authorMartin Babinsky <mbabinsk@redhat.com>2016-06-23 20:06:42 +0200
committerMartin Basti <mbasti@redhat.com>2016-07-01 09:37:25 +0200
commite6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 (patch)
tree4ee2d2755dc707a8e722a5e42978b5cbc25b8f46 /ipaserver
parenta28d312796839e3413c98ee37d34ccc892e85357 (diff)
Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases. 'add' commands will check the following: * the correct principal type is supplied as an alias * the principals have the correct realm and the realm/alternative suffix (e.g. e-mail) do not overlap with those of trusted AD domains If the entry does not have a canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers. 'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry. See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases https://fedorahosted.org/freeipa/ticket/1365 https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--ipaserver/plugins/baseuser.py39
-rw-r--r--ipaserver/plugins/host.py51
-rw-r--r--ipaserver/plugins/service.py53
-rw-r--r--ipaserver/plugins/user.py24
4 files changed, 136 insertions, 31 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index cbb04aaad..c80d5ac0d 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -27,7 +27,8 @@ from ipalib.parameters import Principal
from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
- LDAPRetrieve, LDAPAddMember, LDAPRemoveMember)
+ LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
+ LDAPRemoveMember)
from ipaserver.plugins.service import (
validate_certificate, validate_realm, normalize_principal)
from ipalib.request import context
@@ -42,7 +43,10 @@ from ipalib.util import (
remove_sshpubkey_from_output_post,
remove_sshpubkey_from_output_list_post,
add_sshpubkey_to_attrs_pre,
- set_krbcanonicalname
+ set_krbcanonicalname,
+ check_principal_realm_in_trust_namespace,
+ ensure_last_krbprincipalname,
+ ensure_krbcanonicalname_set
)
if six.PY3:
@@ -212,14 +216,20 @@ class baseuser(LDAPObject):
label=_('Login shell'),
),
Principal(
- 'krbprincipalname?',
+ 'krbcanonicalname?',
+ validate_realm,
+ label=_('Principal name'),
+ flags={'no_option', 'no_create', 'no_update', 'no_search'},
+ normalizer=normalize_user_principal
+ ),
+ Principal(
+ 'krbprincipalname*',
validate_realm,
cli_name='principal',
- label=_('Kerberos principal'),
- default_from=lambda uid: kerberos.Principal.from_text(
+ label=_('Principal alias'),
+ default_from=lambda uid: kerberos.Principal(
uid.lower(), realm=api.env.realm),
autofill=True,
- flags=['no_update'],
normalizer=normalize_user_principal,
),
DateTime('krbprincipalexpiration?',
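Review bot: Dropping `flags=['no_update']` from the `krbprincipalname*` parameter exposes the alias list to `user-mod --principal=...`, which replaces the whole multi-valued attribute, while the trust-namespace check and the "an alias equal to the canonical name must remain" check are only wired into the new add/remove-principal commands. Unless `baseuser_mod`'s pre_callback (outside this hunk) applies `check_principal_realm_in_trust_namespace` and `ensure_last_krbprincipalname` to the replacement list, a modify could drop the alias equal to `krbcanonicalname` or add one inside a trusted AD realm's namespace. Either keep `'no_update'` in this parameter's flags or run the same two helpers on the mod path, and pin it with a test that `user-mod --principal` cannot remove the canonical alias. The enclosing `takes_params` tuple starts and ends outside the hunk.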
@@ -621,3 +631,20 @@ class baseuser_add_manager(LDAPAddMember):
class baseuser_remove_manager(LDAPRemoveMember):
member_attributes = ['manager']
+
+
+class baseuser_add_principal(LDAPAddAttribute):
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ check_principal_realm_in_trust_namespace(self.api, *keys)
+ ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+class baseuser_remove_principal(LDAPRemoveAttribute):
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
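Review bot: `baseuser_add_principal.pre_callback` checks realm and trust-namespace overlap, but nothing visible checks the principal type, although the commit message lists that as an 'add'-time check; the user alias parameter carries no `require_service`-style constraint, so unless `normalize_user_principal` or the `Principal` parameter class rejects them (outside this diff), a service-form alias such as `HTTP/www.example.com@REALM` could be attached to a user entry, and the KDC would presumably then issue tickets for that name against the user's keys. If the type rule does not live in the parameter, an explicit guard here, roughly `if any(p.is_service for p in keys[-1]): raise errors.ValidationError(name='krbprincipalname', error=_('service principals cannot be user aliases'))`, would close it (assuming `errors` is in scope in this module and `Principal` exposes `is_service`). A one-line docstring on each class stating what the pre-check guarantees, e.g. `"""Add principal aliases to a user; rejects aliases in a trusted realm's namespace."""`, would also help readers of the subclasses.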
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 11bddb505..1c1e934b9 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -35,7 +35,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttribute, LDAPRemoveAttribute,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
-from ipaserver.plugins.service import (
+from .service import (
validate_realm, normalize_principal, validate_certificate,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
@@ -406,6 +406,12 @@ class host(LDAPObject):
'ipapermdefaultattr': {'usercertificate'},
'default_privileges': {'Host Administrators', 'Host Enrollment'},
},
+ 'System: Manage Host Principals': {
+ 'ipapermbindruletype': 'permission',
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {'Host Administrators', 'Host Enrollment'},
+ },
'System: Manage Host Enrollment Password': {
'ipapermbindruletype': 'permission',
'ipapermright': {'write'},
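Review bot: Granting 'System: Manage Host Principals' to the 'Host Enrollment' privilege gives enrollment accounts write access to `krbcanonicalname` and `krbprincipalname` on every host entry, not only the one being enrolled. Together with the other write rights that privilege already carries (certificate management is visible just above), an enrollment account could attach an extra alias to a host it controls, or rewrite an existing host's canonical name, which is a larger capability than enrolling. Consider limiting `default_privileges` here to `{'Host Administrators'}`, or add a comment stating why enrollment needs alias management, e.g. `# enrollment needs write on krbprincipalname because <reason>`.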
@@ -515,11 +521,18 @@ class host(LDAPObject):
flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
),
Principal(
- 'krbprincipalname?',
+ 'krbcanonicalname?',
validate_realm,
label=_('Principal name'),
normalizer=normalize_principal,
- flags=['no_create', 'no_update', 'no_search'],
+ flags={'no_create', 'no_update', 'no_search'},
+ ),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ label=_('Principal alias'),
+ normalizer=normalize_principal,
+ flags=['no_create', 'no_search'],
),
Str('macaddress*',
normalizer=lambda value: value.upper(),
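Review bot: The new host `krbprincipalname*` alias parameter carries only `validate_realm` and `normalize_principal`, so nothing here restricts host aliases to the `host/` type the way the service object uses `require_service=True`; the commit message promises a principal-type check, so if it is not enforced elsewhere an `ldap/...` or `HTTP/...` alias could be placed on a host entry. The parameter also omits `no_update`, so `host-mod` can replace the alias list without the add/remove-principal checks unless `host_mod.pre_callback` (outside this hunk) repeats them. If the type rule is not in the parameter class, a validator beside `validate_realm`, e.g. `def validate_host_principal(ugettext, principal): return None if principal.is_host else _('must be a host principal')`, would make the contract explicit (assuming `Principal` exposes `is_host`). The `takes_params` tuple starts and ends outside the hunk.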
@@ -839,15 +852,6 @@ class host_mod(LDAPUpdate):
member_attributes = ['managedby']
takes_options = LDAPUpdate.takes_options + (
- Principal(
- 'krbprincipalname?',
- validate_realm,
- cli_name='principalname',
- label=_('Principal name'),
- doc=_('Kerberos principal name for this host'),
- normalizer=normalize_principal,
- attribute=True,
- ),
Flag('updatedns?',
doc=_('Update DNS entries'),
default=False,
@@ -1332,3 +1336,26 @@ class host_remove_cert(LDAPRemoveAttributeViaOption):
revoke_certs(options['usercertificate'], self.log)
return dn
+
+
+@register()
+class host_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to host entry')
+ msg_summary = _('Added new aliases to host "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class host_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a host entry')
+ msg_summary = _('Removed aliases from host "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
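Review bot: In `host_add_principal.pre_callback`, `ensure_krbcanonicalname_set(ldap, entry_attrs)` receives the `entry_attrs` that `LDAPAddAttribute` builds for the add; if, as the base command appears to do, that entry holds only the aliases being added rather than the entry's existing `krbprincipalname`, then for a legacy host without `krbcanonicalname` the canonical name could become the alias just added instead of the existing `host/fqdn` principal, contrary to the commit message's "first returned principal name". The service and user variants use the same pattern, so a single test that adds an alias to an entry lacking `krbcanonicalname` and asserts the canonical name equals the pre-existing principal would settle it for all three. Until then a comment such as `# canonical name must come from the entry's existing principal, not the new alias -- verify` would flag the assumption.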
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 7b0832b23..417be0011 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -422,6 +422,13 @@ class service(LDAPObject):
],
'default_privileges': {'Service Administrators'},
},
+ 'System: Manage Service Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'Service Administrators',
+ },
+ },
'System: Remove Services': {
'ipapermright': {'delete'},
'replaces': [
@@ -439,12 +446,22 @@ class service(LDAPObject):
'krbcanonicalname',
validate_realm,
cli_name='canonical_principal',
- label=_('Principal'),
+ label=_('Principal name'),
doc=_('Service principal'),
primary_key=True,
normalizer=normalize_principal,
require_service=True
),
+ Principal(
+ 'krbprincipalname*',
+ validate_realm,
+ cli_name='principal',
+ label=_('Principal alias'),
+ doc=_('Service principal alias'),
+ normalizer=normalize_principal,
+ require_service=True,
+ flags={'no_create'}
+ ),
Bytes('usercertificate*', validate_certificate,
cli_name='certificate',
label=_('Certificate'),
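Review bot: The service alias parameter keeps `no_create` but drops the `no_update` that the definition removed in the next hunk had, so `service-mod --principal=...` now replaces the whole `krbprincipalname` list without `check_principal_realm_in_trust_namespace` or `ensure_last_krbprincipalname`, which this commit attaches only to the add/remove-principal commands. Unless `service_mod.pre_callback` (outside this hunk) applies the same checks, a modify could drop the alias that equals `krbcanonicalname`, leaving the primary key with no matching alias. Either restore `'no_update'` in `flags` or run the two helpers on the mod path; `takes_params` starts and ends outside the hunk.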
@@ -503,16 +520,6 @@ class service(LDAPObject):
" Use 'radius' to allow RADIUS-based 2FA authentications."
" Other values may be used for custom configurations."),
),
- Principal(
- 'krbprincipalname',
- validate_realm,
- cli_name='principal',
- label=_('Principal Alias'),
- doc=_('Service principal alias'),
- normalizer=normalize_principal,
- require_service=True,
- flags={'no_create', 'no_update'}
- ),
) + ticket_flags_params
def validate_ipakrbauthzdata(self, entry):
@@ -819,7 +826,6 @@ class service_show(LDAPRetrieve):
return dn
-
@register()
class service_add_host(LDAPAddMember):
__doc__ = _('Add hosts that can manage this service.')
@@ -978,3 +984,26 @@ class service_remove_cert(LDAPRemoveAttributeViaOption):
revoke_certs(options['usercertificate'], self.log)
return dn
+
+
+@register()
+class service_add_principal(LDAPAddAttribute):
+ __doc__ = _('Add new principal alias to a service')
+ msg_summary = _('Added new aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.check_principal_realm_in_trust_namespace(self.api, *keys)
+ util.ensure_krbcanonicalname_set(ldap, entry_attrs)
+ return dn
+
+
+@register()
+class service_remove_principal(LDAPRemoveAttribute):
+ __doc__ = _('Remove principal alias from a service')
+ msg_summary = _('Removed aliases to the service principal "%(value)s"')
+ attribute = 'krbprincipalname'
+
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ util.ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
+ return dn
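Review bot: The summary string on `service_remove_principal` reads "Removed aliases to the service principal", which misdescribes the operation; `msg_summary = _('Removed aliases from the service principal "%(value)s"')` matches the host and user variants. As it is a translatable string, fix it before translators pick it up.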
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index c231847d5..b3ae7646f 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -43,7 +43,9 @@ from .baseuser import (
convert_nsaccountlock,
fix_addressbook_permission_bindrule,
baseuser_add_manager,
- baseuser_remove_manager)
+ baseuser_remove_manager,
+ baseuser_add_principal,
+ baseuser_remove_principal)
from .idviews import remove_ipaobject_overrides
from ipalib.plugable import Registry
from .baseldap import (
@@ -287,6 +289,14 @@ class user(baseuser):
'Modify Users and Reset passwords',
},
},
+ 'System: Manage User Principals': {
+ 'ipapermright': {'write'},
+ 'ipapermdefaultattr': {'krbprincipalname', 'krbcanonicalname'},
+ 'default_privileges': {
+ 'User Administrators',
+ 'Modify Users and Reset passwords',
+ },
+ },
'System: Modify Users': {
'ipapermright': {'write'},
'ipapermdefaultattr': {
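Review bot: 'System: Manage User Principals' is granted to 'Modify Users and Reset passwords' as well as 'User Administrators', so a helpdesk-level privilege can now rewrite `krbcanonicalname` and add `krbprincipalname` aliases on any user entry, a capability the former `no_update` flag on `krbprincipalname` withheld from it. Renaming or aliasing a Kerberos identity is closer to account creation than to a password reset, and if the directory does not enforce `krbPrincipalName` uniqueness, an alias added to a helpdesk-controlled account could presumably shadow another name. Consider limiting `default_privileges` to `{'User Administrators'}`, or add a comment stating why the reset-password role needs alias management.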
@@ -1187,3 +1197,15 @@ class user_add_manager(baseuser_add_manager):
@register()
class user_remove_manager(baseuser_remove_manager):
__doc__ = _("Remove a manager to the user entry")
+
+
+@register()
+class user_add_principal(baseuser_add_principal):
+ __doc__ = _('Add new principal alias to the user entry')
+ msg_summary = _('Added new aliases to user "%(value)s"')
+
+
+@register()
+class user_remove_principal(baseuser_remove_principal):
+ __doc__ = _('Remove principal alias from the user entry')
+ msg_summary = _('Removed aliases from user "%(value)s"')