e3ffab
From 77af6877a855c6dd738d03376464197ac3a938f8 Mon Sep 17 00:00:00 2001
e3ffab
From: Petr Vobornik <pvoborni@redhat.com>
e3ffab
Date: Mon, 13 Oct 2014 14:57:45 +0200
e3ffab
Subject: [PATCH] ranges: prohibit setting --rid-base with ipa-trust-ad-posix
e3ffab
 type
e3ffab
e3ffab
We should not allow setting --rid-base for ranges of the ipa-ad-trust-posix type, since no RID -> UID/GID mapping is performed for these ranges (the objects carry their UID/GID in AD). Setting a RID base therefore makes no sense.
e3ffab
e3ffab
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
e3ffab
e3ffab
No schema change is done.
e3ffab
e3ffab
https://fedorahosted.org/freeipa/ticket/4221
e3ffab
e3ffab
Reviewed-By: Tomas Babej <tbabej@redhat.com>
e3ffab
---
e3ffab
 ipalib/plugins/idrange.py | 61 ++++++++++++++++++++++++++++++++++++-----------
e3ffab
 1 file changed, 47 insertions(+), 14 deletions(-)
e3ffab
e3ffab
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
e3ffab
index 9e0481e94048c465f9a86112378a47390de0d494..6c3be6e69595127e346969e41703dc98e783282e 100644
e3ffab
--- a/ipalib/plugins/idrange.py
e3ffab
+++ b/ipalib/plugins/idrange.py
e3ffab
@@ -248,6 +248,12 @@ class idrange(LDAPObject):
e3ffab
             if not options.get('all', False) or options.get('pkey_only', False):
e3ffab
                 entry_attrs.pop('objectclass', None)
e3ffab
 
e3ffab
+    def handle_ipabaserid(self, entry_attrs, options):
e3ffab
+        if any((options.get('pkey_only', False), options.get('raw', False))):
e3ffab
+            return
e3ffab
+        if entry_attrs['iparangetype'][0] == u'ipa-ad-trust-posix':
e3ffab
+            entry_attrs.pop('ipabaserid', None)
e3ffab
+
e3ffab
     def check_ids_in_modified_range(self, old_base, old_size, new_base,
e3ffab
                                     new_size):
e3ffab
         if new_base is None and new_size is None:
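Review bot: handle_ipabaserid pops ipabaserid from ipa-ad-trust-posix entries regardless of its value, so a non-zero ipaBaseRID that reached LDAP some other way (a direct ldapmodify, or an entry created before this validation) is hidden from idrange-show/find output unless --raw is given; if the intent is only to hide the internal 0 sentinel, pop conditionally on the value (how it is represented here — int after Param conversion or a string list — is not visible in the hunk, so the comparison needs confirming). The lookup `entry_attrs['iparangetype'][0]` also raises KeyError for an entry that lacks iparangetype, if the framework can hand the callback such entries; `range_type = entry_attrs.get('iparangetype')` followed by `if range_type and range_type[0] == u'ipa-ad-trust-posix':` is the defensive form. The new method has no docstring; I would add `"""Hide the internal ipaBaseRID placeholder of ipa-ad-trust-posix ranges from non-raw output."""`. check_ids_in_modified_range continues outside the hunk.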
e3ffab
@@ -414,6 +420,7 @@ class idrange_add(LDAPCreate):
e3ffab
 
e3ffab
         rid_base = kw.get('ipabaserid', None)
e3ffab
         secondary_rid_base = kw.get('ipasecondarybaserid', None)
e3ffab
+        range_type = kw.get('iparangetype', None)
e3ffab
 
e3ffab
         def set_from_prompt(param):
e3ffab
             value = self.prompt_param(self.params[param])
e3ffab
@@ -424,7 +431,7 @@ class idrange_add(LDAPCreate):
e3ffab
             # This is a trusted range
e3ffab
 
e3ffab
             # Prompt for RID base if domain SID / name was given
e3ffab
-            if rid_base is None:
e3ffab
+            if rid_base is None and range_type != u'ipa-ad-trust-posix':
e3ffab
                 set_from_prompt('ipabaserid')
e3ffab
 
e3ffab
         else:
e3ffab
@@ -486,23 +493,33 @@ class idrange_add(LDAPCreate):
e3ffab
             if not is_set('iparangetype'):
e3ffab
                 entry_attrs['iparangetype'] = u'ipa-ad-trust'
e3ffab
 
e3ffab
-            if entry_attrs['iparangetype'] not in (u'ipa-ad-trust',
e3ffab
-                                                   u'ipa-ad-trust-posix'):
e3ffab
+            if entry_attrs['iparangetype'] == u'ipa-ad-trust':
e3ffab
+                if not is_set('ipabaserid'):
e3ffab
+                    raise errors.ValidationError(
e3ffab
+                        name='ID Range setup',
e3ffab
+                        error=_('Options dom-sid/dom-name and rid-base must '
e3ffab
+                                'be used together')
e3ffab
+                    )
e3ffab
+            elif entry_attrs['iparangetype'] == u'ipa-ad-trust-posix':
e3ffab
+                if is_set('ipabaserid') and entry_attrs['ipabaserid'] != 0:
e3ffab
+                    raise errors.ValidationError(
e3ffab
+                        name='ID Range setup',
e3ffab
+                        error=_('Option rid-base must not be used when IPA '
e3ffab
+                                'range type is ipa-ad-trust-posix')
e3ffab
+                    )
e3ffab
+                else:
e3ffab
+                    entry_attrs['ipabaserid'] = 0
e3ffab
+            else:
e3ffab
                 raise errors.ValidationError(name='ID Range setup',
e3ffab
                     error=_('IPA Range type must be one of ipa-ad-trust '
e3ffab
                             'or ipa-ad-trust-posix when SID of the trusted '
e3ffab
-                            'domain is specified.'))
e3ffab
+                            'domain is specified'))
e3ffab
 
e3ffab
             if is_set('ipasecondarybaserid'):
e3ffab
                 raise errors.ValidationError(name='ID Range setup',
e3ffab
                     error=_('Options dom-sid/dom-name and secondary-rid-base '
e3ffab
                             'cannot be used together'))
e3ffab
 
e3ffab
-            if not is_set('ipabaserid'):
e3ffab
-                raise errors.ValidationError(name='ID Range setup',
e3ffab
-                    error=_('Options dom-sid/dom-name and rid-base must '
e3ffab
-                            'be used together'))
e3ffab
-
e3ffab
             # Validate SID as the one of trusted domains
e3ffab
             self.obj.validate_trusted_domain_sid(
e3ffab
                                         entry_attrs['ipanttrusteddomainsid'])
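Review bot: The ipa-ad-trust-posix branch tolerates an explicit `--rid-base=0` while the error text says rid-base must not be used at all, so the accepted input and the message disagree; either reject any set value (`if is_set('ipabaserid'):`) or word the message as "must be 0 or omitted". Whichever is chosen, the `else: entry_attrs['ipabaserid'] = 0` assignment deserves a why-comment, e.g. `# ipaBaseRID is a MUST attribute in the schema; 0 is the internal placeholder for posix ranges, which do no RID mapping`. Note this validation lives only in the command layer — it does not stop a direct LDAP write from storing a non-zero RID base on a posix range, which the post_callback will then hide. pre_callback continues outside the hunk.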
e3ffab
@@ -557,6 +574,7 @@ class idrange_add(LDAPCreate):
e3ffab
 
e3ffab
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
e3ffab
         assert isinstance(dn, DN)
e3ffab
+        self.obj.handle_ipabaserid(entry_attrs, options)
e3ffab
         self.obj.handle_iparangetype(entry_attrs, options,
e3ffab
                                      keep_objectclass=True)
e3ffab
         return dn
e3ffab
@@ -628,6 +646,7 @@ class idrange_find(LDAPSearch):
e3ffab
 
e3ffab
     def post_callback(self, ldap, entries, truncated, *args, **options):
e3ffab
         for entry in entries:
e3ffab
+            self.obj.handle_ipabaserid(entry, options)
e3ffab
             self.obj.handle_iparangetype(entry, options)
e3ffab
         return truncated
e3ffab
 
e3ffab
@@ -643,6 +662,7 @@ class idrange_show(LDAPRetrieve):
e3ffab
 
e3ffab
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
e3ffab
         assert isinstance(dn, DN)
e3ffab
+        self.obj.handle_ipabaserid(entry_attrs, options)
e3ffab
         self.obj.handle_iparangetype(entry_attrs, options)
e3ffab
         return dn
e3ffab
 
e3ffab
@@ -699,11 +719,23 @@ class idrange_mod(LDAPUpdate):
e3ffab
                 raise errors.ValidationError(name='ID Range setup',
e3ffab
                     error=_('Options dom-sid and secondary-rid-base cannot '
e3ffab
                             'be used together'))
e3ffab
-
e3ffab
-            if not in_updated_attrs('ipabaserid'):
e3ffab
-                raise errors.ValidationError(name='ID Range setup',
e3ffab
-                    error=_('Options dom-sid and rid-base must '
e3ffab
-                            'be used together'))
e3ffab
+            range_type = old_attrs['iparangetype'][0]
e3ffab
+            if range_type == u'ipa-ad-trust':
e3ffab
+                if not in_updated_attrs('ipabaserid'):
e3ffab
+                    raise errors.ValidationError(
e3ffab
+                        name='ID Range setup',
e3ffab
+                        error=_('Options dom-sid and rid-base must '
e3ffab
+                                'be used together'))
e3ffab
+            elif (range_type == u'ipa-ad-trust-posix' and
e3ffab
+                  'ipabaserid' in entry_attrs):
e3ffab
+                if entry_attrs['ipabaserid'] is None:
e3ffab
+                    entry_attrs['ipabaserid'] = 0
e3ffab
+                elif entry_attrs['ipabaserid'] != 0:
e3ffab
+                    raise errors.ValidationError(
e3ffab
+                        name='ID Range setup',
e3ffab
+                        error=_('Option rid-base must not be used when IPA '
e3ffab
+                                'range type is ipa-ad-trust-posix')
e3ffab
+                    )
e3ffab
 
e3ffab
             if is_set('ipanttrusteddomainsid'):
e3ffab
                 # Validate SID as the one of trusted domains
e3ffab
@@ -766,6 +798,7 @@ class idrange_mod(LDAPUpdate):
e3ffab
 
e3ffab
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
e3ffab
         assert isinstance(dn, DN)
e3ffab
+        self.obj.handle_ipabaserid(entry_attrs, options)
e3ffab
         self.obj.handle_iparangetype(entry_attrs, options)
e3ffab
         return dn
e3ffab
 
e3ffab
-- 
e3ffab
2.1.0
e3ffab