Add missing object classes from principal config when persisting p

rincipals.
conestack · May 6, 2019 · bf82240 · bf82240
1 parent 5f4b3e4
commit bf82240
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,6 +4,9 @@ History
 1.0b9 (unreleased)
 ------------------
 
+- Add missing object classes from principal config when persisting principals.
+  [rnix]
+
 - Remove attribute from entry if setting it's value to ``node.utils.UNSET`` or
   empty string. Most LDAP implementations not allow setting empty values, thus
   we delete the entire attribute in this case.

diff --git a/src/node/ext/ldap/tests/test_ugm_principals.py b/src/node/ext/ldap/tests/test_ugm_principals.py
@@ -143,6 +143,33 @@ def test_user_basics(self):
             '<cn=n?sty\, User,ou=customers,dc=my-domain,dc=com:cn=n?sty\, User - False>'
         ])
 
+        # test object classes changes in config
+        self.assertEqual(
+            users.context.child_defaults['objectClass'],
+            ['person']
+        )
+        users.context.child_defaults['objectClass'] = [
+            'person',
+            'extensibleObject'
+        ]
+        self.assertEqual(
+            mueller.context.attrs['objectClass'],
+            ['top', 'person']
+        )
+        mueller()
+        self.assertEqual(
+            sorted(mueller.context.attrs['objectClass']),
+            ['extensibleObject', 'person', 'top']
+        )
+        # note, by default, existing object classes missing in configured
+        # creation default object classes are NOT removed.
+        users.context.child_defaults['objectClass'] = ['person']
+        mueller()
+        self.assertEqual(
+            sorted(mueller.context.attrs['objectClass']),
+            ['extensibleObject', 'person', 'top']
+        )
+
     def test_authentication(self):
         props = testing.props
         ucfg = testing.ucfg

diff --git a/src/node/ext/ldap/ugm/_api.py b/src/node/ext/ldap/ugm/_api.py
@@ -159,6 +159,18 @@ def principal_attributes_factory(self, name=None, parent=None):
     @default
     @locktree
     def __call__(self):
+        # add object classes from creation defaults. if missing.
+        # happens if object classes are added after principals were already
+        # created with another set of default object classes or if editing
+        # existing principals from a database not created with this
+        # API/configuration.
+        attrs = self.context.attrs
+        ocs = attrs['objectClass']
+        ocs = [ocs] if isinstance(ocs, six.text_type) else ocs
+        default_ocs = self.parent.context.child_defaults['objectClass']
+        if set(ocs) != set(default_ocs):
+            new_ocs = list(set(ocs).union(set(default_ocs)))
+            attrs['objectClass'] = new_ocs
         self.context()