From 1c73ac91a4c76cbada91f2b30d8b731b91af5195 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Aug 17 2016 14:41:38 +0000
Subject: service: add flag to allow S4U2Self


Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

---

diff --git a/API.txt b/API.txt
index 535d8ec..5b83bfb 100644
--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('value', type=[<type 'bool'>])
 output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 'NoneType'>])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
diff --git a/VERSION b/VERSION
index ca48996..a8b89ed 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=211
-# Last change: mbabinsk: allow 'value' output param in commands without primary key
+IPA_API_VERSION_MINOR=212
+# Last change: ab: service: add flag to allow S4U2Self
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a44dcaa..04d1916 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -171,11 +171,18 @@ ticket_flags_params = (
         doc=_('Client credentials may be delegated to the service'),
         flags=['virtual_attribute', 'no_search'],
     ),
+    Bool('ipakrboktoauthasdelegate?',
+        cli_name='ok_to_auth_as_delegate',
+        label=_('Trusted to authenticate as user'),
+        doc=_('The service is allowed to authenticate on behalf of a client'),
+        flags=['virtual_attribute', 'no_search'],
+    ),
 )
 
 _ticket_flags_map = {
     'ipakrbrequirespreauth': 0x00000080,
     'ipakrbokasdelegate': 0x00100000,
+    'ipakrboktoauthasdelegate': 0x00200000,
 }
 
 _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth']