Extend caacl entity

There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.

Part of: https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

5 files changed, 80 insertions, 4 deletions

diff --git a/install/ui/less/widgets.less b/install/ui/less/widgets.less
index 0f9bc8c17..56a310462 100644
--- a/install/ui/less/widgets.less
+++ b/install/ui/less/widgets.less
@@ -188,3 +188,10 @@ tbody:empty { display: none; }
       font-weight: bold;
     }
 }
+
+/**
+ * Moves message next to the rule radio button to the right in caacl plugin.
+ */
+.rule-radio-note {
+    float: right;
+}
diff --git a/install/ui/src/freeipa/plugins/caacl.js b/install/ui/src/freeipa/plugins/caacl.js
index 57343d1e4..e101d25fb 100644
--- a/install/ui/src/freeipa/plugins/caacl.js
+++ b/install/ui/src/freeipa/plugins/caacl.js
@@ -87,6 +87,17 @@ var spec = {
         fields: [
             'cn',
             {
+                $type: 'checkboxes',
+                name: 'ipacacategory',
+                options: [
+                    {
+                        label: '@i18n:objects.caacl.all',
+                        value: 'all'
+                    }
+                ],
+                tooltip: '@i18n:objects.caacl.no_ca_msg'
+            },
+            {
                 $type: 'textarea',
                 name: 'description'
             }
@@ -245,6 +256,18 @@ var add_caacl_details_facet_widgets = function (spec) {
             name: 'memberservice_service',
             widget: 'who.service.memberservice_service',
             priority: IPA.caacl.remove_method_priority
+        },
+        // ca
+        {
+            $type: 'radio',
+            name: 'ipacacategory',
+            widget: 'who.ipaca.ipacacategory'
+        },
+        {
+            $type: 'rule_association_table',
+            name: 'ipamemberca_ca',
+            widget: 'who.ipaca.ipamemberca_ca',
+            priority: IPA.caacl.remove_method_priority
         }
     );
 
@@ -350,13 +373,36 @@ var add_caacl_details_facet_widgets = function (spec) {
                             remove_title: '@i18n:association.remove.member'
                         }
                     ]
+                },
+                {
+                    $factory: IPA.rule_details_widget,
+                    name: 'ipaca',
+                    radio_name: 'ipacacategory',
+                    note: '@i18n:objects.caacl.no_ca_msg',
+                    options: [
+                        { 'value': 'all', 'label': '@i18n:objects.caacl.any_ca' },
+                        { 'value': '', 'label': '@i18n:objects.caacl.specified_cas' }
+                    ],
+                    tables: [
+                        { 'name': 'ipamemberca_ca' }
+                    ],
+                    widgets: [
+                        {
+                            $type: 'rule_association_table',
+                            id: 'caacl-ipamemberca_ca',
+                            name: 'ipamemberca_ca',
+                            add_method: 'add_ca',
+                            remove_method: 'remove_ca',
+                            add_title: '@i18n:association.add.member',
+                            remove_title: '@i18n:association.remove.member'
+                        }
+                    ]
                 }
             ]
         }
     );
 };
 
-
 /**
  * CAACL entity specification object
  * @member plugins.caacl
diff --git a/install/ui/src/freeipa/rule.js b/install/ui/src/freeipa/rule.js
index 706827190..0f39d434f 100644
--- a/install/ui/src/freeipa/rule.js
+++ b/install/ui/src/freeipa/rule.js
@@ -24,11 +24,12 @@ define([
     './phases',
     './reg',
     './rpc',
+    './text',
     './details',
     './search',
     './association',
     './entity'],
-        function(IPA, $, phases, reg, rpc) {
+        function(IPA, $, phases, reg, rpc, text) {
 
 IPA.rule_details_widget = function(spec) {
 
@@ -40,6 +41,7 @@ IPA.rule_details_widget = function(spec) {
     that.options = spec.options || [];
     that.tables = spec.tables || [];
     that.columns = spec.columns;
+    that.note = spec.note;
 
     that.init = function() {
 
@@ -47,7 +49,8 @@ IPA.rule_details_widget = function(spec) {
             name: that.radio_name,
             options: that.options,
             entity: that.entity,
-            css_class: 'rule-enable-radio'
+            css_class: 'rule-enable-radio',
+            note: that.note
         });
 
         that.widgets.add_widget(that.enable_radio);
@@ -85,6 +88,11 @@ IPA.rule_radio_widget = function(spec) {
     spec = spec || {};
     var that = IPA.radio_widget(spec);
 
+    /**
+     * The text from note will be displayed after radio buttons.
+     */
+    that.note = spec.note || '';
+
     /** @inheritDoc */
     that.create = function(container) {
 
@@ -97,6 +105,13 @@ IPA.rule_radio_widget = function(spec) {
         if (that.undo) {
             that.create_undo(container);
         }
+
+        if (that.note) {
+            $('<div />', {
+                text: text.get(that.note),
+                'class': 'rule-radio-note'
+            }).appendTo(container);
+        }
     };
 
     return that;
@@ -274,4 +289,4 @@ phases.on('registration', function() {
 });
 
 return {};
-});
\ No newline at end of file
+});
diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index b19eafad3..eb5fb14cc 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -214,12 +214,16 @@
                             "map_type": "Map Type"
                         },
                         "caacl": {
+                            "all": "All",
+                            "any_ca": "Any CA",
                             "any_host": "Any Host",
                             "any_service": "Any Service",
                             "any_profile": "Any Profile",
                             "anyone": "Anyone",
                             "ipaenabledflag": "Rule status",
+                            "no_ca_msg": "If no CAs are specified, requests to the default CA are allowed.",
                             "profile": "Profiles",
+                            "specified_cas": "Specified CAs",
                             "specified_hosts": "Specified Hosts and Groups",
                             "specified_profiles": "Specified Profiles",
                             "specified_services": "Specified Services and Groups",
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5cb78c5ef..1d83b4648 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -351,12 +351,16 @@ class i18n_messages(Command):
                 "indirect": _("Indirect"),
             },
             "caacl": {
+                "all": _("All"),
+                "any_ca": _("Any CA"),
                 "any_host": _("Any Host"),
                 "any_service": _("Any Service"),
                 "any_profile": _("Any Profile"),
                 "anyone": _("Anyone"),
                 "ipaenabledflag": _("Rule status"),
+                "no_ca_msg": _("If no CAs are specified, requests to the default CA are allowed."),
                 "profile": _("Profiles"),
+                "specified_cas": _("Specified CAs"),
                 "specified_hosts": _("Specified Hosts and Groups"),
                 "specified_profiles": _("Specified Profiles"),
                 "specified_services": _("Specified Services and Groups"),