author | Martin Babinsky <mbabinsk@redhat.com> | 2016-07-20 15:46:22 +0200 |
---|---|---|
committer | Martin Babinsky <mbabinsk@redhat.com> | 2016-07-28 09:34:43 +0200 |
commit | da2305ddb99ab982c757ab723acc95cda3d2f025 (patch) | |
tree | afe9bf2950b457d0e185b932c08f16c0a5ee9363 | |
parent | 807702c986976ade8005ec344fcd827f70b2ba2f (diff) | |
harden the check for trust namespace overlap in new principals
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.
https://fedorahosted.org/freeipa/ticket/6099
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | ipalib/util.py | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index 0cd5c091e..805774006 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -975,11 +975,15 @@ def check_principal_realm_in_trust_namespace(api_instance, *keys):
 trust_suffix_namespace = set()
 for obj in trust_objects:
- trust_suffix_namespace.update(
- set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+ nt_suffixes = obj.get('ipantadditionalsuffixes', [])
 trust_suffix_namespace.update(
- set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
+ set(upn.lower() for upn in nt_suffixes))
+
+ if 'ipantflatname' in obj:
+ trust_suffix_namespace.add(obj['ipantflatname'][0].lower())
+
+ trust_suffix_namespace.add(obj['cn'][0].lower())
 for principal in keys[-1]:
 realm = principal.realm |
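Review bot: A trusted-domain entry returned without `ipantadditionalsuffixes` or `ipantflatname` now adds only its `cn` to `trust_suffix_namespace`, so the overlap check passes quietly where it used to stop with a KeyError. That is correct when the attributes are genuinely unset, but the query that fills `trust_objects` is outside this hunk; if it can also omit them for the calling identity (for instance through attribute read permissions), a principal realm colliding with a trusted domain's flat name or UPN suffix would be accepted. I would confirm that and record it above the loop, e.g. `# optional attrs may be absent on a trust entry; absence must mean "unset", never "not readable by the caller"`. The `'ipantflatname' in obj` test also does not cover a present-but-empty value before `[0]`, and `obj['cn'][0]` stays unguarded, which is presumably fine if cn always names the entry. The function body starts and ends outside the hunk.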