author | Tomas Babej <tbabej@redhat.com> | 2015-09-03 13:22:41 +0200 |
committer | Martin Basti <mbasti@redhat.com> | 2015-10-12 13:34:20 +0200 |
commit | 6a2f47acbe301759899d477e524af8968a7c97c1 (patch) | |
tree | 6348ce485f12f9c9b3778dc4fd79227f2efa0e3c /ipalib/plugins/realmdomains.py | |
parent | fc6e1f0bb5e09c1c7036a0cebdb54905f34b1fb9 (diff) | |
realmdomains: Add validation that realmdomain being added is indeed from our realm
https://fedorahosted.org/freeipa/ticket/5278
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipalib/plugins/realmdomains.py')
-rw-r--r-- | ipalib/plugins/realmdomains.py | 100 |
1 files changed, 76 insertions, 24 deletions
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 27c4fa228..2da54309b 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -25,6 +25,7 @@ from ipalib import _
 from ipalib.plugable import Registry
 from ipalib.plugins.baseldap import LDAPObject, LDAPUpdate, LDAPRetrieve
 from ipalib.util import has_soa_or_ns_record, validate_domain_name
+from ipalib.util import detect_dns_zone_realm_type
 from ipapython.dn import DN
 from ipapython.ipautil import get_domain_name
@@ -130,6 +131,77 @@ class realmdomains_mod(LDAPUpdate): ), ) + def validate_domains(self, domains, force): + """ + Validates the list of domains as candidates for additions to the + realmdomains list. + + Requirements: + - Each domain has SOA or NS record + - Each domain belongs to the current realm + """ + + # Unless forced, check that each domain has SOA or NS records + if not force: + invalid_domains = [ + d for d in domains + if not has_soa_or_ns_record(d) + ] + + if invalid_domains: + raise errors.ValidationError( + name='domain', + error= _( + "DNS zone for each realmdomain must contain " + "SOA or NS records. No records found for: %s" + ) % ','.join(invalid_domains) + ) + + # Check realm alliegence for each domain + domains_with_realm = [ + (domain, detect_dns_zone_realm_type(self.api, domain)) + for domain in domains + ] + + foreign_domains = [ + domain for domain, realm in domains_with_realm + if realm == 'foreign' + ] + + unknown_domains = [ + domain for domain, realm in domains_with_realm + if realm == 'unknown' + ] + + # If there are any foreing realm domains, bail out + if foreign_domains: + raise errors.ValidationError( + name='domain', + error=_( + 'The following domains do not belong ' + 'to this realm: %(domains)s' + ) % dict(domains=','.join(foreign_domains)) + ) + + # If there are any unknown domains, error out, + # asking for _kerberos TXT records + + # Note: This can be forced, since realmdomains-mod + # is called from dnszone-add where we know that + # the domain being added belongs to our realm + if not force and unknown_domains: + raise errors.ValidationError( + name='domain', + error=_( + 'The realm of the folllowing domains could ' + 'not be detected: %(domains)s. If these are ' + 'domains that belong to the this realm, please ' + 'create a _kerberos TXT record containing "%(realm)s" ' + 'in each of them.' 
+ ) % dict(domains=','.join(unknown_domains), + realm=self.api.env.realm) + ) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) associateddomain = entry_attrs.get('associateddomain') @@ -139,11 +211,6 @@ class realmdomains_mod(LDAPUpdate): current_domain = get_domain_name() - missing_soa_ns_record_error = _( - "DNS zone for each realmdomain must contain " - "SOA or NS records. No records found for: %s" - ) - # User specified the list of domains explicitly if associateddomain: if add_domain or del_domain: @@ -163,19 +230,9 @@ class realmdomains_mod(LDAPUpdate): error=_("IPA server domain cannot be omitted") ) - # Unless forced, check that each domain has SOA or NS records - if not force: - bad_domains = [ - d for d in associateddomain - if not has_soa_or_ns_record(d) - ] - - if bad_domains: - bad_domains = ', '.join(bad_domains) - raise errors.ValidationError( - name='domain', - error=missing_soa_ns_record_error % bad_domains - ) + # Validate that each domain satisfies the requirements + # for realmdomain + self.validate_domains(domains=associateddomain, force=force) return dn @@ -184,12 +241,7 @@ class realmdomains_mod(LDAPUpdate): domains = ldap.get_entry(dn)['associateddomain'] if add_domain: - if not force and not has_soa_or_ns_record(add_domain): - raise errors.ValidationError( - name='add_domain', - error=missing_soa_ns_record_error % add_domain - ) - + self.validate_domains(domains=[add_domain], force=force) del entry_attrs['add_domain'] domains.append(add_domain) |
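Review bot: The docstring of the new validate_domains (second hunk) lists "has SOA or NS record" and "belongs to the current realm" as hard requirements, but the body only enforces the second one unconditionally for domains detected as 'foreign': with force=True the SOA/NS check is skipped entirely and domains whose realm comes back 'unknown' are accepted, so the docstring should state that, e.g. add `With force=True the SOA/NS check is skipped and domains whose realm cannot be detected are accepted; domains detected as foreign are always rejected.` The error text for unknown domains is user-facing and carries two typos that the caller will see: `'The realm of the following domains could '` and `'domains that belong to this realm, please '` (the comments "alliegence" and "foreing" have the same problem). Minor style: the first raise uses `error= _(` with a stray space after `=`, unlike the other two raises in the same method. validate_domains is entirely inside the hunk; the enclosing class realmdomains_mod continues beyond it.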