From ba321efe715dbbb3b4be22cb786995cf441e1a74 Mon Sep 17 00:00:00 2001

From: Fraser Tweedale <ftweedal@redhat.com>

Date: Thu, 13 Aug 2015 02:32:54 -0400

Subject: [PATCH] Prohibit deletion of predefined profiles

Deletion of predefined profiles, including the default profile,

should not be allowed.  Detect this case and raise an error.

Also update the predefined profiles collection to use namedtuple,

making it easier to access the various components.

Fixes: https://fedorahosted.org/freeipa/ticket/5198

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipalib/plugins/certprofile.py | 13 +++++++++++--

 ipapython/dogtag.py           |  8 +++++---

 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py

index 1dd4f403ee4461b83c053eb36019a8896506bb81..007cc543406b7e5705fd7474f3685cd6a9ce6aca 100644

--- a/ipalib/plugins/certprofile.py

+++ b/ipalib/plugins/certprofile.py

@@ -3,6 +3,7 @@

 #

 import re

+from operator import attrgetter

 from ipalib import api, Bool, File, Str

 from ipalib import output, util

@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (

 from ipalib.request import context

 from ipalib import ngettext

 from ipalib.text import _

+from ipapython.dogtag import INCLUDED_PROFILES

 from ipapython.version import API_VERSION

 from ipalib import errors

@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):

     __doc__ = _("Delete a Certificate Profile.")

     msg_summary = _('Deleted profile "%(value)s"')

-    def execute(self, *args, **kwargs):

+    def pre_callback(self, ldap, dn, *keys, **options):

         ca_enabled_check()

-        return super(certprofile_del, self).execute(*args, **kwargs)

+

+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):

+            raise errors.ValidationError(name='profile_id',

+                error=_("Predefined profile '%(profile_id)s' cannot be deleted")

+                    % {'profile_id': keys[0]}

+            )

+

+        return dn

     def post_callback(self, ldap, dn, *keys, **options):

         with self.api.Backend.ra_certprofile as profile_api:

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py

index 0782d360ccf2ce2c90c4e9cfa66b5159e437e77c..3f0d08154d21a3072e344c311c3e70e414d9dee4 100644

--- a/ipapython/dogtag.py

+++ b/ipapython/dogtag.py

@@ -17,6 +17,7 @@

 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 #

+import collections

 import os

 import httplib

 import xml.dom.minidom

@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *

 # the configured version.

+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])

+

 INCLUDED_PROFILES = {

-    # ( profile_id    ,         description      ,      store_issued)

-    (u'caIPAserviceCert', u'Standard profile for network services', True),

-    (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),

+    Profile(u'caIPAserviceCert', u'Standard profile for network services', True),

+    Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),

     }

 DEFAULT_PROFILE = u'caIPAserviceCert'

-- 

2.4.3