Reset per-indicator Kerberos policy

When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>

ipaserver/plugins/krbtpolicy.py

@@ -68,6 +68,8 @@ register = Registry()
 _default_values = {
     'krbmaxticketlife': 86400,
     'krbmaxrenewableage': 604800,
+    'krbauthindmaxticketlife': 86400,
+    'krbauthindmaxrenewableage': 604800,
 }
 
 # These attributes never have non-optional values, so they should be
@@ -311,9 +313,26 @@ class krbtpolicy_reset(baseldap.LDAPQuery):
                 def_values[a] = None
         # if reseting global policy - set values to default
         else:
-            def_values = _default_values
+            def_values = _default_values.copy()
 
         entry = ldap.get_entry(dn, list(def_values))
+
+        # For per-indicator policies, drop them to defaults
+        for subtype in _supported_options:
+            for attr in _option_based_attrs:
+                name = '{};{}'.format(attr, subtype)
+                if name in entry:
+                    if uid is not None:
+                        def_values[name] = None
+                    else:
+                        def_values[name] = _default_values[attr]
+
+        # Remove non-subtyped attrs variants,
+        # they should never be used directly.
+        for attr in _option_based_attrs:
+            if attr in def_values:
+                del def_values[attr]
+
         entry.update(def_values)
         try:
             ldap.update_entry(entry)