ac7d03
             'replaces_global_anonymous_aci': True,
ac7d03
diff --git a/ipaserver/plugins/privilege.py b/ipaserver/plugins/privilege.py
ac7d03
index b3afbd289ac2e82d5569b5d5306be398a560413e..01d5396902d482eb5a9f21e7ece730a0a35157d6 100644
ac7d03
--- a/ipaserver/plugins/privilege.py
ac7d03
+++ b/ipaserver/plugins/privilege.py
ac7d03
@@ -101,7 +101,7 @@ class privilege(LDAPObject):
ac7d03
     reverse_members = {
ac7d03
         'member': ['permission'],
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     managed_permissions = {
ac7d03
         'System: Read Privileges': {
ac7d03
             'replaces_global_anonymous_aci': True,
ac7d03
diff --git a/ipaserver/plugins/radiusproxy.py b/ipaserver/plugins/radiusproxy.py
ac7d03
index 3391b8aed77205fb1a586d5472d8cfdbc9fd1cd5..be77c62432066beec951e5f50afe689e1d6debce 100644
ac7d03
--- a/ipaserver/plugins/radiusproxy.py
ac7d03
+++ b/ipaserver/plugins/radiusproxy.py
ac7d03
@@ -101,7 +101,7 @@ class radiusproxy(LDAPObject):
ac7d03
         'ipatokenradiustimeout', 'ipatokenradiusretries', 'ipatokenusermapattribute'
ac7d03
     ]
ac7d03
     search_attributes = ['cn', 'description', 'ipatokenradiusserver']
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     label = _('RADIUS Servers')
ac7d03
     label_singular = _('RADIUS Server')
ac7d03
 
ac7d03
diff --git a/ipaserver/plugins/role.py b/ipaserver/plugins/role.py
ac7d03
index 5d0d1f8c657b8d840762135f5ff16db90fb4893f..e7f115c461a6a0421f9c43d0410daaf9d4307e76 100644
ac7d03
--- a/ipaserver/plugins/role.py
ac7d03
+++ b/ipaserver/plugins/role.py
ac7d03
@@ -92,7 +92,7 @@ class role(LDAPObject):
ac7d03
     reverse_members = {
ac7d03
         'member': ['privilege'],
ac7d03
     }
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
     managed_permissions = {
ac7d03
         'System: Read Roles': {
ac7d03
             'replaces_global_anonymous_aci': True,
ac7d03
diff --git a/ipaserver/plugins/servicedelegation.py b/ipaserver/plugins/servicedelegation.py
ac7d03
index c8052e957cc5f8d24f6a8d0621ca93422052e35b..4f94924fa76691bcd6c6fc2cef9eb7fb30fce48c 100644
ac7d03
--- a/ipaserver/plugins/servicedelegation.py
ac7d03
+++ b/ipaserver/plugins/servicedelegation.py
ac7d03
@@ -138,7 +138,7 @@ class servicedelegation(LDAPObject):
ac7d03
         },
ac7d03
     }
ac7d03
 
ac7d03
-    rdn_is_primary_key = True
ac7d03
+    allow_rename = True
ac7d03
 
ac7d03
     takes_params = (
ac7d03
         Str(
ac7d03
-- 
ac7d03
2.12.1
ac7d03