From ca26e32beb77fbd8fcc66e6eea07c6eeeb9261c9 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 22 Mar 2017 06:58:25 +0000
Subject: [PATCH] cert: do not limit internal searches in cert-find

Instead, apply the limits on the combined result.

This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.

https://pagure.io/freeipa/issue/6716

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/plugins/cert.py | 28 ++++++++++------------------
 1 file changed, 10 insertions(+), 18 deletions(-)

diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 9f901076075809592ad5ddeec8d71c273d4853c9..1a6d04533cebb2eb00022981dae9ffe5b785ba8b 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1324,7 +1324,7 @@ class cert_find(Search, CertMethod):
 
         return result, False, True
 
-    def _ca_search(self, all, raw, pkey_only, sizelimit, exactly, **options):
+    def _ca_search(self, all, raw, pkey_only, exactly, **options):
         ra_options = {}
         for name in ('revocation_reason',
                      'issuer',
@@ -1343,10 +1343,6 @@ class cert_find(Search, CertMethod):
             elif isinstance(value, DN):
                 value = unicode(value)
             ra_options[name] = value
-        if sizelimit > 0:
-            # Dogtag doesn't tell that the size limit was exceeded
-            # search for one more entry so that we can tell ourselves
-            ra_options['sizelimit'] = sizelimit + 1
         if exactly:
             ra_options['exactly'] = True
 
@@ -1369,11 +1365,6 @@ class cert_find(Search, CertMethod):
 
         ra = self.api.Backend.ra
         for ra_obj in ra.find(ra_options):
-            if sizelimit > 0 and len(result) >= sizelimit:
-                self.add_message(messages.SearchResultTruncated(
-                        reason=errors.SizeLimitExceeded()))
-                break
-
             issuer = DN(ra_obj['issuer'])
             serial_number = ra_obj['serial_number']
 
@@ -1411,8 +1402,7 @@ class cert_find(Search, CertMethod):
 
         return result, False, complete
 
-    def _ldap_search(self, all, raw, pkey_only, no_members, timelimit,
-                     sizelimit, **options):
+    def _ldap_search(self, all, raw, pkey_only, no_members, **options):
         ldap = self.api.Backend.ldap2
 
         filters = []
@@ -1453,8 +1443,8 @@ class cert_find(Search, CertMethod):
                 base_dn=self.api.env.basedn,
                 filter=filter,
                 attrs_list=['usercertificate'],
-                time_limit=timelimit,
-                size_limit=sizelimit,
+                time_limit=0,
+                size_limit=0,
             )
         except errors.EmptyResult:
             entries = []
@@ -1527,13 +1517,9 @@ class cert_find(Search, CertMethod):
                 raw=raw,
                 pkey_only=pkey_only,
                 no_members=no_members,
-                timelimit=timelimit,
-                sizelimit=sizelimit,
                 **options)
 
             if sub_complete:
-                sizelimit = 0
-
                 for key in tuple(result):
                     if key not in sub_result:
                         del result[key]
@@ -1552,6 +1538,12 @@ class cert_find(Search, CertMethod):
             complete = complete or sub_complete
 
         result = list(six.itervalues(result))
+        if sizelimit > 0 and len(result) > sizelimit:
+            if not truncated:
+                self.add_message(messages.SearchResultTruncated(
+                        reason=errors.SizeLimitExceeded()))
+            result = result[:sizelimit]
+            truncated = True
 
         ret = dict(
             result=result
-- 
2.12.1