From 9fedf58eb1282560957edc1f36356602b55a736d Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Thu, 23 Jul 2015 14:00:06 +0200
Subject: [PATCH] idviews: Enforce objectclass check in idoverride*-del

Even with anchor to sid type checking, it would be still possible to delete a user ID override by specifying a group raw anchor and vice versa.

This patch introduces a objectclass check in idoverride*-del commands to prevent that.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy
---
 ipalib/plugins/idviews.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index c4f748132642f8702dcd12d38367dc36f4bc4a3c..2e6e84510d3caa3636d3f0c08c56403866ff54f9 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -716,6 +716,25 @@ class baseidoverride_del(LDAPDelete):
 takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)
+ def pre_callback(self, ldap, dn, *keys, **options):
+ assert isinstance(dn, DN)
+
+ # Make sure the entry we're deleting has all the objectclasses
+ # this object requires
+ try:
+ entry = ldap.get_entry(dn, ['objectclass'])
+ except errors.NotFound:
+ self.obj.handle_not_found(*keys)
+
+ required_object_classes = set(self.obj.object_class)
+ actual_object_classes = set(entry['objectclass'])
+
+ # If not, treat it as a failed search
+ if not required_object_classes.issubset(actual_object_classes):
+ self.obj.handle_not_found(*keys)
+
+ return dn
+
 class baseidoverride_mod(LDAPUpdate):
 __doc__ = _('Modify an ID override.')
-- 
2.4.3
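Review bot: The objectclass subset check in the new pre_callback compares raw strings, but LDAP objectClass values are case-insensitive, so the guard this patch adds against deleting a user override through a group anchor (and vice versa) silently passes or fails depending on the letter case the server returns versus what self.obj.object_class declares; normalise both sides, `required_object_classes = set(oc.lower() for oc in self.obj.object_class)` and `actual_object_classes = set(oc.lower() for oc in entry['objectclass'])`, before the issubset test. The except errors.NotFound branch relies on self.obj.handle_not_found(*keys) raising; if it ever returns, entry is unbound on the following set() line, so a short comment such as `# handle_not_found raises; entry is only reached on success` would document that contract. The check is a read followed by a separate delete, so a comment noting it is not atomic against a concurrent modify would help a future reader. The whole pre_callback body lies within this hunk.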