author | Rob Crittenden <rcritten@redhat.com> | 2010-12-21 22:39:55 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-01-10 10:27:23 -0500 |
commit | 0a79836082b897ebf734d9073583769cb276937c (patch) | |
tree | 3269cf575f989df3ba9b88f13e0be70982018ebf /ipalib/plugins/aci.py | |
parent | c69f4d0fed05a355ae5b9168066ad0ad01eb6487 (diff) | |
download | freeipa-0a79836082b897ebf734d9073583769cb276937c.tar.gz freeipa-0a79836082b897ebf734d9073583769cb276937c.tar.xz freeipa-0a79836082b897ebf734d9073583769cb276937c.zip |
Setting an empty set of target attributes should raise an exception.
It is possible to create an ACI with attributes and then try to set that
to None via a mod command later. We need to catch this and raise an exception.
If all attributes are set to None in an aci then the attr target is removed
from the ACI. This could result in an illegal ACI if there are no other
targets. Having no targets is a legal state, just not a legal final state.
ticket 647
Diffstat (limited to 'ipalib/plugins/aci.py')
-rw-r--r-- | ipalib/plugins/aci.py | 61 |
1 files changed, 32 insertions, 29 deletions
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index ca0277af..0193be5d 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -207,35 +207,38 @@ def _make_aci(current, aciname, kw):
         except errors.NotFound:
             raise errors.NotFound(reason=_("Group '%s' does not exist") % kw['group'])
-    a = ACI(current)
-    a.name = aciname
-    a.permissions = kw['permissions']
-    if 'selfaci' in kw and kw['selfaci']:
-        a.set_bindrule('userdn = "ldap:///self"')
-    else:
-        dn = entry_attrs['dn']
-        a.set_bindrule('groupdn = "ldap:///%s"' % dn)
-    if 'attrs' in kw:
-        a.set_target_attr(kw['attrs'])
-    if 'memberof' in kw:
-        entry_attrs = api.Command['group_show'](kw['memberof'])['result']
-        a.set_target_filter('memberOf=%s' % entry_attrs['dn'])
-    if 'filter' in kw:
-        a.set_target_filter(kw['filter'])
-    if 'type' in kw:
-        target = _type_map[kw['type']]
-        a.set_target(target)
-    if 'targetgroup' in kw:
-        # Purposely no try here so we'll raise a NotFound
-        entry_attrs = api.Command['group_show'](kw['targetgroup'])['result']
-        target = 'ldap:///%s' % entry_attrs['dn']
-        a.set_target(target)
-    if 'subtree' in kw:
-        # See if the subtree is a full URI
-        target = kw['subtree']
-        if not target.startswith('ldap:///'):
-            target = 'ldap:///%s' % target
-        a.set_target(target)
+    try:
+        a = ACI(current)
+        a.name = aciname
+        a.permissions = kw['permissions']
+        if 'selfaci' in kw and kw['selfaci']:
+            a.set_bindrule('userdn = "ldap:///self"')
+        else:
+            dn = entry_attrs['dn']
+            a.set_bindrule('groupdn = "ldap:///%s"' % dn)
+        if 'attrs' in kw:
+            a.set_target_attr(kw['attrs'])
+        if 'memberof' in kw:
+            entry_attrs = api.Command['group_show'](kw['memberof'])['result']
+            a.set_target_filter('memberOf=%s' % entry_attrs['dn'])
+        if 'filter' in kw:
+            a.set_target_filter(kw['filter'])
+        if 'type' in kw:
+            target = _type_map[kw['type']]
+            a.set_target(target)
+        if 'targetgroup' in kw:
+            # Purposely no try here so we'll raise a NotFound
+            entry_attrs = api.Command['group_show'](kw['targetgroup'])['result']
+            target = 'ldap:///%s' % entry_attrs['dn']
+            a.set_target(target)
+        if 'subtree' in kw:
+            # See if the subtree is a full URI
+            target = kw['subtree']
+            if not target.startswith('ldap:///'):
+                target = 'ldap:///%s' % target
+            a.set_target(target)
+    except SyntaxError, e:
+        raise errors.ValidationError(name='target', error=_('Syntax Error: %(error)s') % dict(error=str(e)))
     return a
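Review bot: The comment `# Purposely no try here so we'll raise a NotFound` on the targetgroup branch now sits inside the new try block, so it reads as stale even though only SyntaxError is caught and a missing group still propagates as NotFound; reword it to `# Purposely no NotFound handling here: the enclosing try only catches SyntaxError, so a missing group still raises NotFound`. The new except clause also reports every SyntaxError under name='target', including ones that presumably originate in set_bindrule or the permissions assignment, so the field named in the ValidationError may not be the one the caller actually got wrong; either narrow the try to the target-setting calls or add a comment on the except line stating that 'target' is used as a catch-all name. `_make_aci` starts before this hunk, so the earlier validation that could supply a more precise name is not visible here.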