A mod command should not be able to remove a required attribute.

Some attribute enforcement is done by schema, others should be done
by the required option in a Parameter. description, for example, is
required by many plugins but not the schema. We need to enforce in the
framework that required options are provided.

After all the setattr/addattr work is done run through the modifications
and ensure that no required values will be removed.

ticket 852

ipalib/plugins/baseldap.py

@@ -416,6 +416,14 @@ def _check_single_value_attrs(params, entry_attrs):
             if a in params and not params[a].multivalue:
                 raise errors.OnlyOneValueAllowed(attr=a)
 
+# setattr or --option='' can cause parameters to be empty that are otherwise
+# required, make sure we enforce that.
+def _check_empty_attrs(params, entry_attrs):
+    for (a, v) in entry_attrs.iteritems():
+        if v is None or (isinstance(v, basestring) and len(v) == 0):
+            if a in params and params[a].required:
+                raise errors.RequirementError(name=a)
+
 
 class CallbackInterface(Method):
     """
@@ -799,6 +807,7 @@ class LDAPUpdate(LDAPQuery, crud.Update):
                 )
 
         _check_single_value_attrs(self.params, entry_attrs)
+        _check_empty_attrs(self.obj.params, entry_attrs)
 
         rdnupdate = False
         try:

tests/test_xmlrpc/test_attr.py

@@ -18,7 +18,7 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 """
-Test --setattr and --addattr
+Test --setattr and --addattr and other attribute-specific issues
 """
 
 from ipalib import api, errors
@@ -175,4 +175,66 @@ class test_attr(Declarative):
             ),
         ),
 
+
+        dict(
+            desc='Try setting givenname to None with setattr in %r' % user1,
+            command=(
+                'user_mod', [user1], dict(setattr=(u'givenname='))
+            ),
+            expected=errors.RequirementError(name='givenname'),
+        ),
+
+
+        dict(
+            desc='Try setting givenname to None with option in %r' % user1,
+            command=(
+                'user_mod', [user1], dict(givenname=None)
+            ),
+            expected=errors.RequirementError(name='givenname'),
+        ),
+
+
+        dict(
+            desc='Make sure setting givenname works with option in %r' % user1,
+            command=(
+                'user_mod', [user1], dict(givenname=u'Fred')
+            ),
+            expected=dict(
+                result=dict(
+                    givenname=[u'Fred'],
+                    homedirectory=[u'/home/tuser1'],
+                    loginshell=[u'/bin/sh'],
+                    sn=[u'User1'],
+                    uid=[user1],
+                    memberof_group=[u'ipausers'],
+                    telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'],
+                    nsaccountlock=[u'False'],
+                ),
+                summary=u'Modified user "tuser1"',
+                value=user1,
+            ),
+        ),
+
+
+        dict(
+            desc='Make sure setting givenname works with setattr in %r' % user1,
+            command=(
+                'user_mod', [user1], dict(setattr=u'givenname=Finkle')
+            ),
+            expected=dict(
+                result=dict(
+                    givenname=[u'Finkle'],
+                    homedirectory=[u'/home/tuser1'],
+                    loginshell=[u'/bin/sh'],
+                    sn=[u'User1'],
+                    uid=[user1],
+                    memberof_group=[u'ipausers'],
+                    telephonenumber=[u'301-555-1212', u'202-888-9833', u'703-555-1212'],
+                    nsaccountlock=[u'False'],
+                ),
+                summary=u'Modified user "tuser1"',
+                value=user1,
+            ),
+        ),
+
     ]