From fea3b121a2e16d493dbadbc2f32cfeb02bf8919c Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Tue, 2 Sep 2014 14:47:29 +0200
Subject: trusts: Add conversion from SID to object name

---
 ipaserver/dcerpc.py | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 3944b19e0..ad5a9a895 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -57,6 +57,8 @@
 import pysss_nss_idmap
 import pysss
 from ipaplatform.paths import paths
+from ldap.filter import escape_filter_chars
+
 
 __doc__ = _("""
 Classes to manage trust joins using DCE-RPC calls
@@ -350,6 +352,53 @@ class DomainValidator(object):
             raise errors.ValidationError(name=_('trusted domain object'),
                 error= _('Trusted domain did not return a valid SID for the object'))
 
+    def get_trusted_domain_object_from_sid(self, sid):
+        root_logger.info("Converting SID to object name: %s" % sid)
+
+        # Check if the given SID is valid
+        if not self.is_trusted_sid_valid(sid):
+            raise errors.ValidationError(name='sid', error='SID is not valid')
+
+        # Use pysss_nss_idmap to obtain the name
+        result = pysss_nss_idmap.getnamebysid(sid).get(sid)
+
+        valid_types = (pysss_nss_idmap.ID_USER,
+                       pysss_nss_idmap.ID_GROUP,
+                       pysss_nss_idmap.ID_BOTH)
+
+        if result:
+            if result.get('type') in valid_types:
+                # return result.get('name')
+                root_logger.error("Found this: %s" % result.get('name'))
+
+        # If unsuccessful, search AD DC LDAP
+        root_logger.info("Searching AD DC LDAP")
+
+        escaped_sid = escape_filter_chars(
+            security.dom_sid(sid).__ndr_pack__(),
+            2  # 2 means every character needs to be escaped
+        )
+
+        attrs = ['sAMAccountName']
+        filter = r'(&(objectSid=%(sid)s)(|(objectClass=user)(objectClass=group)))' \
+                 % dict(sid=escaped_sid)  # sid in binary
+        domain = self.get_domain_by_sid(sid)
+
+        entries = self.get_trusted_domain_objects(domain=domain,
+                                                  filter=filter,
+                                                  attrs=attrs)
+
+        if len(entries) > 1:
+            # Treat non-unique entries as invalid
+            raise errors.ValidationError(name=_('trusted domain object'),
+                error= _('Trusted domain did not return a unique object'))
+
+        object_name = (entries[0].single_value.get('sAMAccountName').lower() +
+                       '@' +
+                       domain.lower())
+
+        return unicode(object_name)
+
     def __get_trusted_domain_user_and_groups(self, object_name):
         """
         Returns a tuple with user SID and a list of SIDs of all groups he is
-- 
cgit
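Review bot: The SSSD fast path in `get_trusted_domain_object_from_sid` never returns anything: `return result.get('name')` is commented out and replaced by `root_logger.error("Found this: %s" % result.get('name'))`, so every SID that SSSD can already resolve still falls through to the AD DC LDAP query and leaves a spurious ERROR line in the log — this reads as leftover debugging and should go back to `return result.get('name')`. The LDAP fallback only rejects `len(entries) > 1`; an empty result reaches `entries[0]` and surfaces as an IndexError instead of a meaningful error, so add `if not entries:` / `raise errors.ValidationError(name=_('trusted domain object'), error=_('Trusted domain did not return any object for the SID'))` before indexing, mirroring the non-unique case. Escaping the NDR-packed SID with mode 2 is the right choice for a binary `objectSid` match, and a comment such as `# escape every byte of the binary SID so it cannot alter the filter structure` would make the intent explicit for the next reader. `filter` shadows the builtin; `search_filter` would read better. The new method is complete within the hunk; the surrounding context lines belong to neighbouring methods whose bodies lie outside it.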