server: exclude Local commands from RPC

Local API commands are not supposed to be executed over RPC but only
locally on the server. They are already excluded from API schema, exclude
them also from RPC and `batch` and `json_metadata` commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>

3 files changed, 23 insertions, 10 deletions

diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py
index aa4ace918..b0c89ec46 100644
--- a/ipaserver/plugins/batch.py
+++ b/ipaserver/plugins/batch.py
@@ -49,6 +49,7 @@ import six
 
 from ipalib import api, errors
 from ipalib import Command
+from ipalib.frontend import Local
 from ipalib.parameters import Str, Dict
 from ipalib.output import Output
 from ipalib.text import _
@@ -98,7 +99,8 @@ class batch(Command):
                 if 'params' not in arg:
                     raise errors.RequirementError(name='params')
                 name = arg['method']
-                if name not in self.Command:
+                if (name not in self.api.Command or
+                        isinstance(self.api.Command[name], Local)):
                     raise errors.CommandError(name=name)
 
                 # If params are not formated as a tuple(list, dict)
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5c1cfb885..5eee7572e 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -24,6 +24,7 @@ Plugins not accessible directly through the CLI, commands used internally
 """
 from ipalib import Command
 from ipalib import Str
+from ipalib.frontend import Local
 from ipalib.output import Output
 from ipalib.text import _
 from ipalib.util import json_serialize
@@ -91,13 +92,15 @@ class json_metadata(Command):
         try:
             if not methodname:
                 methodname = options['method']
-            if methodname in self.api.Method:
+            if (methodname in self.api.Method and
+                    not isinstance(self.api.Method[methodname], Local)):
                 m = self.api.Method[methodname]
                 methods = dict([(m.name, json_serialize(m))])
             elif methodname == "all":
                 methods = dict(
                     (m.name, json_serialize(m)) for m in self.api.Method()
-                    if m is self.api.Method[m.name]
+                    if (m is self.api.Method[m.name] and
+                        not isinstance(m, Local))
                 )
             empty = False
         except KeyError:
@@ -105,13 +108,15 @@ class json_metadata(Command):
 
         try:
             cmdname = options['command']
-            if cmdname in self.api.Command:
+            if (cmdname in self.api.Command and
+                    not isinstance(self.api.Command[cmdname], Local)):
                 c = self.api.Command[cmdname]
                 commands = dict([(c.name, json_serialize(c))])
             elif cmdname == "all":
                 commands = dict(
                     (c.name, json_serialize(c)) for c in self.api.Command()
-                    if c is self.api.Command[c.name]
+                    if (c is self.api.Command[c.name] and
+                        not isinstance(c, Local))
                 )
             empty = False
         except KeyError:
@@ -124,11 +129,13 @@ class json_metadata(Command):
             )
             methods = dict(
                 (m.name, json_serialize(m)) for m in self.api.Method()
-                if m is self.api.Method[m.name]
+                if (m is self.api.Method[m.name] and
+                    not isinstance(m, Local))
             )
             commands = dict(
                 (c.name, json_serialize(c)) for c in self.api.Command()
-                if c is self.api.Command[c.name]
+                if (c is self.api.Command[c.name] and
+                    not isinstance(c, Local))
             )
 
         retval = dict([
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 676149748..d036f3c27 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -40,6 +40,7 @@ from six.moves.urllib.parse import parse_qs
 
 from ipalib import plugable, errors
 from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
+from ipalib.frontend import Local
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
     CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
@@ -344,7 +345,8 @@ class WSGIExecutioner(Executioner):
                 (name, args, options, _id) = self.simple_unmarshal(environ)
             if name in self._system_commands:
                 result = self._system_commands[name](self, *args, **options)
-            elif name not in self.Command:
+            elif (name not in self.api.Command or
+                    isinstance(self.api.Command[name], Local)):
                 raise CommandError(name=name)
             else:
                 result = self.Command[name](*args, **options)
@@ -696,7 +698,8 @@ class xmlserver(KerberosWSGIExecutioner):
             # TODO
             # for now let's not go out of our way to document standard XML-RPC
             return u'undef'
-        elif method_name in self.Command:
+        elif (method_name in self.api.Command and
+                not isinstance(self.api.Command[method_name], Local)):
             # All IPA commands return a dict (struct),
             # and take a params, options - list and dict (array, struct)
             return [[u'struct', u'array', u'struct']]
@@ -708,7 +711,8 @@ class xmlserver(KerberosWSGIExecutioner):
         method_name = self._get_method_name('system.methodHelp', *params)
         if method_name in self._system_commands:
             return u''
-        elif method_name in self.Command:
+        elif (method_name in self.api.Command and
+                not isinstance(self.api.Command[method_name], Local)):
             return unicode(self.Command[method_name].doc or '')
         else:
             raise errors.CommandError(name=method_name)