From ba321efe715dbbb3b4be22cb786995cf441e1a74 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Thu, 13 Aug 2015 02:32:54 -0400
Subject: [PATCH] Prohibit deletion of predefined profiles
Deletion of predefined profiles, including the default profile,
should not be allowed. Detect this case and raise an error.
Also update the predefined profiles collection to use namedtuple,
making it easier to access the various components.
Fixes: https://fedorahosted.org/freeipa/ticket/5198
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipalib/plugins/certprofile.py | 13 +++++++++++--
ipapython/dogtag.py | 8 +++++---
2 files changed, 16 insertions(+), 5 deletions(-)
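--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -3,6 +3,7 @@
 #
 
 import re
+from operator import attrgetter
 
 from ipalib import api, Bool, File, Str
 from ipalib import output, util
@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
 from ipalib.request import context
 from ipalib import ngettext
 from ipalib.text import _
+from ipapython.dogtag import INCLUDED_PROFILES
 from ipapython.version import API_VERSION
 
 from ipalib import errors
@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
 __doc__ = _("Delete a Certificate Profile.")
 msg_summary = _('Deleted profile "%(value)s"')
 
- def execute(self, *args, **kwargs):
+ def pre_callback(self, ldap, dn, *keys, **options):
 ca_enabled_check()
- return super(certprofile_del, self).execute(*args, **kwargs)
+
+ if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
+ raise errors.ValidationError(name='profile_id',
+ error=_("Predefined profile '%(profile_id)s' cannot be deleted")
+ % {'profile_id': keys[0]}
+ )
+
+ return dn
 
 def post_callback(self, ldap, dn, *keys, **options):
 with self.api.Backend.ra_certprofile as profile_api: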
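Review bot: The guard added in `pre_callback` compares `keys[0]` with the predefined IDs by exact string equality, so a spelling that differs only in letter case passes the check. If the directory matches the profile's naming attribute case-insensitively (not visible in this hunk), the delete would still land on a predefined profile and `post_callback` would then run for it. Consider normalising both sides, for example `if keys[0].lower() in {p.profile_id.lower() for p in INCLUDED_PROFILES}:`, and covering the mixed-case spelling in the plugin's tests. A short comment above the check, such as `# predefined profiles ship with IPA and must never be removed`, would record why it exists. The class body continues past the end of the hunk, so the rest of `post_callback` was not reviewed.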
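--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -17,6 +17,7 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 
+import collections
 import os
 import httplib
 import xml.dom.minidom
@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *
 # the configured version.
 
 
+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
+
 INCLUDED_PROFILES = {
- # ( profile_id , description , store_issued)
- (u'caIPAserviceCert', u'Standard profile for network services', True),
- (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
+ Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
+ Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
 }
 
 DEFAULT_PROFILE = u'caIPAserviceCert'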
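Review bot: `INCLUDED_PROFILES` now also serves as the list of profiles that `certprofile_del` refuses to delete, but nothing at its definition says so. A maintainer adding or removing an entry here would change which profiles are protected without any hint of it. I would add a comment above the set, for example `# Profiles shipped with IPA; certprofile_del rejects deletion of any profile_id listed here.` The removed field-order comment is covered by the `Profile` field names, though `store_issued` would benefit from a one-line explanation of what the flag controls. Since `Profile` is still a tuple, existing callers that unpack the entries positionally should keep working, but those callers are outside this hunk.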
--
2.4.3