author | Tomas Babej <tbabej@redhat.com> | 2013-05-15 15:37:15 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2013-05-31 10:55:34 +0200 |
commit | c9370c4a8e16333859e165d61acd7dfef3f5abe2 (patch) | |
tree | c9400435e497d2916dc3e40b7c305504aed6be11 /ipalib/plugins | |
parent | 64738ba94ed83397a66d577482039778b261536d (diff) | |
Do not allow removal of ID range of an active trust
When removing an ID range using the idrange-del command, validation
in pre_callback ensures that the range does not belong to any
active trust. If it does, ValidationError is raised.
Unit tests covering the functionality have been added.
https://fedorahosted.org/freeipa/ticket/3615
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/idrange.py | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54f6fbb3e..d54879442 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -434,14 +434,31 @@ class idrange_del(LDAPDelete): def pre_callback(self, ldap, dn, *keys, **options): try: - (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', 'ipaidrangesize']) + (old_dn, old_attrs) = ldap.get_entry(dn, ['ipabaseid', + 'ipaidrangesize', + 'ipanttrusteddomainsid']) except errors.NotFound: self.obj.handle_not_found(*keys) + # Check whether we leave any object with id in deleted range old_base_id = int(old_attrs.get('ipabaseid', [0])[0]) old_range_size = int(old_attrs.get('ipaidrangesize', [0])[0]) self.obj.check_ids_in_modified_range( old_base_id, old_range_size, 0, 0) + + # Check whether the range does not belong to the active trust + range_sid = old_attrs.get('ipanttrusteddomainsid') + + if range_sid is not None: + range_sid = range_sid[0] + result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) + + if result['count'] > 0: + raise errors.DependentEntry( + label='Active Trust', + key=keys[0], + dependent=result['result'][0]['cn'][0]) + return dn class idrange_find(LDAPSearch): |
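Review bot: The new trust check in `pre_callback` fails open: `api.Command['trust_find'](ipanttrusteddomainsid=range_sid)` presumably runs with the caller's own LDAP bind, so if the caller cannot read the trust entries, or the search comes back empty for any other reason, `result['count']` is 0 and the range is deleted even though a trust still uses it. Whether every principal allowed to delete ranges can also read trusts is not visible in this hunk, so the assumption deserves a comment above the call, e.g. `# trust_find runs as the caller; an empty result is treated as "no trust uses this range"`, and a test run as a principal that holds only the range-deletion permission. Separately, the commit message says ValidationError is raised, while the code raises `errors.DependentEntry`; the two should be aligned so that callers and tests catch the right exception.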