From aae0cc2fdaeead8ff33ade93e73d6aba25704659 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 17 Nov 2017 17:25:57 +0200
Subject: [PATCH] ipaserver/plugins/trust.py: pep8 compliance
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
---
 ipaserver/plugins/trust.py | 356 +++++++++++++++++++++++++++------------------
 1 file changed, 214 insertions(+), 142 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
3f51ca
index d01529ee022d4a4f9b671a8f06156ed450326041..73e137abcec9625997a619fe64d4f615743247b1 100644
3f51ca
--- a/ipaserver/plugins/trust.py
3f51ca
+++ b/ipaserver/plugins/trust.py
3f51ca
@@ -81,10 +81,10 @@ Cross-realm trusts
3f51ca
 
3f51ca
 Manage trust relationship between IPA and Active Directory domains.
3f51ca
 
3f51ca
-In order to allow users from a remote domain to access resources in IPA
3f51ca
-domain, trust relationship needs to be established. Currently IPA supports
3f51ca
-only trusts between IPA and Active Directory domains under control of Windows
3f51ca
-Server 2008 or later, with functional level 2008 or later.
3f51ca
+In order to allow users from a remote domain to access resources in IPA domain,
3f51ca
+trust relationship needs to be established. Currently IPA supports only trusts
3f51ca
+between IPA and Active Directory domains under control of Windows Server 2008
3f51ca
+or later, with functional level 2008 or later.
3f51ca
 
3f51ca
 Please note that DNS on both IPA and Active Directory domain sides should be
3f51ca
 configured properly to discover each other. Trust relationship relies on
3f51ca
@@ -95,7 +95,8 @@ Examples:
3f51ca
 1. Establish cross-realm trust with Active Directory using AD administrator
3f51ca
    credentials:
3f51ca
 
3f51ca
-   ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> --password
3f51ca
+   ipa trust-add --type=ad <ad.domain> --admin <AD domain administrator> \
3f51ca
+           --password
3f51ca
 
3f51ca
 2. List all existing trust relationships:
3f51ca
 
3f51ca
@@ -110,35 +111,39 @@ Examples:
3f51ca
    ipa trust-del <ad.domain>
3f51ca
 
3f51ca
 Once trust relationship is established, remote users will need to be mapped
3f51ca
-to local POSIX groups in order to actually use IPA resources. The mapping should
3f51ca
-be done via use of external membership of non-POSIX group and then this group
3f51ca
-should be included into one of local POSIX groups.
3f51ca
+to local POSIX groups in order to actually use IPA resources. The mapping
3f51ca
+should be done via use of external membership of non-POSIX group and then
3f51ca
+this group should be included into one of local POSIX groups.
3f51ca
 
3f51ca
 Example:
3f51ca
 
3f51ca
-1. Create group for the trusted domain admins' mapping and their local POSIX group:
3f51ca
+1. Create group for the trusted domain admins' mapping and their local POSIX
3f51ca
+group:
3f51ca
 
3f51ca
-   ipa group-add --desc='<ad.domain> admins external map' ad_admins_external --external
3f51ca
+   ipa group-add --desc='<ad.domain> admins external map' \
3f51ca
+           ad_admins_external --external
3f51ca
    ipa group-add --desc='<ad.domain> admins' ad_admins
3f51ca
 
3f51ca
-2. Add security identifier of Domain Admins of the <ad.domain> to the ad_admins_external
3f51ca
-   group:
3f51ca
+2. Add security identifier of Domain Admins of the <ad.domain> to the
3f51ca
+   ad_admins_external group:
3f51ca
 
3f51ca
    ipa group-add-member ad_admins_external --external 'AD\\Domain Admins'
3f51ca
 
3f51ca
-3. Allow members of ad_admins_external group to be associated with ad_admins POSIX group:
3f51ca
+3. Allow members of ad_admins_external group to be associated with
3f51ca
+   ad_admins POSIX group:
3f51ca
 
3f51ca
    ipa group-add-member ad_admins --groups ad_admins_external
3f51ca
 
3f51ca
-4. List members of external members of ad_admins_external group to see their SIDs:
3f51ca
+4. List members of external members of ad_admins_external group to see
3f51ca
+   their SIDs:
3f51ca
 
3f51ca
    ipa group-show ad_admins_external
3f51ca
 
3f51ca
 
3f51ca
 GLOBAL TRUST CONFIGURATION
3f51ca
 
3f51ca
-When IPA AD trust subpackage is installed and ipa-adtrust-install is run,
3f51ca
-a local domain configuration (SID, GUID, NetBIOS name) is generated. These
3f51ca
+When IPA AD trust subpackage is installed and ipa-adtrust-install is run, a
3f51ca
+local domain configuration (SID, GUID, NetBIOS name) is generated. These
3f51ca
 identifiers are then used when communicating with a trusted domain of the
3f51ca
 particular type.
3f51ca
 
3f51ca
@@ -147,11 +152,11 @@ particular type.
3f51ca
    ipa trustconfig-show --type ad
3f51ca
 
3f51ca
 2. Modify global configuration for all trusts of Active Directory type and set
3f51ca
-   a different fallback primary group (fallback primary group GID is used as
3f51ca
-   a primary user GID if user authenticating to IPA domain does not have any other
3f51ca
-   primary GID already set):
3f51ca
+   a different fallback primary group (fallback primary group GID is used as a
3f51ca
+   primary user GID if user authenticating to IPA domain does not have any
3f51ca
+   other primary GID already set):
3f51ca
 
3f51ca
-   ipa trustconfig-mod --type ad --fallback-primary-group "alternative AD group"
3f51ca
+   ipa trustconfig-mod --type ad --fallback-primary-group "another AD group"
3f51ca
 
3f51ca
 3. Change primary fallback group back to default hidden group (any group with
3f51ca
    posixGroup object class is allowed):
3f51ca
@@ -185,6 +190,7 @@ def make_trust_dn(env, trust_type, dn):
3f51ca
         return DN(dn, container_dn)
3f51ca
     return dn
3f51ca
 
3f51ca
+
3f51ca
 def find_adtrust_masters(ldap, api):
3f51ca
     """
3f51ca
     Returns a list of names of IPA servers with ADTRUST component configured.
3f51ca
@@ -200,6 +206,7 @@ def find_adtrust_masters(ldap, api):
3f51ca
 
3f51ca
     return [entry.dn[1].value for entry in entries]
3f51ca
 
3f51ca
+
3f51ca
 def verify_samba_component_presence(ldap, api):
3f51ca
     """
3f51ca
     Verifies that Samba is installed and configured on this particular master.
3f51ca
@@ -233,7 +240,7 @@ def verify_samba_component_presence(ldap, api):
3f51ca
 
3f51ca
     # First check for packages missing
3f51ca
     elif not _bindings_installed:
3f51ca
-        error_message=_(
3f51ca
+        error_message = _(
3f51ca
             'Cannot perform the selected command without Samba 4 support '
3f51ca
             'installed. Make sure you have installed server-trust-ad '
3f51ca
             'sub-package of IPA.'
3f51ca
@@ -243,7 +250,7 @@ def verify_samba_component_presence(ldap, api):
3f51ca
 
3f51ca
     # Packages present, but ADTRUST instance is not configured
3f51ca
     elif not adtrust_present:
3f51ca
-        error_message=_(
3f51ca
+        error_message = _(
3f51ca
             'Cannot perform the selected command without Samba 4 instance '
3f51ca
             'configured on this machine. Make sure you have run '
3f51ca
             'ipa-adtrust-install on this server.'
3f51ca
@@ -263,7 +270,8 @@ def generate_creds(trustinstance, style, **options):
3f51ca
        **options     -- options with realm_admin and realm_passwd keys
3f51ca
 
3f51ca
     Result:
3f51ca
-       a string representing credentials with first % separating username and password
3f51ca
+       a string representing credentials with first % separating
3f51ca
+       username and password
3f51ca
        None is returned if realm_passwd key returns nothing from options
3f51ca
     """
3f51ca
     creds = None
3f51ca
@@ -284,8 +292,9 @@ def generate_creds(trustinstance, style, **options):
3f51ca
             else:
3f51ca
                 sp = admin_name.split(sep)
3f51ca
             if len(sp) == 1:
3f51ca
-                sp.append(trustinstance.remote_domain
3f51ca
-                          .info['dns_domain'].upper())
3f51ca
+                sp.append(
3f51ca
+                    trustinstance.remote_domain.info['dns_domain'].upper()
3f51ca
+                )
3f51ca
         creds = u"{name}%{password}".format(name=sep.join(sp),
3f51ca
                                             password=password)
3f51ca
     return creds
3f51ca
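Review bot: `creds` is assembled as `name%password`, and the docstring says the first `%` separates the two, but nothing visible in generate_creds rejects an administrator name that itself contains `%`. Such a name would move the split point, so part of the name would be treated as the password; a guard before the `format` call would prevent that, for example `if u'%' in admin_name: raise errors.ValidationError(name='realm_admin', error=_("administrator name must not contain a percent sign"))`. Where `admin_name` is read is outside the hunk, so this may already be checked there.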
@@ -334,7 +343,8 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
3f51ca
         creds = None
3f51ca
         if trustinstance:
3f51ca
             # Re-use AD administrator credentials if they were provided
3f51ca
-            creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
3f51ca
+            creds = generate_creds(trustinstance,
3f51ca
+                                   style=CRED_STYLE_KERBEROS, **options)
3f51ca
             if creds:
3f51ca
                 domain_validator._admin_creds = creds
3f51ca
         # KDC might not get refreshed data at the first time,
3f51ca
@@ -417,21 +427,32 @@ def fetch_trusted_domains_over_dbus(myapi, log, forest_name):
3f51ca
         _stdout = ''
3f51ca
         _stderr = ''
3f51ca
         bus = dbus.SystemBus()
3f51ca
-        intf = bus.get_object(DBUS_IFACE_TRUST,"/", follow_name_owner_changes=True)
3f51ca
-        fetch_domains_method = intf.get_dbus_method('fetch_domains', dbus_interface=DBUS_IFACE_TRUST)
3f51ca
+        intf = bus.get_object(DBUS_IFACE_TRUST, "/",
3f51ca
+                              follow_name_owner_changes=True)
3f51ca
+        fetch_domains_method = intf.get_dbus_method(
3f51ca
+                'fetch_domains',
3f51ca
+                dbus_interface=DBUS_IFACE_TRUST)
3f51ca
         (_ret, _stdout, _stderr) = fetch_domains_method(forest_name)
3f51ca
     except dbus.DBusException as e:
3f51ca
-        log.error('Failed to call %(iface)s.fetch_domains helper.'
3f51ca
-                       'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e)))
3f51ca
+        log.error(
3f51ca
+            'Failed to call %(iface)s.fetch_domains helper. '
3f51ca
+            'DBus exception is %(exc)s.' % dict(iface=DBUS_IFACE_TRUST, exc=str(e))
3f51ca
+        )
3f51ca
         if _ret != 0:
3f51ca
-            log.error('Helper was called for forest %(forest)s, return code is %(ret)d' % dict(forest=forest_name, ret=_ret))
3f51ca
-            log.error('Standard output from the helper:\n%s---\n' % (_stdout))
3f51ca
-            log.error('Error output from the helper:\n%s--\n' % (_stderr))
3f51ca
-        raise errors.ServerCommandError(server=myapi.env.host,
3f51ca
-                                        error=_('Fetching domains from trusted forest failed. '
3f51ca
-                                                'See details in the error_log'))
3f51ca
+            log.error(
3f51ca
+                'Helper was called for forest %s, return code is %d',
3f51ca
+                forest_name, _ret
3f51ca
+            )
3f51ca
+            log.error('Standard output from the helper:\n%s---\n', _stdout)
3f51ca
+            log.error('Error output from the helper:\n%s--\n', _stderr)
3f51ca
+        raise errors.ServerCommandError(
3f51ca
+            server=myapi.env.host,
3f51ca
+            error=_('Fetching domains from trusted forest failed. '
3f51ca
+                    'See details in the error_log')
3f51ca
+        )
3f51ca
     return
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust(LDAPObject):
3f51ca
     """
3f51ca
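Review bot: In fetch_trusted_domains_over_dbus the `if _ret != 0:` check still sits inside the `except dbus.DBusException` handler, so a helper that returns a non-zero code without raising falls through to the bare `return` and the caller sees success; if a non-zero code is meant to be a failure, the check belongs after the try/except. The first `log.error` in the handler also keeps eager `%` formatting with a `dict`, unlike the three calls below it that now pass lazy arguments, and its second line is still longer than 79 columns. The `try:` line and the initial value of `_ret` are above the hunk, so confirm that `_ret` is defined on the exception path. One possible shape is below.

```python
    except dbus.DBusException as e:
        log.error('Failed to call %s.fetch_domains helper. '
                  'DBus exception is %s.', DBUS_IFACE_TRUST, e)
        raise errors.ServerCommandError(
            server=myapi.env.host,
            error=_('Fetching domains from trusted forest failed. '
                    'See details in the error_log')
        )
    if _ret != 0:
        # … unchanged: the three log.error calls for return code, stdout and stderr …
        raise errors.ServerCommandError(
            server=myapi.env.host,
            error=_('Fetching domains from trusted forest failed. '
                    'See details in the error_log')
        )
    return
```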
@@ -538,8 +559,8 @@ class trust(LDAPObject):
3f51ca
                 continue
3f51ca
             for value in values:
3f51ca
                 if not ipaserver.dcerpc.is_sid_valid(value):
3f51ca
-                    raise errors.ValidationError(name=attr,
3f51ca
-                            error=_("invalid SID: %(value)s") % dict(value=value))
3f51ca
+                    err = unicode(_("invalid SID: {SID}")).format(SID=value)
3f51ca
+                    raise errors.ValidationError(name=attr, error=err)
3f51ca
 
3f51ca
     def get_dn(self, *keys, **kwargs):
3f51ca
         trust_type = kwargs.get('trust_type')
3f51ca
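Review bot: The rewrite of the invalid-SID error changes the translatable msgid from `invalid SID: %(value)s` to `invalid SID: {SID}`, so existing catalog entries for it stop matching even though the commit is described as formatting only. The line length can be fixed without touching the string: `err = _("invalid SID: %(value)s") % dict(value=value)` followed by `raise errors.ValidationError(name=attr, error=err)`. The `@@ -956,33 +983,55 @@` hunk swaps `%`-style placeholders for `{domain}` in three more messages in the same way.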
@@ -600,7 +621,8 @@ class trust(LDAPObject):
3f51ca
                 add_message(
3f51ca
                     options['version'],
3f51ca
                     result,
3f51ca
-                    BrokenTrust(domain=entry.single_value['cn']))
3f51ca
+                    BrokenTrust(domain=entry.single_value['cn'])
3f51ca
+                )
3f51ca
 
3f51ca
 
3f51ca
 @register()
3f51ca
@@ -622,7 +644,7 @@ sides.
3f51ca
     range_types = {
3f51ca
         u'ipa-ad-trust': unicode(_('Active Directory domain range')),
3f51ca
         u'ipa-ad-trust-posix': unicode(_('Active Directory trust range with '
3f51ca
-                                        'POSIX attributes')),
3f51ca
+                                         'POSIX attributes')),
3f51ca
                   }
3f51ca
 
3f51ca
     takes_options = LDAPCreate.takes_options + (
3f51ca
@@ -720,9 +742,10 @@ sides.
3f51ca
 
3f51ca
         trust_filter = "cn=%s" % result['value']
3f51ca
         trusts, _truncated = ldap.find_entries(
3f51ca
-                         base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
3f51ca
-                         filter=trust_filter,
3f51ca
-                         attrs_list=attrs_list)
3f51ca
+            base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
3f51ca
+            filter=trust_filter,
3f51ca
+            attrs_list=attrs_list
3f51ca
+        )
3f51ca
 
3f51ca
         result['result'] = entry_to_dict(trusts[0], **options)
3f51ca
 
3f51ca
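Review bot: `trust_filter = "cn=%s" % result['value']` builds the LDAP search filter by plain string interpolation, so any `(`, `)`, `*` or `\` in the value changes the filter instead of being matched literally. The value is the trust's key from the preceding result and has probably been validated as a domain name, but that validation is outside the hunk, so escaping here is the safer default; the backend's filter builder does this, `trust_filter = ldap.make_filter_from_attr('cn', result['value'])`. The enclosing method starts and ends outside the hunk.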
@@ -731,10 +754,11 @@ sides.
3f51ca
         # Note that add_new_domains_from_trust will add needed ranges for
3f51ca
         # the algorithmic ID mapping case.
3f51ca
         if (options.get('trust_type') == u'ad' and
3f51ca
-            options.get('trust_secret') is None):
3f51ca
+                options.get('trust_secret') is None):
3f51ca
+
3f51ca
             if options.get('bidirectional') == True:
3f51ca
-                # Bidirectional trust allows us to use cross-realm TGT, so we can
3f51ca
-                # run the call under original user's credentials
3f51ca
+                # Bidirectional trust allows us to use cross-realm TGT,
3f51ca
+                # so we can run the call under original user's credentials
3f51ca
                 res = fetch_domains_from_trust(self.api, self.trustinstance,
3f51ca
                                                **options)
3f51ca
                 add_new_domains_from_trust(
3f51ca
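Review bot: `if options.get('bidirectional') == True:` is left as it was, and pycodestyle reports a comparison to `True` as E712, which a PEP 8 cleanup would normally clear. `if options.get('bidirectional') is True:` keeps the check strict; plain `if options.get('bidirectional'):` is equivalent only if the option is always a bool or missing, which the hunk does not show.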
@@ -790,7 +814,9 @@ sides.
3f51ca
         # If domain name and realm does not match, IPA server is not be able
3f51ca
         # to establish trust with Active Directory.
3f51ca
 
3f51ca
-        realm_not_matching_domain = (self.api.env.domain.upper() != self.api.env.realm)
3f51ca
+        realm_not_matching_domain = (
3f51ca
+            self.api.env.domain.upper() != self.api.env.realm
3f51ca
+        )
3f51ca
 
3f51ca
         if options['trust_type'] == u'ad' and realm_not_matching_domain:
3f51ca
             raise errors.ValidationError(
3f51ca
@@ -917,11 +943,12 @@ sides.
3f51ca
                 )
3f51ca
 
3f51ca
             if range_type and range_type != old_range_type:
3f51ca
-                raise errors.ValidationError(name=_('range type change'),
3f51ca
-                    error=_('ID range for the trusted domain already exists, '
3f51ca
-                            'but it has a different type. Please remove the '
3f51ca
-                            'old range manually, or do not enforce type '
3f51ca
-                            'via --range-type option.'))
3f51ca
+                raise errors.ValidationError(
3f51ca
+                    name=_('range type change'),
3f51ca
+                    error=_('ID range for the trusted domain already '
3f51ca
+                            'exists, but it has a different type. Please '
3f51ca
+                            'remove the old range manually, or do not '
3f51ca
+                            'enforce type via --range-type option.'))
3f51ca
 
3f51ca
         return old_range, range_name, dom_sid
3f51ca
 
3f51ca
@@ -956,33 +983,55 @@ sides.
3f51ca
                     trust_type
3f51ca
                 )
3f51ca
             except errors.NotFound:
3f51ca
-                error_message=_("Unable to resolve domain controller for '%s' domain. ") % (keys[-1])
3f51ca
-                instructions=[]
3f51ca
+                _message = _("Unable to resolve domain controller for "
3f51ca
+                             "{domain} domain. ")
3f51ca
+                error_message = unicode(_message).format(domain=keys[-1])
3f51ca
+                instructions = []
3f51ca
+
3f51ca
                 if dns_container_exists(self.obj.backend):
3f51ca
                     try:
3f51ca
-                        dns_zone = self.api.Command.dnszone_show(keys[-1])['result']
3f51ca
-                        if ('idnsforwardpolicy' in dns_zone) and dns_zone['idnsforwardpolicy'][0] == u'only':
3f51ca
-                            instructions.append(_("Forward policy is defined for it in IPA DNS, "
3f51ca
-                                                   "perhaps forwarder points to incorrect host?"))
3f51ca
+                        dns_zone = self.api.Command.dnszone_show(
3f51ca
+                            keys[-1])['result']
3f51ca
+
3f51ca
+                        if (('idnsforwardpolicy' in dns_zone) and
3f51ca
+                                dns_zone['idnsforwardpolicy'][0] == u'only'):
3f51ca
+
3f51ca
+                            instructions.append(
3f51ca
+                                _("Forward policy is defined for it in "
3f51ca
+                                  "IPA DNS, perhaps forwarder points to "
3f51ca
+                                  "incorrect host?")
3f51ca
+                            )
3f51ca
                     except (errors.NotFound, KeyError):
3f51ca
-                        instructions.append(_("IPA manages DNS, please verify "
3f51ca
-                                              "your DNS configuration and "
3f51ca
-                                              "make sure that service records "
3f51ca
-                                              "of the '%(domain)s' domain can "
3f51ca
-                                              "be resolved. Examples how to "
3f51ca
-                                              "configure DNS with CLI commands "
3f51ca
-                                              "or the Web UI can be found in "
3f51ca
-                                              "the documentation. " ) %
3f51ca
-                                              dict(domain=keys[-1]))
3f51ca
+                        _instruction = _(
3f51ca
+                            "IPA manages DNS, please verify your DNS "
3f51ca
+                            "configuration and make sure that service "
3f51ca
+                            "records of the '{domain}' domain can be "
3f51ca
+                            "resolved. Examples how to configure DNS "
3f51ca
+                            "with CLI commands or the Web UI can be "
3f51ca
+                            "found in the documentation. "
3f51ca
+                        )
3f51ca
+                        instructions.append(
3f51ca
+                            unicode(_instruction).format(domain=keys[-1])
3f51ca
+                        )
3f51ca
                 else:
3f51ca
-                    instructions.append(_("Since IPA does not manage DNS records, ensure DNS "
3f51ca
-                                           "is configured to resolve '%(domain)s' domain from "
3f51ca
-                                           "IPA hosts and back.") % dict(domain=keys[-1]))
3f51ca
-                raise errors.NotFound(reason=error_message, instructions=instructions)
3f51ca
+                    _instruction = _(
3f51ca
+                        "Since IPA does not manage DNS records, ensure "
3f51ca
+                        "DNS is configured to resolve '{domain}' "
3f51ca
+                        "domain from IPA hosts and back."
3f51ca
+                    )
3f51ca
+                    instructions.append(
3f51ca
+                        unicode(_instruction).format(domain=keys[-1])
3f51ca
+                    )
3f51ca
+                raise errors.NotFound(
3f51ca
+                    reason=error_message,
3f51ca
+                    instructions=instructions
3f51ca
+                )
3f51ca
 
3f51ca
             if result is None:
3f51ca
-                raise errors.ValidationError(name=_('AD Trust setup'),
3f51ca
-                                             error=_('Unable to verify write permissions to the AD'))
3f51ca
+                raise errors.ValidationError(
3f51ca
+                    name=_('AD Trust setup'),
3f51ca
+                    error=_('Unable to verify write permissions to the AD')
3f51ca
+                )
3f51ca
 
3f51ca
             ret = dict(
3f51ca
                 value=pkey_to_value(
3f51ca
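Review bot: The new `Unable to resolve domain controller for {domain} domain. ` message drops the single quotes that the old `'%s'` had around the domain name, while the two DNS instruction strings below it keep `'{domain}'`. That is a user-visible text change in a formatting commit and leaves the messages inconsistent; writing the second literal as `"'{domain}' domain. "` restores it. The domain comes from `keys[-1]` and is passed as a `.format()` argument rather than as the template, so braces in it are not interpreted.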
@@ -1019,12 +1068,14 @@ sides.
3f51ca
                 error=_('Not enough arguments specified to perform trust '
3f51ca
                         'setup'))
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust_del(LDAPDelete):
3f51ca
     __doc__ = _('Delete a trust.')
3f51ca
 
3f51ca
     msg_summary = _('Deleted trust "%(value)s"')
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust_mod(LDAPUpdate):
3f51ca
     __doc__ = _("""
3f51ca
@@ -1037,13 +1088,14 @@ class trust_mod(LDAPUpdate):
3f51ca
     msg_summary = _('Modified trust "%(value)s" '
3f51ca
                     '(change will be effective in 60 seconds)')
3f51ca
 
3f51ca
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
3f51ca
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
3f51ca
         assert isinstance(dn, DN)
3f51ca
 
3f51ca
-        self.obj.validate_sid_blacklists(entry_attrs)
3f51ca
+        self.obj.validate_sid_blacklists(e_attrs)
3f51ca
 
3f51ca
         return dn
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust_find(LDAPSearch):
3f51ca
     __doc__ = _('Search for trusts.')
3f51ca
@@ -1054,9 +1106,10 @@ class trust_find(LDAPSearch):
3f51ca
         '%(count)d trust matched', '%(count)d trusts matched', 0
3f51ca
     )
3f51ca
 
3f51ca
-    # Since all trusts types are stored within separate containers under 'cn=trusts',
3f51ca
-    # search needs to be done on a sub-tree scope
3f51ca
-    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
3f51ca
+    # Since all trusts types are stored within separate containers
3f51ca
+    # under 'cn=trusts', search needs to be done on a sub-tree scope
3f51ca
+    def pre_callback(self, ldap, filters, attrs_list,
3f51ca
+                     base_dn, scope, *args, **options):
3f51ca
         # list only trust, not trust domains
3f51ca
         return (filters, base_dn, ldap.SCOPE_SUBTREE)
3f51ca
 
3f51ca
@@ -1076,13 +1129,16 @@ class trust_find(LDAPSearch):
3f51ca
             trust_type = attrs.single_value.get('ipanttrusttype', None)
3f51ca
             attributes = attrs.single_value.get('ipanttrustattributes', 0)
3f51ca
             if not options.get('raw', False) and trust_type is not None:
3f51ca
-                attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
3f51ca
+                attrs['trusttype'] = [
3f51ca
+                    trust_type_string(trust_type, attributes)
3f51ca
+                ]
3f51ca
                 del attrs['ipanttrusttype']
3f51ca
                 if attributes:
3f51ca
                     del attrs['ipanttrustattributes']
3f51ca
 
3f51ca
         return truncated
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust_show(LDAPRetrieve):
3f51ca
     __doc__ = _('Display information about a trust.')
3f51ca
@@ -1098,7 +1154,7 @@ class trust_show(LDAPRetrieve):
3f51ca
 
3f51ca
         return result
3f51ca
 
3f51ca
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
3f51ca
+    def post_callback(self, ldap, dn, e_attrs, *keys, **options):
3f51ca
 
3f51ca
         assert isinstance(dn, DN)
3f51ca
         # Translate ipanttrusttype to trusttype
3f51ca
@@ -1106,25 +1162,28 @@ class trust_show(LDAPRetrieve):
3f51ca
         # if --raw not used
3f51ca
 
3f51ca
         if not options.get('raw', False):
3f51ca
-            trust_type = entry_attrs.single_value.get('ipanttrusttype', None)
3f51ca
-            attributes = entry_attrs.single_value.get('ipanttrustattributes', 0)
3f51ca
+            trust_type = e_attrs.single_value.get('ipanttrusttype', None)
3f51ca
+            attributes = e_attrs.single_value.get('ipanttrustattributes', 0)
3f51ca
             if trust_type is not None:
3f51ca
-                entry_attrs['trusttype'] = [trust_type_string(trust_type, attributes)]
3f51ca
-                del entry_attrs['ipanttrusttype']
3f51ca
+                e_attrs['trusttype'] = [
3f51ca
+                    trust_type_string(trust_type, attributes)
3f51ca
+                ]
3f51ca
+                del e_attrs['ipanttrusttype']
3f51ca
 
3f51ca
-            dir_str = entry_attrs.single_value.get('ipanttrustdirection', None)
3f51ca
+            dir_str = e_attrs.single_value.get('ipanttrustdirection', None)
3f51ca
             if dir_str is not None:
3f51ca
-                entry_attrs['trustdirection'] = [trust_direction_string(dir_str)]
3f51ca
-                del entry_attrs['ipanttrustdirection']
3f51ca
+                e_attrs['trustdirection'] = [trust_direction_string(dir_str)]
3f51ca
+                del e_attrs['ipanttrustdirection']
3f51ca
 
3f51ca
             if attributes:
3f51ca
-                del entry_attrs['ipanttrustattributes']
3f51ca
+                del e_attrs['ipanttrustattributes']
3f51ca
 
3f51ca
         return dn
3f51ca
 
3f51ca
 
3f51ca
 _trustconfig_dn = {
3f51ca
-    u'ad': DN(('cn', api.env.domain), api.env.container_cifsdomains, api.env.basedn),
3f51ca
+    u'ad': DN(('cn', api.env.domain),
3f51ca
+              api.env.container_cifsdomains, api.env.basedn),
3f51ca
 }
3f51ca
 
3f51ca
 
3f51ca
@@ -1184,8 +1243,10 @@ class trustconfig(LDAPObject):
3f51ca
         try:
3f51ca
             return _trustconfig_dn[kwargs['trust_type']]
3f51ca
         except KeyError:
3f51ca
-            raise errors.ValidationError(name='trust_type',
3f51ca
-                error=_("unsupported trust type"))
3f51ca
+            raise errors.ValidationError(
3f51ca
+                name='trust_type',
3f51ca
+                error=_("unsupported trust type")
3f51ca
+            )
3f51ca
 
3f51ca
     def _normalize_groupdn(self, entry_attrs):
3f51ca
         """
3f51ca
@@ -1254,8 +1315,8 @@ class trustconfig_mod(LDAPUpdate):
3f51ca
     msg_summary = _('Modified "%(value)s" trust configuration')
3f51ca
     has_output = output.simple_entry
3f51ca
 
3f51ca
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
3f51ca
-        self.obj._normalize_groupdn(entry_attrs)
3f51ca
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
3f51ca
+        self.obj._normalize_groupdn(e_attrs)
3f51ca
         return dn
3f51ca
 
3f51ca
     def execute(self, *keys, **options):
3f51ca
@@ -1263,14 +1324,13 @@ class trustconfig_mod(LDAPUpdate):
3f51ca
         result['value'] = pkey_to_value(options['trust_type'], options)
3f51ca
         return result
3f51ca
 
3f51ca
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
3f51ca
-        self.obj._convert_groupdn(entry_attrs, options)
3f51ca
+    def post_callback(self, ldap, dn, e_attrs, *keys, **options):
3f51ca
+        self.obj._convert_groupdn(e_attrs, options)
3f51ca
         self.api.Object.config.show_servroles_attributes(
3f51ca
-            entry_attrs, "AD trust agent", "AD trust controller", **options)
3f51ca
+            e_attrs, "AD trust agent", "AD trust controller", **options)
3f51ca
         return dn
3f51ca
 
3f51ca
 
3f51ca
-
3f51ca
 @register()
3f51ca
 class trustconfig_show(LDAPRetrieve):
3f51ca
     __doc__ = _('Show global trust configuration.')
3f51ca
@@ -1293,18 +1353,21 @@ class trustconfig_show(LDAPRetrieve):
3f51ca
 
3f51ca
 if _nss_idmap_installed:
3f51ca
     _idmap_type_dict = {
3f51ca
-        pysss_nss_idmap.ID_USER  : 'user',
3f51ca
-        pysss_nss_idmap.ID_GROUP : 'group',
3f51ca
-        pysss_nss_idmap.ID_BOTH  : 'both',
3f51ca
+        pysss_nss_idmap.ID_USER: 'user',
3f51ca
+        pysss_nss_idmap.ID_GROUP: 'group',
3f51ca
+        pysss_nss_idmap.ID_BOTH: 'both',
3f51ca
     }
3f51ca
+
3f51ca
     def idmap_type_string(level):
3f51ca
         string = _idmap_type_dict.get(int(level), 'unknown')
3f51ca
         return unicode(string)
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trust_resolve(Command):
3f51ca
     NO_CLI = True
3f51ca
-    __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
3f51ca
+    __doc__ = _('Resolve security identifiers of users and groups '
3f51ca
+                'in trusted domains')
3f51ca
 
3f51ca
     takes_options = (
3f51ca
         Str('sids+',
3f51ca
@@ -1313,8 +1376,8 @@ class trust_resolve(Command):
3f51ca
     )
3f51ca
 
3f51ca
     has_output_params = (
3f51ca
-        Str('name', label= _('Name')),
3f51ca
-        Str('sid', label= _('SID')),
3f51ca
+        Str('name', label=_('Name')),
3f51ca
+        Str('sid', label=_('SID')),
3f51ca
     )
3f51ca
 
3f51ca
     has_output = (
3f51ca
@@ -1326,13 +1389,15 @@ class trust_resolve(Command):
3f51ca
         if not _nss_idmap_installed:
3f51ca
             return dict(result=result)
3f51ca
         try:
3f51ca
+            NAME_KEY = pysss_nss_idmap.NAME_KEY
3f51ca
+            TYPE_KEY = pysss_nss_idmap.TYPE_KEY
3f51ca
             sids = [str(x) for x in options['sids']]
3f51ca
             xlate = pysss_nss_idmap.getnamebysid(sids)
3f51ca
             for sid in xlate:
3f51ca
                 entry = dict()
3f51ca
                 entry['sid'] = [unicode(sid)]
3f51ca
-                entry['name'] = [unicode(xlate[sid][pysss_nss_idmap.NAME_KEY])]
3f51ca
-                entry['type'] = [idmap_type_string(xlate[sid][pysss_nss_idmap.TYPE_KEY])]
3f51ca
+                entry['name'] = [unicode(xlate[sid][NAME_KEY])]
3f51ca
+                entry['type'] = [idmap_type_string(xlate[sid][TYPE_KEY])]
3f51ca
                 result.append(entry)
3f51ca
         except ValueError:
3f51ca
             pass
3f51ca
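Review bot: `except ValueError: pass` makes a ValueError raised anywhere inside the `try` indistinguishable from an empty answer, and nothing in the hunk records why the error is safe to drop; a short comment such as `# lookup failure is reported as an empty result` or a log call would make that explicit. The new locals `NAME_KEY` and `TYPE_KEY` are upper-case names inside a function, which PEP 8 naming checkers flag (N806); `name_key` and `type_key` would fit the purpose of the commit. The method's signature and the initialisation of `result` are above the hunk.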
@@ -1340,7 +1405,6 @@ class trust_resolve(Command):
3f51ca
         return dict(result=result)
3f51ca
 
3f51ca
 
3f51ca
-
3f51ca
 @register()
3f51ca
 class adtrust_is_enabled(Command):
3f51ca
     NO_CLI = True
3f51ca
@@ -1367,7 +1431,6 @@ class adtrust_is_enabled(Command):
3f51ca
         return dict(result=True)
3f51ca
 
3f51ca
 
3f51ca
-
3f51ca
 @register()
3f51ca
 class compat_is_enabled(Command):
3f51ca
     NO_CLI = True
3f51ca
@@ -1411,7 +1474,6 @@ class compat_is_enabled(Command):
3f51ca
         return dict(result=True)
3f51ca
 
3f51ca
 
3f51ca
-
3f51ca
 @register()
3f51ca
 class sidgen_was_run(Command):
3f51ca
     """
3f51ca
@@ -1461,7 +1523,7 @@ class trustdomain(LDAPObject):
3f51ca
     Object representing a domain of the AD trust.
3f51ca
     """
3f51ca
     parent_object = 'trust'
3f51ca
-    trust_type_idx = {'2':u'ad'}
3f51ca
+    trust_type_idx = {'2': u'ad'}
3f51ca
     object_name = _('trust domain')
3f51ca
     object_name_plural = _('trust domains')
3f51ca
     object_class = ['ipaNTTrustedDomain']
3f51ca
@@ -1478,40 +1540,39 @@ class trustdomain(LDAPObject):
3f51ca
         Str('cn',
3f51ca
             label=_('Domain name'),
3f51ca
             cli_name='domain',
3f51ca
-            primary_key=True
3f51ca
-        ),
3f51ca
+            primary_key=True),
3f51ca
         Str('ipantflatname?',
3f51ca
             cli_name='flat_name',
3f51ca
-            label=_('Domain NetBIOS name'),
3f51ca
-        ),
3f51ca
+            label=_('Domain NetBIOS name')),
3f51ca
         Str('ipanttrusteddomainsid?',
3f51ca
             cli_name='sid',
3f51ca
-            label=_('Domain Security Identifier'),
3f51ca
-        ),
3f51ca
+            label=_('Domain Security Identifier')),
3f51ca
         Flag('domain_enabled',
3f51ca
-            label=_('Domain enabled'),
3f51ca
-            flags={'virtual_attribute', 'no_create', 'no_update', 'no_search'},
3f51ca
-        ),
3f51ca
+             label=_('Domain enabled'),
3f51ca
+             flags={'virtual_attribute',
3f51ca
+                    'no_create', 'no_update', 'no_search'}),
3f51ca
     )
3f51ca
 
3f51ca
-    # LDAPObject.get_dn() only passes all but last element of keys and no kwargs
3f51ca
-    # to the parent object's get_dn() no matter what you pass to it. Make own get_dn()
3f51ca
-    # as we really need all elements to construct proper dn.
3f51ca
+    # LDAPObject.get_dn() only passes all but last element of keys and no
3f51ca
+    # kwargs to the parent object's get_dn() no matter what you pass to it.
3f51ca
+    # Make own get_dn() as we really need all elements to construct proper dn.
3f51ca
     def get_dn(self, *keys, **kwargs):
3f51ca
         sdn = [('cn', x) for x in keys]
3f51ca
         sdn.reverse()
3f51ca
         trust_type = kwargs.get('trust_type')
3f51ca
         if not trust_type:
3f51ca
-            trust_type=u'ad'
3f51ca
+            trust_type = u'ad'
3f51ca
 
3f51ca
-        dn=make_trust_dn(self.env, trust_type, DN(*sdn))
3f51ca
+        dn = make_trust_dn(self.env, trust_type, DN(*sdn))
3f51ca
         return dn
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trustdomain_find(LDAPSearch):
3f51ca
     __doc__ = _('Search domains of the trust')
3f51ca
 
3f51ca
-    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
3f51ca
+    def pre_callback(self, ldap, filters, attrs_list, base_dn,
3f51ca
+                     scope, *args, **options):
3f51ca
         return (filters, base_dn, ldap.SCOPE_SUBTREE)
3f51ca
 
3f51ca
     def post_callback(self, ldap, entries, truncated, *args, **options):
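Review bot: `trustdomain_find.pre_callback` ignores the `scope` argument it receives and always returns `ldap.SCOPE_SUBTREE`, and neither the re-wrapped signature nor the body says why. While the signature is being touched, a one-line comment would record the intent, for example `# caller-supplied scope is deliberately ignored: always search the subtree`. The `post_callback` that follows continues outside this hunk.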
3f51ca
@@ -1532,7 +1593,6 @@ class trustdomain_find(LDAPSearch):
3f51ca
         return truncated
3f51ca
 
3f51ca
 
3f51ca
-
3f51ca
 @register()
3f51ca
 class trustdomain_mod(LDAPUpdate):
3f51ca
     __doc__ = _('Modify trustdomain of the trust')
3f51ca
@@ -1540,31 +1600,36 @@ class trustdomain_mod(LDAPUpdate):
3f51ca
     NO_CLI = True
3f51ca
     takes_options = LDAPUpdate.takes_options + (_trust_type_option,)
3f51ca
 
3f51ca
+
3f51ca
 @register()
3f51ca
 class trustdomain_add(LDAPCreate):
3f51ca
     __doc__ = _('Allow access from the trusted domain')
3f51ca
     NO_CLI = True
3f51ca
 
3f51ca
     takes_options = LDAPCreate.takes_options + (_trust_type_option,)
3f51ca
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
3f51ca
-        # ipaNTTrustPartner must always be set to the name of the trusted domain
3f51ca
-        # See MS-ADTS 6.1.6.7.13
3f51ca
-        entry_attrs['ipanttrustpartner'] = [dn[0]['cn']]
3f51ca
+
3f51ca
+    def pre_callback(self, ldap, dn, e_attrs, attrs_list, *keys, **options):
3f51ca
+        # ipaNTTrustPartner must always be set to the name of the trusted
3f51ca
+        # domain. See MS-ADTS 6.1.6.7.13
3f51ca
+        e_attrs['ipanttrustpartner'] = [dn[0]['cn']]
3f51ca
         return dn
3f51ca
 
3f51ca
 
3f51ca
 @register()
3f51ca
 class trustdomain_del(LDAPDelete):
3f51ca
-    __doc__ = _('Remove information about the domain associated with the trust.')
3f51ca
+    __doc__ = _('Remove information about the domain associated '
3f51ca
+                'with the trust.')
3f51ca
 
3f51ca
-    msg_summary = _('Removed information about the trusted domain "%(value)s"')
3f51ca
+    msg_summary = _('Removed information about the trusted domain '
3f51ca
+                    '"%(value)s"')
3f51ca
 
3f51ca
     def execute(self, *keys, **options):
3f51ca
         ldap = self.api.Backend.ldap2
3f51ca
         verify_samba_component_presence(ldap, self.api)
3f51ca
 
3f51ca
-        # Note that pre-/post- callback handling for LDAPDelete is causing pre_callback
3f51ca
-        # to always receive empty keys. We need to catch the case when root domain is being deleted
3f51ca
+        # Note that pre-/post- callback handling for LDAPDelete is causing
3f51ca
+        # pre_callback to always receive empty keys. We need to catch the case
3f51ca
+        # when root domain is being deleted
3f51ca
 
3f51ca
         for domain in keys[1]:
3f51ca
             try:
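Review bot: Renaming the callback parameter to `e_attrs` in `trustdomain_add.pre_callback` drops the `entry_attrs` name that the removed line used, purely to fit the line length. The conventional name can be kept by wrapping the signature the way this same commit does for `trustdomain_find.pre_callback`: `def pre_callback(self, ldap, dn, entry_attrs, attrs_list,` followed by `*keys, **options):`. If any caller passes this argument by keyword the rename would also change behaviour, which cannot be confirmed from this hunk. The `trustdomain_del.execute` body at the end of the hunk continues outside it.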
3f51ca
@@ -1603,10 +1668,10 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
3f51ca
     forest_root_name = trustinstance.remote_domain.info['dns_forest']
3f51ca
 
3f51ca
     # We want to use Kerberos if we have admin credentials even with SMB calls
3f51ca
-    # as eventually use of NTLMSSP will be deprecated for trusted domain operations
3f51ca
-    # If admin credentials are missing, 'creds' will be None and fetch_domains
3f51ca
-    # will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos authentication
3f51ca
-    # as well.
3f51ca
+    # as eventually use of NTLMSSP will be deprecated for trusted domain
3f51ca
+    # operations If admin credentials are missing, 'creds' will be None and
3f51ca
+    # fetch_domains will use HTTP/ipa.master@IPA.REALM principal, e.g. Kerberos
3f51ca
+    # authentication as well.
3f51ca
     creds = generate_creds(trustinstance, style=CRED_STYLE_KERBEROS, **options)
3f51ca
     server = options.get('realm_server', None)
3f51ca
     domains = ipaserver.dcerpc.fetch_domains(
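Review bot: The re-wrapped comment above the `generate_creds(...)` call now runs two sentences together as `operations If admin credentials are missing`, because the line break that used to separate them is gone and no full stop was added. This comment documents which authentication mechanism is used for the trusted-domain calls, so it should read unambiguously: `# operations. If admin credentials are missing, 'creds' will be None and`. The `e.g.` in `e.g. Kerberos authentication as well` also looks like it was meant to be `i.e.`. The function begins before this hunk and the `fetch_domains(` call continues past it.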
3f51ca
@@ -1616,7 +1681,8 @@ def fetch_domains_from_trust(myapi, trustinstance, **options):
3f51ca
     return domains
3f51ca
 
3f51ca
 
3f51ca
-def add_new_domains_from_trust(myapi, trustinstance, trust_entry, domains, **options):
3f51ca
+def add_new_domains_from_trust(myapi, trustinstance, trust_entry,
3f51ca
+                               domains, **options):
3f51ca
     result = []
3f51ca
     if not domains:
3f51ca
         return result
3f51ca
@@ -1728,8 +1794,11 @@ class trustdomain_enable(LDAPQuery):
3f51ca
         verify_samba_component_presence(ldap, self.api)
3f51ca
 
3f51ca
         if keys[0].lower() == keys[1].lower():
3f51ca
-            raise errors.ValidationError(name='domain',
3f51ca
-                error=_("Root domain of the trust is always enabled for the existing trust"))
3f51ca
+            raise errors.ValidationError(
3f51ca
+                name='domain',
3f51ca
+                error=_("Root domain of the trust is always enabled "
3f51ca
+                        "for the existing trust")
3f51ca
+            )
3f51ca
         try:
3f51ca
             trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
3f51ca
             trust_entry = ldap.get_entry(trust_dn)
3f51ca
@@ -1766,8 +1835,11 @@ class trustdomain_disable(LDAPQuery):
3f51ca
         verify_samba_component_presence(ldap, self.api)
3f51ca
 
3f51ca
         if keys[0].lower() == keys[1].lower():
3f51ca
-            raise errors.ValidationError(name='domain',
3f51ca
-                error=_("cannot disable root domain of the trust, use trust-del to delete the trust itself"))
3f51ca
+            raise errors.ValidationError(
3f51ca
+                name='domain',
3f51ca
+                error=_("cannot disable root domain of the trust, "
3f51ca
+                        "use trust-del to delete the trust itself")
3f51ca
+            )
3f51ca
         try:
3f51ca
             trust_dn = self.obj.get_dn(keys[0], trust_type=u'ad')
3f51ca
             trust_entry = ldap.get_entry(trust_dn)
3f51ca
-- 
3f51ca
2.13.6
3f51ca