pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0078-Prohibit-deletion-of-predefined-profiles.patch

590d18
From ba321efe715dbbb3b4be22cb786995cf441e1a74 Mon Sep 17 00:00:00 2001
590d18
From: Fraser Tweedale <ftweedal@redhat.com>
590d18
Date: Thu, 13 Aug 2015 02:32:54 -0400
590d18
Subject: [PATCH] Prohibit deletion of predefined profiles
590d18
590d18
Deletion of predefined profiles, including the default profile,
590d18
should not be allowed.  Detect this case and raise an error.
590d18
590d18
Also update the predefined profiles collection to use namedtuple,
590d18
making it easier to access the various components.
590d18
590d18
Fixes: https://fedorahosted.org/freeipa/ticket/5198
590d18
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
590d18
---
590d18
 ipalib/plugins/certprofile.py | 13 +++++++++++--
590d18
 ipapython/dogtag.py           |  8 +++++---
590d18
 2 files changed, 16 insertions(+), 5 deletions(-)
590d18
590d18
diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
590d18
index 1dd4f403ee4461b83c053eb36019a8896506bb81..007cc543406b7e5705fd7474f3685cd6a9ce6aca 100644
590d18
--- a/ipalib/plugins/certprofile.py
590d18
+++ b/ipalib/plugins/certprofile.py
590d18
@@ -3,6 +3,7 @@
590d18
 #
590d18
 
590d18
 import re
590d18
+from operator import attrgetter
590d18
 
590d18
 from ipalib import api, Bool, File, Str
590d18
 from ipalib import output, util
590d18
@@ -14,6 +15,7 @@ from ipalib.plugins.baseldap import (
590d18
 from ipalib.request import context
590d18
 from ipalib import ngettext
590d18
 from ipalib.text import _
590d18
+from ipapython.dogtag import INCLUDED_PROFILES
590d18
 from ipapython.version import API_VERSION
590d18
 
590d18
 from ipalib import errors
590d18
@@ -287,9 +289,16 @@ class certprofile_del(LDAPDelete):
590d18
     __doc__ = _("Delete a Certificate Profile.")
590d18
     msg_summary = _('Deleted profile "%(value)s"')
590d18
 
590d18
-    def execute(self, *args, **kwargs):
590d18
+    def pre_callback(self, ldap, dn, *keys, **options):
590d18
         ca_enabled_check()
590d18
-        return super(certprofile_del, self).execute(*args, **kwargs)
590d18
+
590d18
+        if keys[0] in map(attrgetter('profile_id'), INCLUDED_PROFILES):
590d18
+            raise errors.ValidationError(name='profile_id',
590d18
+                error=_("Predefined profile '%(profile_id)s' cannot be deleted")
590d18
+                    % {'profile_id': keys[0]}
590d18
+            )
590d18
+
590d18
+        return dn
590d18
 
590d18
     def post_callback(self, ldap, dn, *keys, **options):
590d18
         with self.api.Backend.ra_certprofile as profile_api:
590d18
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
590d18
index 0782d360ccf2ce2c90c4e9cfa66b5159e437e77c..3f0d08154d21a3072e344c311c3e70e414d9dee4 100644
590d18
--- a/ipapython/dogtag.py
590d18
+++ b/ipapython/dogtag.py
590d18
@@ -17,6 +17,7 @@
590d18
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
590d18
 #
590d18
 
590d18
+import collections
590d18
 import os
590d18
 import httplib
590d18
 import xml.dom.minidom
590d18
@@ -42,10 +43,11 @@ from ipapython.ipa_log_manager import *
590d18
 # the configured version.
590d18
 
590d18
 
590d18
+Profile = collections.namedtuple('Profile', ['profile_id', 'description', 'store_issued'])
590d18
+
590d18
 INCLUDED_PROFILES = {
590d18
-    # ( profile_id    ,         description      ,      store_issued)
590d18
-    (u'caIPAserviceCert', u'Standard profile for network services', True),
590d18
-    (u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
590d18
+    Profile(u'caIPAserviceCert', u'Standard profile for network services', True),
590d18
+    Profile(u'IECUserRoles', u'User profile that includes IECUserRoles extension from request', True),
590d18
     }
590d18
 
590d18
 DEFAULT_PROFILE = u'caIPAserviceCert'
590d18
-- 
590d18
2.4.3
590d18