From a8d7ce5cf1ccd6c8a81fa5b4569afa3aa3c2882d Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Tue, 1 Dec 2015 10:42:38 +0100
Subject: aci: add IPA servers host group 'ipaservers'

https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti
Reviewed-By: Simo Sorce
---
 ipalib/plugins/host.py | 6 ++++++
 ipalib/plugins/hostgroup.py | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
(limited to 'ipalib/plugins')

diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index fa867f370..842dff042 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -395,6 +395,12 @@ class host(LDAPObject):
         },
         'System: Manage Host Keytab': {
             'ipapermright': {'write'},
+            'ipapermtargetfilter': [
+                '(objectclass=ipahost)',
+                '(!(memberOf=%s))' % DN('cn=ipaservers',
+                                        api.env.container_hostgroup,
+                                        api.env.basedn),
+            ],
             'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
             'replaces': [
                 '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py
index 596290fcd..f3e0d7250 100644
--- a/ipalib/plugins/hostgroup.py
+++ b/ipalib/plugins/hostgroup.py
@@ -72,6 +72,8 @@ def get_complete_hostgroup_member_list(hostgroup):
 
 register = Registry()
 
+PROTECTED_HOSTGROUPS = (u'ipaservers',)
+
 @register()
 class hostgroup(LDAPObject):
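Review bot: The exemption added to 'System: Manage Host Keytab' keys on the host entry's `memberOf` attribute, so a host is protected only once the memberOf plugin has written `memberOf: cn=ipaservers,...` onto it; for deployments where the group is introduced after hosts already exist this presumably depends on the memberOf fixup task having run, which is worth confirming and stating. The group name is also spelled out three times in this commit — here, in the `(!(cn=ipaservers))` filter of 'System: Modify Hostgroup Membership' in hostgroup.py, and in `PROTECTED_HOSTGROUPS` — so adding a second group to that tuple would not extend either ACI. A comment above the filter should say so, e.g. `# Keep in sync with PROTECTED_HOSTGROUPS and the hostgroup membership ACI in hostgroup.py: hosts in the 'ipaservers' group are excluded so this permission cannot rewrite an IPA server's keytab.` The permission dict this entry belongs to starts and ends outside the hunk.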
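Review bot: `PROTECTED_HOSTGROUPS` is introduced with no explanation of what protection it confers, and its tuple form invites adding entries that the literal ACI filters in the same commit would not honour. Suggest a comment above it: `# Host groups that hostgroup-del refuses to delete and hostgroup-remove-member refuses to empty. The ACI filters in this module and in host.py name 'ipaservers' literally, so adding a group here does not extend them.`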
@@ -121,6 +123,10 @@ class hostgroup(LDAPObject):
         },
         'System: Modify Hostgroup Membership': {
             'ipapermright': {'write'},
+            'ipapermtargetfilter': [
+                '(objectclass=ipahostgroup)',
+                '(!(cn=ipaservers))',
+            ],
             'ipapermdefaultattr': {'member'},
             'replaces': [
                 '(targetattr = "member")(target = "ldap:///cn=*,cn=hostgroups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Modify Hostgroup membership";allow (write) groupdn = "ldap:///cn=Modify Hostgroup membership,cn=permissions,cn=pbac,$SUFFIX";)',
@@ -229,6 +235,14 @@ class hostgroup_del(LDAPDelete):
 
     msg_summary = _('Deleted hostgroup "%(value)s"')
 
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if keys[0] in PROTECTED_HOSTGROUPS:
+            raise errors.ProtectedEntryError(label=_(u'hostgroup'),
+                                             key=keys[0],
+                                             reason=_(u'privileged hostgroup'))
+
+        return dn
+
 
 @register()
 class hostgroup_mod(LDAPUpdate):
@@ -283,6 +297,18 @@ class hostgroup_add_member(LDAPAddMember):
 class hostgroup_remove_member(LDAPRemoveMember):
     __doc__ = _('Remove members from a hostgroup.')
 
+    def pre_callback(self, ldap, dn, found, not_found, *keys, **options):
+        if keys[0] in PROTECTED_HOSTGROUPS and 'host' in options:
+            result = api.Command.hostgroup_show(keys[0])
+            hosts_left = set(result['result'].get('member_host', []))
+            hosts_deleted = set(options['host'])
+            if hosts_left.issubset(hosts_deleted):
+                raise errors.LastMemberError(key=sorted(hosts_deleted)[0],
+                                             label=_(u'hostgroup'),
+                                             container=keys[0])
+
+        return dn
+
     def post_callback(self, ldap, completed, failed, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
         self.obj.suppress_netgroup_memberof(ldap, dn, entry_attrs)
-- 
cgit
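Review bot: `keys[0] in PROTECTED_HOSTGROUPS` in the new `hostgroup_del.pre_callback` is an exact, case-sensitive string comparison, while the LDAP lookup that resolves the entry and the `(!(cn=ipaservers))` ACI filter match `cn` case-insensitively; unless the `cn` primary key is lowercased by a normalizer before `pre_callback` runs (not visible in this hunk), a differently-cased name would reach the delete without hitting this check. Comparing a normalized form, `if keys[0].lower() in PROTECTED_HOSTGROUPS:`, removes the dependency on that ordering, and the same applies to the `pre_callback` added to `hostgroup_remove_member` below. A docstring is also missing; `"""Refuse to delete a protected hostgroup such as 'ipaservers'."""` would do. Class `hostgroup_del` begins outside the hunk.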
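Review bot: The last-member check in `hostgroup_remove_member.pre_callback` compares the `member_host` values returned by `hostgroup_show` with the raw `options['host']` values, so a caller that names the same hosts in a form that differs from what is stored (e.g. case) makes `issubset` false and the group can still be emptied; this holds only if those values are not normalized before `pre_callback` is reached, which the hunk cannot show. It is also a read followed by a separate write, so two concurrent removals that each leave one member can both pass the check and together empty the group. A minimal hardening is to normalize both sides before comparing, `hosts_left = {h.lower() for h in result['result'].get('member_host', [])}` and `hosts_deleted = {h.lower() for h in options['host'] or []}`, where the `or []` also guards a `None` value that `set()` would reject with TypeError. Class `hostgroup_remove_member` continues past the hunk.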