authorJohn Dennis <jdennis@redhat.com>2012-04-16 08:33:26 +0200
committerMartin Kosek <mkosek@redhat.com>2012-04-16 08:35:03 +0200
commitd317c2a0d1114cb0c53c9a333538f579624e4a9b (patch)
treeb7a25b9ce35a8ad4ff3e0cf3c6f0efda3e391a37 /ipalib
parent98e662b96f4e533693465131675ae01f777bde4e (diff)
Validate DN & RDN parameters for migrate command
Ticket #2555 We were generating a traceback (server error) if a malformed RDN was passed as a parameter to the migrate command. * add parameter validation functions validate_dn_param() and validate_rdn_param() to ipalib.util. Those functions simply invoke the DN or RDN constructor from our dn module passing it the string representation. If the constructor does not throw an error it's valid. * Add the parameter validation function pointers to the Param objects in the migrate command. * Make the usercontainer and groupcontainer parameters required. passing --usercontainer= on the command line will produce ipa: ERROR: 'user_container' is required * Fix _get_search_bases() so if a container dn is empty it just uses the base dn alone instead of faulting (currently bullet-proofing because now the containers are required). * Update the doc for usercontainer and groupcontainer to reflect the fact they are DN's not RDN's. A RDN can only be one level and it should be possible to have a container more than one RDN removed from the base.
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/migration.py20
-rw-r--r--ipalib/util.py15
2 files changed, 27 insertions, 8 deletions
diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
index 873ff4c4a..89076f64d 100644
--- a/ipalib/plugins/migration.py
+++ b/ipalib/plugins/migration.py
@@ -23,6 +23,7 @@ import ldap as _ldap
from ipalib import api, errors, output
from ipalib import Command, Password, Str, Flag, StrEnum
from ipalib.cli import to_cli
+from ipalib.util import validate_dn_param
from ipalib.dn import *
from ipalib.plugins.user import NO_UPG_MAGIC
if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -418,23 +419,23 @@ class migrate_ds(Command):
)
takes_options = (
- Str('binddn?',
+ Str('binddn?', validate_dn_param,
cli_name='bind_dn',
label=_('Bind DN'),
default=u'cn=directory manager',
autofill=True,
),
- Str('usercontainer?',
+ Str('usercontainer', validate_dn_param,
cli_name='user_container',
label=_('User container'),
- doc=_('RDN of container for users in DS relative to base DN'),
+ doc=_('DN of container for users in DS relative to base DN'),
default=u'ou=people',
autofill=True,
),
- Str('groupcontainer?',
+ Str('groupcontainer', validate_dn_param,
cli_name='group_container',
label=_('Group container'),
- doc=_('RDN of container for groups in DS relative to base DN'),
+ doc=_('DN of container for groups in DS relative to base DN'),
default=u'ou=groups',
autofill=True,
),
@@ -589,9 +590,12 @@ can use their Kerberos accounts.''')
def _get_search_bases(self, options, ds_base_dn, migrate_order):
search_bases = dict()
for ldap_obj_name in migrate_order:
- search_bases[ldap_obj_name] = '%s,%s' % (
- options['%scontainer' % to_cli(ldap_obj_name)], ds_base_dn
- )
+ container = options.get('%scontainer' % to_cli(ldap_obj_name))
+ if container:
+ search_base = str(DN(container, ds_base_dn))
+ else:
+ search_base = ds_base_dn
+ search_bases[ldap_obj_name] = search_base
return search_bases
def migrate(self, ldap, config, ds_ldap, ds_base_dn, options):
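Review bot: `DN(container, ds_base_dn)` now parses ds_base_dn as well, and nothing in this hunk shows that value being validated, so a malformed base DN would presumably still raise out of _get_search_bases as the server error this commit sets out to remove; where ds_base_dn comes from is outside the hunk. The two branches also return different forms: the `if` branch returns the string the DN class renders, while the `else` branch returns ds_base_dn untouched. Using `search_base = str(DN(ds_base_dn))` in the else branch would make both paths consistent, and the base DN should get the same validate_dn_param treatment wherever it is accepted. A short comment such as `# empty container: search the base DN itself` would document the fallback.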
diff --git a/ipalib/util.py b/ipalib/util.py
index a79f41cc3..659e178df 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -31,6 +31,7 @@ from weakref import WeakKeyDictionary
from ipalib import errors
from ipalib.text import _
+from ipalib.dn import DN, RDN
from ipapython import dnsclient
from ipapython.ipautil import decode_ssh_pubkey
@@ -484,3 +485,17 @@ def gen_dns_update_policy(realm, rrtypes=('A', 'AAAA', 'SSHFP')):
policy += ";"
return policy
+
+def validate_rdn_param(ugettext, value):
+ try:
+ rdn = RDN(value)
+ except Exception, e:
+ return str(e)
+ return None
+
+def validate_dn_param(ugettext, value):
+ try:
+ rdn = DN(value)
+ except Exception, e:
+ return str(e)
+ return None
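Review bot: Both validators catch `Exception` and hand `str(e)` back as the validation message, so any failure inside the DN/RDN constructors, not only a malformed string, is reported to the caller as a parameter error, and the constructor's raw exception text reaches the client untranslated even though `ugettext` is passed in. If the dn module raises a narrower type for parse failures (ValueError is a guess; confirm against ipalib.dn), catch only that, e.g. `except ValueError, e:`, and let anything else propagate so it is logged as a server fault. The unused local can be dropped in favour of a bare `DN(value)` call; in validate_dn_param it is misleadingly named `rdn`. Each function also deserves a one-line docstring stating that it returns None when the value parses and an error string otherwise. validate_rdn_param is not referenced by any hunk visible here.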