From cd7b64103b24ce4b71420c8c93707046169c2c22 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 10 Dec 2010 13:31:58 -0500
Subject: Add group to group delegation plugin.
This is a thin wrapper around the ACI plugin that manages granting group A the ability to write a set of attributes of group B.
ticket 532
---
 ipalib/plugins/aci.py | 48 +++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 7 deletions(-)
(limited to 'ipalib/plugins/aci.py')
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index d5f7d996f..5a57a309a 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -124,6 +124,8 @@ from ipalib import Flag, Int, List, Str, StrEnum
 from ipalib.aci import ACI
 from ipalib import output
 from ipalib import _, ngettext
+if api.env.in_server and api.env.context in ['lite', 'server']:
+ from ldap import explode_dn
 import logging
 _type_map = {
@@ -272,7 +274,9 @@ def _aci_to_kw(ldap, a, test=False):
 # See if the target is a group. If so we set the
 # targetgroup attr, otherwise we consider it a subtree
 if api.env.container_group in target:
- kw['targetgroup'] = unicode(target)
+ targetdn = unicode(target.replace('ldap:///',''))
+ (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
+ kw['targetgroup'] = entry_attrs['cn'][0]
 else:
 kw['subtree'] = unicode(target)
@@ -638,9 +642,10 @@ class aci_find(crud.Search):
 if 'memberof' in kw:
 try:
- self.api.Command['group_show'](
+ result = self.api.Command['group_show'](
 kw['memberof']
- )
+ )['result']
+ dn = result['dn']
 except errors.NotFound:
 pass
 else:
@@ -652,11 +657,9 @@ class aci_find(crud.Search):
 results.remove(a)
 else:
 results.remove(a)
- # uncomment next line if you add more search criteria
- # acis = list(results)
- for a in acis:
- if 'type' in kw:
+ if 'type' in kw:
+ for a in acis:
 if 'target' in a.target:
 target = a.target['target']['expression']
 else:
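Review bot: `explode_dn` is only bound when `api.env.in_server` holds and the context is 'lite' or 'server', yet the name is used unconditionally by the new 'group' and 'targetgroup' filters in aci_find (hunk at -681); any other context that reaches `aci_find.execute` — an in-process test harness, for instance — would fail with NameError on those searches instead of a meaningful error. A short comment on the guard would tell the next reader that the dependency is deliberately server-only, e.g. `# python-ldap is a server-side dependency; explode_dn is only needed by aci_find.execute()`. Whether every path into execute() runs under one of those two contexts is not visible from this hunk.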
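Review bot: The new `ldap.get_entry(targetdn, ['cn'])` in `_aci_to_kw` turns the read of an ACI whose target group has since been deleted into a failure of the whole call, where the old code simply reported the DN; since `_aci_to_kw` is presumably run for every ACI a find or show returns, one dangling target DN would hide all the other ACIs. Catching `errors.NotFound` — the plugin already handles it for group_show in aci_find — and falling back to the DN keeps the listing usable. The `dn` element of the returned tuple is unused. The remainder of `_aci_to_kw` lies outside the hunk.

```python
                targetdn = unicode(target.replace('ldap:///',''))
                try:
                    (dn, entry_attrs) = ldap.get_entry(targetdn, ['cn'])
                except errors.NotFound:
                    # the ACI names a group that no longer exists; report the
                    # DN rather than failing the conversion of every ACI
                    kw['targetgroup'] = targetdn
                else:
                    kw['targetgroup'] = entry_attrs['cn'][0]
                # … unchanged: subtree branch …
```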
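Review bot: The `type` filter now iterates `acis` — the unfiltered list — while removing from `results`, which is exactly what the deleted comment about `acis = list(results)` was warning about: every later filter (the 'group' and 'targetgroup' loops in the hunk at -681) walks the full list again and relies on `except ValueError: pass` to tolerate entries an earlier filter already dropped. Iterating a snapshot of the survivors, `for a in list(results):`, makes each pass walk only what is left and removes the need to swallow ValueError, which otherwise also masks a genuine removal bug. The `type` loop's body continues past the end of this hunk.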
@@ -681,6 +684,37 @@ class aci_find(crud.Search):
 except ValueError:
 pass
+ if 'group' in kw:
+ for a in acis:
+ groupdn = a.bindrule['expression']
+ groupdn = groupdn.replace('ldap:///','')
+ cn = None
+ if groupdn.startswith('cn='):
+ cn = explode_dn(groupdn)[0]
+ cn = cn.replace('cn=','')
+ if cn is None or cn != kw['group']:
+ try:
+ results.remove(a)
+ except ValueError:
+ pass
+
+ if 'targetgroup' in kw:
+ for a in acis:
+ found = False
+ if 'target' in a.target:
+ target = a.target['target']['expression']
+ if api.env.container_group in target:
+ targetdn = unicode(target.replace('ldap:///',''))
+ cn = explode_dn(targetdn)[0]
+ cn = cn.replace('cn=','')
+ if cn == kw['targetgroup']:
+ found = True
+ if not found:
+ try:
+ results.remove(a)
+ except ValueError:
+ pass
+ # TODO: searching by: filter, subtree
 acis = []
-- cgit
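Review bot: The new 'group' and 'targetgroup' filters compare DN components case-sensitively — `groupdn.startswith('cn=')`, `cn != kw['group']`, `cn == kw['targetgroup']` — although attribute types and cn values in a DN are case-insensitive in the directory, so an ACI written with `CN=` or a caller who types the group name in a different case is silently filtered out. `cn.replace('cn=','')` also strips every occurrence of the substring from the RDN, not just the type prefix. python-ldap's `explode_dn(groupdn, notypes=1)[0]` yields the bare RDN value, and `cn.lower() != kw['group'].lower()` / `cn.lower() == kw['targetgroup'].lower()` give the intended matching; the same change belongs in the targetgroup loop. If `explode_dn` raises `ldap.DECODING_ERROR` on a malformed bindrule or target expression, that would propagate out of aci_find unhandled — worth confirming what the ACI parser guarantees about those strings. The targetgroup filter also derives the group name by string parsing while `_aci_to_kw` in the hunk at -272 does an LDAP lookup for the same value; the two can disagree, and one approach should be shared.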