Disallow setattr on no_update/no_create params

Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580

ipalib/parameters.py

@@ -330,6 +330,9 @@ class Param(ReadOnly):
               commands
             * no_update: do not include the parameter for crud.update based
               commands
+            * no_option: this attribute is not displayed in the CLI, usually
+              because there's a better way of setting it (for example, a
+              separate command)
             * virtual_attribute: the parameter is not stored physically in the
               LDAP and thus attribute `attribute` is not enabled
             * suppress_empty (Output parameters only): do not display parameter

ipalib/plugable.py

@@ -646,7 +646,7 @@ class API(DictProxy):
                 if self.env.startup_traceback:
                     import traceback
                     self.log.error('could not load plugin module %r\n%s', pyfile, traceback.format_exc())
-                raise e
+                raise
 
     def finalize(self):
         """

ipalib/plugins/baseldap.py

@@ -320,7 +320,7 @@ def validate_externalhost(ugettext, hostname):
 
 external_host_param = Str('externalhost*', validate_externalhost,
         label=_('External host'),
-        flags=['no_create', 'no_update', 'no_search'],
+        flags=['no_option'],
 )
 
 
@@ -819,6 +819,11 @@ last, after all sets and adds."""),
             m = re.match("\s*(.*?)\s*=\s*(.*?)\s*$", a)
             attr = str(m.group(1)).lower()
             value = m.group(2)
+            if attr in self.obj.params and attr not in self.params:
+                # The attribute is managed by IPA, but it didn't get cloned
+                # to the command. This happens with no_update/no_create attrs.
+                raise errors.ValidationError(
+                    name=attr, error=_('attribute is not configurable'))
             if len(value) == 0:
                 # None means "delete this attribute"
                 value = None
@@ -919,17 +924,10 @@ last, after all sets and adds."""),
         # normalize all values
         changedattrs = setattrs | addattrs | delattrs
         for attr in changedattrs:
-            if attr in self.obj.params:
+            if attr in self.params and self.params[attr].attribute:
                 # convert single-value params to scalars
+                param = self.params[attr]
                 value = entry_attrs[attr]
-                try:
-                    param = self.params[attr]
-                except KeyError:
-                    # The CRUD classes filter their disallowed parameters out.
-                    # Yet {set,add,del}attr are powerful enough to change these
-                    # (e.g. Config's ipacertificatesubjectbase)
-                    # So, use the parent's attribute
-                    param = self.obj.params[attr]
                 if not param.multivalue:
                     if len(value) == 1:
                         value = value[0]

ipalib/plugins/hbacrule.py

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib import api, errors
-from ipalib import AccessTime, Password, Str, StrEnum
+from ipalib import AccessTime, Password, Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 
@@ -183,9 +183,9 @@ class hbacrule(LDAPObject):
             cli_name='desc',
             label=_('Description'),
         ),
-        Flag('ipaenabledflag?',
+        Bool('ipaenabledflag?',
              label=_('Enabled'),
-             flags=['no_create', 'no_update', 'no_search'],
+             flags=['no_option'],
         ),
         Str('memberuser_user?',
             label=_('Users'),

ipalib/plugins/selinuxusermap.py

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib import _, ngettext
 from ipalib.plugins.hbacrule import is_all
@@ -172,9 +172,9 @@ class selinuxusermap(LDAPObject):
             cli_name='desc',
             label=_('Description'),
         ),
-        Flag('ipaenabledflag?',
+        Bool('ipaenabledflag?',
              label=_('Enabled'),
-             flags=['no_create', 'no_update', 'no_search'],
+             flags=['no_option'],
         ),
         Str('memberuser_user?',
             label=_('Users'),

ipalib/plugins/sudorule.py

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipalib import api, errors
-from ipalib import Str, StrEnum
+from ipalib import Str, StrEnum, Bool
 from ipalib.plugins.baseldap import *
 from ipalib.plugins.hbacrule import is_all
 from ipalib import _, ngettext
@@ -110,9 +110,9 @@ class sudorule(LDAPObject):
             cli_name='desc',
             label=_('Description'),
         ),
-        Flag('ipaenabledflag?',
+        Bool('ipaenabledflag?',
              label=_('Enabled'),
-             flags=['no_create', 'no_update', 'no_search'],
+             flags=['no_option'],
         ),
         StrEnum('usercategory?',
             cli_name='usercat',

ipalib/plugins/user.py

@@ -338,7 +338,7 @@ class user(LDAPObject):
         ),
         Bool('nsaccountlock?',
             label=_('Account disabled'),
-            flags=['no_create', 'no_update', 'no_search'],
+            flags=['no_option'],
         ),
         Bytes('ipasshpubkey*', validate_sshpubkey,
             cli_name='sshpubkey',