authorTomas Babej <tbabej@redhat.com>2015-05-27 15:06:15 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-01 13:00:07 +0200
commit77b64e60231492b7c009a32bcf0cbdcd5ef9922a (patch)
treee82151f726fcbe73239ee48ff683b4b38c04185a /ipalib
parenta6d448b8bf70ef29aa4a2c16afb9aee068a95ae4 (diff)
idviews: Allow users specify the raw anchor directly as identifier
For various reasons, it can happen that the users or groups that have overrides defined in a given ID view are no longer resolvable. Since user and group names are used to specify the ID override objects too by leveraging the respective user's or group's ipaUniqueID, we need to provide a fallback in case these user or group entries no longer exist. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/idviews.py42
1 files changed, 31 insertions, 11 deletions
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index a7b1e0a78..2c843462a 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -17,6 +17,7 @@
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import re
from ipalib.plugins.baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPDelete, LDAPUpdate, LDAPSearch,
@@ -57,6 +58,12 @@ protected_default_trust_view_error = errors.ProtectedEntryError(
DEFAULT_TRUST_VIEW_NAME = "default trust view"
+ANCHOR_REGEX = re.compile(
+ r':IPA:.*:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}'
+ r'|'
+ r':SID:S-[0-9\-]+'
+)
+
@register()
class idview(LDAPObject):
"""
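Review bot: ANCHOR_REGEX has no end anchor and is applied with `.match()` at the `if ANCHOR_REGEX.match(keys[-1]):` line of the `get_dn` hunk below, so any caller-supplied key that merely begins with a plausible anchor (a SID prefix followed by arbitrary trailing text, for instance) is accepted as a raw anchor and goes straight into DN construction instead of being resolved. The pattern should have to match the whole key, e.g. `r'^(:IPA:[^:]+:[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}|:SID:S-[0-9\-]+)$'`, which also replaces the greedy `.*` with `[^:]+` so colons cannot be smuggled into the domain part. Note too that the hex class is lowercase-only, so an uppercase-hex UUID falls through to name resolution rather than being treated as a raw anchor; if that is intended, a comment saying so would save the next reader a question.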
@@ -559,11 +566,19 @@ class baseidoverride(LDAPObject):
override_object = None
def get_dn(self, *keys, **options):
- anchor = resolve_object_to_anchor(
- self.backend,
- self.override_object,
- keys[-1]
- )
+ # If user passed raw anchor, do not try
+ # to translate it.
+ if ANCHOR_REGEX.match(keys[-1]):
+ anchor = keys[-1]
+
+ # Otherwise, translate object into a
+ # legitimate object anchor.
+ else:
+ anchor = resolve_object_to_anchor(
+ self.backend,
+ self.override_object,
+ keys[-1]
+ )
keys = keys[:-1] + (anchor, )
return super(baseidoverride, self).get_dn(*keys, **options)
@@ -578,12 +593,17 @@ class baseidoverride(LDAPObject):
anchor = entry_attrs.single_value['ipaanchoruuid']
if anchor:
- object_name = resolve_anchor_to_object_name(
- self.backend,
- self.override_object,
- anchor
- )
- entry_attrs.single_value['ipaanchoruuid'] = object_name
+ try:
+ object_name = resolve_anchor_to_object_name(
+ self.backend,
+ self.override_object,
+ anchor
+ )
+ entry_attrs.single_value['ipaanchoruuid'] = object_name
+ except errors.NotFound:
+ # If we were unable to resolve the anchor,
+ # keep it in the raw form
+ pass
def prohibit_ipa_users_in_default_view(self, dn, entry_attrs):
# Check if parent object is Default Trust View, if so, prohibit
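Review bot: The `except errors.NotFound:` branch swallows the failed resolution silently, so an override whose user or group no longer exists is indistinguishable in the logs from a normal one; a debug-level line before the `pass`, e.g. `self.log.debug('Unable to resolve anchor %s, keeping raw form', anchor)` if the plugin logger is available here, would make dangling overrides visible to an administrator without changing behaviour. Only `errors.NotFound` is caught, so other resolution failures still propagate, which is right, but the comment could state that explicitly. The enclosing method starts above this hunk; its docstring should mention that `ipaanchoruuid` is left as the raw anchor when resolution fails.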