From 964bce5fd60bbb52be1dcc67e628a6c1ab62e356 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tbabej@redhat.com>
Date: Thu, 23 Jul 2015 12:36:53 +0200
Subject: [PATCH] idviews: Restrict anchor to name and name to anchor
 conversions

When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.

The same restriction applies for the opposite direction, when
converting the object name to it's SID.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipalib/plugins/idviews.py | 50 +++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 46 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 67f52f886f0e19288a829616603c7aef6768f8db..c4f748132642f8702dcd12d38367dc36f4bc4a3c 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -432,6 +432,36 @@ class idview_unapply(baseidview_apply):
 
 
 # ID overrides helper methods
+def verify_trusted_domain_object_type(validator, desired_type, name_or_sid):
+
+    object_type = validator.get_trusted_domain_object_type(name_or_sid)
+
+    if object_type == desired_type:
+        # In case SSSD returns the same type as the type being
+        # searched, no problems here.
+        return True
+
+    elif desired_type == 'user' and object_type == 'both':
+        # Type both denotes users with magic private groups.
+        # Overriding attributes for such users is OK.
+        return True
+
+    elif desired_type == 'group' and object_type == 'both':
+        # However, overriding attributes for magic private groups
+        # does not make sense. One should override the GID of
+        # the user itself.
+
+        raise errors.ConversionError(
+            name='identifier',
+            error=_('You are trying to reference a magic private group '
+                    'which is not allowed to be overriden. '
+                    'Try overriding the GID attribute of the '
+                    'corresponding user instead.')
+            )
+
+    return False
+
+
 def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap):
     """
     Resolves the user/group name to the anchor uuid:
@@ -482,9 +512,15 @@ def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap):
                 sid = domain_validator.get_trusted_domain_object_sid(obj,
                         fallback_to_ldap=fallback_to_ldap)
 
-                # There is no domain prefix since SID contains information
-                # about the domain
-                return SID_ANCHOR_PREFIX + sid
+                # We need to verify that the object type is correct
+                type_correct = verify_trusted_domain_object_type(
+                        domain_validator, obj_type, sid)
+
+                if type_correct:
+                    # There is no domain prefix since SID contains information
+                    # about the domain
+                    return SID_ANCHOR_PREFIX + sid
+
     except errors.ValidationError:
         # Domain validator raises Validation Error if object name does not
         # contain domain part (either NETBIOS\ prefix or @domain.name suffix)
@@ -539,7 +575,13 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
             domain_validator = ipaserver.dcerpc.DomainValidator(api)
             if domain_validator.is_configured():
                 name = domain_validator.get_trusted_domain_object_from_sid(sid)
-                return name
+
+                # We need to verify that the object type is correct
+                type_correct = verify_trusted_domain_object_type(
+                        domain_validator, obj_type, name)
+
+                if type_correct:
+                    return name
 
     # No acceptable object was found
     raise errors.NotFound(
-- 
2.4.3