author | Martin Babinsky <mbabinsk@redhat.com> | 2015-10-16 19:16:46 +0200 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-10-21 12:33:39 +0200 |
commit | 6a401fbf31bd35220b47ad2a8552d1f93928a2eb (patch) | |
tree | 2e8bc8504e2b66097e6024021b8897a91cf38403 /ipalib/plugins | |
parent | d81260ef60b64c312e3a164e90ac4faad75c5d82 (diff) | |
execute user-del pre-callback also during user preservation
user preservation code was not using the pre-callback function, which checks
whether a protected member is being deleted and handles the
orphaning/deletion of OTP tokens owned/managed by the user.
https://fedorahosted.org/freeipa/ticket/5362
https://fedorahosted.org/freeipa/ticket/5372
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Diffstat (limited to 'ipalib/plugins')
-rw-r--r-- | ipalib/plugins/user.py | 49 |
1 files changed, 28 insertions, 21 deletions
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index 848836cd1..5c3e78b13 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -617,6 +617,10 @@ class user_del(baseuser_del):
                 except errors.NotFound:
                     self.obj.handle_not_found(pkey)
 
+                for callback in self.get_callbacks('pre'):
+                    dn = callback(self, ldap, dn, pkey, **options)
+                    assert isinstance(dn, DN)
+
                 # start to move the entry to Delete container
                 self._exc_wrapper(pkey, options, ldap.move_entry)(dn, delete_dn, del_old=True)
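Review bot: The `assert isinstance(dn, DN)` after the new callback loop is not enforced when the server runs under `python -O`, so a callback returning something other than a DN would only fail later inside `ldap.move_entry` with a less useful error; if the check matters here, `if not isinstance(dn, DN): raise TypeError('pre-callback must return a DN')` keeps it active in optimized mode. The loop appears to mirror the permanent-delete path so that protected-member and OTP-token handling also runs for preserved users, which is what the commit message describes; a one-line comment above it, `# run the same pre-callbacks as a permanent delete (protected members, OTP tokens)`, would make that intent visible at the call site. The enclosing method starts and ends outside this hunk.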
@@ -671,28 +675,31 @@ class user_del(baseuser_del):
         # For User life Cycle: user-del is a common plugin
         # command to delete active user (active container) and
         # delete user (delete container).
-        # If the target entry is a Delete entry, skip the updates
-        # protected member and otptoken owner
-        if not dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
-            check_protected_member(keys[-1])
-
-            # Delete all tokens owned and managed by this user.
-            # Orphan all tokens owned but not managed by this user.
-            owner = self.api.Object.user.get_primary_key_from_dn(dn)
-            results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
-            for token in results:
-                orphan = not [x for x in token.get('managedby_user', []) if x == owner]
-                token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
-                if orphan:
-                    self.api.Command.otptoken_mod(token, ipatokenowner=None)
-                else:
-                    self.api.Command.otptoken_del(token)
+        # If the target entry is a Delete entry, skip the orphaning/removal
+        # of OTP tokens.
+        check_protected_member(keys[-1])
 
-        # Remove any ID overrides tied with this user
-        try:
-            remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
-        except errors.NotFound:
-            self.obj.handle_not_found(*keys)
+        if not options.get('preserve', False):
+            # Remove any ID overrides tied with this user
+            try:
+                remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+            except errors.NotFound:
+                self.obj.handle_not_found(*keys)
+
+        if dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
+            return dn
+
+        # Delete all tokens owned and managed by this user.
+        # Orphan all tokens owned but not managed by this user.
+        owner = self.api.Object.user.get_primary_key_from_dn(dn)
+        results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
+        for token in results:
+            orphan = not [x for x in token.get('managedby_user', []) if x == owner]
+            token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
+            if orphan:
+                self.api.Command.otptoken_mod(token, ipatokenowner=None)
+            else:
+                self.api.Command.otptoken_del(token)
         return dn |