From 9fedf58eb1282560957edc1f36356602b55a736d Mon Sep 17 00:00:00 2001

From: Tomas Babej <tbabej@redhat.com>

Date: Thu, 23 Jul 2015 14:00:06 +0200

Subject: [PATCH] idviews: Enforce objectclass check in idoverride*-del

Even with anchor to sid type checking, it would be still

possible to delete a user ID override by specifying a group

raw anchor and vice versa.

This patch introduces a objectclass check in idoverride*-del

commands to prevent that.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipalib/plugins/idviews.py | 19 +++++++++++++++++++

 1 file changed, 19 insertions(+)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py

index c4f748132642f8702dcd12d38367dc36f4bc4a3c..2e6e84510d3caa3636d3f0c08c56403866ff54f9 100644

--- a/ipalib/plugins/idviews.py

+++ b/ipalib/plugins/idviews.py

@@ -716,6 +716,25 @@ class baseidoverride_del(LDAPDelete):

     takes_options = LDAPDelete.takes_options + (fallback_to_ldap_option,)

+    def pre_callback(self, ldap, dn, *keys, **options):

+        assert isinstance(dn, DN)

+

+        # Make sure the entry we're deleting has all the objectclasses

+        # this object requires

+        try:

+            entry = ldap.get_entry(dn, ['objectclass'])

+        except errors.NotFound:

+            self.obj.handle_not_found(*keys)

+

+        required_object_classes = set(self.obj.object_class)

+        actual_object_classes = set(entry['objectclass'])

+

+        # If not, treat it as a failed search

+        if not required_object_classes.issubset(actual_object_classes):

+            self.obj.handle_not_found(*keys)

+

+        return dn

+

 class baseidoverride_mod(LDAPUpdate):

     __doc__ = _('Modify an ID override.')

-- 

2.4.3