From b95f4330c9433683f61c46f9605fd1d24bb8b998 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 14 Jan 2015 15:57:45 +0100
Subject: Changing the token owner changes also the manager
This works if the change is made to a token which is owned and managed by the same person. The new owner then automatically becomes token's manager unless the attribute 'managedBy' is explicitly set otherwise.
https://fedorahosted.org/freeipa/ticket/4681
Reviewed-By: Nathaniel McCallum
---
ipalib/plugins/otptoken.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
(limited to 'ipalib')
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index 41a7f1087..b87145df8 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -395,6 +395,19 @@ class otptoken_mod(LDAPUpdate):
 error='is after the validity end')
 _normalize_owner(self.api.Object.user, entry_attrs)
+ # ticket #4681: if the owner of the token is changed and the
+ # user also manages this token, then we should automatically
+ # set the 'managedby' attribute to the new owner
+ if 'ipatokenowner' in entry_attrs and 'managedby' not in entry_attrs:
+ new_owner = entry_attrs.get('ipatokenowner', None)
+ prev_entry = ldap.get_entry(dn, attrs_list=['ipatokenowner',
+ 'managedby'])
+ prev_owner = prev_entry.get('ipatokenowner', None)
+ prev_managedby = prev_entry.get('managedby', None)
+
+ if (new_owner != prev_owner) and (prev_owner == prev_managedby):
+ entry_attrs.setdefault('managedby', new_owner)
+
 attrs_list.append("objectclass")
 return dn
-- cgit
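Review bot: The test `(prev_owner == prev_managedby)` is also true when the stored entry has neither attribute, because both `.get(..., None)` calls then return `None`; assigning a first owner to an unowned, unmanaged token would therefore also make that user its manager, a case the commit message does not describe. Because this silently widens who manages the token, I would require a real previous owner: `if prev_owner is not None and new_owner != prev_owner and prev_owner == prev_managedby:`. The inner `setdefault` is redundant given the outer `'managedby' not in entry_attrs` test, so a plain assignment would read more clearly. Whether such entries occur in practice, and whether the compared values are lists (in which case a token with several managers never matches), cannot be told from this hunk; the enclosing method starts above it.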