authorMartin Basti <mbasti@redhat.com>2016-02-19 14:55:34 +0100
committerMartin Basti <mbasti@redhat.com>2016-02-23 17:35:20 +0100
commitc96822f3e5af57f5f1f062a957778c84ad2b520d (patch)
treeb4a7380b82cc90094fc9bdb30da3b4c4d17b7ee2
parent70bd7c880259256840f2d4af181fb3e4ca96fcca (diff)
Warn user if trust is broken
Detect a missing ipaNTSecurityIdentifier and, in the output of the trust-show and trust-find commands, warn the user that the trust is broken.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-rw-r--r--ipalib/messages.py11
-rw-r--r--ipalib/plugins/trust.py41
2 files changed, 52 insertions, 0 deletions
diff --git a/ipalib/messages.py b/ipalib/messages.py
index e43584b10..dbbc34ab1 100644
--- a/ipalib/messages.py
+++ b/ipalib/messages.py
@@ -341,6 +341,17 @@ class SearchResultTruncated(PublicMessage):
format = _("Search result has been truncated to configured search limit.")
+class BrokenTrust(PublicMessage):
+ """
+ **13018** Trust for a specified domain is broken
+ """
+
+ errno = 13018
+ type = "warning"
+ format = _("Your trust to %(domain)s is broken. Please re-create it by "
+ "running 'ipa trust-add' again.")
+
+
def iter_messages(variables, base):
"""Return a tuple with all subclasses
"""
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index f68b94b9a..ba0c98e2f 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -20,6 +20,9 @@
import six
+from ipalib.messages import (
+ add_message,
+ BrokenTrust)
from ipalib.plugable import Registry
from ipalib.plugins.baseldap import (
pkey_to_value,
@@ -586,6 +589,30 @@ class trust(LDAPObject):
return make_trust_dn(self.env, trust_type, DN(*sdn))
+ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options):
+ """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be
+ AD trust domain without generated SID, warn user about it.
+ """
+ ldap = self.api.Backend.ldap2
+
+ try:
+ entries, truncated = ldap.find_entries(
+ base_dn=DN(self.container_dn, self.api.env.basedn),
+ attrs_list=['cn'],
+ filter='(&(ipaNTTrustPartner=*)'
+ '(!(ipaNTSecurityIdentifier=*)))',
+ )
+ except errors.NotFound:
+ pass
+ else:
+ for entry in entries:
+ add_message(
+ options['version'],
+ result,
+ BrokenTrust(domain=entry.single_value['cn'])
+ )
+
+
@register()
class trust_add(LDAPCreate):
__doc__ = _('''
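Review bot: In `warning_if_ad_trust_dom_have_missing_SID` the negated clause `(!(ipaNTSecurityIdentifier=*))` is evaluated through `ldap2`, which appears to run with the caller's own bind, so it may not distinguish a trust that really lacks a SID from one whose SID attribute the caller is not allowed to read; a low-privileged user could then be told to re-create a healthy trust. Whether that happens depends on how the directory applies access controls to filter components, so it is worth confirming with a non-admin account and recording the result in the docstring. The `truncated` value is also discarded, so when the search hits a size limit some broken trusts go unreported with no hint; a comment such as `# truncated is ignored: the warning list may be incomplete` would make that explicit. No search scope is passed either, so any descendant entry under the trust container that carries `ipaNTTrustPartner` without a SID would be reported as a broken trust too.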
@@ -1043,6 +1070,13 @@ class trust_find(LDAPSearch):
filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL)
return (filter, base_dn, ldap.SCOPE_SUBTREE)
+ def execute(self, *args, **options):
+ result = super(trust_find, self).execute(*args, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, entries, truncated, *args, **options):
if options.get('pkey_only', False):
return truncated
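Review bot: The warning added by this `execute` override is not tied to what the command returns: the helper searches the whole trust container, so `trust-find` with search criteria, and `trust-show` for a single domain in the following hunk, will both report every trust without a SID, including ones the user did not ask about. For `trust_show` the requested domain is already in `keys`, so the helper could accept it and restrict its filter to that entry; for `trust_find` the warning could be limited to the domains present in the returned result. If the container-wide warning is intended, state it in a docstring on both overrides, e.g. `"""Run the command, then warn about any AD trust that has no SID."""`. Both overrides also add one more LDAP search to every call, even when `pkey_only` is set.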
@@ -1062,6 +1096,13 @@ class trust_show(LDAPRetrieve):
has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\
(Str('ipanttrusttype'), Str('ipanttrustdirection'))
+ def execute(self, *keys, **options):
+ result = super(trust_show, self).execute(*keys, **options)
+
+ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options)
+
+ return result
+
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)