idview: add domain_resolution_order attribute

`idview-add` and `idview-mod` can now set and validate the attribute.
The required objectclass is added on-demand after modification

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>

ACI.txt

@@ -183,7 +183,7 @@ aci: (targetattr = "createtimestamp || description || entryusn || gecos || gidnu
 dn: cn=ranges,cn=etc,dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || ipabaseid || ipabaserid || ipaidrangesize || ipanttrusteddomainsid || iparangetype || ipasecondarybaserid || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipaidrange)")(version 3.0;acl "permission:System: Read ID Ranges";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=views,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
+aci: (targetattr = "cn || createtimestamp || description || entryusn || ipadomainresolutionorder || modifytimestamp || objectclass")(targetfilter = "(objectclass=nsContainer)")(version 3.0;acl "permission:System: Read ID Views";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
 aci: (targetattr = "createtimestamp || entryusn || krbdefaultencsalttypes || krbmaxrenewableage || krbmaxticketlife || krbsupportedencsalttypes || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbticketpolicyaux)")(version 3.0;acl "permission:System: Read Default Kerberos Ticket Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Default Kerberos Ticket Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=users,cn=accounts,dc=ipa,dc=example

API.txt

@@ -3038,11 +3038,12 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: idview_add/1
-args: 1,6,3
+args: 1,7,3
 arg: Str('cn', cli_name='name')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', cli_name='desc')
+option: Str('ipadomainresolutionorder?', cli_name='domain_resolution_order')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('setattr*', cli_name='setattr')
 option: Str('version?')
@@ -3083,12 +3084,13 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: idview_mod/1
-args: 1,9,3
+args: 1,10,3
 arg: Str('cn', cli_name='name')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
+option: Str('ipadomainresolutionorder?', autofill=False, cli_name='domain_resolution_order')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('rename?', cli_name='rename')
 option: Flag('rights', autofill=True, default=False)

VERSION.m4

@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 20100614120000)
 #                                                      #
 ########################################################
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 222)
->>>>>>> ipaconfig: add the ability to manipulate domain resolution order
+define(IPA_API_VERSION_MINOR, 223)
+# Last change: Add domain resolution order to ID views
 
 
 ########################################################

ipaserver/plugins/idviews.py

@@ -95,7 +95,8 @@ class idview(LDAPObject):
     object_name = _('ID View')
     object_name_plural = _('ID Views')
     object_class = ['ipaIDView', 'top']
-    default_attributes = ['cn', 'description']
+    possible_objectclasses = ['ipaNameResolutionData']
+    default_attributes = ['cn', 'description', 'ipadomainresolutionorder']
     rdn_is_primary_key = True
 
     label = _('ID Views')
@@ -123,6 +124,14 @@ class idview(LDAPObject):
             label=_('Hosts the view applies to'),
             flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
         ),
+        Str(
+            'ipadomainresolutionorder?',
+            cli_name='domain_resolution_order',
+            label=_('Domain resolution order'),
+            doc=_('colon-separated list of domains used for short name'
+                  ' qualification'),
+            flags={'no_search'}
+        )
     )
 
     permission_filter_objectclasses = ['nsContainer']
@@ -131,17 +140,34 @@ class idview(LDAPObject):
             'ipapermbindruletype': 'all',
             'ipapermright': {'read', 'search', 'compare'},
             'ipapermdefaultattr': {
-                'cn', 'description', 'objectClass',
+                'cn', 'description', 'ipadomainresolutionorder', 'objectClass',
             },
         },
     }
 
+    def ensure_possible_objectclasses(self, ldap, dn, entry_attrs):
+        orig_entry_attrs = ldap.get_entry(dn, ['objectclass'])
+
+        orig_objectclasses = {
+            o.lower() for o in orig_entry_attrs.get('objectclass', [])}
+
+        entry_attrs['objectclass'] = orig_entry_attrs['objectclass']
+
+        for obj_class_name in self.possible_objectclasses:
+            if obj_class_name.lower() not in orig_objectclasses:
+                entry_attrs['objectclass'].append(obj_class_name)
+
 
 @register()
 class idview_add(LDAPCreate):
     __doc__ = _('Add a new ID View.')
     msg_summary = _('Added ID View "%(value)s"')
 
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+        self.api.Object.config.validate_domain_resolution_order(entry_attrs)
+
+        return dn
+
 
 @register()
 class idview_del(LDAPDelete):
@@ -166,6 +192,9 @@ class idview_mod(LDAPUpdate):
             if key.lower() == DEFAULT_TRUST_VIEW_NAME:
                 raise protected_default_trust_view_error
 
+        self.api.Object.config.validate_domain_resolution_order(entry_attrs)
+        self.obj.ensure_possible_objectclasses(ldap, dn, entry_attrs)
+
         return dn