Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x

When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>

1 files changed, 14 insertions, 0 deletions

diff --git a/ipaserver/install/plugins/update_managed_permissions.py b/ipaserver/install/plugins/update_managed_permissions.py
index 175a5bf47..72c1b131f 100644
--- a/ipaserver/install/plugins/update_managed_permissions.py
+++ b/ipaserver/install/plugins/update_managed_permissions.py
@@ -64,6 +64,14 @@ The template dictionary can have the following keys:
 * non_object
   - If true, no object-specific defaults are used (e.g. for
     ipapermtargetfilter, ipapermlocation).
+* fixup_function
+  - A callable that may modify the template in-place before it is applied.
+  - Called with the permission name, template dict, and keyword arguments:
+    - is_new: true if the permission was previously existing
+    - anonymous_read_aci: the legacy 'Enable Anonymous access' ACI as
+      an ipalib.aci.ACI object, or None if it does not exist
+    Extra keyword arguments must be ignored, since this list may grow
+    in the future.
 
 No other keys are allowed in the template
 """
@@ -313,6 +321,12 @@ class update_managed_permissions(PostUpdate):
 
         template = dict(template)
 
+        fixup_function = template.pop('fixup_function', None)
+        if fixup_function:
+            fixup_function(name, template,
+                           is_new=is_new,
+                           anonymous_read_aci=anonymous_read_aci)
+
         if template.pop('non_object', False):
             obj = None