authorRob Crittenden <rcritten@redhat.com>2012-07-24 22:55:27 -0400
committerRob Crittenden <rcritten@redhat.com>2012-07-26 23:57:25 -0400
commite345ad12eb05e53246c2eca54616f9001765c291 (patch)
treef2f5a2e393e055ef5dc4a29ae6b6935cc8a12eb6 /ipalib
parent9d853483fe3366b8af28de6b8318720339bde89d (diff)
Fix validator for SELinux user map settings in config plugin.
We need to compare two values and need to be aware of where those values are coming from. They may come from options, setattr or existing config. The format of that data is going to be different depending on its source (always a list internally). One may also set both at the same time so a standard validator cannot be used because it lacks the context of the other value being set. https://fedorahosted.org/freeipa/ticket/2938 https://fedorahosted.org/freeipa/ticket/2940
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/config.py35
1 files changed, 20 insertions, 15 deletions
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index c8230e23a..d632e2edf 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -250,30 +250,35 @@ class config_mod(LDAPUpdate):
error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
% dict(obj=obj, attr=obj_attr))
- if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None:
- raise errors.ValidationError(name='ipaselinuxusermapdefault',
- error=_('SELinux user map default user may not be empty'))
-
- # Make sure the default user is in the list
- if 'ipaselinuxusermapdefault' in options or \
- 'ipaselinuxusermaporder' in options:
+ # Combine the current entry and options into a single object to
+ # evaluate. This covers changes via setattr and options.
+ # Note: this is not done in a validator because we may be changing
+ # the default user and map list at the same time and we don't
+ # have both values in a validator.
+ validate = dict(options)
+ validate.update(entry_attrs)
+ if ('ipaselinuxusermapdefault' in validate or
+ 'ipaselinuxusermaporder' in validate):
config = None
- if 'ipaselinuxusermapdefault' in options:
- defaultuser = options['ipaselinuxusermapdefault']
+ failedattr = 'ipaselinuxusermaporder'
+ if 'ipaselinuxusermapdefault' in validate:
+ defaultuser = validate['ipaselinuxusermapdefault']
+ failedattr = 'ipaselinuxusermapdefault'
else:
config = ldap.get_ipa_config()[1]
- defaultuser = config['ipaselinuxusermapdefault']
+ defaultuser = config['ipaselinuxusermapdefault'][0]
- if 'ipaselinuxusermaporder' in options:
- order = options['ipaselinuxusermaporder']
+ if 'ipaselinuxusermaporder' in validate:
+ order = validate['ipaselinuxusermaporder']
+ userlist = order.split('$')
else:
if not config:
config = ldap.get_ipa_config()[1]
order = config['ipaselinuxusermaporder']
- userlist = order[0].split('$')
+ userlist = order[0].split('$')
if defaultuser not in userlist:
- raise errors.ValidationError(name='ipaselinuxusermaporder',
- error=_('Default SELinux user map default user not in order list'))
+ raise errors.ValidationError(name=failedattr,
+ error=_('SELinux user map default user not in order list'))
return dn
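Review bot: The added `userlist = order.split('$')` in the `'ipaselinuxusermaporder' in validate` branch assumes the merged value is a string, and this commit removes the only explicit `is None` check, so a cleared order list would probably surface as an AttributeError instead of a ValidationError. A cleared default user is still rejected, but only indirectly through `defaultuser not in userlist`, so the caller sees the "not in order list" message rather than an "empty" one. I would reject empty values explicitly before the split, for example `if not order: raise errors.ValidationError(name='ipaselinuxusermaporder', error=_('SELinux user map list may not be empty'))`, and restore an equivalent check for `defaultuser`. The description says the data format depends on its source, so if setattr can deliver a list here, that value needs normalising before `.split` as well. The enclosing method starts above the hunk, so I cannot confirm this from the visible lines.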