Enable group inactivation by using the Class of Service plugin.

This adds 2 new groups: activated and inactivated.

If you, or a group you are a member of, is in inactivated then you are too.

If you, or a group you are a member of, is in the activated group, then you
are too.

In a fight between activated and inactivated, activated wins.

The DNs for doing this matching is case and white space sensitive.

The goal is to never have to actually set nsAccountLock in a user directly
but move them between these groups.

We need to decide where in the CLI this will happen. Right it is split
between ipa-deluser and ipa-usermod. To inactivate groups for now just
add the group to inactivate or active.

7 files changed, 82 insertions, 14 deletions

diff --git a/ipa-server/ipa-gui/ipagui/forms/group.py b/ipa-server/ipa-gui/ipagui/forms/group.py
index 04c0298ad..b67156641 100644
--- a/ipa-server/ipa-gui/ipagui/forms/group.py
+++ b/ipa-server/ipa-gui/ipagui/forms/group.py
@@ -9,6 +9,10 @@ class GroupFields():
 
     editprotected_hidden = widgets.HiddenField(name="editprotected")
 
+    nsAccountLock = widgets.SingleSelectField(name="nsAccountLock",
+            label="Group Status",
+            options = [("", "active"), ("true", "inactive")])
+
     group_orig = widgets.HiddenField(name="group_orig")
     member_data = widgets.HiddenField(name="member_data")
     dn_to_info_json = widgets.HiddenField(name="dn_to_info_json")
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
index 7c05eebc0..dbcc77b9a 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/group.py
@@ -22,7 +22,7 @@ log = logging.getLogger(__name__)
 group_new_form = ipagui.forms.group.GroupNewForm()
 group_edit_form = ipagui.forms.group.GroupEditForm()
 
-group_fields = ['*']
+group_fields = ['*', 'nsAccountLock']
 
 class GroupController(IPAController):
 
@@ -75,6 +75,9 @@ class GroupController(IPAController):
             new_group.setValue('description', kw.get('description'))
 
             rv = client.add_group(new_group)
+
+            if kw.get('nsAccountLock'):
+                client.mark_group_inactive(kw.get('cn'))
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
             turbogears.flash("Group with name '%s' already exists" %
                     kw.get('cn'))
@@ -224,6 +227,12 @@ class GroupController(IPAController):
             turbogears.flash("Edit group cancelled")
             raise turbogears.redirect('/group/show', cn=cn[0])
 
+        if kw.get('editprotected') == '':
+            # if editprotected set these don't get sent in kw
+            orig_group_dict = loads(b64decode(kw.get('group_orig')))
+            kw['cn'] = orig_group_dict['cn']
+            kw['gidnumber'] = orig_group_dict['gidnumber']
+
         # Decode the member data, in case we need to round trip
         member_dicts = loads(b64decode(kw.get('member_data')))
 
@@ -251,6 +260,17 @@ class GroupController(IPAController):
                 if new_group.gidnumber != new_gid:
                     group_modified = True
                     new_group.setValue('gidnumber', new_gid)
+            else:
+                new_group.setValue('gidnumber', orig_group_dict.get('gidnumber'))
+                new_group.setValue('cn', orig_group_dict.get('cn'))
+            if new_group.cn != kw.get('cn'):
+                group_modified = True
+                new_group.setValue('cn', kw['cn'])
+
+            if group_modified:
+                rv = client.update_group(new_group)
+                #
+                # If the group update succeeds, but below operations fail, we
             if new_group.cn != kw.get('cn'):
                 group_modified = True
                 new_group.setValue('cn', kw['cn'])
@@ -268,6 +288,17 @@ class GroupController(IPAController):
             return dict(form=group_edit_form, group=kw, members=member_dicts,
                         tg_template='ipagui.templates.groupedit')
 
+        if kw.get('nsAccountLock') == '':
+            kw['nsAccountLock'] = "false"
+
+        modify_no_update = False
+        if kw.get('nsAccountLock') == "false" and new_group.getValues('nsaccountlock') == "true":
+            client.mark_group_active(kw.get('cn'))
+            modify_no_update = True
+        elif kw.get('nsAccountLock') == "true" and new_group.nsaccountlock != "true":
+            client.mark_group_inactive(kw.get('cn'))
+            modify_no_update = True
+
         #
         # Add members
         #
@@ -326,7 +357,7 @@ class GroupController(IPAController):
             cn0 = kw['cn'][0]
         else:
             cn0 = kw['cn']
-        if group_modified == True:
+        if group_modified == True or modify_no_update == True:
             turbogears.flash("%s updated!" % cn0)
         else:
             turbogears.flash("No modifications requested.")
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
index 579379c43..39343b595 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/user.py
@@ -197,14 +197,14 @@ class UserController(IPAController):
             new_user.setValue('carlicense', kw.get('carlicense'))
             new_user.setValue('labeleduri', kw.get('labeleduri'))
 
-            if kw.get('nsAccountLock'):
-                new_user.setValue('nsAccountLock', 'true')
-
             for custom_field in user_new_form.custom_fields:
                 new_user.setValue(custom_field.name,
                                   kw.get(custom_field.name, ''))
 
             rv = client.add_user(new_user)
+
+            if kw.get('nsAccountLock'):
+                client.mark_user_inactive(kw.get('uid'))
         except ipaerror.exception_for(ipaerror.LDAP_DUPLICATE):
             turbogears.flash("User with login '%s' already exists" %
                     kw.get('uid'))
@@ -482,12 +482,6 @@ class UserController(IPAController):
             new_user.setValue('carlicense', kw.get('carlicense'))
             new_user.setValue('labeleduri', kw.get('labeleduri'))
 
-
-            if kw.get('nsAccountLock'):
-                new_user.setValue('nsAccountLock', 'true')
-            else:
-                new_user.setValue('nsAccountLock', None)
-
             if kw.get('editprotected') == 'true':
                 if kw.get('userpassword'):
                     password_change = True
@@ -572,6 +566,20 @@ class UserController(IPAController):
                         user_groups=user_groups_dicts,
                         tg_template='ipagui.templates.useredit')
 
+        if kw.get('nsAccountLock') == '':
+            kw['nsAccountLock'] = "false"
+
+        try:
+            if kw.get('nsAccountLock') == "false" and new_user.getValues('nsaccountlock') == "true":
+                client.mark_user_active(kw.get('uid'))
+            elif kw.get('nsAccountLock') == "true" and new_user.nsaccountlock != "true":
+                client.mark_user_inactive(kw.get('uid'))
+        except ipaerror.IPAError, e:
+            turbogears.flash("User status change failed: " + str(e) + "<br/>" + e.detail[0]['desc'])
+            return dict(form=user_edit_form, user=kw,
+                        user_groups=user_groups_dicts,
+                        tg_template='ipagui.templates.useredit')
+
         turbogears.flash("%s updated!" % kw['uid'])
         raise turbogears.redirect('/user/show', uid=kw['uid'])
 
diff --git a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
index d46bc731e..6a5c5adb8 100644
--- a/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/groupeditform.kid
@@ -112,6 +112,16 @@ from ipagui.helpers import ipahelper
           </script>
         </td>
       </tr>
+      <tr>
+        <th>
+          <label class="fieldlabel" for="${group_fields.nsAccountLock.field_id}" py:content="group_fields.nsAccountLock.label" />:
+        </th>
+        <td>
+          <span py:replace="group_fields.nsAccountLock.display(value_for(group_fields.nsAccountLock))" />
+          <span py:if="tg.errors.get('nsAccountLock')" class="fielderror"
+                    py:content="tg.errors.get('nsAccountLock')" />
+         </td>
+       </tr>
     </table>
 
     <div>
diff --git a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid
index 9f9bc4840..9489b3744 100644
--- a/ipa-server/ipa-gui/ipagui/templates/grouplist.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/grouplist.kid
@@ -20,7 +20,7 @@
     </div>
     <div py:if='(groups != None) and (len(groups) > 0)'>
         <h2>${len(groups)} results returned:</h2>
-        <table id="resultstable" class="details sortable resizable">
+        <table id="resultstable" class="details sortable resizable" cellspacing="0">
           <thead>
             <tr>
                 <th>
@@ -32,7 +32,15 @@
             </tr>
           </thead>
           <tbody>
-            <tr py:for="group in groups">
+            <tr py:for="group in groups" py:if="group.nsAccountLock != 'true'">
+                <td>
+                    <a href="${tg.url('/group/show',cn=group.cn)}">${group.cn}</a>
+                </td>
+                <td>
+                    ${group.description}
+                </td>
+            </tr>
+            <tr id="inactive" py:for="group in groups" py:if="group.nsAccountLock == 'true'">
                 <td>
                     <a href="${tg.url('/group/show',cn=group.cn)}">${group.cn}</a>
                 </td>
diff --git a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
index b2f37bf52..8713742d5 100644
--- a/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/groupshow.kid
@@ -11,6 +11,7 @@ cn = group.get('cn')
 if isinstance(cn, list):
     cn = cn[0]
 edit_url = tg.url('/group/edit', cn=cn)
+from ipagui.helpers import userhelper
 ?>
 <div id="details">
     <h1>View Group</h1>
@@ -42,6 +43,12 @@ edit_url = tg.url('/group/edit', cn=cn)
           </th>
           <td>${group.get("gidnumber")}</td>
         </tr>
+        <tr>
+          <th>
+            <label class="fieldlabel" py:content="fields.nsAccountLock.label" />:
+          </th>
+          <td>${userhelper.account_status_display(group.get("nsAccountLock"))}</td>
+         </tr>
     </table>
 
     <h2 class="formsection">Group Members</h2>
diff --git a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid
index c95b36e39..88b778d8c 100644
--- a/ipa-server/ipa-gui/ipagui/templates/usereditform.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/usereditform.kid
@@ -787,7 +787,7 @@ from ipagui.helpers import ipahelper
           group_dn = group.get('dn')
           group_dn_esc = ipahelper.javascript_string_escape(group_dn)
 
-          group_name = group.get('cn')[0]
+          group_name = group.get('cn')
           group_descr = "[group]"
           group_type = "group"