authorTomas Babej <tbabej@redhat.com>2015-05-27 16:30:48 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-01 13:06:40 +0200
commite21dad4e1c37bc171a4bc6095a8c9bdd2cc53f5c (patch)
tree0a57e879fc6e558135a75b1aeb1bf49814e11065 /ipalib
parent77b64e60231492b7c009a32bcf0cbdcd5ef9922a (diff)
idviews: Remove ID overrides for permanently removed users and groups
For IPA users and groups we are able to trigger a removal of any relevant ID overrides in user-del and group-del commands. https://fedorahosted.org/freeipa/ticket/5026 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/plugins/group.py5
-rw-r--r--ipalib/plugins/idviews.py25
-rw-r--r--ipalib/plugins/user.py15
3 files changed, 40 insertions, 5 deletions
diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
index 5d33ba217..edecebb06 100644
--- a/ipalib/plugins/group.py
+++ b/ipalib/plugins/group.py
@@ -22,6 +22,7 @@ from ipalib import api
from ipalib import Int, Str
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import *
+from ipalib.plugins.idviews import remove_ipaobject_overrides
from ipalib.plugins import baseldap
from ipalib import _, ngettext
if api.env.in_server and api.env.context in ['lite', 'server']:
@@ -316,6 +317,10 @@ class group_del(LDAPDelete):
reason=_(u'privileged group'))
if 'mepmanagedby' in group_attrs:
raise errors.ManagedGroupError()
+
+ # Remove any ID overrides tied with this group
+ remove_ipaobject_overrides(ldap, self.obj.api, dn)
+
return dn
def post_callback(self, ldap, dn, *keys, **options):
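Review bot: The ID overrides are deleted in pre_callback, before the group entry itself is removed, and nothing undoes that if the DEL issued after `return dn` is rejected, so a failed group-del leaves a still-existing group whose overrides are already gone; the same ordering is used in the ipalib/plugins/user.py hunk. If that is an accepted trade-off, state it where the call is made, e.g. `# Remove any ID overrides tied with this group. Done before the DEL, so a rejected delete leaves the group without its overrides.`; otherwise the UUID would have to be captured here and the overrides removed in post_callback, which means changing the helper's interface. The helper also re-reads the entry for ipaUniqueID although `group_attrs` was presumably fetched from the same entry a few lines above this hunk; if that attribute can be added to that lookup, the second round-trip is avoidable. pre_callback starts outside the hunk.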
diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 2c843462a..9f58c8327 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -537,6 +537,31 @@ def resolve_anchor_to_object_name(ldap, obj_type, anchor):
% dict(anchor=anchor))
+def remove_ipaobject_overrides(ldap, api, dn):
+ """
+ Removes all ID overrides for given object. This method is to be
+ consumed by -del commands of the given objects (users, groups).
+ """
+
+ entry = ldap.get_entry(dn, attrs_list=['ipaUniqueID'])
+ object_uuid = entry.single_value['ipaUniqueID']
+
+ override_filter = '(ipaanchoruuid=:IPA:{0}:{1})'.format(api.env.domain,
+ object_uuid)
+ try:
+ entries, truncated = ldap.find_entries(
+ override_filter,
+ base_dn=DN(api.env.container_views, api.env.basedn),
+ paged_search=True
+ )
+ except errors.EmptyResult:
+ pass
+ else:
+ # In case we found something, delete it
+ for entry in entries:
+ ldap.delete_entry(entry)
+
+
# This is not registered on purpose, it's a base class for ID overrides
class baseidoverride(LDAPObject):
"""
diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index d2404e2ed..0b90519b2 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -31,6 +31,7 @@ from ipalib.plugins.baseuser import baseuser, baseuser_add, baseuser_del, \
status_baseuser_output_params, baseuser_pwdchars, \
validate_nsaccountlock, radius_dn2pk, convert_nsaccountlock, split_principal, validate_principal, \
normalize_principal, fix_addressbook_permission_bindrule
+from ipalib.plugins.idviews import remove_ipaobject_overrides
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import *
from ipalib.plugins import baseldap
@@ -620,11 +621,15 @@ class user_del(baseuser_del):
dn = self.obj.get_dn(*keys, **options)
- if (not options.get('preserve', True) or
- dn.endswith(DN(self.obj.delete_container_dn,
- self.api.env.basedn))):
- # We are going to permanent delete or the user is already in the delete container.
- # So we issue a true DEL on that entry
+ # We are going to permanent delete or the user is already in the delete container.
+ delete_container = DN(self.obj.delete_container_dn, self.api.env.basedn)
+ user_from_delete_container = dn.endswith(delete_container)
+
+ if not options.get('preserve', True) or user_from_delete_container:
+ # Remove any ID overrides tied with this user
+ remove_ipaobject_overrides(self.obj.backend, self.obj.api, dn)
+
+ # Issue a true DEL on that entry
return super(user_del, self).execute(*keys, **options)
# The user to delete is active and there is no 'no_preserve' option
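Review bot: `remove_ipaobject_overrides` now runs before `super(user_del, self).execute`, and it performs its own `get_entry(dn)`, so for a login that does not exist the caller presumably sees the generic NotFound raised from that lookup instead of the user-specific not-found message the base `execute` produced before this change; worth confirming with a user-del of a nonexistent user. Passing `self.obj.backend` here where group_del passes its `ldap` argument is functionally fine but inconsistent in style across the two call sites. The comment hoisted above `delete_container` now reads as a bare assertion; attaching it to the boolean it explains, e.g. `# Permanent delete requested, or the user already sits in the delete container`, keeps the intent next to the condition. The enclosing execute starts and continues outside the hunk.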