authorMartin Babinsky <mbabinsk@redhat.com>2016-05-30 18:42:01 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-13 17:50:54 +0200
commit5f7086e7183f0fcfece2bdd5be3d1ea17384717b (patch)
tree27dab7bd3dae33d40c160f208db09d3d3ad54c6b
parentb9aa31191b3067aced1432daa06d18b4382cd77f (diff)
Server Roles: make *config-show consume relevant roles/attributes
This patch modifies config objects so that the roles/attributes relevant to the configuration are shown in the output: * config-{show,mod} will show list of all IPA masters, CA servers and CA renewal master * dnsconfig-{show,mod} will list all DNS servers and DNS key master * trustconfig-{show,mod} will list all AD trust controllers and agents * vaultconfig-show will list all Key Recovery Agents http://www.freeipa.org/page/V4/Server_Roles https://fedorahosted.org/freeipa/ticket/5181 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
-rw-r--r--ipaserver/install/bindinstance.py8
-rw-r--r--ipaserver/plugins/config.py35
-rw-r--r--ipaserver/plugins/dns.py34
-rw-r--r--ipaserver/plugins/trust.py31
-rw-r--r--ipaserver/plugins/vault.py15
5 files changed, 117 insertions, 6 deletions
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index afcb6b0c1..78e753592 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1230,8 +1230,12 @@ class BindInstance(service.Service):
set and thus overrides his configured options in named.conf.
"""
result = self.api.Command.dnsconfig_show()
- global_conf_set = any(param in result['result'] for \
- param in self.api.Object['dnsconfig'].params)
+
+ global_conf_set = any(
+ param.name in result['result'] for param in
+ self.api.Object['dnsconfig'].params() if
+ u'virtual_attribute' not in param.flags
+ )
if not global_conf_set:
print("Global DNS configuration in LDAP server is empty")
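Review bot: The emptiness test built here (`param.name in result['result']` over `params()`, skipping anything flagged `virtual_attribute`) is the same predicate this commit writes a second time in `dnsconfig.postprocess_result` in ipaserver/plugins/dns.py, so the two copies can drift the next time a flag or parameter kind is added. Consider a single helper on the `dnsconfig` object that both call, or at least a comment on each copy such as `# keep in sync with dnsconfig.postprocess_result: virtual attributes are computed, not stored in LDAP`. The enclosing method starts before and continues after this hunk.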
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 46a40ddf7..95d1d6409 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -227,11 +227,40 @@ class config(LDAPObject):
doc=_('Default types of supported user authentication'),
values=(u'password', u'radius', u'otp', u'disabled'),
),
+ Str(
+ 'ipa_master_server*',
+ label=_('IPA masters'),
+ doc=_('List of all IPA masters'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ ),
+ Str(
+ 'ca_server_server*',
+ label=_('IPA CA servers'),
+ doc=_('IPA servers configured as certificate authority'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ ),
+ Str(
+ 'ca_renewal_master_server?',
+ label=_('IPA CA renewal master'),
+ doc=_('Renewal master for IPA certificate authority'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ )
)
def get_dn(self, *keys, **kwargs):
return DN(('cn', 'ipaconfig'), ('cn', 'etc'), api.env.basedn)
+ def show_servroles_attributes(self, entry_attrs, **options):
+ if options.get('raw', False):
+ return
+
+ backend = self.api.Backend.serverroles
+
+ ca_config = backend.config_retrieve("CA server")
+ master_config = backend.config_retrieve("IPA master")
+
+ entry_attrs.update(ca_config)
+ entry_attrs.update(master_config)
@register()
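Review bot: `show_servroles_attributes` has no docstring and merges whatever `config_retrieve` returns straight into `entry_attrs` with `update()`, so a returned key that happens to match a stored LDAP attribute would silently replace it. A short docstring should say that it adds the computed `ipa_master_server`, `ca_server_server` and `ca_renewal_master_server` values unless `raw` is set, and that it mutates `entry_attrs` in place. The serverroles backend is not visible in this hunk; it is worth confirming that its lookups run under the caller's own LDAP bind, since `config-show` now reports which hosts hold the CA and renewal-master roles.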
@@ -350,9 +379,15 @@ class config_mod(LDAPUpdate):
return dn
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.show_servroles_attributes(entry_attrs, **options)
+ return dn
@register()
class config_show(LDAPRetrieve):
__doc__ = _('Show the current configuration.')
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.show_servroles_attributes(entry_attrs, **options)
+ return dn
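Review bot: In `config_mod.post_callback` the server-role lookup runs after the update, so if `config_retrieve` raises there the caller would presumably get an error for a change that has already been written (inferred from the callback name; the update itself is outside the hunk). The same call is added to `dnsconfig_mod` and `trustconfig_mod` later in this commit. Either state the expectation next to the call, e.g. `# display-only: must not raise after the entry has been modified`, or handle the backend's failure there and leave the role attributes out of the output.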
diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
index 9cca07c6d..db1790793 100644
--- a/ipaserver/plugins/dns.py
+++ b/ipaserver/plugins/dns.py
@@ -4064,6 +4064,18 @@ class dnsconfig(LDAPObject):
Int('ipadnsversion?', # available only in installer/upgrade
label=_('IPA DNS version'),
),
+ Str(
+ 'dns_server_server*',
+ label=_('IPA DNS servers'),
+ doc=_('List of IPA masters configured as DNS servers'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ ),
+ Str(
+ 'dnssec_key_master_server?',
+ label=_('IPA DNSSec key master'),
+ doc=_('IPA server configured as DNSSec key master'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ )
)
managed_permissions = {
'System: Write DNS Configuration': {
@@ -4107,9 +4119,22 @@ class dnsconfig(LDAPObject):
return entry
def postprocess_result(self, result):
- if not any(param in result['result'] for param in self.params):
+ is_config_empty = not any(
+ param.name in result['result'] for param in self.params() if
+ u'virtual_attribute' not in param.flags
+ )
+ if is_config_empty:
result['summary'] = unicode(_('Global DNS configuration is empty'))
+ def show_servroles_attributes(self, entry_attrs, **options):
+ if options.get('raw', False):
+ return
+
+ backend = self.api.Backend.serverroles
+ entry_attrs.update(
+ backend.config_retrieve("DNS server")
+ )
+
@register()
class dnsconfig_mod(LDAPUpdate):
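Review bot: `dnsconfig` declares `dnssec_key_master_server`, but `show_servroles_attributes` only asks the backend for `"DNS server"`, so a reader cannot tell from this hunk where the key-master value comes from. If `config_retrieve` returns a role's associated attributes together with its server list (the `config` plugin appears to rely on the same thing for `ca_renewal_master_server`), say so with a comment such as `# config_retrieve("DNS server") also supplies dnssec_key_master_server`. If it does not, the key master is never populated and needs its own lookup.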
@@ -4163,6 +4188,9 @@ class dnsconfig_mod(LDAPUpdate):
return result
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.show_servroles_attributes(entry_attrs, **options)
+ return dn
@register()
@@ -4174,6 +4202,10 @@ class dnsconfig_show(LDAPRetrieve):
self.obj.postprocess_result(result)
return result
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ self.obj.show_servroles_attributes(entry_attrs, **options)
+ return dn
+
@register()
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index f9b48f3a3..02d2e0e81 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1179,6 +1179,18 @@ class trustconfig(LDAPObject):
cli_name='fallback_primary_group',
label=_('Fallback primary group'),
),
+ Str(
+ 'ad_trust_agent_server*',
+ label=_('IPA AD trust agents'),
+ doc=_('IPA servers configured as AD trust agents'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ ),
+ Str(
+ 'ad_trust_controller_server*',
+ label=_('IPA AD trust controllers'),
+ doc=_('IPA servers configured as AD trust controllers'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ ),
)
def get_dn(self, *keys, **kwargs):
@@ -1249,6 +1261,22 @@ class trustconfig(LDAPObject):
entry_attrs['ipantfallbackprimarygroup'] = [groupdn[0][0].value]
+ def show_servroles(self, entry_attrs, **options):
+ if options.get('raw', False):
+ return
+
+ backend = self.api.Backend.serverroles
+
+ adtrust_agents = backend.config_retrieve(
+ "AD trust agent"
+ )
+ adtrust_controllers = backend.config_retrieve(
+ "AD trust controller"
+ )
+
+ entry_attrs.update(adtrust_agents)
+ entry_attrs.update(adtrust_controllers)
+
@register()
class trustconfig_mod(LDAPUpdate):
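Review bot: `show_servroles` does the same job as `show_servroles_attributes` in the `config` and `dnsconfig` plugins of this commit but under a different name, which makes the three harder to find and to change together. Rename it to `show_servroles_attributes` (and update the two `post_callback` call sites in this file) or settle on the shorter name everywhere. It would also benefit from a one-line docstring noting that it adds `ad_trust_agent_server` and `ad_trust_controller_server` to `entry_attrs` unless `raw` is set.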
@@ -1268,6 +1296,7 @@ class trustconfig_mod(LDAPUpdate):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
self.obj._convert_groupdn(entry_attrs, options)
+ self.obj.show_servroles(entry_attrs, **options)
return dn
@@ -1285,6 +1314,8 @@ class trustconfig_show(LDAPRetrieve):
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
self.obj._convert_groupdn(entry_attrs, options)
+ self.obj.show_servroles(entry_attrs, **options)
+
return dn
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 05db63cdc..380e4d478 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -959,6 +959,12 @@ class vaultconfig(Object):
'transport_cert',
label=_('Transport Certificate'),
),
+ Str(
+ 'kra_server_server*',
+ label=_('IPA KRA servers'),
+ doc=_('IPA servers configured as key recovery agents'),
+ flags={'virtual_attribute', 'no_create', 'no_update'}
+ )
)
@@ -981,10 +987,13 @@ class vaultconfig_show(Retrieve):
kra_client = self.api.Backend.kra.get_client()
transport_cert = kra_client.system_certs.get_transport_cert()
+ config = {'transport_cert': transport_cert.binary}
+ config.update(
+ self.api.Backend.serverroles.config_retrieve("KRA server")
+ )
+
return {
- 'result': {
- 'transport_cert': transport_cert.binary
- },
+ 'result': config,
'value': None,
}
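Review bot: `vaultconfig_show` merges the server-role data unconditionally, whereas every other show command touched by this commit skips it when `raw` is set, so raw output here would mix computed values with the stored configuration. If this command accepts `raw` (its option list and the method signature are outside the hunk), guard the merge the same way: `if not options.get('raw', False):` before `config.update(...)`. A comment that `kra_server_server` is a computed attribute would also help, since `config.update()` would overwrite `transport_cert` if the backend ever returned that key.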