authorMartin Babinsky <mbabinsk@redhat.com>2016-06-23 18:54:49 +0200
committerMartin Basti <mbasti@redhat.com>2016-07-01 09:37:25 +0200
commitc2af032c0333f7e210c54369159d1d9f5e3fec74 (patch)
tree5aae121cbe6be08755e8b4c6484a316b99eb997e /ipaserver/plugins/baseuser.py
parent974eb7b5efd20ad2195b0ad578637ab31f4c1df4 (diff)
Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on Kerberos principals. Additional semantic validators and normalizers were added to determine or append a correct realm so that the previous behavior is kept intact. https://fedorahosted.org/freeipa/ticket/3864 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/plugins/baseuser.py')
-rw-r--r--ipaserver/plugins/baseuser.py57
1 files changed, 16 insertions, 41 deletions
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 9c4af66f9..cbb04aaad 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -23,13 +23,16 @@ import six
from ipalib import api, errors
from ipalib import Flag, Int, Password, Str, Bool, StrEnum, DateTime, Bytes
+from ipalib.parameters import Principal
from ipalib.plugable import Registry
from .baseldap import (
DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
LDAPRetrieve, LDAPAddMember, LDAPRemoveMember)
-from .service import validate_certificate
+from ipaserver.plugins.service import (
+ validate_certificate, validate_realm, normalize_principal)
from ipalib.request import context
from ipalib import _
+from ipapython import kerberos
from ipapython.ipautil import ipa_generate_password
from ipapython.ipavalidate import Email
from ipalib.util import (
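Review bot: The new import at the `+from ipaserver.plugins.service import (` line uses an absolute module path while the line it replaces, and the neighbouring `.baseldap` import, use the package-relative form, so the file now mixes both styles for sibling plugins. Keeping the relative form, `from .service import (` followed by `    validate_certificate, validate_realm, normalize_principal)`, would match the surrounding imports. If the absolute form was chosen deliberately (for example to avoid an import cycle), a one-line comment saying so would stop the next reader from "fixing" it.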
@@ -93,45 +96,14 @@ def convert_nsaccountlock(entry_attrs):
nsaccountlock = Bool('temp')
entry_attrs['nsaccountlock'] = nsaccountlock.convert(entry_attrs['nsaccountlock'][0])
-def split_principal(principal):
- """
- Split the principal into its components and do some basic validation.
-
- Automatically append our realm if it wasn't provided.
- """
- realm = None
- parts = principal.split('@')
- user = parts[0].lower()
- if len(parts) > 2:
- raise errors.MalformedUserPrincipal(principal=principal)
-
- if len(parts) == 2:
- realm = parts[1].upper()
- # At some point we'll support multiple realms
- if realm != api.env.realm:
- raise errors.RealmMismatch()
- else:
- realm = api.env.realm
-
- return (user, realm)
-def validate_principal(ugettext, principal):
- """
- All the real work is done in split_principal.
- """
- (user, realm) = split_principal(principal)
- return None
-
-def normalize_principal(principal):
- """
- Ensure that the name in the principal is lower-case. The realm is
- upper-case by convention but it isn't required.
-
- The principal is validated at this point.
- """
- (user, realm) = split_principal(principal)
- return unicode('%s@%s' % (user, realm))
+def normalize_user_principal(value):
+ principal = kerberos.Principal(normalize_principal(value))
+ lowercase_components = ((principal.username.lower(),) +
+ principal.components[1:])
+ return unicode(
+ kerberos.Principal(lowercase_components, realm=principal.realm))
def fix_addressbook_permission_bindrule(name, template, is_new,
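Review bot: `normalize_user_principal` has no docstring, and it does not obviously preserve everything the removed `normalize_principal` did: the old code lowercased the whole name part before `@` (`parts[0].lower()`) and upper-cased and realm-checked the realm itself, whereas the new function lowercases only `principal.username`, leaves `principal.components[1:]` untouched and performs no realm check of its own. The realm handling is presumably delegated to the imported `normalize_principal` and to the `validate_realm` rule attached to the parameter elsewhere in this commit, but that cannot be confirmed from this hunk. A docstring should state that the function lowercases only the first component of the principal, that the realm is passed through as returned by `normalize_principal`, and that realm enforcement is expected to happen in the parameter's validation rules rather than here, so the two halves of the contract are visible together. The module-level code continues outside the hunk on both sides.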
@@ -239,13 +211,16 @@ class baseuser(LDAPObject):
cli_name='shell',
label=_('Login shell'),
),
- Str('krbprincipalname?', validate_principal,
+ Principal(
+ 'krbprincipalname?',
+ validate_realm,
cli_name='principal',
label=_('Kerberos principal'),
- default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
+ default_from=lambda uid: kerberos.Principal.from_text(
+ uid.lower(), realm=api.env.realm),
autofill=True,
flags=['no_update'],
- normalizer=lambda value: normalize_principal(value),
+ normalizer=normalize_user_principal,
),
DateTime('krbprincipalexpiration?',
cli_name='principal_expiration',
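Review bot: The new `default_from` lambda returns a `kerberos.Principal` object where the removed one returned a string, while `normalizer=normalize_user_principal` is written for text input (it calls `normalize_principal(value)` and returns `unicode(...)`). Whether the `Principal` parameter runs the normalizer on a value produced by `default_from`, or converts the object to text first, is not visible here; if it does pass the object straight through, the normalizer may receive a non-string and fail or skip its lowercasing for autofilled values, so this is worth confirming against the parameter class. If the object form is intentional, a short comment next to the lambda, `# default_from yields a kerberos.Principal; the parameter converts it before normalizing`, would make the expectation explicit. The `validate_realm` rule is now the only place a foreign realm is rejected for this parameter, which replaces the RealmMismatch check the removed split_principal performed; that is fine as long as validate_realm does reject it, which should be verified rather than assumed. The enclosing `baseuser` class continues outside the hunk.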