From 0855b014b1edcb1632a41e380220abd7bb5e481a Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Jun 30 2016 11:39:59 +0000
Subject: Add authentication indicators support to Host objects

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose
Reviewed-By: Petr Vobornik
---
diff --git a/API.txt b/API.txt
index 76e58ae..1992266 100644
--- a/API.txt
+++ b/API.txt
@@ -2257,7 +2257,7 @@ output: Output('summary', type=[, ])
 output: Output('value', type=[])
 output: Output('warning', type=[, , ])
 command: host_add/1
-args: 1,23,3
+args: 1,24,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2268,6 +2268,7 @@ option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
+option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Str('l?', cli_name='locality')
 option: Str('macaddress*')
 option: Flag('no_members', autofill=True, default=False)
@@ -2380,7 +2381,7 @@ output: Output('completed', type=[])
 output: Output('failed', type=[])
 output: Entry('result')
 command: host_find/1
-args: 1,34,4
+args: 1,35,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', autofill=False, cli_name='desc')
@@ -2392,6 +2393,7 @@ option: Str('in_netgroup*', cli_name='in_netgroups')
 option: Str('in_role*', cli_name='in_roles')
 option: Str('in_sudorule*', cli_name='in_sudorules')
 option: Str('ipaassignedidview?', autofill=False)
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
 option: Str('man_by_host*', cli_name='man_by_hosts')
@@ -2421,7 +2423,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: host_mod/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2431,6 +2433,7 @@ option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
+option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Str('krbprincipalname?', cli_name='principalname')
 option: Str('l?', autofill=False, cli_name='locality')
 option: Str('macaddress*', autofill=False)
diff --git a/VERSION b/VERSION
index d4d7228..5c3aef2 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=202
-# Last change: schema: support plugin versioning
+IPA_API_VERSION_MINOR=203
+# Last change: host: added authentication indicators
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 0072431..1091f85 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -295,7 +295,7 @@ class host(LDAPObject): 'fqdn', 'description', 'l', 'nshostlocation', 'krbprincipalname', 'nshardwareplatform', 'nsosversion', 'usercertificate', 'memberof', 'managedby', 'memberofindirect', 'macaddress', - 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', + 'userclass', 'ipaallowedtoperform', 'ipaassignedidview', 'krbprincipalauthind' ] uuid_attribute = 'ipauniqueid' attribute_members = {
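Review bot: Nothing visible on this page extends the host plugin's access-control attribute lists for `krbprincipalauthind`, although this hunk puts it into `default_attributes` so it is requested on every default host read. Since the help text added later in this commit describes the value as a whitelist of accepted authentication methods, it is worth confirming which roles can read it and, more importantly, which can write it; if that is handled elsewhere in the plugin it is not shown here. As a smaller style point, the new line drops the trailing comma the old one had and runs long; `'userclass', 'ipaallowedtoperform', 'ipaassignedidview',` with `'krbprincipalauthind',` on its own line keeps future additions to one-line diffs. The list itself starts above the hunk.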
@@ -530,6 +530,14 @@ class host(LDAPObject): label=_('Assigned ID View'), flags=['no_option'], ), + Str('krbprincipalauthind*', + cli_name='auth_ind', + label=_('Authentication Indicators'), + doc=_("Defines a whitelist for Authentication Indicators." + " Use 'otp' to allow OTP-based 2FA authentications." + " Use 'radius' to allow RADIUS-based 2FA authentications." + " Other values may be used for custom configurations."), + ), ) + ticket_flags_params def get_dn(self, *keys, **options): @@ -912,6 +920,13 @@ class host_mod(LDAPUpdate): if 'krbticketpolicyaux' not in entry_attrs['objectclass']: entry_attrs['objectclass'].append('krbticketpolicyaux') + if 'krbprincipalauthind' in entry_attrs: + if 'objectclass' not in entry_attrs: + entry_attrs_old = ldap.get_entry(dn, ['objectclass']) + entry_attrs['objectclass'] = entry_attrs_old['objectclass'] + if 'krbprincipalaux' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('krbprincipalaux') + add_sshpubkey_to_attrs_pre(self.context, attrs_list) return dn
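Review bot: The `doc` string for `krbprincipalauthind` does not say what happens when the attribute is empty or unset, and the `Str` carries no validator, so any spelling is stored as given. An administrator reading the `auth_ind` help cannot tell whether clearing the option lifts the restriction or whether a value such as `OTP` is treated the same as `otp`. I would add a sentence along the lines of `" With no indicator set, no particular authentication method is required."` and a note that values are matched literally, after confirming both against the KDC behaviour, which this page does not show. The `takes_params` tuple begins above the hunk.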
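Review bot: The `krbprincipalaux` fix-up is added only to `host_mod`, while API.txt in this same commit gives `host_add` the `krbprincipalauthind*` option as well and no hunk touches its pre-callback. If a host entry can be created without that object class (not visible here), an add that sets `auth_ind` would presumably be rejected by the directory schema, so the add path wants the same guard: `if 'krbprincipalauthind' in entry_attrs and 'krbprincipalaux' not in entry_attrs['objectclass']:` followed by `entry_attrs['objectclass'].append('krbprincipalaux')`. The membership test is also case-sensitive, like the `krbticketpolicyaux` check just above it, so it relies on the stored object class value being lowercase. The enclosing callback begins and ends outside the hunk.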