authorRob Crittenden <rcritten@redhat.com>2010-12-17 15:35:24 -0500
committerSimo Sorce <ssorce@redhat.com>2010-12-17 18:04:37 -0500
commiteb9cb783ee171e2f8e9921399db65280ba9dfd21 (patch)
tree12da38395bbba9fec0f696e08d8103794e4f7b1a /ipalib
parent1600146c942eedcbeb4f67537ee35d1e73c46b24 (diff)
Catch ACI errors better when adding a permission.
We create the aci with the --test flag to test its validity but it doesn't do the same level of tests that actually adding an aci to LDAP does. Catch any syntax errors that get thrown and clean up as best we can. ticket 621
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/permission.py20
1 files changed, 17 insertions, 3 deletions
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 0587564ed..058a2cd3e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -185,8 +185,21 @@ class permission_add(LDAPCreate):
for attr in self.obj.aci_attributes:
if attr in result:
entry_attrs[attr] = result[attr]
+ except errors.InvalidSyntax, e:
+ # A syntax error slipped past our attempt at validation, clean up
+ self.api.Command.permission_del(keys[-1])
+ raise e
except Exception, e:
- self.api.Command.aci_del(keys[-1])
+ # Something bad happened, clean up as much as we can and return
+ # that error
+ try:
+ self.api.Command.permission_del(keys[-1])
+ except Exception, ignore:
+ pass
+ try:
+ self.api.Command.aci_del(keys[-1])
+ except Exception, ignore:
+ pass
raise e
return dn
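Review bot: The two cleanup calls in the generic `except Exception` branch swallow their own failures with `except Exception, ignore: pass`, so when `permission_del` or `aci_del` fails the directory keeps a half-created permission or a stray ACI and nothing records that the rollback was incomplete. A leftover ACI is still an access-control rule, so the failure should at least be logged with the permission name before the original error is re-raised; a comment such as `# cleanup failed: entry may be orphaned, log keys[-1] for manual removal` marks the spot. The `errors.InvalidSyntax` branch has the opposite problem: `permission_del(keys[-1])` is unguarded there, so if it raises, the caller sees the cleanup error instead of the syntax error, and it should be wrapped the same way as in the generic branch. The `try` these handlers belong to starts outside the hunk.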
@@ -317,7 +330,7 @@ class permission_find(LDAPSearch):
if aci['permission'] == attrs['cn']:
found = True
break
- if not found in aci:
+ if not found:
permission = self.api.Command.permission_show(aci['permission'])
attrs = permission['result']
for attr in self.obj.aci_attributes:
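Review bot: The `permission_show(aci['permission'])` call that runs whenever `found` is false has no handling for an ACI whose permission entry is missing, which is the state an incomplete rollback in `permission_add` can leave behind. If `permission_show` raises for that name (presumably `errors.NotFound`; the command is defined outside this page), a single orphaned ACI makes every `permission_find` fail. Guarding the call with `try: permission = self.api.Command.permission_show(aci['permission'])` and `except errors.NotFound: continue` would skip the orphan instead. The enclosing loop starts outside the hunk, so confirm that `continue` is valid at that nesting level.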
@@ -325,7 +338,8 @@ class permission_find(LDAPSearch):
attrs[attr] = aci[attr]
dn = attrs['dn']
del attrs['dn']
- newentries.append((dn, attrs))
+ if (dn, attrs) not in entries:
+ newentries.append((dn, attrs))
return newentries
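Review bot: The new guard `if (dn, attrs) not in entries:` compares the whole tuple, including the `attrs` dict that was just modified (ACI attributes copied in, `dn` deleted), so it only suppresses a duplicate when the copy in `entries` happens to hold exactly the same keys and values. It also checks `entries` only, so two ACIs that resolve to the same permission could still be appended to `newentries` twice, depending on how `newentries` is initialised outside the hunk. Keying the test on the DN is more robust, for example `if not any(d == dn for (d, a) in entries):`, with the same test over `newentries` if it does not start as a copy of `entries`.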