Add flag to list all service and user vaults

The vault-find plugin has two additional arguments to list all
service vaults or user vaults. Since the name of a vault is only unique
for a particular user or service, the commands also print the vault user
or vault service. The virtual attributes were added in rev
01dd951ddc0181b559eb3dd5ff0336c81e245628.

Example:

$ ipa vault-find --users
----------------
2 vaults matched
----------------
  Vault name: myvault
  Type: standard
  Vault user: admin

  Vault name: UserVault
  Type: standard
  Vault user: admin
----------------------------
Number of entries returned 2
----------------------------

$ ipa vault-find --services
----------------
2 vaults matched
----------------
  Vault name: myvault
  Type: standard
  Vault service: HTTP/ipatest.freeipa.local@FREEIPA.LOCAL

  Vault name: myvault
  Type: standard
  Vault service: ldap/ipatest.freeipa.local@FREEIPA.LOCAL
----------------------------
Number of entries returned 2
----------------------------

https://fedorahosted.org/freeipa/ticket/5150

Reviewed-By: Jan Cholasta <jcholast@redhat.com>

3 files changed, 38 insertions, 18 deletions

diff --git a/API.txt b/API.txt
index a39b22b60..f23d9a40c 100644
--- a/API.txt
+++ b/API.txt
@@ -5508,7 +5508,7 @@ output: Output('result', <type 'dict'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: vault_find
-args: 1,13,4
+args: 1,15,4
 arg: Str('criteria?', noextrawhitespace=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False)
@@ -5518,10 +5518,12 @@ option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('pkey_only?', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('service?')
+option: Flag('services?', autofill=True, default=False)
 option: Flag('shared?', autofill=True, default=False)
 option: Int('sizelimit?', autofill=False, minvalue=0)
 option: Int('timelimit?', autofill=False, minvalue=0)
 option: Str('username?', cli_name='user')
+option: Flag('users?', autofill=True, default=False)
 option: Str('version?', exclude='webui')
 output: Output('count', <type 'int'>, None)
 output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
diff --git a/VERSION b/VERSION
index 6569eeb70..31a4af4a8 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=150
-# Last change: pvoborni - change type of vault type option to StrEnum
+IPA_API_VERSION_MINOR=151
+# Last change: cheimes - Add flag to list all service and user vaults
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 712e2d5dd..83dc085b5 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -343,21 +343,11 @@ class vault(LDAPObject):
         """
         Generates vault DN from parameters.
         """
-
         service = options.get('service')
         shared = options.get('shared')
         user = options.get('username')
 
-        count = 0
-        if service:
-            count += 1
-
-        if shared:
-            count += 1
-
-        if user:
-            count += 1
-
+        count = (bool(service) + bool(shared) + bool(user))
         if count > 1:
             raise errors.MutuallyExclusiveError(
                 reason=_('Service, shared, and user options ' +
@@ -387,8 +377,10 @@ class vault(LDAPObject):
             parent_dn = DN(('cn', service), ('cn', 'services'), container_dn)
         elif shared:
             parent_dn = DN(('cn', 'shared'), container_dn)
-        else:
+        elif user:
             parent_dn = DN(('cn', user), ('cn', 'users'), container_dn)
+        else:
+            raise RuntimeError
 
         return DN(rdns, parent_dn)
 
@@ -814,7 +806,16 @@ class vault_del(LDAPDelete):
 class vault_find(LDAPSearch):
     __doc__ = _('Search for vaults.')
 
-    takes_options = LDAPSearch.takes_options + vault_options
+    takes_options = LDAPSearch.takes_options + vault_options + (
+        Flag(
+            'services?',
+            doc=_('List all service vaults'),
+        ),
+        Flag(
+            'users?',
+            doc=_('List all user vaults'),
+        ),
+    )
 
     has_output_params = LDAPSearch.has_output_params
 
@@ -832,9 +833,26 @@ class vault_find(LDAPSearch):
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
 
-        base_dn = self.obj.get_dn(None, **options)
+        if options.get('users') or options.get('services'):
+            mutex = ['service', 'services', 'shared', 'username', 'users']
+            count = sum(bool(options.get(option)) for option in mutex)
+            if count > 1:
+                raise errors.MutuallyExclusiveError(
+                    reason=_('Service(s), shared, and user(s) options ' +
+                             'cannot be specified simultaneously'))
+
+            scope = ldap.SCOPE_SUBTREE
+            container_dn = DN(self.obj.container_dn,
+                              self.api.env.basedn)
+
+            if options.get('services'):
+                base_dn = DN(('cn', 'services'), container_dn)
+            else:
+                base_dn = DN(('cn', 'users'), container_dn)
+        else:
+            base_dn = self.obj.get_dn(None, **options)
 
-        return (filter, base_dn, scope)
+        return filter, base_dn, scope
 
     def post_callback(self, ldap, entries, truncated, *args, **options):
         for entry in entries: