authorTomas Babej <tbabej@redhat.com>2014-09-22 12:58:05 +0200
committerMartin Kosek <mkosek@redhat.com>2014-09-30 10:42:06 +0200
commit13089eae527ae87cad69148be3d60077511dc517 (patch)
treecef107d17d5a2070abe8a91692f2cbad53b6a88c /ipalib/plugins/idviews.py
parentb9425751b421484c97375df956ccda3cb9dc0e70 (diff)
idviews: Handle Default Trust View properly in the framework
Make sure that: 1.) IPA users cannot be added to the Default Trust View; 2.) the Default Trust View cannot be deleted or renamed. Part of: https://fedorahosted.org/freeipa/ticket/3979 Reviewed-By: Petr Viktorin <pviktori@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib/plugins/idviews.py')
-rw-r--r--ipalib/plugins/idviews.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 536498358..d6263307d 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -45,6 +45,12 @@ other Identity Management solutions.
register = Registry()
+protected_default_trust_view_error = errors.ProtectedEntryError(
+ label=_('ID View'),
+ key=u"Default Trust View",
+ reason=_('system ID View')
+)
+
@register()
class idview(LDAPObject):
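Review bot: `protected_default_trust_view_error` is a single exception instance built at import time and re-raised from idview_del and idview_mod in the next hunk, so every raise site shares one object; on Python 3 the instance would carry the traceback of the last raise in `__traceback__`, and any handler that mutates the exception would leak that change into later requests (on Python 2, which the `u"..."` literal suggests, only the shared-mutation concern applies). A tiny factory keeps each raise independent: `def _protected_default_trust_view_error(): return errors.ProtectedEntryError(label=_('ID View'), key=u"Default Trust View", reason=_('system ID View'))` and `raise _protected_default_trust_view_error()` at the call sites. The string `"Default Trust View"` is also repeated in four places across this commit; a module constant next to this definition would keep them in step.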
@@ -97,12 +103,24 @@ class idview_del(LDAPDelete):
__doc__ = _('Delete an ID View.')
msg_summary = _('Deleted ID View "%(value)s"')
+ def pre_callback(self, ldap, dn, *keys, **options):
+ if "Default Trust View" in keys:
+ raise protected_default_trust_view_error
+
+ return dn
+
@register()
class idview_mod(LDAPUpdate):
__doc__ = _('Modify an ID View.')
msg_summary = _('Modified an ID View "%(value)s"')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if "Default Trust View" in keys:
+ raise protected_default_trust_view_error
+
+ return dn
+
@register()
class idview_find(LDAPSearch):
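Review bot: The guard `if "Default Trust View" in keys:` in both new pre_callback methods compares the primary key case-sensitively, but the key resolves to the entry's cn, and if cn uses the usual LDAP caseIgnoreMatch rule (as the core schema defines it) a request for `default trust view` would resolve to the protected entry and slip past both checks; the same exact-case comparison `dn[1].value == 'Default Trust View'` appears in prohibit_ipa_users_in_default_view in the later hunk. Normalizing before comparing, e.g. `if any(k.lower() == "default trust view" for k in keys):`, closes the gap for the string keys these commands take. Separately, idview_mod's guard rejects every modification of the view rather than only rename as the commit message says; if that is intended, a docstring `"""Refuse any modification of the protected Default Trust View."""` on the method would record it.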
@@ -519,6 +537,16 @@ class baseidoverride(LDAPObject):
)
entry_attrs.single_value['ipaanchoruuid'] = object_name
+ def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
+ # Check if parent object is Default Trust View, if so, prohibit
+ # adding overrides for IPA objects
+
+ if dn[1].value == 'Default Trust View':
+ if dn[0].value.startswith(IPA_ANCHOR_PREFIX):
+ raise errors.ValidationError(
+ name=_('ID View'),
+ error=_('Default Trust View cannot contain IPA users')
+ )
class baseidoverride_add(LDAPCreate):
__doc__ = _('Add a new ID override.')
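Review bot: prohibit_ipa_users_in_default_view accepts `entry_attrs` but never reads it, and it relies on `dn[1]` being the ID View's RDN and `dn[0]` the override's anchor RDN, which a reader cannot see from the method itself. I'd replace the two leading comment lines with a docstring that states the DN layout it assumes and what it raises: `"""Reject an override whose parent view is the Default Trust View and whose anchor (dn[0]) carries IPA_ANCHOR_PREFIX; assumes dn[1] is the view RDN. Raises ValidationError."""`. Keeping the unused parameter is fine for symmetry with set_anchoruuid_from_dn, but the docstring should say it is unused.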
@@ -526,6 +554,7 @@ class baseidoverride_add(LDAPCreate):
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
self.obj.set_anchoruuid_from_dn(dn, entry_attrs)
+ self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -542,6 +571,16 @@ class baseidoverride_mod(LDAPUpdate):
__doc__ = _('Modify an ID override.')
msg_summary = _('Modified an ID override "%(value)s"')
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if 'rename' in options:
+ raise errors.ValidationError(
+ name=_('ID override'),
+ error=_('ID overrides cannot be renamed')
+ )
+
+ self.obj.prohibit_ipa_users_in_default_view(dn, entry_attrs)
+ return dn
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
self.obj.convert_anchor_to_human_readable_form(entry_attrs, **options)
return dn
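Review bot: The new pre_callback in baseidoverride_mod enforces two distinct rules without a docstring, and the second one is subtle: passing the existing entry's `dn` to prohibit_ipa_users_in_default_view re-validates an override that already exists rather than anything in `entry_attrs`, so it only catches entries that were created outside the add path. A short docstring would make that intent explicit: `"""Reject rename of an override, and refuse to touch an IPA-user override that somehow ended up in the Default Trust View."""`. The `'rename' in options` test matches the convention other plugins use, so I would leave that as is.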