authorRob Crittenden <rcritten@redhat.com>2011-09-16 09:35:48 -0400
committerMartin Kosek <mkosek@redhat.com>2011-09-22 15:41:19 +0200
commita1430dcb2c8e63e3077d00878431c0698944a07d (patch)
tree7843a84ec320eeff7e6951e5eebf9765b76bc11d /ipalib/plugins/user.py
parent37836a2e6c07550d504a1075ea5626f160f13342 (diff)
Normalize uid in user principal to lower-case and do validation
Use same normalization and validation in passwd plugin and add some tests for invalid principals https://fedorahosted.org/freeipa/ticket/1778
Diffstat (limited to 'ipalib/plugins/user.py')
-rw-r--r--ipalib/plugins/user.py47
1 files changed, 45 insertions, 2 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 92a026d0a..35866d6e9 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -84,6 +84,48 @@ def convert_nsaccountlock(entry_attrs):
nsaccountlock = Bool('temp')
entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0])
+def split_principal(principal):
+ """
+ Split the principal into its components and do some basic validation.
+
+ Automatically append our realm if it wasn't provided.
+ """
+ realm = None
+ parts = principal.split('@')
+ user = parts[0].lower()
+ if len(parts) > 2:
+ raise errors.MalformedUserPrincipal(
+ principal=principal
+ )
+
+ if len(parts) == 2:
+ realm = parts[1].upper()
+ # At some point we'll support multiple realms
+ if realm != api.env.realm:
+ raise errors.RealmMismatch()
+ else:
+ realm = api.env.realm
+
+ return (user, realm)
+
+def validate_principal(ugettext, principal):
+ """
+ All the real work is done in split_principal.
+ """
+ (user, realm) = split_principal(principal)
+ return None
+
+def normalize_principal(principal):
+ """
+ Ensure that the name in the principal is lower-case. The realm is
+ upper-case by convention but it isn't required.
+
+ The principal is validated at this point.
+ """
+ (user, realm) = split_principal(principal)
+ return unicode('%s@%s' % (user, realm))
+
+
class user(LDAPObject):
"""
User object.
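Review bot: split_principal never checks that the user component is non-empty, so an input such as `@REALM` or an empty string passes validation, and normalize_principal then returns a principal with nothing in front of the `@`. A guard right after the `len(parts) > 2` check would reject that: `if not user: raise errors.MalformedUserPrincipal(principal=principal)`. Separately, validate_principal binds `(user, realm)` and never uses them; calling `split_principal(principal)` without the assignment makes it clear that only the raised exception matters. The `user` class body continues outside this hunk.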
@@ -169,12 +211,13 @@ class user(LDAPObject):
label=_('Login shell'),
default=u'/bin/sh',
),
- Str('krbprincipalname?',
+ Str('krbprincipalname?', validate_principal,
cli_name='principal',
label=_('Kerberos principal'),
- default_from=lambda uid: '%s@%s' % (uid, api.env.realm),
+ default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
autofill=True,
flags=['no_update'],
+ normalizer=lambda value: normalize_principal(value),
),
Str('mail*',
cli_name='email',