extract virtual operation access check subroutine

Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation.  Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.

Add the 'check_operation_access' method for explicit virtual
operation access checks.  Refactor 'VirtualCommand.check_access()'
to use it.

Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423

Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/plugins/virtual.py

@@ -59,16 +59,28 @@ class VirtualCommand(Command):
         if operation is None:
             operation = self.operation
 
-        ldap = self.api.Backend.ldap2
         logger.debug("IPA: virtual verify %s", operation)
 
-        operationdn = DN(('cn', operation), self.api.env.container_virtual, self.api.env.basedn)
+        return check_operation_access(self.api, operation)
 
-        try:
-            if not ldap.can_write(operationdn, "objectclass"):
-                raise errors.ACIError(
-                    info=_('not allowed to perform operation: %s') % operation)
-        except errors.NotFound:
-            raise errors.ACIError(info=_('No such virtual command'))
 
-        return True
+def check_operation_access(api, operation):
+    """
+    Check access of bound principal to given operation.
+
+    :return: ``True``
+    :raises: ``ACIError`` on access denied or ``NotFound`` for
+             unknown virtual operation
+
+    """
+    operationdn = DN(
+        ('cn', operation), api.env.container_virtual, api.env.basedn)
+
+    try:
+        if not api.Backend.ldap2.can_write(operationdn, "objectclass"):
+            raise errors.ACIError(
+                info=_('not allowed to perform operation: %s') % operation)
+    except errors.NotFound:
+        raise errors.ACIError(info=_('No such virtual command'))
+
+    return True