-rw-r--r--ipa-admintools/ipa-adddelegation8
-rw-r--r--ipa-admintools/ipa-deldelegation17
-rw-r--r--ipa-admintools/ipa-moddelegation29
-rw-r--r--ipa-server/ipa-gui/ipagui/proxyprovider.py23
-rw-r--r--ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py51
-rw-r--r--ipa-server/xmlrpc-server/funcs.py9
6 files changed, 121 insertions, 16 deletions
diff --git a/ipa-admintools/ipa-adddelegation b/ipa-admintools/ipa-adddelegation
index b29c9671b..e2254fd2d 100644
--- a/ipa-admintools/ipa-adddelegation
+++ b/ipa-admintools/ipa-adddelegation
@@ -139,6 +139,14 @@ def main():
client.update_entry(aci_entry)
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
print "Delegation %s successfully added" % args[1]
return 0
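Review bot: The editors-group update at L21–L22 runs after `client.update_entry(aci_entry)` at L18 has already committed the ACI, yet only LDAP_EMPTY_MODLIST is tolerated; if the "editors" lookup or the add fails for any other reason the tool aborts with a traceback and never reports that the delegation itself was created, leaving the operator to discover the half-applied state. Consider a second handler, `except ipa.ipaerror.IPAError, e:` followed by `print "Delegation %s added, but %s could not be added to the editors group: %s" % (args[1], new_aci.source_group, e)`, so the remaining step is visible. The same ordering appears in ipa-moddelegation (L110–L115) and subcontrollers/delegation.py (L167–L172). Membership in editors presumably confers whatever rights that group carries in the UI, which may be broader than the single delegation being added; a comment stating that this is intended would help later reviewers. main() continues outside the hunk.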
diff --git a/ipa-admintools/ipa-deldelegation b/ipa-admintools/ipa-deldelegation
index ac0ae798e..bc05b2837 100644
--- a/ipa-admintools/ipa-deldelegation
+++ b/ipa-admintools/ipa-deldelegation
@@ -51,12 +51,15 @@ def main():
aci_str_list = [aci_str_list]
acistr = None
+ aci_list = []
for aci_str in aci_str_list:
try:
aci = ipa.aci.ACI(aci_str)
if aci.name == args[1]:
acistr = aci_str
- break
+ source_group = aci.source_group
+ else:
+ aci_list.append(aci)
except SyntaxError:
# ignore aci_str's that ACI can't parse
pass
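Review bot: `source_group` at L43 is bound only when an ACI named args[1] is found; if none matches it stays unbound and the later comparison at L56 would raise NameError rather than a clear message, unless the code between the hunks already exits when `acistr` is None. An explicit `source_group = None` beside `acistr = None` at L35 makes the dependency visible and lets the later block guard on it. Note also that with the `break` at L42 gone, a later ACI carrying the same name now overrides an earlier one, so `acistr` and `source_group` come from the last match instead of the first. main() continues outside the hunk.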
@@ -72,6 +75,18 @@ def main():
aci_entry.setValue('aci', new_aci_str_list)
client.update_entry(aci_entry)
+
+ last = True
+ # If this is the last delegation for a group, remove it from editors
+ for a in aci_list:
+ if source_group == a.source_group:
+ last = False
+ break
+
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(source_group, group.dn)
+
print "Delegation removed."
return 0
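Review bot: `client.remove_member_from_group` at L62 is unguarded, unlike the add in ipa-adddelegation; delegations created before this change never put their group into editors, so removing the last of them will presumably fail (the group is not a member) after the ACI has already been dropped at L51, and the tool exits with a traceback instead of printing "Delegation removed." Wrap it the same way as the add, `except ipa.ipaerror.IPAError, e:` with a printed warning, so a stale membership does not mask a successful deletion. The `source_group == a.source_group` test at L56 is plain string equality on DNs; if the stored source groups are not normalized, a case or spacing difference could make `last` true while another delegation for the same group remains, removing that group's UI edit rights prematurely. The same pattern is at ipa-moddelegation L101–L107 and delegation.py L190–L198 and L225–L233. main() continues outside the hunk.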
diff --git a/ipa-admintools/ipa-moddelegation b/ipa-admintools/ipa-moddelegation
index 773c784df..61aab5e12 100644
--- a/ipa-admintools/ipa-moddelegation
+++ b/ipa-admintools/ipa-moddelegation
@@ -49,9 +49,9 @@ def main():
if options.list:
client = ipaclient.IPAClient()
- list = client.get_all_attrs()
+ l = client.get_all_attrs()
- for x in list:
+ for x in l:
print x
return 0
@@ -124,12 +124,15 @@ def main():
old_aci = None
acistr = None
+ aci_list = []
for aci_str in aci_str_list:
try:
old_aci = ipa.aci.ACI(aci_str)
if old_aci.name == args[1]:
acistr = aci_str
- break
+ orig_group = old_aci.source_group
+ else:
+ aci_list.append(old_aci)
except SyntaxError:
# ignore aci_str's that ACI can't parse
pass
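Review bot: Removing the `break` at L88 changes what `old_aci` holds after the loop: L85 reassigns it on every iteration, so it now ends as the last parsable ACI in the entry rather than the one named args[1]. If the code after the hunk builds the modified delegation from `old_aci` — its `old_aci = None` initialization at L80 suggests it does — the wrong delegation would be used as the base. Parse into a loop-local name and assign `old_aci` only on the match; the rewritten loop is below. main() continues outside the hunk.

```python
    for aci_str in aci_str_list:
        try:
            aci = ipa.aci.ACI(aci_str)
            if aci.name == args[1]:
                old_aci = aci
                acistr = aci_str
                orig_group = aci.source_group
            else:
                aci_list.append(aci)
        except SyntaxError:
            # ignore aci_str's that ACI can't parse
            pass
```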
@@ -162,6 +165,26 @@ def main():
client.update_entry(aci_entry)
+ if options.source:
+ last = True
+ # If this is the last delegation for a group, remove it from editors
+ for a in aci_list:
+ if orig_group == a.source_group:
+ last = False
+ break
+
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(orig_group, group.dn)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
print "Delegation %s successfully updated" % args[1]
return 0
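Review bot: When `options.source` is given but names the same group the delegation already had, the block at L97–L107 removes `orig_group` from editors and L112 immediately adds it back — two LDAP modifications for no net change, and a window in which the group briefly loses its UI rights. The GUI counterpart guards this at delegation.py L184 with `if new_aci.source_group != old_aci.source_group:`; the same guard here would be `if options.source and new_aci.source_group != orig_group:`. `orig_group` is also bound only on a name match in the earlier hunk (L89), so this block relies on the code between the hunks having exited when nothing matched. main() continues outside the hunk.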
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index ab45a6db8..5a145de14 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -24,6 +24,7 @@ from ipaserver import funcs
import ipa.config
import ipa.group
import ipa.user
+import ldap
log = logging.getLogger("turbogears.identity")
@@ -41,18 +42,18 @@ class IPA_User(object):
client = ipa.ipaclient.IPAClient(transport)
client.set_krbccache(os.environ["KRB5CCNAME"])
try:
- user = client.get_user_by_principal(user_name, ['dn'])
+ # Use memberof so we can see recursive group memberships as well.
+ user = client.get_user_by_principal(user_name, ['dn', 'memberof'])
self.groups = []
- groups = client.get_groups_by_member(user.dn, ['dn', 'cn'])
- if isinstance(groups, str):
- groups = [groups]
- for ginfo in groups:
- # cn may be multi-valued, add them all just in case
- cn = ginfo.getValue('cn')
- if isinstance(cn, str):
- cn = [cn]
- for c in cn:
- self.groups.append(c)
+ memberof = user.getValues('memberof')
+ if isinstance(memberof, str):
+ memberof = [memberof]
+ for mo in memberof:
+ rdn_list = ldap.explode_dn(mo, 0)
+ first_rdn = rdn_list[0]
+ (type,value) = first_rdn.split('=')
+ if type == "cn":
+ self.groups.append(value)
except:
raise
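Review bot: `first_rdn.split('=')` at L153 unpacks into exactly two names, so any RDN whose value contains an `=` raises ValueError, which the bare `except: raise` below turns into a failed login; `ldap.explode_dn(mo, 0)` keeps the attribute type, so `split('=', 1)` is what is needed. The `type == "cn"` test at L154 is also case-sensitive while LDAP attribute types are not, so a DN written as `CN=...` would silently drop that group from `self.groups`, the list this identity class exposes for authorization. Suggest `(rdn_type, value) = first_rdn.split('=', 1)` and `if rdn_type.lower() == "cn":`, which also stops shadowing the builtin `type`. Since the group list now comes from the server-maintained memberof attribute rather than a live search, a comment noting that it is only as current as that attribute would help readers. The enclosing method continues outside the hunk.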
diff --git a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
index 9b7e93059..73b0cbe6c 100644
--- a/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
+++ b/ipa-server/ipa-gui/ipagui/subcontrollers/delegation.py
@@ -134,6 +134,15 @@ class DelegationController(IPAController):
aci_entry.setValue('aci', new_aci.export_to_string())
client.update_entry(aci_entry)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
except ipaerror.IPAError, e:
turbogears.flash("Delgate add failed: " + str(e) + "<br/>" + e.detail[0]['desc'])
return dict(form=delegate_form, delegate=kw,
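Review bot: The new except clause at L170 reaches the error module as `ipa.ipaerror`, while the surrounding handler at L174 uses the file's existing `ipaerror` name; unless `ipa.ipaerror` is imported as a submodule elsewhere in this file (the hunks only show `ipa.aci` in use), the attribute lookup would raise AttributeError at the moment the LDAP_EMPTY_MODLIST error is being matched, turning a tolerated condition into a failure that the `ipaerror.IPAError` handler below does not catch. Write it as `except ipaerror.exception_for(ipaerror.LDAP_EMPTY_MODLIST):` to match the file; the same spelling appears at L204. The enclosing method continues outside the hunk.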
@@ -216,11 +225,37 @@ class DelegationController(IPAController):
new_aci_str = new_aci.export_to_string()
new_aci_str_list = copy.copy(aci_str_list)
+ old_aci = ipa.aci.ACI(new_aci_str_list[old_aci_index])
new_aci_str_list[old_aci_index] = new_aci_str
aci_entry.setValue('aci', new_aci_str_list)
client.update_entry(aci_entry)
+ if new_aci.source_group != old_aci.source_group:
+ aci_list = []
+ last = True
+ for aci_str in new_aci_str_list:
+ try:
+ aci = ipa.aci.ACI(aci_str)
+ if aci.source_group == old_aci.source_group:
+ last = False
+ break
+ except SyntaxError:
+ # ignore aci_str's that ACI can't parse
+ pass
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(old_aci.source_group, group.dn)
+
+ # Now add to the editors group so they can make changes in the UI
+ try:
+ group = client.get_entry_by_cn("editors")
+ client.add_group_to_group(new_aci.source_group, group.dn)
+ except ipa.ipaerror.exception_for(ipa.ipaerror.LDAP_EMPTY_MODLIST):
+ # This is ok, ignore it
+ pass
+
+
turbogears.flash("delegate updated")
raise turbogears.redirect('/delegate/list')
except (SyntaxError, ipaerror.IPAError), e:
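Review bot: `aci_list = []` at L185 is assigned and never used (the same at L220 in the delete handler); drop it. The "is this the last delegation for the group" scan at L186–L195 is now written out four times — here, at L221–L230, and in the ipa-deldelegation and ipa-moddelegation tools — each with its own `last` flag and `except SyntaxError: pass`; a small shared helper taking the ACI string list and a source-group DN and returning whether another delegation references it would keep the four copies from drifting, and give one place to normalize the DN comparison. The enclosing method continues outside the hunk.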
@@ -291,12 +326,28 @@ class DelegationController(IPAController):
"concurrently modified.")
raise turbogears.redirect('/delegate/list')
+ old_aci = ipa.aci.ACI(aci_str_list[old_aci_index])
new_aci_str_list = copy.copy(aci_str_list)
del new_aci_str_list[old_aci_index]
aci_entry.setValue('aci', new_aci_str_list)
client.update_entry(aci_entry)
+ aci_list = []
+ last = True
+ for aci_str in new_aci_str_list:
+ try:
+ aci = ipa.aci.ACI(aci_str)
+ if aci.source_group == old_aci.source_group:
+ last = False
+ break
+ except SyntaxError:
+ # ignore aci_str's that ACI can't parse
+ pass
+ if last:
+ group = client.get_entry_by_cn("editors")
+ client.remove_member_from_group(old_aci.source_group, group.dn)
+
turbogears.flash("delegate deleted")
raise turbogears.redirect('/delegate/list')
except (SyntaxError, ipaerror.IPAError), e:
diff --git a/ipa-server/xmlrpc-server/funcs.py b/ipa-server/xmlrpc-server/funcs.py
index 6bd404012..d4cbb3ef4 100644
--- a/ipa-server/xmlrpc-server/funcs.py
+++ b/ipa-server/xmlrpc-server/funcs.py
@@ -1123,7 +1123,14 @@ class IPAServer:
return True
def get_groups_by_member (self, member_dn, sattrs, opts=None):
- """Get a specific group's entry. Return as a dict of values.
+ """Get all of the groups an object is explicitly a member of.
+
+ This does not include groups an entry may be a member of as a
+ result of recursion (being a group that is a member of another
+ group). In other words, this searches on 'member' and not
+ 'memberof'.
+
+ Return as a dict of values.
Multi-valued fields are represented as lists.
"""
if not member_dn: