Enable filtering search results by member attributes.

LDAPSearch base class has now the ability to generate additional
options for objects with member attributes. These options are
used to filter search results - search only for objects without
the specified members.

Example:
ipa group-find --no-users=admin

Only direct members are taken into account.

Ticket #288

4 files changed, 37 insertions, 2 deletions

diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py
index 46a98643e..0603d323b 100644
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -1186,6 +1186,9 @@ class LDAPSearch(CallbackInterface, crud.Search):
     """
     Retrieve all LDAP entries matching the given criteria.
     """
+    member_attributes = []
+    member_param_doc = 'exclude %s with member %s (comma-separated list)'
+
     takes_options = (
         Int('timelimit?',
             label=_('Time Limit'),
@@ -1213,6 +1216,33 @@ class LDAPSearch(CallbackInterface, crud.Search):
     def get_options(self):
         for option in super(LDAPSearch, self).get_options():
             yield option
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                ldap_obj = self.api.Object[ldap_obj_name]
+                name = to_cli(ldap_obj_name)
+                doc = self.member_param_doc % (
+                    self.obj.object_name_plural, ldap_obj.object_name_plural
+                )
+                yield List('no_%s?' % name, cli_name='no_%ss' % name, doc=doc,
+                           label=ldap_obj.object_name)
+
+    def get_member_filter(self, ldap, **options):
+        filter = ''
+        for attr in self.member_attributes:
+            for ldap_obj_name in self.obj.attribute_members[attr]:
+                param_name = 'no_%s' % to_cli(ldap_obj_name)
+                if param_name in options:
+                    dns = []
+                    ldap_obj = self.api.Object[ldap_obj_name]
+                    for pkey in options[param_name]:
+                        dns.append(ldap_obj.get_dn(pkey))
+                    flt = ldap.make_filter_from_attr(
+                        attr, dns, ldap.MATCH_NONE
+                    )
+                    filter = ldap.combine_filters(
+                        (filter, flt), ldap.MATCH_ALL
+                    )
+        return filter
 
     has_output_params = global_output_params
 
@@ -1254,8 +1284,10 @@ class LDAPSearch(CallbackInterface, crud.Search):
             search_kw[a] = term
         term_filter = ldap.make_filter(search_kw, exact=False)
 
+        member_filter = self.get_member_filter(ldap, **options)
+
         filter = ldap.combine_filters(
-            (term_filter, attr_filter), rules=ldap.MATCH_ALL
+            (term_filter, attr_filter, member_filter), rules=ldap.MATCH_ALL
         )
 
         scope = ldap.SCOPE_ONELEVEL
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 75f40c573..6d321064d 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -212,6 +212,8 @@ class group_find(LDAPSearch):
     """
     Search for groups.
     """
+    member_attributes = ['member']
+
     msg_summary = ngettext(
         '%(count)d group matched', '%(count)d groups matched', 0
     )
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 1c4cc28e8..d8e1331cc 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -123,7 +123,7 @@ class hostgroup_find(LDAPSearch):
     """
     Search for hostgroups.
     """
-
+    member_attributes = ['member']
     msg_summary = ngettext(
         '%(count)d hostgroup matched', '%(count)d hostgroups matched'
     )
diff --git a/ipalib/plugins/netgroup.py b/ipalib/plugins/netgroup.py
index e79aca2ad..a000c41e4 100644
--- a/ipalib/plugins/netgroup.py
+++ b/ipalib/plugins/netgroup.py
@@ -171,6 +171,7 @@ class netgroup_find(LDAPSearch):
     """
     Search for a netgroup.
     """
+    member_attributes = ['member', 'memberuser', 'memberhost']
     has_output_params = LDAPSearch.has_output_params + output_params
     msg_summary = ngettext(
         '%(count)d netgroup matched', '%(count)d netgroups matched'