590d18
From 82738f7ef90586668761a4f1215a734ab8c25f5a Mon Sep 17 00:00:00 2001
590d18
From: "Endi S. Dewata" <edewata@redhat.com>
590d18
Date: Mon, 10 Aug 2015 20:57:58 +0200
590d18
Subject: [PATCH] Fixed vault container ownership.
590d18
590d18
The vault-add command has been fixed such that if the user/service
590d18
private vault container does not exist yet it will be created and
590d18
owned by the user/service instead of the vault creator.
590d18
590d18
https://fedorahosted.org/freeipa/ticket/5194
590d18
590d18
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
590d18
---
590d18
 ipalib/plugins/vault.py | 27 ++++++++++++++++++++++++---
590d18
 1 file changed, 24 insertions(+), 3 deletions(-)
590d18
590d18
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
590d18
index b5a12d5c3da599d7f5afaed90f579ad3a23c27cd..88c63071f04462aa240a70d3a3eeac2d04e66062 100644
590d18
--- a/ipalib/plugins/vault.py
590d18
+++ b/ipalib/plugins/vault.py
590d18
@@ -704,12 +704,33 @@ class vault_add_internal(LDAPCreate):
590d18
         else:
590d18
             owner_dn = self.api.Object.user.get_dn(name)
590d18
 
590d18
+        parent_dn = DN(*dn[1:])
590d18
+
590d18
+        container_dn = DN(self.api.Object.vault.container_dn,
590d18
+                          self.api.env.basedn)
590d18
+
590d18
+        services_dn = DN(('cn', 'services'), container_dn)
590d18
+        users_dn = DN(('cn', 'users'), container_dn)
590d18
+
590d18
+        if dn.endswith(services_dn):
590d18
+            # service container should be owned by the service
590d18
+            service = parent_dn[0]['cn']
590d18
+            parent_owner_dn = self.api.Object.service.get_dn(service)
590d18
+
590d18
+        elif dn.endswith(users_dn):
590d18
+            # user container should be owned by the user
590d18
+            user = parent_dn[0]['cn']
590d18
+            parent_owner_dn = self.api.Object.user.get_dn(user)
590d18
+
590d18
+        else:
590d18
+            parent_owner_dn = owner_dn
590d18
+
590d18
         try:
590d18
-            parent_dn = DN(*dn[1:])
590d18
-            self.obj.create_container(parent_dn, owner_dn)
590d18
-        except errors.DuplicateEntry, e:
590d18
+            self.obj.create_container(parent_dn, parent_owner_dn)
590d18
+        except errors.DuplicateEntry as e:
590d18
             pass
590d18
 
590d18
+        # vault should be owned by the creator
590d18
         entry_attrs['owner'] = owner_dn
590d18
 
590d18
         return dn
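Review bot: The `except errors.DuplicateEntry as e: pass` branch means the ownership fix only applies to containers that do not exist yet; a private container already created before this patch (owned by the vault creator, per the commit message) keeps its wrong owner, so a one-off fix-up of existing `cn=users`/`cn=services` sub-containers is still needed and is worth noting in a comment, e.g. `# pre-existing containers keep their current owner; ownership is not corrected here`. The bound name `e` is unused, so `except errors.DuplicateEntry:` is enough. The new owner is derived purely from the parent RDN (`parent_dn[0]['cn']`) and passed to `get_dn()` without checking that the user or service entry exists, so a container could presumably be created with an owner DN that resolves to nothing; if `get_dn()` does not validate existence, a lookup before `create_container` would be safer. If a vault DN can sit directly under `cn=services` or `cn=users`, `parent_dn[0]['cn']` would be the literal `services`/`users` and the branch would compute a bogus owner; a guard such as `if parent_dn != services_dn and dn.endswith(services_dn):` would avoid that, though I cannot tell from the hunk whether such a DN is reachable. The enclosing method starts before this hunk.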
590d18
-- 
590d18
2.4.3
590d18