diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2011-09-16 09:35:48 -0400 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2011-09-22 15:41:33 +0200 |
| commit | fb6abb2acc190d1c397f9e4e170c03bfcd39048d (patch) | |
| tree | 44b198d519821a2361e1ebff0dd4aa9cf9b4d41d /ipalib | |
| parent | 355b93ecf3fa130674b1888bec97e9c600bc7a95 (diff) | |
| download | freeipa-fb6abb2acc190d1c397f9e4e170c03bfcd39048d.tar.gz freeipa-fb6abb2acc190d1c397f9e4e170c03bfcd39048d.tar.xz freeipa-fb6abb2acc190d1c397f9e4e170c03bfcd39048d.zip | |
Normalize uid in user principal to lower-case and do validation
Use same normalization and validation in passwd plugin and add some
tests for invalid principals
https://fedorahosted.org/freeipa/ticket/1778
Diffstat (limited to 'ipalib')
| -rw-r--r-- | ipalib/plugins/passwd.py | 11 | ||||
| -rw-r--r-- | ipalib/plugins/user.py | 47 |
2 files changed, 48 insertions, 10 deletions
diff --git a/ipalib/plugins/passwd.py b/ipalib/plugins/passwd.py index 901a56f20..b7d82f355 100644 --- a/ipalib/plugins/passwd.py +++ b/ipalib/plugins/passwd.py @@ -22,6 +22,7 @@ from ipalib import Command from ipalib import Str, Password from ipalib import _ from ipalib import output +from ipalib.plugins.user import split_principal, validate_principal, normalize_principal __doc__ = _(""" Set a user's password @@ -46,12 +47,13 @@ class passwd(Command): __doc__ = _("Set a user's password.") takes_args = ( - Str('principal', + Str('principal', validate_principal, cli_name='user', label=_('User name'), primary_key=True, autofill=True, create_default=lambda **kw: util.get_current_principal(), + normalizer=lambda value: normalize_principal(value), ), Password('password', label=_('Password'), @@ -75,13 +77,6 @@ class passwd(Command): """ ldap = self.api.Backend.ldap2 - if principal.find('@') != -1: - principal_parts = principal.split('@') - if len(principal_parts) > 2: - raise errors.MalformedUserPrincipal(principal=principal) - else: - principal = '%s@%s' % (principal, self.api.env.realm) - (dn, entry_attrs) = ldap.find_entry_by_attr( 'krbprincipalname', principal, 'posixaccount', [''], ",".join([api.env.container_user, api.env.basedn]) diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index 92a026d0a..35866d6e9 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -84,6 +84,48 @@ def convert_nsaccountlock(entry_attrs): nsaccountlock = Bool('temp') entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0]) +def split_principal(principal): + """ + Split the principal into its components and do some basic validation. + + Automatically append our realm if it wasn't provided. + """ + realm = None + parts = principal.split('@') + user = parts[0].lower() + if len(parts) > 2: + raise errors.MalformedUserPrincipal( + principal=principal + ) + + if len(parts) == 2: + realm = parts[1].upper() + # At some point we'll support multiple realms + if realm != api.env.realm: + raise errors.RealmMismatch() + else: + realm = api.env.realm + + return (user, realm) + +def validate_principal(ugettext, principal): + """ + All the real work is done in split_principal. + """ + (user, realm) = split_principal(principal) + return None + +def normalize_principal(principal): + """ + Ensure that the name in the principal is lower-case. The realm is + upper-case by convention but it isn't required. + + The principal is validated at this point. + """ + (user, realm) = split_principal(principal) + return unicode('%s@%s' % (user, realm)) + + class user(LDAPObject): """ User object. @@ -169,12 +211,13 @@ class user(LDAPObject): label=_('Login shell'), default=u'/bin/sh', ), - Str('krbprincipalname?', + Str('krbprincipalname?', validate_principal, cli_name='principal', label=_('Kerberos principal'), - default_from=lambda uid: '%s@%s' % (uid, api.env.realm), + default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm), autofill=True, flags=['no_update'], + normalizer=lambda value: normalize_principal(value), ), Str('mail*', cli_name='email', |