Prevent changing protected group's name using --setattr

The name of any protected group now cannot be changed by modifing
the cn attribute using --setattr. Unit tests have been added to
make sure there is no regression.

https://fedorahosted.org/freeipa/ticket/3354

ipalib/plugins/group.py

@@ -265,7 +265,7 @@ class group_mod(LDAPUpdate):
 
         is_protected_group = keys[-1] in PROTECTED_GROUPS
 
-        if 'rename' in options:
+        if 'rename' in options or 'cn' in entry_attrs:
             if is_protected_group:
                 raise errors.ProtectedEntryError(label=u'group', key=keys[-1],
                     reason=u'Cannot be renamed')

tests/test_xmlrpc/test_group_plugin.py

@@ -878,6 +878,13 @@ class test_group(Declarative):
                 key='admins', reason='Cannot be renamed'),
         ),
 
+        dict(
+            desc='Try to rename the admins group via setattr',
+            command=('group_mod', [u'admins'], {'setattr': u'cn=loosers'}),
+            expected=errors.ProtectedEntryError(label=u'group',
+                key='admins', reason='Cannot be renamed'),
+        ),
+
         dict(
             desc='Try to modify the admins group to support external membership',
             command=('group_mod', [u'admins'], dict(external=True)),
@@ -899,6 +906,14 @@ class test_group(Declarative):
                 key='trust admins', reason='Cannot be renamed'),
         ),
 
+        dict(
+            desc='Try to rename the trust admins group via setattr',
+            command=('group_mod', [u'trust admins'], {'setattr': u'cn=loosers'}),
+            expected=errors.ProtectedEntryError(label=u'group',
+                key='trust admins', reason='Cannot be renamed'),
+        ),
+
+
         dict(
             desc='Try to modify the trust admins group to support external membership',
             command=('group_mod', [u'trust admins'], dict(external=True)),