authorMartin Babinsky <mbabinsk@redhat.com>2016-06-23 20:06:42 +0200
committerMartin Basti <mbasti@redhat.com>2016-07-01 09:37:25 +0200
commite6ff83e3610d553f6ff98e3adbfbe3c6984b2f17 (patch)
tree4ee2d2755dc707a8e722a5e42978b5cbc25b8f46 /ipalib
parenta28d312796839e3413c98ee37d34ccc892e85357 (diff)
Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...]) were added to manage principal aliases. 'add' commands will check the following: * the correct principal type is supplied as an alias * the principals have the correct realm and the realm/alternative suffix (e.g. e-mail) does not overlap with those of trusted AD domains If the entry does not have a canonical principal name, the first returned principal name will be set as one. This is mostly to smoothly operate on entries created on older servers. 'remove' commands will check that there is at least one principal alias equal to the canonical name left on the entry. See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases https://fedorahosted.org/freeipa/ticket/1365 https://fedorahosted.org/freeipa/ticket/3961 https://fedorahosted.org/freeipa/ticket/5413 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/util.py71
1 files changed, 71 insertions, 0 deletions
diff --git a/ipalib/util.py b/ipalib/util.py
index 67865eb04..d101514ca 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -912,3 +912,74 @@ def set_krbcanonicalname(entry_attrs):
if ('krbprincipalname' in entry_attrs
and 'krbcanonicalname' not in entry_attrs):
entry_attrs['krbcanonicalname'] = entry_attrs['krbprincipalname']
+
+
+def ensure_last_krbprincipalname(ldap, entry_attrs, *keys):
+ """
+ ensure that the LDAP entry has at least one value of krbprincipalname
+ and that this value is equal to krbcanonicalname
+
+ :param ldap: LDAP connection object
+ :param entry_attrs: LDAP entry made prior to update
+ :param options: command options
+ """
+ entry = ldap.get_entry(
+ entry_attrs.dn, ['krbcanonicalname', 'krbprincipalname'])
+
+ krbcanonicalname = entry.single_value.get('krbcanonicalname', None)
+
+ if krbcanonicalname in keys[-1]:
+ raise errors.ValidationError(
+ name='krbprincipalname',
+ error=_('at least one value equal to the canonical '
+ 'principal name must be present')
+ )
+
+
+def ensure_krbcanonicalname_set(ldap, entry_attrs):
+ old_entry = ldap.get_entry(
+ entry_attrs.dn,
+ ['krbcanonicalname', 'krbprincipalname', 'objectclass'])
+
+ if old_entry.single_value.get('krbcanonicalname', None) is not None:
+ return
+
+ set_krbcanonicalname(old_entry)
+
+ old_entry.pop('krbprincipalname', None)
+ old_entry.pop('objectclass', None)
+
+ entry_attrs.update(old_entry)
+
+
+def check_principal_realm_in_trust_namespace(api_instance, *keys):
+ """
+ Check that principal name's suffix does not overlap with UPNs and realm
+ names of trusted forests.
+
+ :param api_instance: API instance
+ :param suffixes: principal suffixes
+
+ :raises: ValidationError if the suffix coincides with realm name, UPN
+ suffix or netbios name of trusted domains
+ """
+ trust_objects = api_instance.Command.trust_find(u'', sizelimit=0)['result']
+
+ trust_suffix_namespace = set()
+
+ for obj in trust_objects:
+ trust_suffix_namespace.update(
+ set(upn.lower() for upn in obj['ipantadditionalsuffixes']))
+
+ trust_suffix_namespace.update(
+ set((obj['cn'][0].lower(), obj['ipantflatname'][0].lower())))
+
+ for principal in keys[-1]:
+ realm = principal.realm
+ upn = principal.upn_suffix if principal.is_enterprise else None
+
+ if realm in trust_suffix_namespace or upn in trust_suffix_namespace:
+ raise errors.ValidationError(
+ name='krbprincipalname',
+ error=_('realm or UPN suffix overlaps with trusted domain '
+ 'namespace'))
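Review bot: In check_principal_realm_in_trust_namespace the trust namespace is built lowercased but `principal.realm` and `principal.upn_suffix` are compared as-is, so a realm in its conventional upper case (or a mixed-case UPN suffix) never matches and the check meant to keep aliases out of a trusted domain's namespace is silently bypassed; compare `realm = principal.realm.lower()` and `upn = principal.upn_suffix.lower() if principal.is_enterprise else None`. The same loop indexes `obj['ipantadditionalsuffixes']` directly, which raises KeyError for a trust entry that lacks the attribute (it looks optional, confirm against the trust schema); `obj.get('ipantadditionalsuffixes', [])` avoids turning that into an internal error. In ensure_last_krbprincipalname, an entry without krbcanonicalname makes the membership test `None in keys[-1]` false and the removal proceeds unchecked, so the krbprincipalname values that are fetched but never read should be used to confirm at least one value survives, and the docstrings' `:param options:` here and `:param suffixes:` in check_principal_realm_in_trust_namespace should read `:param keys: positional command arguments; keys[-1] is the list of principals`. ensure_krbcanonicalname_set has no docstring; a one-liner such as `"""Copy krbcanonicalname into entry_attrs when the stored entry lacks one, deriving it from krbprincipalname via set_krbcanonicalname."""` would do.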