authorSumit Bose <sbose@redhat.com>2012-08-08 13:45:55 +0200
committerRob Crittenden <rcritten@redhat.com>2012-08-15 23:41:17 -0400
commit59df038f87764d96a78dcab8546aaabccfb4c994 (patch)
tree7541040844e193b7f72ce68195043e1446af8d14
parentd815c3bc990e17c5bc388bc9f5f7e12e474819f9 (diff)
trust CLI: add ID range for new trusted domain
-rw-r--r--API.txt4
-rw-r--r--ipalib/plugins/range.py1
-rw-r--r--ipalib/plugins/trust.py63
3 files changed, 66 insertions, 2 deletions
diff --git a/API.txt b/API.txt
index d32d6393b..aef12b7eb 100644
--- a/API.txt
+++ b/API.txt
@@ -3200,7 +3200,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
output: Output('value', <type 'unicode'>, None)
command: trust_add
-args: 1,10,3
+args: 1,12,3
arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
option: Str('setattr*', cli_name='setattr', exclude='webui')
option: Str('addattr*', cli_name='addattr', exclude='webui')
@@ -3209,6 +3209,8 @@ option: Str('realm_admin?', cli_name='admin')
option: Password('realm_passwd?', cli_name='password', confirm=False)
option: Str('realm_server?', cli_name='server')
option: Password('trust_secret?', cli_name='trust_secret', confirm=False)
+option: Int('base_id?', cli_name='base_id')
+option: Int('range_size?', autofill=True, cli_name='range_size', default=200000)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')
diff --git a/ipalib/plugins/range.py b/ipalib/plugins/range.py
index c1d918679..95b00b39b 100644
--- a/ipalib/plugins/range.py
+++ b/ipalib/plugins/range.py
@@ -24,6 +24,7 @@ from ipalib import Command
from ipalib import errors
from ipapython import ipautil
from ipalib import util
+from ipapython.dn import DN
__doc__ = _("""
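Review bot: The added `from ipapython.dn import DN` is the only change to range.py in this commit (the diffstat lists one insertion for the file), so nothing introduced here uses it. Either it is covering a pre-existing unqualified reference to `DN` elsewhere in the module, in which case the commit message should say so, or it belongs with the later change that needs it and should be dropped from this one.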
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index a70293bff..1064a0678 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -24,6 +24,12 @@ from ipalib import Command
from ipalib import errors
from ipapython import ipautil
from ipalib import util
+try:
+ import pysss_murmur
+ _murmur_installed = True
+except Exception, e:
+ _murmur_installed = False
+
if api.env.in_server and api.env.context in ['lite', 'server']:
try:
import ipaserver.dcerpc
@@ -142,9 +148,18 @@ class trust_add(LDAPCreate):
label=_('Shared secret for the trust'),
confirm=False,
),
+ Int('base_id?',
+ cli_name='base_id',
+ label=_('First Posix ID of the range reserved for the trusted domain'),
+ ),
+ Int('range_size?',
+ cli_name='range_size',
+ label=_('Size of the ID range reserved for the trusted domain'),
+ default=200000,
+ autofill=True
+ ),
)
-
msg_summary = _('Added Active Directory trust for realm "%(value)s"')
def execute(self, *keys, **options):
@@ -155,8 +170,54 @@ class trust_add(LDAPCreate):
raise errors.ValidationError(name=_('trust type'), error=_('only "ad" is supported'))
else:
raise errors.RequirementError(name=_('trust type'))
+
+ self.add_range(*keys, **options)
+
return result
+ def add_range(self, *keys, **options):
+ new_obj = api.Command['trust_show'](keys[-1])
+ dom_sid = new_obj['result']['ipanttrusteddomainsid'][0];
+
+ range_name = keys[-1].upper()+'_id_range'
+
+ try:
+ old_range = api.Command['range_show'](range_name)
+ except errors.NotFound, e:
+ old_range = None
+
+ if old_range:
+ old_dom_sid = old_range['result']['ipanttrusteddomainsid'][0];
+
+ if old_dom_sid == dom_sid:
+ return
+
+ raise errors.ValidationError(name=_('range exists'),
+ error=_('ID range with the same name but different ' \
+ 'domain SID already exists. The ID range for ' \
+ 'the new trusted domain must be created manually.'))
+
+ if 'base_id' in options:
+ base_id = options['base_id']
+ else:
+ if not _murmur_installed:
+ raise errors.ValidationError(name=_('missing base_id'),
+ error=_('pysss_murmur is not available on the server ' \
+ 'and no base_id is given, ' \
+ 'ID range must be create manually'))
+
+ base_id = 200000 + (pysss_murmur.murmurhash3(dom_sid, len(dom_sid), 0xdeadbeef) % 10000) * 200000
+
+ try:
+ new_range = api.Command['range_add'](range_name,
+ ipabaseid=base_id,
+ ipaidrangesize=options['range_size'],
+ ipabaserid=0,
+ ipanttrusteddomainsid=dom_sid)
+ except Exception, e:
+ raise errors.ValidationError(name=_('ID range exists'),
+ error = _('ID range already exists, must be added manually'))
+
def execute_ad(self, *keys, **options):
# Join domain using full credentials and with random trustdom
# secret (will be generated by the join method)
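Review bot: The `except Exception, e:` around the `range_add` call in add_range turns every failure — an LDAP or ACI error, a connection problem, or a range that range_add itself rejects — into "ID range already exists", and the real cause bound to `e` is discarded, which makes the resulting support case very hard to diagnose. Narrow it to the case the message describes and let everything else propagate: `except errors.DuplicateEntry:` followed by the existing `raise errors.ValidationError(...)`, and drop the unused `new_range =` binding. The same overly broad `except Exception, e:` guards `import pysss_murmur` at the top of the file, where `except ImportError:` is the condition the fallback actually handles. add_range also has no docstring; a short one should state that it creates the `<REALM>_id_range` entry for the trusted domain's SID, that the base comes from `base_id` or, when pysss_murmur is present, is derived from a murmur hash of the SID, and that an existing range of that name with a different SID is rejected. The stray `;` after the two `[0]` subscripts should go as well.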