From 91a5d3349be3a8c6044684405a4e66f4ed1dd543 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Mon, 10 Jun 2013 18:57:08 -0400 Subject: Require rid-base and secondary-rid-base in idrange-add after ipa-adtrust-install Add a new API command 'adtrust_is_enabled', which can be used to determine whether ipa-adtrust-install has been run on the system. This new command is not visible in IPA CLI. Use this command in idrange_add to conditionally require rid-base and secondary-rid-base options. Add tests to cover the new functionality https://fedorahosted.org/freeipa/ticket/3634 --- ipalib/plugins/idrange.py | 35 ++++++++++++++++++++++++++++++++++- ipalib/plugins/trust.py | 32 ++++++++++++++++++++++++++++---- 2 files changed, 62 insertions(+), 5 deletions(-) (limited to 'ipalib/plugins') diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py index 54b835e2..f258cbb1 100644 --- a/ipalib/plugins/idrange.py +++ b/ipalib/plugins/idrange.py @@ -356,7 +356,7 @@ class idrange_add(LDAPCreate): may be given for a new ID range for the local domain while - --rid-bas + --rid-base --dom-sid must be given to add a new range for a trusted AD domain. @@ -381,6 +381,9 @@ class idrange_add(LDAPCreate): Also ensure that secondary-rid-base is prompted for when rid-base is specified and vice versa, in case that dom-sid was not specified. + + Also ensure that rid-base and secondary-rid-base is prompted for + if ipa-adtrust-install has been run on the system. """ # dom-sid can be specified using dom-sid or dom-name options 
@@ -410,6 +413,22 @@ class idrange_add(LDAPCreate): value = self.prompt_param(self.params['ipabaserid']) kw.update(dict(ipabaserid=value)) + # Prompt for rid-base and secondary-rid-base if ipa-adtrust-install + # has been run on the system + adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result'] + + if adtrust_is_enabled: + rid_base = kw.get('ipabaserid', None) + secondary_rid_base = kw.get('ipasecondarybaserid', None) + + if rid_base is None: + value = self.prompt_param(self.params['ipabaserid']) + kw.update(dict(ipabaserid=value)) + + if secondary_rid_base is None: + value = self.prompt_param(self.params['ipasecondarybaserid']) + kw.update(dict(ipasecondarybaserid=value)) + def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): assert isinstance(dn, DN) @@ -495,6 +514,20 @@ class idrange_add(LDAPCreate): error=_("Primary RID range and secondary RID range" " cannot overlap")) + # rid-base and secondary-rid-base must be set if + # ipa-adtrust-install has been run on the system + adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result'] + + if adtrust_is_enabled and not ( + is_set('ipabaserid') and is_set('ipasecondarybaserid')): + raise errors.ValidationError( + name='ID Range setup', + error=_( + 'You must specify both rid-base and ' + 'secondary-rid-base options, because ' + 'ipa-adtrust-install has already been run.' + ) + ) return dn def post_callback(self, ldap, dn, entry_attrs, *keys, **options): diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5c9360b5..d2b58399 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py 
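Review bot: The block added to the interactive prompt callback (`if adtrust_is_enabled:` and the two `prompt_param` calls) asks for both rid-base and secondary-rid-base without looking at dom-sid/dom-name, although the docstring context in the previous hunk limits the rid-base pairing to the case where dom-sid was not specified. The validation added in the `@@ -495,6 +514,20 @@` hunk has the same shape, and there the outcome is a hard `ValidationError`. Indentation is lost on this page, so it is not visible whether either block sits inside the local-domain branch. If they also run for trusted AD domain ranges, and secondary-rid-base is not accepted together with dom-sid (that check is outside these hunks), idrange-add for a trust range would stop working once ipa-adtrust-install has been run. I would restrict both blocks to the case where neither dom-sid nor dom-name is given, and add a test that creates a dom-sid range on an adtrust-enabled server; both enclosing methods start and end outside the hunks.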
@@ -20,12 +20,9 @@ from ipalib.plugins.baseldap import * from ipalib.plugins.dns import dns_container_exists -from ipalib import api, Str, StrEnum, Password, DefaultFrom, _, ngettext, Object -from ipalib.parameters import Enum +from ipalib import api, Str, StrEnum, Password, _, ngettext from ipalib import Command from ipalib import errors -from ipapython import ipautil -from ipalib import util try: import pysss_murmur #pylint: disable=F0401 _murmur_installed = True @@ -843,3 +840,30 @@ class trust_resolve(Command): return dict(result=result) api.register(trust_resolve) + + +class adtrust_is_enabled(Command): + NO_CLI = True + + __doc__ = _('Determine whether ipa-adtrust-install has been run on this ' + 'system') + + def execute(self, *keys, **options): + ldap = self.api.Backend.ldap2 + adtrust_dn = DN( + ('cn', 'ADTRUST'), + ('cn', api.env.host), + ('cn', 'masters'), + ('cn', 'ipa'), + ('cn', 'etc'), + api.env.basedn + ) + + try: + ldap.get_entry(adtrust_dn) + except errors.NotFound: + return dict(result=False) + + return dict(result=True) + +api.register(adtrust_is_enabled) -- cgit
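Review bot: `adtrust_is_enabled.execute` answers only for the server that handles the request, because the DN it looks up is built from `api.env.host`, and it turns `errors.NotFound` into `result=False`. With more than one master, the RID-base requirement in idrange_add would therefore depend on which master processes the call. If the lookup runs with the caller's LDAP credentials and an unreadable entry is reported as NotFound (not visible in this hunk), the requirement is skipped silently rather than refused. Please confirm that failing open is intended and state the contract in a docstring on `execute`, for example `"""Return result=True if cn=ADTRUST exists under this server's cn=masters entry; NotFound is reported as False."""`.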