From fa321b2cca07dc2bd27ab6fa868e05ddf69637df Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Jun 02 2023 07:58:02 +0000 Subject: Don't allow a group to be converted to POSIX and external This condition was checked in group-add but not in group-mod. This evaluation is done later in the pre_callback so that all the other machinations about posix are already done to make it easier to tell whether this condition is true or not. Fixes: https://pagure.io/freeipa/issue/8990 Signed-off-by: Rob Crittenden Reviewed-By: Florence Blanc-Renaud --- diff --git a/ipaserver/plugins/group.py b/ipaserver/plugins/group.py index 0333ed6..12a058b 100644 --- a/ipaserver/plugins/group.py +++ b/ipaserver/plugins/group.py @@ -505,6 +505,9 @@ class group_mod(LDAPUpdate): else: old_entry_attrs['objectclass'].append('ipaexternalgroup') entry_attrs['objectclass'] = old_entry_attrs['objectclass'] + if 'gidnumber' in entry_attrs: + raise errors.MutuallyExclusiveError(reason=_( + 'An external group cannot be POSIX')) # Can't check for this in a validator because we lack context if 'gidnumber' in options and options['gidnumber'] is None: diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py index 27bc21f..14b5998 100644 --- a/ipatests/test_xmlrpc/test_group_plugin.py +++ b/ipatests/test_xmlrpc/test_group_plugin.py 
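Review bot: The added guard in the group.py hunk, `if 'gidnumber' in entry_attrs:`, tests `entry_attrs` rather than `options`, and the reason is recorded only in the commit message; a short comment above it would keep that next to the code, for example `# Checked on entry_attrs, after the POSIX handling has run, so posix=True and an explicit gidnumber are both caught`. The guard is also a plain membership test, so if `entry_attrs` can hold a `gidnumber` key whose value is None (the context just below treats `options['gidnumber'] is None` as its own case), a request that clears the GID while setting external would presumably get this message instead of the later one. If that is not intended, `if entry_attrs.get('gidnumber') is not None:` would narrow it. The enclosing pre_callback starts and ends outside the hunk, so the placement relative to the earlier POSIX branch cannot be confirmed from here.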
@@ -466,6 +466,21 @@ class TestNonposixGroup(XMLRPC_test): ], ), result) + def test_upgrade_nonposix_to_posix_and_external(self, group): + """ Update non-posix group to promote it to posix group & external""" + command = group.make_update_command(dict(posix=True, external=True)) + with raises_exact(errors.MutuallyExclusiveError( + reason=u"An external group cannot be POSIX")): + command() + + def test_upgrade_nonposix_with_gid_and_external(self, group): + """ Update non-posix group to promote it to posix group & external""" + command = group.make_update_command(dict(gidnumber=12345, + external=True)) + with raises_exact(errors.MutuallyExclusiveError( + reason=u"An external group cannot be POSIX")): + command() + def test_upgrade_nonposix_to_posix(self, group): """ Update non-posix group to promote it to posix group """ group.attrs.update(gidnumber=[fuzzy_digits])
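Review bot: The docstring of `test_upgrade_nonposix_with_gid_and_external` is a copy of the one on the test above it, although this case passes an explicit `gidnumber=12345` rather than `posix=True`; something like `""" Update non-posix group with an explicit GID and external """` would tell the two apart in test reports. Both tests stop at the raised error and do not assert that the group is still non-POSIX and non-external after the rejected update. The following `test_upgrade_nonposix_to_posix` appears to cover that only implicitly.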