-rw-r--r--ACI.txt2
-rw-r--r--install/share/delegation.ldif9
-rw-r--r--install/share/replica-acis.ldif5
-rw-r--r--install/updates/20-aci.update4
-rw-r--r--install/updates/90-post_upgrade_plugins.update1
-rw-r--r--ipaserver/install/plugins/update_managed_permissions.py133
6 files changed, 90 insertions, 64 deletions
diff --git a/ACI.txt b/ACI.txt
index bbc2e660c..24cb332ce 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -388,8 +388,6 @@ dn: cn=Domain Level,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || ipadomainlevel || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipadomainlevelconfig)")(version 3.0;acl "permission:System: Read Domain Level";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipaconfigstring || modifytimestamp || objectclass")(targetfilter = "(objectclass=nscontainer)")(version 3.0;acl "permission:System: Read IPA Masters";allow (compare,read,search) groupdn = "ldap:///cn=System: Read IPA Masters,cn=permissions,cn=pbac,dc=ipa,dc=example";)
-dn: cn=config
-aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=replication,cn=etc,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || modifytimestamp || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicachangecount || nsds5replicacleanruv || nsds5replicaid || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicatombstonepurgeinterval || nsds5replicatype || nsds5task || nsstate || objectclass")(targetfilter = "(objectclass=nsds5replica)")(version 3.0;acl "permission:System: Read Replication Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=example
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index bacd9e68a..067b4d26a 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -173,6 +173,15 @@ cn: Modify Replication Agreements
ipapermissiontype: SYSTEM
member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+dn: cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: ipapermission
+cn: Read Replication Agreements
+ipapermissiontype: SYSTEM
+member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
dn: cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX
changetype: add
objectClass: top
diff --git a/install/share/replica-acis.ldif b/install/share/replica-acis.ldif
index 673513087..fcfe7bd4a 100644
--- a/install/share/replica-acis.ldif
+++ b/install/share/replica-acis.ldif
@@ -3,6 +3,11 @@
dn: cn=mapping tree,cn=config
changetype: modify
add: aci
+aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=mapping tree,cn=config
+changetype: modify
+add: aci
aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn=mapping tree,cn=config
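Review bot: The added `aci:` stanza carries no comment saying why this grant is installed per replica here instead of being generated from a managed permission, whereas the matching line in 20-aci.update gets a `# ticket 5631: ...` explanation; a one-line LDIF comment above the new `dn: cn=mapping tree,cn=config` stanza, e.g. `# ticket 5631: Read Replication Agreements is not a managed permission; cn=config is not replicated, so the ACI is installed on each replica here`, keeps the two files findable from each other. The ACI is also placed on `cn=mapping tree,cn=config` rather than `cn=config`, where the removed managed ACI lived (ACI.txt hunk), which presumably narrows the scope to the replica and agreement entries below the mapping tree — worth stating in that comment if intentional. The target attribute list is the full list carried over from the deleted template, including `nsds5replicabinddn` and `nsds5replicacredentials`, so the comment should make clear that read access to those for members of the permission is deliberate.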
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index 7da48cfd1..4802ae045 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -72,6 +72,7 @@ dn: cn=mapping tree,cn=config
add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: cn="$SUFFIX",cn=mapping tree,cn=config
remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
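Review bot: The ACI added on the `add: aci:` line binds the read grant to `groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX"`, an entry that on an upgraded server only comes into existence when the `update_read_replication_agreements_permission` plugin (registered later, in 90-post_upgrade_plugins.update) renames the old `System: Read Replication Agreements` permission, while the second hunk of this file removes the old ACI from `cn=config` in the same update run. If that plugin declines the rename — it logs an error and returns when an entry named `Read Replication Agreements` already exists — the new ACI is bound to whatever entry carries that name and the former managed permission's members are left with no read ACI at all. Suggest a comment next to the added line, e.g. `# ticket 5631: the permission entry is renamed by update_read_replication_agreements_permission; the grant is inert until that plugin has run`, and that the plugin's duplicate-name branch be treated as an upgrade failure rather than a silent return.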
@@ -86,8 +87,9 @@ remove:aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreemen
# Removal of obsolete ACIs
dn: cn=config
-# Replaced by 'System: Read Replication Agreements'
remove:aci: (targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
+# ticket 5631: this ACI cannot be a managed ACI, because it is located in nonreplicated container
+remove:aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || nsds50ruv || nsds5beginreplicarefresh || nsds5debugreplicatimeout || nsds5flags || nsds5replicaabortcleanruv || nsds5replicaautoreferral || nsds5replicabackoffmax || nsds5replicabackoffmin || nsds5replicabinddn || nsds5replicabindmethod || nsds5replicabusywaittime || nsds5replicachangecount || nsds5replicachangessentsincestartup || nsds5replicacleanruv || nsds5replicacleanruvnotified || nsds5replicacredentials || nsds5replicaenabled || nsds5replicahost || nsds5replicaid || nsds5replicalastinitend || nsds5replicalastinitstart || nsds5replicalastinitstatus || nsds5replicalastupdateend || nsds5replicalastupdatestart || nsds5replicalastupdatestatus || nsds5replicalegacyconsumer || nsds5replicaname || nsds5replicaport || nsds5replicaprotocoltimeout || nsds5replicapurgedelay || nsds5replicareferral || nsds5replicaroot || nsds5replicasessionpausetime || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || nsds5replicatimeout || nsds5replicatombstonepurgeinterval || nsds5replicatransportinfo || nsds5replicatype || nsds5replicaupdateinprogress || nsds5replicaupdateschedule || nsds5task || nsds7directoryreplicasubtree || nsds7dirsynccookie || nsds7newwingroupsyncenabled || nsds7newwinusersyncenabled || nsds7windowsdomain || nsds7windowsreplicasubtree || nsruvreplicalastmodified || nsstate || objectclass || onewaysync || winsyncdirectoryfilter || winsyncinterval || winsyncmoveaction || winsyncsubtreepair || winsyncwindowsfilter")(targetfilter = "(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0;acl "permission:System: Read Replication Agreements";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
dn: $SUFFIX
remove:aci: (targetattr = "*")(target = "ldap:///cn=*,cn=roles,cn=accounts,$SUFFIX")(version 3.0; acl "No anonymous access to roles"; deny (read,search,compare) userdn != "ldap:///all";)
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 727c00b9f..9c9ee160f 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -19,5 +19,6 @@ plugin: update_upload_cacrt
plugin: update_master_to_dnsforwardzones
plugin: update_managed_post
plugin: update_managed_permissions
+plugin: update_read_replication_agreements_permission
plugin: update_idrange_baserid
plugin: update_passync_privilege_update
diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index d68e24302..36ac5cca8 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -262,67 +262,6 @@ NONOBJECT_PERMISSIONS = {
'ipantdomainguid', 'ipantfallbackprimarygroup',
},
},
- 'System: Read Replication Agreements': {
- 'ipapermlocation': DN('cn=config'),
- 'ipapermtargetfilter': {
- '(|'
- '(objectclass=nsds5Replica)'
- '(objectclass=nsds5replicationagreement)'
- '(objectclass=nsDSWindowsReplicationAgreement)'
- '(objectClass=nsMappingTree)'
- ')'
- },
- 'ipapermbindruletype': 'permission',
- 'ipapermright': {'read', 'search', 'compare'},
- 'ipapermdefaultattr': {
- 'cn', 'objectclass',
- # nsds5Replica
- 'nsds5replicaroot', 'nsds5replicaid', 'nsds5replicacleanruv',
- 'nsds5replicaabortcleanruv', 'nsds5replicatype',
- 'nsds5replicabinddn', 'nsstate', 'nsds5replicaname',
- 'nsds5flags', 'nsds5task', 'nsds5replicareferral',
- 'nsds5replicaautoreferral', 'nsds5replicapurgedelay',
- 'nsds5replicatombstonepurgeinterval', 'nsds5replicachangecount',
- 'nsds5replicalegacyconsumer', 'nsds5replicaprotocoltimeout',
- 'nsds5replicabackoffmin', 'nsds5replicabackoffmax',
- # nsds5replicationagreement
- 'nsds5replicacleanruvnotified', 'nsds5replicahost',
- 'nsds5replicaport', 'nsds5replicatransportinfo',
- 'nsds5replicabinddn', 'nsds5replicacredentials',
- 'nsds5replicabindmethod', 'nsds5replicaroot',
- 'nsds5replicatedattributelist',
- 'nsds5replicatedattributelisttotal', 'nsds5replicaupdateschedule',
- 'nsds5beginreplicarefresh', 'description', 'nsds50ruv',
- 'nsruvreplicalastmodified', 'nsds5replicatimeout',
- 'nsds5replicachangessentsincestartup', 'nsds5replicalastupdateend',
- 'nsds5replicalastupdatestart', 'nsds5replicalastupdatestatus',
- 'nsds5replicaupdateinprogress', 'nsds5replicalastinitend',
- 'nsds5replicaenabled', 'nsds5replicalastinitstart',
- 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
- 'nsds5replicabusywaittime', 'nsds5replicastripattrs',
- 'nsds5replicasessionpausetime', 'nsds5replicaprotocoltimeout',
- # nsDSWindowsReplicationAgreement
- 'nsds5replicahost', 'nsds5replicaport',
- 'nsds5replicatransportinfo', 'nsds5replicabinddn',
- 'nsds5replicacredentials', 'nsds5replicabindmethod',
- 'nsds5replicaroot', 'nsds5replicatedattributelist',
- 'nsds5replicaupdateschedule', 'nsds5beginreplicarefresh',
- 'description', 'nsds50ruv', 'nsruvreplicalastmodified',
- 'nsds5replicatimeout', 'nsds5replicachangessentsincestartup',
- 'nsds5replicalastupdateend', 'nsds5replicalastupdatestart',
- 'nsds5replicalastupdatestatus', 'nsds5replicaupdateinprogress',
- 'nsds5replicalastinitend', 'nsds5replicalastinitstart',
- 'nsds5replicalastinitstatus', 'nsds5debugreplicatimeout',
- 'nsds5replicabusywaittime', 'nsds5replicasessionpausetime',
- 'nsds7windowsreplicasubtree', 'nsds7directoryreplicasubtree',
- 'nsds7newwinusersyncenabled', 'nsds7newwingroupsyncenabled',
- 'nsds7windowsdomain', 'nsds7dirsynccookie', 'winsyncinterval',
- 'onewaysync', 'winsyncmoveaction', 'nsds5replicaenabled',
- 'winsyncdirectoryfilter', 'winsyncwindowsfilter',
- 'winsyncsubtreepair',
- },
- 'default_privileges': {'Replication Administrators'},
- },
'System: Read DUA Profile': {
'ipapermlocation': DN('ou=profile', api.env.basedn),
'ipapermtargetfilter': {
@@ -729,3 +668,75 @@ class update_managed_permissions(Updater):
raise ValueError(
'Unknown key(s) in managed permission template %s: %s' % (
name, ', '.join(template.keys())))
+
+
+@register()
+class update_read_replication_agreements_permission(Updater):
+ """'Read replication agreements' permission must not be managed permission
+
+ https://fedorahosted.org/freeipa/ticket/5631
+
+ Existing permission "cn=System: Read Replication Agreements" must be moved
+ to non-managed permission "cn=Read Replication Agreements" using modrdn
+ ldap operation to keep current membership of the permission set by user.
+
+ ACI is updated via update files
+ """
+
+ def execute(self, **options):
+ ldap = self.api.Backend.ldap2
+ old_perm_dn = DN(
+ ('cn', 'System: Read Replication Agreements'),
+ self.api.env.container_permission,
+ self.api.env.basedn
+ )
+
+ new_perm_dn = DN(
+ ('cn', 'Read Replication Agreements'),
+ self.api.env.container_permission,
+ self.api.env.basedn
+ )
+
+ try:
+ perm_entry = ldap.get_entry(old_perm_dn)
+ except errors.NotFound:
+ self.log.debug("Old permission not found")
+ return False, ()
+
+ try:
+ ldap.get_entry(new_perm_dn)
+ except errors.NotFound:
+ # we can happily upgrade
+ pass
+ else:
+ self.log.error("Permission '{}' cannot be upgraded. "
+ "Permission with target name '{}' already "
+ "exists".format(old_perm_dn, new_perm_dn))
+ return False, ()
+
+ # values are case insensitive
+ for t in list(perm_entry['ipapermissiontype']):
+ if t.lower() in ['managed', 'v2']:
+ perm_entry['ipapermissiontype'].remove(t)
+
+ for o in list(perm_entry['objectclass']):
+ if o.lower() == 'ipapermissionv2':
+ # remove permission V2 objectclass and related attributes
+ perm_entry['objectclass'].remove(o)
+ perm_entry['ipapermdefaultattr'] = []
+ perm_entry['ipapermright'] = []
+ perm_entry['ipapermbindruletype'] = []
+ perm_entry['ipapermlocation'] = []
+ perm_entry['ipapermtargetfilter'] = []
+
+ self.log.debug("Removing MANAGED attributes from permission %s",
+ old_perm_dn)
+ try:
+ ldap.update_entry(perm_entry)
+ except errors.EmptyModlist:
+ pass
+
+ # do modrdn on permission
+ self.log.debug("modrdn: %s -> %s", old_perm_dn, new_perm_dn)
+ ldap.move_entry(old_perm_dn, new_perm_dn)
+ return False, ()
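Review bot: The duplicate-name branch formats its message eagerly with `str.format` while every other log call in `execute` uses the lazy `%s` style; `self.log.error("Permission '%s' cannot be upgraded. Permission with target name '%s' already exists", old_perm_dn, new_perm_dn)` keeps one style and defers formatting. That branch also leaves the old managed entry in place, with its `ipapermissionv2` objectclass but no longer any template in NONOBJECT_PERMISSIONS, and returns normally, so the upgrade continues without the rename; if that is acceptable the class docstring should say what an administrator has to do afterwards. `execute` itself has no docstring for its `(False, ())` return, which presumably follows the Updater (restart, updates) contract, nor for the fact that the entry is modified in place first and renamed second so a failed modrdn can be retried on the next run. `perm_entry['ipapermissiontype']` would raise KeyError if the attribute were missing; `for t in list(perm_entry.get('ipapermissiontype', [])):` keeps the loop harmless in that case. The docstring's "ACI is updated via update files" could name them (20-aci.update and replica-acis.ldif in this commit) so the two halves of the change stay findable from each other.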