group: allow services as members of groups

Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipatests/test_xmlrpc/test_netgroup_plugin.py

@@ -320,6 +320,7 @@ class test_netgroup(Declarative):
                     member=dict(
                         group=tuple(),
                         user=tuple(),
+                        service=tuple(),
                     ),
                 ),
                 result={

ipatests/test_xmlrpc/test_selinuxusermap_plugin.py

@@ -240,6 +240,7 @@ class test_selinuxusermap(Declarative):
                     member=dict(
                         group=tuple(),
                         user=tuple(),
+                        service=tuple(),
                     ),
                 ),
                 result={

ipatests/test_xmlrpc/test_service_plugin.py

@@ -890,6 +890,7 @@ class test_service_allowed_to(Declarative):
     cleanup_commands = [
         ('user_del', [user1], {}),
         ('user_del', [user2], {}),
+        ('service_del', [d_service], {}),
         ('group_del', [group1], {}),
         ('group_del', [group2], {}),
         ('host_del', [fqdn1], {}),
@@ -938,6 +939,40 @@ class test_service_allowed_to(Declarative):
                 ),
             ),
         ),
+        # Create a service disconnected from any host
+        dict(
+            desc='Try to create service %r without any host' % d_service,
+            command=('service_add', [d_service],
+                     dict(force=True, skip_host_check=True)),
+            expected=dict(
+                value=d_service,
+                summary=u'Added service "%s"' % d_service,
+                result=dict(
+                    dn=d_servicedn,
+                    krbprincipalname=[d_service],
+                    krbcanonicalname=[d_service],
+                    objectclass=objectclasses.service,
+                    ipauniqueid=[fuzzy_uuid],
+                ),
+            ),
+        ),
+        dict(
+            desc='Add service %r to a group: %r' % (d_service, group1),
+            command=('group_add_member', [group1],
+                     dict(service=[d_service_no_realm])),
+            expected=dict(
+                completed=1,
+                failed=dict(member=dict(group=[],
+                                        service=[],
+                                        user=[])),
+                result=dict(
+                    cn=[group1],
+                    gidnumber=[fuzzy_digits],
+                    dn=group1_dn,
+                    member_service=[d_service],
+                ),
+            ),
+        ),
         dict(
             desc='Create group: %r' % group2,
             command=(

ipatests/test_xmlrpc/tracker/group_plugin.py

@@ -12,9 +12,10 @@ from ipatests.util import assert_deepequal, get_group_dn
 class GroupTracker(Tracker):
     """ Class for host plugin like tests """
     retrieve_keys = {u'dn', u'cn', u'gidnumber', u'member_user',
-                     u'member_group', u'description',
+                     u'member_group', u'member_service', u'description',
                      u'memberof_group', u'memberofindirect_group',
-                     u'memberindirect_group', u'memberindirect_user'}
+                     u'memberindirect_group', u'memberindirect_user',
+                     u'memberindirect_service'}
 
     retrieve_all_keys = retrieve_keys | {u'ipauniqueid', u'objectclass'}
 
@@ -112,7 +113,7 @@ class GroupTracker(Tracker):
         )
 
     def add_member(self, options):
-        """ Add a member (group OR user) and performs check """
+        """ Add a member (group OR user OR service) and performs check """
         if u'user' in options:
             try:
                 self.attrs[u'member_user'] =\
@@ -125,6 +126,12 @@ class GroupTracker(Tracker):
                     self.attrs[u'member_group'] + [options[u'group']]
             except KeyError:
                 self.attrs[u'member_group'] = [options[u'group']]
+        elif u'service' in options:
+            try:
+                self.attrs[u'member_service'] =\
+                    self.attrs[u'member_service'] + [options[u'service']]
+            except KeyError:
+                self.attrs[u'member_service'] = [options[u'service']]
 
         command = self.make_add_member_command(options)
         result = command()
@@ -136,6 +143,8 @@ class GroupTracker(Tracker):
             self.attrs[u'member_user'].remove(options[u'user'])
         elif u'group' in options:
             self.attrs[u'member_group'].remove(options[u'group'])
+        elif u'service' in options:
+            self.attrs[u'member_service'].remove(options[u'service'])
 
         try:
             if not self.attrs[u'member_user']:
@@ -147,6 +156,11 @@ class GroupTracker(Tracker):
                 del self.attrs[u'member_group']
         except KeyError:
             pass
+        try:
+            if not self.attrs[u'member_service']:
+                del self.attrs[u'member_service']
+        except KeyError:
+            pass
 
         command = self.make_remove_member_command(options)
         result = command()
@@ -207,7 +221,7 @@ class GroupTracker(Tracker):
         """ Checks 'group_add_member' command result """
         assert_deepequal(dict(
             completed=1,
-            failed={u'member': {u'group': (), u'user': ()}},
+            failed={u'member': {u'group': (), u'user': (), u'service': ()}},
             result=self.filter_attrs(self.add_member_keys)
         ), result)
 
@@ -216,7 +230,7 @@ class GroupTracker(Tracker):
         when expected result is failure of the operation"""
         expected = dict(
             completed=0,
-            failed={u'member': {u'group': (), u'user': ()}},
+            failed={u'member': {u'group': (), u'user': (), u'service': ()}},
             result=self.filter_attrs(self.add_member_keys)
         )
         if not options:
@@ -230,6 +244,9 @@ class GroupTracker(Tracker):
         elif u'group' in options:
             expected[u'failed'][u'member'][u'group'] = [(
                 options[u'group'], u'no such entry')]
+        elif u'service' in options:
+            expected[u'failed'][u'member'][u'service'] = [(
+                options[u'service'], u'no such entry')]
 
         assert_deepequal(expected, result)
 
@@ -238,7 +255,7 @@ class GroupTracker(Tracker):
         when expected result is failure of the operation"""
         expected = dict(
             completed=0,
-            failed={u'member': {u'group': (), u'user': ()}},
+            failed={u'member': {u'group': (), u'user': (), u'service': ()}},
             result=self.filter_attrs(self.add_member_keys)
         )
         if u'user' in options:
@@ -247,6 +264,9 @@ class GroupTracker(Tracker):
         elif u'group' in options:
             expected[u'failed'][u'member'][u'group'] = [(
                 options[u'group'], u'This entry is not a member')]
+        elif u'service' in options:
+            expected[u'failed'][u'member'][u'service'] = [(
+                options[u'service'], u'This entry is not a member')]
 
         assert_deepequal(expected, result)
 

ipatests/test_xmlrpc/tracker/user_plugin.py

@@ -514,7 +514,7 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
         assert_deepequal(dict(
             completed=1,
             failed=dict(
-                member=dict(group=tuple(), user=tuple())
+                member=dict(group=tuple(), user=tuple(), service=tuple())
             ),
             result={
                 'dn': get_group_dn(admin_group),