author | Tomas Babej <tbabej@redhat.com> | 2014-09-22 12:58:05 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-30 10:42:06 +0200 |
commit | 13089eae527ae87cad69148be3d60077511dc517 (patch) | |
tree | cef107d17d5a2070abe8a91692f2cbad53b6a88c /ipalib/plugins/idviews.py | |
parent | b9425751b421484c97375df956ccda3cb9dc0e70 (diff) | |
idviews: Handle Default Trust View properly in the framework
Make sure that:
1.) IPA users cannot be added to the Default Trust View
2.) Default Trust View cannot be deleted or renamed
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib/plugins/idviews.py')
-rw-r--r-- | ipalib/plugins/idviews.py | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 536498358..d6263307d 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -45,6 +45,12 @@ other Identity Management solutions.
 register = Registry()
+protected_default_trust_view_error = errors.ProtectedEntryError(
+ label=_('ID View'),
+ key=u"Default Trust View",
+ reason=_('system ID View')
+)
+
 @register()
 class idview(LDAPObject):
@@ -97,12 +103,24 @@ class idview_del(LDAPDelete):
 __doc__ = _('Delete an ID View.')
 msg_summary = _('Deleted ID View "%(value)s"')
+ def pre_callback(self, ldap, dn, *keys, **options):
+ if "Default Trust View" in keys:
+ raise protected_default_trust_view_error
+
+ return dn
+
 @register()
 class idview_mod(LDAPUpdate):
 __doc__ = _('Modify an ID View.')
 msg_summary = _('Modified an ID View "%(value)s"')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if "Default Trust View" in keys:
+ raise protected_default_trust_view_error
+
+ return dn
+
 @register()
 class idview_find(LDAPSearch):
@@ -519,6 +537,16 @@ class baseidoverride(LDAPObject):
 )
 entry_attrs.single_value['ipaanchoruuid'] = object_name
+ def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
+ # Check if parent object is Default Trust View, if so, prohibit
+ # adding overrides for IPA objects
+
+ if dn[1].value == 'Default Trust View':
+ if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
+ raise errors.ValidationError(
+ name=_('ID View'),
+ error=_('Default Trust View cannot contain IPA users')
+ )
 class baseidoverride_add(LDAPCreate):
 __doc__ = _('Add a new ID override.')
@@ -526,6 +554,7 @@ class baseidoverride_add(LDAPCreate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
+ self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
 return dn
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
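Review bot: `protected_default_trust_view_error` is a single exception instance created at import time and re-raised from both idview_del.pre_callback and idview_mod.pre_callback, so every raise shares one object; should this module ever run under Python 3, each raise attaches `__traceback__`/`__context__` to that shared instance and keeps earlier frames alive, and any handler that mutates the exception would leak into later callers. A small factory avoids this: `def protected_default_trust_view_error():` returning a fresh `errors.ProtectedEntryError(...)` with the same label/key/reason, with the raise sites becoming `raise protected_default_trust_view_error()`. The literal `"Default Trust View"` is also spelled out separately here, in both idview callbacks and in prohibit_ipa_users_in_default_view; one module constant next to this error would keep them in step.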
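Review bot: `if "Default Trust View" in keys:` in idview_del.pre_callback (and the identical test in idview_mod.pre_callback) is an exact, case-sensitive comparison, whereas if the ID View's primary key is its `cn` the directory resolves it with LDAP's case-insensitive matching; a request naming the view with different casing would then pass this guard and still reach the protected entry, so the delete/rename protection the commit describes would depend on the caller's spelling. Normalising before the test closes that gap, e.g. `if any(key.lower() == "default trust view" for key in keys):`, and the same applies to `dn[1].value == 'Default Trust View'` in prohibit_ipa_users_in_default_view further down this diff. A one-line comment on both callbacks noting that this name check is the only thing standing between the caller and the protected view would stop a later refactor from loosening it.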
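Review bot: `entry_attrs` is accepted by prohibit_ipa_users_in_default_view but never read, so either drop it or document why the signature mirrors the callbacks that pass it; as written a reader expects the check to inspect the attributes. The new `def` also directly follows the last line of the previous method with no blank line, and the two-line comment describes the intent well enough to become a docstring, e.g. `"""Reject an override whose anchor starts with IPA_ANCHOR_PREFIX when the parent view is the Default Trust View."""`. The nested conditions can be one guard: `if dn[1].value == 'Default Trust View' and dn[0].value.startswith(IPA_ANCHOR_PREFIX):`. The enclosing class baseidoverride starts outside this hunk.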
@@ -542,6 +571,16 @@ class baseidoverride_mod(LDAPUpdate):
 __doc__ = _('Modify an ID override.')
 msg_summary = _('Modified an ID override "%(value)s"')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if 'rename' in options:
+ raise errors.ValidationError(
+ name=_('ID override'),
+ error=_('ID overrides cannot be renamed')
+ )
+
+ self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
+ return dn
+
 def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
 self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
 return dn |
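Review bot: baseidoverride_mod.pre_callback refuses `rename` without saying why, and the reason is not visible in this hunk; given that baseidoverride_add.pre_callback derives `ipaanchoruuid` from the DN via `set_anchoruuid_from_dn`, a rename would presumably change the RDN without that attribute following, so a comment such as `# The anchor lives in the RDN and is mirrored in ipaanchoruuid; renaming would desynchronise them` above the check would help the next maintainer. Because renames are refused here, the following `self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)` can only fire for an override that already exists in the Default Trust View with an IPA anchor; if the intent is to refuse modifying such pre-existing entries, say so in a comment, otherwise the call reads as redundant. The error is raised with `name=_('ID override')` while the sibling check in prohibit_ipa_users_in_default_view reports `name=_('ID View')` for a condition that is also about the override; aligning the two would make the CLI errors consistent.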