areguera / rpms / ipa

Forked from rpms/ipa 5 years ago
Clone

Blame SOURCES/0019-ipaserver-plugins-trust.py-pep8-compliance.patch

c58629
From aae0cc2fdaeead8ff33ade93e73d6aba25704659 Mon Sep 17 00:00:00 2001
c58629
From: Alexander Bokovoy <abokovoy@redhat.com>
c58629
Date: Fri, 17 Nov 2017 17:25:57 +0200
c58629
Subject: [PATCH] ipaserver/plugins/trust.py: pep8 compliance
c58629
c58629
Reviewed-By: Christian Heimes <cheimes@redhat.com>
c58629
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
c58629
---
c58629
 ipaserver/plugins/trust.py | 356 +++++++++++++++++++++++++++------------------
c58629
 1 file changed, 214 insertions(+), 142 deletions(-)
c58629
c58629
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
c58629
index d01529ee022d4a4f9b671a8f06156ed450326041..73e137abcec9625997a619fe64d4f615743247b1 100644
c58629
--- a/ipaserver/plugins/trust.py
c58629
+++ b/ipaserver/plugins/trust.py
c58629
@@ -81,10 +81,10 @@ Cross-realm trusts
c58629
 
c58629
 Manage trust relationship between IPA and Active Directory domains.
c58629
 
c58629
-In order to allow users from a remote domain to access resources in IPA
c58629
-domain, trust relationship needs to be established. Currently IPA supports
c58629
-only trusts between IPA and Active Directory domains under control of Windows
c58629
-Server 2008 or later, with functional level 2008 or later.
c58629
+In order to allow users from a remote domain to access resources in IPA domain,
c58629
+trust relationship needs to be established. Currently IPA supports only trusts
c58629
+between IPA and Active Directory domains under control of Windows Server 2008
c58629
+or later, with functional level 2008 or later.
c58629
 
c58629
 Please note that DNS on both IPA and Active Directory domain sides should be
c58629
 configured properly to discover each other. Trust relationship relies on
c58629
@@ -95,7 +95,8 @@ Examples:
c58629
 1. Establish cross-realm trust with Active Directory using AD administrator
c58629
    credentials:
c58629
 
c58629
-   ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
c58629
+   ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> \
c58629
+           --password
c58629
 
c58629
 2. List all existing trust relationships:
c58629
 
c58629
@@ -110,35 +111,39 @@ Examples:
c58629
    ipa trust-del <ad.domain>
c58629
 
c58629
 Once trust relationship is established, remote users will need to be mapped
c58629
-to local POSIX groups in order to actually use IPA resources. The mapping should
c58629
-be done via use of external membership of non-POSIX group and then this group
c58629
-should be included into one of local POSIX groups.
c58629
+to local POSIX groups in order to actually use IPA resources. The mapping
c58629
+should be done via use of external membership of non-POSIX group and then
c58629
+this group should be included into one of local POSIX groups.
c58629
 
c58629
 Example:
c58629
 
c58629
-1. Create group for the trusted domain admins' mapping and their local POSIX group:
c58629
+1. Create group for the trusted domain admins' mapping and their local POSIX
c58629
+group:
c58629
 
c58629
-   ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
c58629
+   ipa group-add --desc='<ad.domain> admins external map' \
c58629
+           ad_admins_external --external
c58629
    ipa group-add --desc='<ad.domain> admins' ad_admins
c58629
 
c58629
-2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
c58629
-   group:
c58629
+2. Add security identifier of Domain Admins of the <ad.domain> to the
c58629
+   ad_admins_external group:
c58629
 
c58629
    ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
c58629
 
c58629
-3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
c58629
+3. Allow members of ad_admins_external group to be associated with
c58629
+   ad_admins POSIX group:
c58629
 
c58629
    ipa group-add-member ad_admins --groups ad_admins_external
c58629
 
c58629
-4. List members of external members of ad_admins_external group to see their SIDs:
c58629
+4. List members of external members of ad_admins_external group to see
c58629
+   their SIDs:
c58629
 
c58629
    ipa group-show ad_admins_external
c58629
 
c58629
 
c58629
 GLOBAL TRUST CONFIGURATION
c58629
 
c58629
-When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
c58629
-a local domain configuration (SID, GUID, NetBIOS name) is generated. These
c58629
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run, a
c58629
+local domain configuration (SID, GUID, NetBIOS name) is generated. These
c58629
 identifiers are then used when communicating with a trusted domain of the
c58629
 particular type.
c58629
 
c58629
@@ -147,11 +152,11 @@ particular type.
c58629
    ipa trustconfig-show --type ad
c58629
 
c58629
 2. Modify global configuration for all trusts of Active Directory type and set
c58629
-   a different fallback primary group (fallback primary group GID is used as
c58629
-   a primary user GID if user authenticating to IPA domain does not have any other
c58629
-   primary GID already set):
c58629
+   a different fallback primary group (fallback primary group GID is used as a
c58629
+   primary user GID if user authenticating to IPA domain does not have any
c58629
+   other primary GID already set):
c58629
 
c58629
-   ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
c58629
+   ipa trustconfig-mod --type ad --fallback-primary-group "another AD group"
c58629
 
c58629
 3. Change primary fallback group back to default hidden group (any group with
c58629
    posixGroup object class is allowed):
c58629
@@ -185,6 +190,7 @@ def make_trust_dn(env, trust_type, dn):
c58629
         return DN(dn, container_dn)
c58629
     return dn
c58629
 
c58629
+
c58629
 def find_adtrust_masters(ldap, api):
c58629
     """
c58629
     Returns a list of names of IPA servers with ADTRUST component configured.
c58629
@@ -200,6 +206,7 @@ def find_adtrust_masters(ldap, api):
c58629
 
c58629
     return [entry.dn[1].value for entry in entries]
c58629
 
c58629
+
c58629
 def verify_samba_component_presence(ldap, api):
c58629
     """
c58629
     Verifies that Samba is installed and configured on this particular master.
c58629
@@ -233,7 +240,7 @@ def verify_samba_component_presence(ldap, api):
c58629
 
c58629
     # First check for packages missing
c58629
     elif not _bindings_installed:
c58629
-        error_message=_(
c58629
+        error_message = _(
c58629
             'Cannot perform the selected command without Samba 4 support '
c58629
             'installed. Make sure you have installed server-trust-ad '
c58629
             'sub-package of IPA.'
c58629
@@ -243,7 +250,7 @@ def verify_samba_component_presence(ldap, api):
c58629
 
c58629
     # Packages present, but ADTRUST instance is not configured
c58629
     elif not adtrust_present:
c58629
-        error_message=_(
c58629
+        error_message = _(
c58629
             'Cannot perform the selected command without Samba 4 instance '
c58629
             'configured on this machine. Make sure you have run '
c58629
             'ipa-adtrust-install on this server.'
c58629
@@ -263,7 +270,8 @@ def generate_creds(trustinstance, style, **options):
c58629
        **options     -- options with realm_admin and realm_passwd keys
c58629
 
c58629
     Result:
c58629
-       a string representing credentials with first % separating username and password
c58629
+       a string representing credentials with first % separating
c58629
+       username and password
c58629
        None is returned if realm_passwd key returns nothing from options
c58629
     """
c58629
     creds = None
c58629
@@ -284,8 +292,9 @@ def generate_creds(trustinstance, style, **options):
c58629
             else:
c58629
                 sp = admin_name.split(sep)
c58629
             if len(sp) == 1:
c58629
-                sp.append(trustinstance.remote_domain
c58629
-                          .info['dns_domain'].upper())
c58629
+                sp.append(
c58629
+                    trustinstance.remote_domain.info['dns_domain'].upper()
c58629
+                )
c58629
         creds = u"{name}%{password}".format(name=sep.join(sp),
c58629
                                             password=password)
c58629
     return creds
c58629
@@ -334,7 +343,8 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
c58629
         creds = None
c58629
         if trustinstance:
c58629
             # Re-use AD administrator credentials if they were provided
c58629
-            creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
c58629
+            creds = generate_creds(trustinstance,
c58629
+                                   style=CRED_STYLE_KERBEROS, **options)
c58629
             if creds:
c58629
                 domain_validator._admin_creds = creds
c58629
         # KDC might not get refreshed data at the first time,
c58629
@@ -417,21 +427,32 @@ def fetch_trusted_domains_over_dbus(myapi, log, forest_name):
c58629
         _stdout = ''
c58629
         _stderr = ''
c58629
         bus = dbus.SystemBus()
c58629
-        intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True)
c58629
-        fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST)
c58629
+        intf = bus.get_object(DBUS_IFACE_TRUST, "/",
c58629
+                              follow_name_owner_changes=True)
c58629
+        fetch_domains_method = intf.get_dbus_method(
c58629
+                'fetch_domains',
c58629
+                dbus_interface=DBUS_IFACE_TRUST)
c58629
         (_ret, _stdout, _stderr) = fetch_domains_method(forest_name)
c58629
     except dbus.DBusException as e:
c58629
-        log.error('Failed to call %(iface)s.fetch_domains helper.'
c58629
-                       'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e)))
c58629
+        log.error(
c58629
+            'Failed to call %(iface)s.fetch_domains helper. '
c58629
+            'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e))
c58629
+        )
c58629
         if _ret != 0:
c58629
-            log.error('Helper was called for forest %(forest)s, return code is %(ret)d' % dict(forest=forest_name, ret=_ret))
c58629
-            log.error('Standard output from the helper:\n%s---\n' % (_stdout))
c58629
-            log.error('Error output from the helper:\n%s--\n' % (_stderr))
c58629
-        raise errors.ServerCommandError(server=myapi.env.host,
c58629
-                                        error=_('Fetching domains from trusted forest failed. '
c58629
-                                                'See details in the error_log'))
c58629
+            log.error(
c58629
+                'Helper was called for forest %s, return code is %d',
c58629
+                forest_name, _ret
c58629
+            )
c58629
+            log.error('Standard output from the helper:\n%s---\n', _stdout)
c58629
+            log.error('Error output from the helper:\n%s--\n', _stderr)
c58629
+        raise errors.ServerCommandError(
c58629
+            server=myapi.env.host,
c58629
+            error=_('Fetching domains from trusted forest failed. '
c58629
+                    'See details in the error_log')
c58629
+        )
c58629
     return
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust(LDAPObject):
c58629
     """
c58629
@@ -538,8 +559,8 @@ class trust(LDAPObject):
c58629
                 continue
c58629
             for value in values:
c58629
                 if not ipaserver.dcerpc.is_sid_valid(value):
c58629
-                    raise errors.ValidationError(name=attr,
c58629
-                            error=_("invalid SID: %(value)s") % dict(value=value))
c58629
+                    err = unicode(_("invalid SID: {SID}")).format(SID=value)
c58629
+                    raise errors.ValidationError(name=attr, error=err)
c58629
 
c58629
     def get_dn(self, *keys, **kwargs):
c58629
         trust_type = kwargs.get('trust_type')
c58629
@@ -600,7 +621,8 @@ class trust(LDAPObject):
c58629
                 add_message(
c58629
                     options['version'],
c58629
                     result,
c58629
-                    BrokenTrust(domain=entry.single_value['cn']))
c58629
+                    BrokenTrust(domain=entry.single_value['cn'])
c58629
+                )
c58629
 
c58629
 
c58629
 @register()
c58629
@@ -622,7 +644,7 @@ sides.
c58629
     range_types = {
c58629
         u'ipa-ad-trust': unicode(_('Active Directory domain range')),
c58629
         u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
c58629
-                                        'POSIX attributes')),
c58629
+                                         'POSIX attributes')),
c58629
                   }
c58629
 
c58629
     takes_options = LDAPCreate.takes_options + (
c58629
@@ -720,9 +742,10 @@ sides.
c58629
 
c58629
         trust_filter = "cn=%s" % result['value']
c58629
         trusts, _truncated = ldap.find_entries(
c58629
-                         base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
c58629
-                         filter=trust_filter,
c58629
-                         attrs_list=attrs_list)
c58629
+            base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
c58629
+            filter=trust_filter,
c58629
+            attrs_list=attrs_list
c58629
+        )
c58629
 
c58629
         result['result'] = entry_to_dict(trusts[0], **options)
c58629
 
c58629
@@ -731,10 +754,11 @@ sides.
c58629
         # Note that add_new_domains_from_trust will add needed ranges for
c58629
         # the algorithmic ID mapping case.
c58629
         if (options.get('trust_type') == u'ad' and
c58629
-            options.get('trust_secret') is None):
c58629
+                options.get('trust_secret') is None):
c58629
+
c58629
             if options.get('bidirectional') == True:
c58629
-                # Bidirectional trust allows us to use cross-realm TGT, so we can
c58629
-                # run the call under original user's credentials
c58629
+                # Bidirectional trust allows us to use cross-realm TGT,
c58629
+                # so we can run the call under original user's credentials
c58629
                 res = fetch_domains_from_trust(self.api, self.trustinstance,
c58629
                                                **options)
c58629
                 add_new_domains_from_trust(
c58629
@@ -790,7 +814,9 @@ sides.
c58629
         # If domain name and realm does not match, IPA server is not be able
c58629
         # to establish trust with Active Directory.
c58629
 
c58629
-        realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm)
c58629
+        realm_not_matching_domain = (
c58629
+            self.api.env.domain.upper() != self.api.env.realm
c58629
+        )
c58629
 
c58629
         if options['trust_type'] == u'ad' and realm_not_matching_domain:
c58629
             raise errors.ValidationError(
c58629
@@ -917,11 +943,12 @@ sides.
c58629
                 )
c58629
 
c58629
             if range_type and range_type != old_range_type:
c58629
-                raise errors.ValidationError(name=_('range type change'),
c58629
-                    error=_('ID range for the trusted domain already exists, '
c58629
-                            'but it has a different type. Please remove the '
c58629
-                            'old range manually, or do not enforce type '
c58629
-                            'via --range-type option.'))
c58629
+                raise errors.ValidationError(
c58629
+                    name=_('range type change'),
c58629
+                    error=_('ID range for the trusted domain already '
c58629
+                            'exists, but it has a different type. Please '
c58629
+                            'remove the old range manually, or do not '
c58629
+                            'enforce type via --range-type option.'))
c58629
 
c58629
         return old_range, range_name, dom_sid
c58629
 
c58629
@@ -956,33 +983,55 @@ sides.
c58629
                     trust_type
c58629
                 )
c58629
             except errors.NotFound:
c58629
-                error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1])
c58629
-                instructions=[]
c58629
+                _message = _("Unable to resolve domain controller for "
c58629
+                             "{domain} domain. ")
c58629
+                error_message = unicode(_message).format(domain=keys[-1])
c58629
+                instructions = []
c58629
+
c58629
                 if dns_container_exists(self.obj.backend):
c58629
                     try:
c58629
-                        dns_zone = self.api.Command.dnszone_show(keys[-1])['result']
c58629
-                        if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only':
c58629
-                            instructions.append(_("Forward policy is defined for it in IPA DNS, "
c58629
-                                                   "perhaps forwarder points to incorrect host?"))
c58629
+                        dns_zone = self.api.Command.dnszone_show(
c58629
+                            keys[-1])['result']
c58629
+
c58629
+                        if (('idnsforwardpolicy' in dns_zone) and
c58629
+                                dns_zone['idnsforwardpolicy'][0] == u'only'):
c58629
+
c58629
+                            instructions.append(
c58629
+                                _("Forward policy is defined for it in "
c58629
+                                  "IPA DNS, perhaps forwarder points to "
c58629
+                                  "incorrect host?")
c58629
+                            )
c58629
                     except (errors.NotFound, KeyError):
c58629
-                        instructions.append(_("IPA manages DNS, please verify "
c58629
-                                              "your DNS configuration and "
c58629
-                                              "make sure that service records "
c58629
-                                              "of the '%(domain)s' domain can "
c58629
-                                              "be resolved. Examples how to "
c58629
-                                              "configure DNS with CLI commands "
c58629
-                                              "or the Web UI can be found in "
c58629
-                                              "the documentation. " ) %
c58629
-                                              dict(domain=keys[-1]))
c58629
+                        _instruction = _(
c58629
+                            "IPA manages DNS, please verify your DNS "
c58629
+                            "configuration and make sure that service "
c58629
+                            "records of the '{domain}' domain can be "
c58629
+                            "resolved. Examples how to configure DNS "
c58629
+                            "with CLI commands or the Web UI can be "
c58629
+                            "found in the documentation. "
c58629
+                        )
c58629
+                        instructions.append(
c58629
+                            unicode(_instruction).format(domain=keys[-1])
c58629
+                        )
c58629
                 else:
c58629
-                    instructions.append(_("Since IPA does not manage DNS records, ensure DNS "
c58629
-                                           "is configured to resolve '%(domain)s' domain from "
c58629
-                                           "IPA hosts and back.") % dict(domain=keys[-1]))
c58629
-                raise errors.NotFound(reason=error_message, instructions=instructions)
c58629
+                    _instruction = _(
c58629
+                        "Since IPA does not manage DNS records, ensure "
c58629
+                        "DNS is configured to resolve '{domain}' "
c58629
+                        "domain from IPA hosts and back."
c58629
+                    )
c58629
+                    instructions.append(
c58629
+                        unicode(_instruction).format(domain=keys[-1])
c58629
+                    )
c58629
+                raise errors.NotFound(
c58629
+                    reason=error_message,
c58629
+                    instructions=instructions
c58629
+                )
c58629
 
c58629
             if result is None:
c58629
-                raise errors.ValidationError(name=_('AD Trust setup'),
c58629
-                                             error=_('Unable to verify write permissions to the AD'))
c58629
+                raise errors.ValidationError(
c58629
+                    name=_('AD Trust setup'),
c58629
+                    error=_('Unable to verify write permissions to the AD')
c58629
+                )
c58629
 
c58629
             ret = dict(
c58629
                 value=pkey_to_value(
c58629
@@ -1019,12 +1068,14 @@ sides.
c58629
                 error=_('Not enough arguments specified to perform trust '
c58629
                         'setup'))
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust_del(LDAPDelete):
c58629
     __doc__ = _('Delete a trust.')
c58629
 
c58629
     msg_summary = _('Deleted trust "%(value)s"')
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust_mod(LDAPUpdate):
c58629
     __doc__ = _("""
c58629
@@ -1037,13 +1088,14 @@ class trust_mod(LDAPUpdate):
c58629
     msg_summary = _('Modified trust "%(value)s" '
c58629
                     '(change will be effective in 60 seconds)')
c58629
 
c58629
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
c58629
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
c58629
         assert isinstance(dn, DN)
c58629
 
c58629
-        self.obj.validate_sid_blacklists(entry_attrs)
c58629
+        self.obj.validate_sid_blacklists(e_attrs)
c58629
 
c58629
         return dn
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust_find(LDAPSearch):
c58629
     __doc__ = _('Search for trusts.')
c58629
@@ -1054,9 +1106,10 @@ class trust_find(LDAPSearch):
c58629
         '%(count)d trust matched', '%(count)d trusts matched', 0
c58629
     )
c58629
 
c58629
-    # Since all trusts types are stored within separate containers under 'cn=trusts',
c58629
-    # search needs to be done on a sub-tree scope
c58629
-    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
c58629
+    # Since all trusts types are stored within separate containers
c58629
+    # under 'cn=trusts', search needs to be done on a sub-tree scope
c58629
+    def pre_callback(self, ldap, filters, attrs_list,
c58629
+                     base_dn, scope, *args, **options):
c58629
         # list only trust, not trust domains
c58629
         return (filters, base_dn, ldap.SCOPE_SUBTREE)
c58629
 
c58629
@@ -1076,13 +1129,16 @@ class trust_find(LDAPSearch):
c58629
             trust_type = attrs.single_value.get('ipanttrusttype', None)
c58629
             attributes = attrs.single_value.get('ipanttrustattributes', 0)
c58629
             if not options.get('raw', False) and trust_type is not None:
c58629
-                attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
c58629
+                attrs['trusttype'] = [
c58629
+                    trust_type_string(trust_type, attributes)
c58629
+                ]
c58629
                 del attrs['ipanttrusttype']
c58629
                 if attributes:
c58629
                     del attrs['ipanttrustattributes']
c58629
 
c58629
         return truncated
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust_show(LDAPRetrieve):
c58629
     __doc__ = _('Display information about a trust.')
c58629
@@ -1098,7 +1154,7 @@ class trust_show(LDAPRetrieve):
c58629
 
c58629
         return result
c58629
 
c58629
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
c58629
+    def post_callback(self, ldap, dn, e_attrs, *keys, **options):
c58629
 
c58629
         assert isinstance(dn, DN)
c58629
         # Translate ipanttrusttype to trusttype
c58629
@@ -1106,25 +1162,28 @@ class trust_show(LDAPRetrieve):
c58629
         # if --raw not used
c58629
 
c58629
         if not options.get('raw', False):
c58629
-            trust_type = entry_attrs.single_value.get('ipanttrusttype', None)
c58629
-            attributes = entry_attrs.single_value.get('ipanttrustattributes', 0)
c58629
+            trust_type = e_attrs.single_value.get('ipanttrusttype', None)
c58629
+            attributes = e_attrs.single_value.get('ipanttrustattributes', 0)
c58629
             if trust_type is not None:
c58629
-                entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
c58629
-                del entry_attrs['ipanttrusttype']
c58629
+                e_attrs['trusttype'] = [
c58629
+                    trust_type_string(trust_type, attributes)
c58629
+                ]
c58629
+                del e_attrs['ipanttrusttype']
c58629
 
c58629
-            dir_str = entry_attrs.single_value.get('ipanttrustdirection', None)
c58629
+            dir_str = e_attrs.single_value.get('ipanttrustdirection', None)
c58629
             if dir_str is not None:
c58629
-                entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
c58629
-                del entry_attrs['ipanttrustdirection']
c58629
+                e_attrs['trustdirection'] = [trust_direction_string(dir_str)]
c58629
+                del e_attrs['ipanttrustdirection']
c58629
 
c58629
             if attributes:
c58629
-                del entry_attrs['ipanttrustattributes']
c58629
+                del e_attrs['ipanttrustattributes']
c58629
 
c58629
         return dn
c58629
 
c58629
 
c58629
 _trustconfig_dn = {
c58629
-    u'ad': DN(('cn', api.env.domain), api.env.container_cifsdomains, api.env.basedn),
c58629
+    u'ad': DN(('cn', api.env.domain),
c58629
+              api.env.container_cifsdomains, api.env.basedn),
c58629
 }
c58629
 
c58629
 
c58629
@@ -1184,8 +1243,10 @@ class trustconfig(LDAPObject):
c58629
         try:
c58629
             return _trustconfig_dn[kwargs['trust_type']]
c58629
         except KeyError:
c58629
-            raise errors.ValidationError(name='trust_type',
c58629
-                error=_("unsupported trust type"))
c58629
+            raise errors.ValidationError(
c58629
+                name='trust_type',
c58629
+                error=_("unsupported trust type")
c58629
+            )
c58629
 
c58629
     def _normalize_groupdn(self, entry_attrs):
c58629
         """
c58629
@@ -1254,8 +1315,8 @@ class trustconfig_mod(LDAPUpdate):
c58629
     msg_summary = _('Modified "%(value)s" trust configuration')
c58629
     has_output = output.simple_entry
c58629
 
c58629
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
c58629
-        self.obj._normalize_groupdn(entry_attrs)
c58629
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
c58629
+        self.obj._normalize_groupdn(e_attrs)
c58629
         return dn
c58629
 
c58629
     def execute(self, *keys, **options):
c58629
@@ -1263,14 +1324,13 @@ class trustconfig_mod(LDAPUpdate):
c58629
         result['value'] = pkey_to_value(options['trust_type'], options)
c58629
         return result
c58629
 
c58629
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
c58629
-        self.obj._convert_groupdn(entry_attrs, options)
c58629
+    def post_callback(self, ldap, dn, e_attrs, *keys, **options):
c58629
+        self.obj._convert_groupdn(e_attrs, options)
c58629
         self.api.Object.config.show_servroles_attributes(
c58629
-            entry_attrs, "AD trust agent", "AD trust controller", **options)
c58629
+            e_attrs, "AD trust agent", "AD trust controller", **options)
c58629
         return dn
c58629
 
c58629
 
c58629
-
c58629
 @register()
c58629
 class trustconfig_show(LDAPRetrieve):
c58629
     __doc__ = _('Show global trust configuration.')
c58629
@@ -1293,18 +1353,21 @@ class trustconfig_show(LDAPRetrieve):
c58629
 
c58629
 if _nss_idmap_installed:
c58629
     _idmap_type_dict = {
c58629
-        pysss_nss_idmap.ID_USER  : 'user',
c58629
-        pysss_nss_idmap.ID_GROUP : 'group',
c58629
-        pysss_nss_idmap.ID_BOTH  : 'both',
c58629
+        pysss_nss_idmap.ID_USER: 'user',
c58629
+        pysss_nss_idmap.ID_GROUP: 'group',
c58629
+        pysss_nss_idmap.ID_BOTH: 'both',
c58629
     }
c58629
+
c58629
     def idmap_type_string(level):
c58629
         string = _idmap_type_dict.get(int(level), 'unknown')
c58629
         return unicode(string)
c58629
 
c58629
+
c58629
 @register()
c58629
 class trust_resolve(Command):
c58629
     NO_CLI = True
c58629
-    __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
c58629
+    __doc__ = _('Resolve security identifiers of users and groups '
c58629
+                'in trusted domains')
c58629
 
c58629
     takes_options = (
c58629
         Str('sids+',
c58629
@@ -1313,8 +1376,8 @@ class trust_resolve(Command):
c58629
     )
c58629
 
c58629
     has_output_params = (
c58629
-        Str('name', label= _('Name')),
c58629
-        Str('sid', label= _('SID')),
c58629
+        Str('name', label=_('Name')),
c58629
+        Str('sid', label=_('SID')),
c58629
     )
c58629
 
c58629
     has_output = (
c58629
@@ -1326,13 +1389,15 @@ class trust_resolve(Command):
c58629
         if not _nss_idmap_installed:
c58629
             return dict(result=result)
c58629
         try:
c58629
+            NAME_KEY = pysss_nss_idmap.NAME_KEY
c58629
+            TYPE_KEY = pysss_nss_idmap.TYPE_KEY
c58629
             sids = [str(x) for x in options['sids']]
c58629
             xlate = pysss_nss_idmap.getnamebysid(sids)
c58629
             for sid in xlate:
c58629
                 entry = dict()
c58629
                 entry['sid'] = [unicode(sid)]
c58629
-                entry['name'] = [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
c58629
-                entry['type'] = [idmap_type_string(xlate[sid][pysss_nss_idmap.TYPE_KEY])]
c58629
+                entry['name'] = [unicode(xlate[sid][NAME_KEY])]
c58629
+                entry['type'] = [idmap_type_string(xlate[sid][TYPE_KEY])]
c58629
                 result.append(entry)
c58629
         except ValueError:
c58629
             pass
c58629
@@ -1340,7 +1405,6 @@ class trust_resolve(Command):
c58629
         return dict(result=result)
c58629
 
c58629
 
c58629
-
c58629
 @register()
c58629
 class adtrust_is_enabled(Command):
c58629
     NO_CLI = True
c58629
@@ -1367,7 +1431,6 @@ class adtrust_is_enabled(Command):
c58629
         return dict(result=True)
c58629
 
c58629
 
c58629
-
c58629
 @register()
c58629
 class compat_is_enabled(Command):
c58629
     NO_CLI = True
c58629
@@ -1411,7 +1474,6 @@ class compat_is_enabled(Command):
c58629
         return dict(result=True)
c58629
 
c58629
 
c58629
-
c58629
 @register()
c58629
 class sidgen_was_run(Command):
c58629
     """
c58629
@@ -1461,7 +1523,7 @@ class trustdomain(LDAPObject):
c58629
     Object representing a domain of the AD trust.
c58629
     """
c58629
     parent_object = 'trust'
c58629
-    trust_type_idx = {'2':u'ad'}
c58629
+    trust_type_idx = {'2': u'ad'}
c58629
     object_name = _('trust domain')
c58629
     object_name_plural = _('trust domains')
c58629
     object_class = ['ipaNTTrustedDomain']
c58629
@@ -1478,40 +1540,39 @@ class trustdomain(LDAPObject):
c58629
         Str('cn',
c58629
             label=_('Domain name'),
c58629
             cli_name='domain',
c58629
-            primary_key=True
c58629
-        ),
c58629
+            primary_key=True),
c58629
         Str('ipantflatname?',
c58629
             cli_name='flat_name',
c58629
-            label=_('Domain NetBIOS name'),
c58629
-        ),
c58629
+            label=_('Domain NetBIOS name')),
c58629
         Str('ipanttrusteddomainsid?',
c58629
             cli_name='sid',
c58629
-            label=_('Domain Security Identifier'),
c58629
-        ),
c58629
+            label=_('Domain Security Identifier')),
c58629
         Flag('domain_enabled',
c58629
-            label=_('Domain enabled'),
c58629
-            flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
c58629
-        ),
c58629
+             label=_('Domain enabled'),
c58629
+             flags={'virtual_attribute',
c58629
+                    'no_create', 'no_update', 'no_search'}),
c58629
     )
c58629
 
c58629
-    # LDAPObject.get_dn() only passes all but last element of keys and no kwargs
c58629
-    # to the parent object's get_dn() no matter what you pass to it. Make own get_dn()
c58629
-    # as we really need all elements to construct proper dn.
c58629
+    # LDAPObject.get_dn() only passes all but last element of keys and no
c58629
+    # kwargs to the parent object's get_dn() no matter what you pass to it.
c58629
+    # Make own get_dn() as we really need all elements to construct proper dn.
c58629
     def get_dn(self, *keys, **kwargs):
c58629
         sdn = [('cn', x) for x in keys]
c58629
         sdn.reverse()
c58629
         trust_type = kwargs.get('trust_type')
c58629
         if not trust_type:
c58629
-            trust_type=u'ad'
c58629
+            trust_type = u'ad'
c58629
 
c58629
-        dn=make_trust_dn(self.env, trust_type, DN(*sdn))
c58629
+        dn = make_trust_dn(self.env, trust_type, DN(*sdn))
c58629
         return dn
c58629
 
c58629
+
c58629
 @register()
c58629
 class trustdomain_find(LDAPSearch):
c58629
     __doc__ = _('Search domains of the trust')
c58629
 
c58629
-    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
c58629
+    def pre_callback(self, ldap, filters, attrs_list, base_dn,
c58629
+                     scope, *args, **options):
c58629
         return (filters, base_dn, ldap.SCOPE_SUBTREE)
c58629
 
c58629
     def post_callback(self, ldap, entries, truncated, *args, **options):
c58629
@@ -1532,7 +1593,6 @@ class trustdomain_find(LDAPSearch):
c58629
         return truncated
c58629
 
c58629
 
c58629
-
c58629
 @register()
c58629
 class trustdomain_mod(LDAPUpdate):
c58629
     __doc__ = _('Modify trustdomain of the trust')
c58629
@@ -1540,31 +1600,36 @@ class trustdomain_mod(LDAPUpdate):
c58629
     NO_CLI = True
c58629
     takes_options = LDAPUpdate.takes_options + (_trust_type_option,)
c58629
 
c58629
+
c58629
 @register()
c58629
 class trustdomain_add(LDAPCreate):
c58629
     __doc__ = _('Allow access from the trusted domain')
c58629
     NO_CLI = True
c58629
 
c58629
     takes_options = LDAPCreate.takes_options + (_trust_type_option,)
c58629
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
c58629
-        # ipaNTTrustPartner must always be set to the name of the trusted domain
c58629
-        # See MS-ADTS 6.1.6.7.13
c58629
-        entry_attrs['ipanttrustpartner'] = [dn[0]['cn']]
c58629
+
c58629
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
c58629
+        # ipaNTTrustPartner must always be set to the name of the trusted
c58629
+        # domain. See MS-ADTS 6.1.6.7.13
c58629
+        e_attrs['ipanttrustpartner'] = [dn[0]['cn']]
c58629
         return dn
c58629
 
c58629
 
c58629
 @register()
c58629
 class trustdomain_del(LDAPDelete):
c58629
-    __doc__ = _('Remove information about the domain associated with the trust.')
c58629
+    __doc__ = _('Remove information about the domain associated '
c58629
+                'with the trust.')
c58629
 
c58629
-    msg_summary = _('Removed information about the trusted domain "%(value)s"')
c58629
+    msg_summary = _('Removed information about the trusted domain '
c58629
+                    '"%(value)s"')
c58629
 
c58629
     def execute(self, *keys, **options):
c58629
         ldap = self.api.Backend.ldap2
c58629
         verify_samba_component_presence(ldap, self.api)
c58629
 
c58629
-        # Note that pre-/post- callback handling for LDAPDelete is causing pre_callback
c58629
-        # to always receive empty keys. We need to catch the case when root domain is being deleted
c58629
+        # Note that pre-/post- callback handling for LDAPDelete is causing
c58629
+        # pre_callback to always receive empty keys. We need to catch the case
c58629
+        # when root domain is being deleted
c58629
 
c58629
         for domain in keys[1]:
c58629
             try:
c58629
@@ -1603,10 +1668,10 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
c58629
     forest_root_name = trustinstance.remote_domain.info['dns_forest']
c58629
 
c58629
     # We want to use Kerberos if we have admin credentials even with SMB calls
c58629
-    # as eventually use of NTLMSSP will be deprecated for trusted domain operations
c58629
-    # If admin credentials are missing, 'creds' will be None and fetch_domains
c58629
-    # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
c58629
-    # as well.
c58629
+    # as eventually use of NTLMSSP will be deprecated for trusted domain
c58629
+    # operations If admin credentials are missing, 'creds' will be None and
c58629
+    # fetch_domains will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos
c58629
+    # authentication as well.
c58629
     creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
c58629
     server = options.get('realm_server', None)
c58629
     domains = ipaserver.dcerpc.fetch_domains(
c58629
@@ -1616,7 +1681,8 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
c58629
     return domains
c58629
 
c58629
 
c58629
-def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options):
c58629
+def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
c58629
+                               domains, **options):
c58629
     result = []
c58629
     if not domains:
c58629
         return result
c58629
@@ -1728,8 +1794,11 @@ class trustdomain_enable(LDAPQuery):
c58629
         verify_samba_component_presence(ldap, self.api)
c58629
 
c58629
         if keys[0].lower() == keys[1].lower():
c58629
-            raise errors.ValidationError(name='domain',
c58629
-                error=_("Root domain of the trust is always enabled for the existing trust"))
c58629
+            raise errors.ValidationError(
c58629
+                name='domain',
c58629
+                error=_("Root domain of the trust is always enabled "
c58629
+                        "for the existing trust")
c58629
+            )
c58629
         try:
c58629
             trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
c58629
             trust_entry = ldap.get_entry(trust_dn)
c58629
@@ -1766,8 +1835,11 @@ class trustdomain_disable(LDAPQuery):
c58629
         verify_samba_component_presence(ldap, self.api)
c58629
 
c58629
         if keys[0].lower() == keys[1].lower():
c58629
-            raise errors.ValidationError(name='domain',
c58629
-                error=_("cannot disable root domain of the trust, use trust-del to delete the trust itself"))
c58629
+            raise errors.ValidationError(
c58629
+                name='domain',
c58629
+                error=_("cannot disable root domain of the trust, "
c58629
+                        "use trust-del to delete the trust itself")
c58629
+            )
c58629
         try:
c58629
             trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
c58629
             trust_entry = ldap.get_entry(trust_dn)
c58629
-- 
c58629
2.13.6
c58629