2010-09-27 15:51:28 -05:00
|
|
|
# Authors:
|
|
|
|
# Jr Aquino <jr.aquino@citrixonline.com>
|
|
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2010 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
2010-12-09 06:59:11 -06:00
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
2010-09-27 15:51:28 -05:00
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
2010-12-09 06:59:11 -06:00
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
2016-04-28 03:30:05 -05:00
|
|
|
Test the `ipaserver/plugins/sudorule.py` module.
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
|
|
|
|
2017-12-06 10:01:57 -06:00
|
|
|
import pytest
|
2015-09-11 06:43:28 -05:00
|
|
|
import six
|
2012-03-09 08:41:16 -06:00
|
|
|
|
2015-07-31 03:15:01 -05:00
|
|
|
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test, assert_attr_equal
|
2021-09-27 15:54:05 -05:00
|
|
|
from ipatests.test_xmlrpc.xmlrpc_test import assert_deepequal
|
2010-09-27 15:51:28 -05:00
|
|
|
from ipalib import api
|
|
|
|
from ipalib import errors
|
|
|
|
|
2016-09-26 11:24:39 -05:00
|
|
|
# pylint: disable=unused-variable
|
|
|
|
|
2015-09-11 06:43:28 -05:00
|
|
|
if six.PY3:
|
|
|
|
unicode = str
|
|
|
|
|
|
|
|
|
2015-04-24 07:39:48 -05:00
|
|
|
@pytest.mark.tier1
|
2010-09-27 15:51:28 -05:00
|
|
|
class test_sudorule(XMLRPC_test):
|
|
|
|
"""
|
|
|
|
Test the `sudorule` plugin.
|
|
|
|
"""
|
|
|
|
rule_name = u'testing_sudorule1'
|
2012-03-01 13:02:28 -06:00
|
|
|
rule_name2 = u'testing_sudorule2'
|
2017-03-27 01:26:03 -05:00
|
|
|
rule_renamed = u'testing_mega_sudorule'
|
2010-09-27 15:51:28 -05:00
|
|
|
rule_command = u'/usr/bin/testsudocmd1'
|
|
|
|
rule_desc = u'description'
|
|
|
|
rule_desc_mod = u'description modified'
|
|
|
|
|
|
|
|
test_user = u'sudorule_test_user'
|
2010-12-17 10:29:33 -06:00
|
|
|
test_external_user = u'external_test_user'
|
2010-09-27 15:51:28 -05:00
|
|
|
test_group = u'sudorule_test_group'
|
2011-01-07 17:29:00 -06:00
|
|
|
test_external_group = u'external_test_group'
|
2012-03-01 13:02:28 -06:00
|
|
|
test_host = u'sudorule.testhost'
|
|
|
|
test_external_host = u'external.testhost'
|
2010-09-27 15:51:28 -05:00
|
|
|
test_hostgroup = u'sudorule_test_hostgroup'
|
2010-10-04 17:56:40 -05:00
|
|
|
test_sudoallowcmdgroup = u'sudorule_test_allowcmdgroup'
|
|
|
|
test_sudodenycmdgroup = u'sudorule_test_denycmdgroup'
|
2010-09-27 15:51:28 -05:00
|
|
|
test_command = u'/usr/bin/testsudocmd1'
|
2010-10-04 17:56:40 -05:00
|
|
|
test_denycommand = u'/usr/bin/testdenysudocmd1'
|
2010-12-13 12:00:59 -06:00
|
|
|
test_runasuser = u'manager'
|
|
|
|
test_runasgroup = u'manager'
|
2012-01-13 10:34:04 -06:00
|
|
|
test_category = u'all'
|
2010-12-17 10:29:33 -06:00
|
|
|
test_option = u'authenticate'
|
2021-09-27 15:54:05 -05:00
|
|
|
test_option2 = u'fqdn'
|
|
|
|
test_option3 = u'log_allowed'
|
2010-09-27 15:51:28 -05:00
|
|
|
|
2012-03-27 08:15:20 -05:00
|
|
|
test_invalid_user = u'+invalid#user'
|
|
|
|
test_invalid_host = u'+invalid&host.nonexist.com'
|
|
|
|
test_invalid_group = u'+invalid#group'
|
|
|
|
|
2010-09-27 15:51:28 -05:00
|
|
|
def test_0_sudorule_add(self):
|
|
|
|
"""
|
|
|
|
Test adding a new Sudo rule using `xmlrpc.sudorule_add`.
|
|
|
|
"""
|
|
|
|
ret = self.failsafe_add(api.Object.sudorule,
|
|
|
|
self.rule_name,
|
|
|
|
description=self.rule_desc,
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
|
|
assert_attr_equal(entry, 'description', self.rule_desc)
|
|
|
|
|
|
|
|
def test_1_sudorule_add(self):
|
|
|
|
"""
|
|
|
|
Test adding an duplicate Sudo rule using `xmlrpc.sudorule_add'.
|
|
|
|
"""
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.DuplicateEntry):
|
|
|
|
api.Command['sudorule_add'](
|
|
|
|
self.rule_name
|
|
|
|
)
|
2010-09-27 15:51:28 -05:00
|
|
|
|
|
|
|
def test_2_sudorule_show(self):
|
|
|
|
"""
|
|
|
|
Test displaying a Sudo rule using `xmlrpc.sudorule_show`.
|
|
|
|
"""
|
|
|
|
entry = api.Command['sudorule_show'](self.rule_name)['result']
|
|
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
|
|
assert_attr_equal(entry, 'description', self.rule_desc)
|
|
|
|
|
|
|
|
def test_3_sudorule_mod(self):
|
|
|
|
"""
|
|
|
|
Test modifying a Sudo rule using `xmlrpc.sudorule_mod`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, description=self.rule_desc_mod
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'description', self.rule_desc_mod)
|
|
|
|
|
|
|
|
def test_6_sudorule_find(self):
|
|
|
|
"""
|
|
|
|
Test searching for Sudo rules using `xmlrpc.sudorule_find`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_find'](
|
2012-03-14 10:33:41 -05:00
|
|
|
cn=self.rule_name,
|
2010-09-27 15:51:28 -05:00
|
|
|
description=self.rule_desc_mod
|
|
|
|
)
|
|
|
|
assert ret['truncated'] is False
|
|
|
|
entries = ret['result']
|
|
|
|
assert_attr_equal(entries[0], 'cn', self.rule_name)
|
|
|
|
assert_attr_equal(entries[0], 'description', self.rule_desc_mod)
|
|
|
|
|
|
|
|
def test_7_sudorule_init_testing_data(self):
|
|
|
|
"""
|
|
|
|
Initialize data for more Sudo rule plugin testing.
|
|
|
|
"""
|
|
|
|
self.failsafe_add(api.Object.user,
|
|
|
|
self.test_user, givenname=u'first', sn=u'last'
|
|
|
|
)
|
2010-12-13 12:00:59 -06:00
|
|
|
self.failsafe_add(api.Object.user,
|
|
|
|
self.test_runasuser, givenname=u'first', sn=u'last'
|
|
|
|
)
|
2010-09-27 15:51:28 -05:00
|
|
|
self.failsafe_add(api.Object.group,
|
|
|
|
self.test_group, description=u'description'
|
|
|
|
)
|
|
|
|
self.failsafe_add(api.Object.host,
|
|
|
|
self.test_host, force=True
|
|
|
|
)
|
|
|
|
self.failsafe_add(api.Object.hostgroup,
|
|
|
|
self.test_hostgroup, description=u'description'
|
|
|
|
)
|
|
|
|
self.failsafe_add(api.Object.sudocmdgroup,
|
2010-10-04 17:56:40 -05:00
|
|
|
self.test_sudoallowcmdgroup, description=u'desc'
|
|
|
|
)
|
|
|
|
self.failsafe_add(api.Object.sudocmdgroup,
|
|
|
|
self.test_sudodenycmdgroup, description=u'desc'
|
2010-09-27 15:51:28 -05:00
|
|
|
)
|
|
|
|
self.failsafe_add(api.Object.sudocmd,
|
2012-03-14 10:33:41 -05:00
|
|
|
self.test_command, description=u'desc'
|
2010-09-27 15:51:28 -05:00
|
|
|
)
|
|
|
|
|
|
|
|
def test_8_sudorule_add_user(self):
|
|
|
|
"""
|
|
|
|
Test adding user and group to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_user`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_user'](
|
|
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberuser' in failed
|
|
|
|
assert 'user' in failed['memberuser']
|
|
|
|
assert not failed['memberuser']['user']
|
|
|
|
assert 'group' in failed['memberuser']
|
|
|
|
assert not failed['memberuser']['group']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'memberuser_user', self.test_user)
|
|
|
|
assert_attr_equal(entry, 'memberuser_group', self.test_group)
|
|
|
|
|
2011-05-31 16:52:35 -05:00
|
|
|
def test_9_a_show_user(self):
|
|
|
|
"""
|
|
|
|
Test showing a user to verify Sudo rule membership
|
|
|
|
`xmlrpc.user_show`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['user_show'](self.test_user, all=True)
|
|
|
|
entry = ret['result']
|
2011-07-15 16:18:42 -05:00
|
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
2011-05-31 16:52:35 -05:00
|
|
|
|
|
|
|
def test_9_b_show_group(self):
|
|
|
|
"""
|
|
|
|
Test showing a group to verify Sudo rule membership
|
|
|
|
`xmlrpc.group_show`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['group_show'](self.test_group, all=True)
|
|
|
|
entry = ret['result']
|
2011-07-15 16:18:42 -05:00
|
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
2011-05-31 16:52:35 -05:00
|
|
|
|
2010-09-27 15:51:28 -05:00
|
|
|
def test_9_sudorule_remove_user(self):
|
|
|
|
"""
|
|
|
|
Test removing user and group from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_user'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_user'](
|
|
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberuser' in failed
|
|
|
|
assert 'user' in failed['memberuser']
|
|
|
|
assert not failed['memberuser']['user']
|
|
|
|
assert 'group' in failed['memberuser']
|
|
|
|
assert not failed['memberuser']['group']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'memberuser_user' not in entry
|
|
|
|
assert 'memberuser_group' not in entry
|
|
|
|
|
2010-12-13 12:00:59 -06:00
|
|
|
def test_a_sudorule_add_runasuser(self):
|
|
|
|
"""
|
|
|
|
Test adding run as user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_runasuser'](
|
|
|
|
self.rule_name, user=self.test_runasuser
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'ipasudorunas' in failed
|
|
|
|
assert 'user' in failed['ipasudorunas']
|
|
|
|
assert not failed['ipasudorunas']['user']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'ipasudorunas_user', self.test_runasuser)
|
|
|
|
|
2012-03-27 08:15:20 -05:00
|
|
|
def test_a_sudorule_add_runasuser_invalid(self):
|
|
|
|
"""
|
|
|
|
Test adding run as invalid user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_add_runasuser'](
|
|
|
|
self.rule_name, user=self.test_invalid_user
|
|
|
|
)
|
|
|
|
except errors.ValidationError:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
assert False
|
|
|
|
|
2010-12-13 12:00:59 -06:00
|
|
|
def test_b_sudorule_remove_runasuser(self):
|
|
|
|
"""
|
|
|
|
Test removing run as user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_runasuser'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_runasuser'](
|
|
|
|
self.rule_name, user=self.test_runasuser
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'ipasudorunas' in failed
|
|
|
|
assert 'user' in failed['ipasudorunas']
|
|
|
|
assert not failed['ipasudorunas']['user']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'ipasudorunas_user' not in entry
|
|
|
|
|
|
|
|
def test_a_sudorule_add_runasgroup(self):
|
|
|
|
"""
|
|
|
|
Test adding run as group to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasgroup`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_runasgroup'](
|
|
|
|
self.rule_name, group=self.test_runasgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'ipasudorunasgroup' in failed
|
|
|
|
assert 'group' in failed['ipasudorunasgroup']
|
|
|
|
assert not failed['ipasudorunasgroup']['group']
|
|
|
|
entry = ret['result']
|
2010-12-17 10:29:33 -06:00
|
|
|
assert_attr_equal(entry, 'ipasudorunasgroup_group',
|
|
|
|
self.test_runasgroup)
|
2010-12-13 12:00:59 -06:00
|
|
|
|
2012-03-27 08:15:20 -05:00
|
|
|
def test_a_sudorule_add_runasgroup_invalid(self):
|
|
|
|
"""
|
|
|
|
Test adding run as invalid user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_add_runasgroup'](
|
|
|
|
self.rule_name, group=self.test_invalid_group
|
|
|
|
)
|
|
|
|
except errors.ValidationError:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
assert False
|
|
|
|
|
2010-12-13 12:00:59 -06:00
|
|
|
def test_b_sudorule_remove_runasgroup(self):
|
|
|
|
"""
|
|
|
|
Test removing run as group to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_runasgroup'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_runasgroup'](
|
|
|
|
self.rule_name, group=self.test_runasgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'ipasudorunasgroup' in failed
|
|
|
|
assert 'group' in failed['ipasudorunasgroup']
|
|
|
|
assert not failed['ipasudorunasgroup']['group']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'ipasudorunasgroup_group' not in entry
|
|
|
|
|
2010-12-17 10:29:33 -06:00
|
|
|
def test_a_sudorule_add_externaluser(self):
|
|
|
|
"""
|
|
|
|
Test adding an external user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_user`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_user'](
|
|
|
|
self.rule_name, user=self.test_external_user
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'externaluser', self.test_external_user)
|
|
|
|
|
2012-03-27 08:15:20 -05:00
|
|
|
def test_a_sudorule_add_externaluser_invalid(self):
|
|
|
|
"""
|
|
|
|
Test adding an invalid external user to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_user`.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_add_user'](
|
|
|
|
self.rule_name, user=self.test_invalid_user
|
|
|
|
)
|
|
|
|
except errors.ValidationError:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
assert False
|
|
|
|
|
2010-12-17 10:29:33 -06:00
|
|
|
def test_b_sudorule_remove_externaluser(self):
|
|
|
|
"""
|
|
|
|
Test removing an external user from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_user'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_user'](
|
|
|
|
self.rule_name, user=self.test_external_user
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
2011-07-19 15:39:40 -05:00
|
|
|
assert entry['externaluser'] == ()
|
2010-12-17 10:29:33 -06:00
|
|
|
|
2011-01-07 17:29:00 -06:00
|
|
|
def test_a_sudorule_add_runasexternaluser(self):
|
|
|
|
"""
|
|
|
|
Test adding an external runasuser to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_runasuser'](
|
|
|
|
self.rule_name, user=self.test_external_user
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'ipasudorunasextuser', self.test_external_user)
|
|
|
|
|
|
|
|
def test_b_sudorule_remove_runasexternaluser(self):
|
|
|
|
"""
|
|
|
|
Test removing an external runasuser from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_runasuser'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_runasuser'](
|
|
|
|
self.rule_name, user=self.test_external_user
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
2011-07-19 15:39:40 -05:00
|
|
|
assert entry['ipasudorunasextuser'] == ()
|
2011-01-07 17:29:00 -06:00
|
|
|
|
|
|
|
def test_a_sudorule_add_runasexternalgroup(self):
|
|
|
|
"""
|
|
|
|
Test adding an external runasgroup to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_runasgroup`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_runasgroup'](
|
|
|
|
self.rule_name, group=self.test_external_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'ipasudorunasextgroup', self.test_external_group)
|
|
|
|
|
|
|
|
def test_b_sudorule_remove_runasexternalgroup(self):
|
|
|
|
"""
|
|
|
|
Test removing an external runasgroup from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_runasgroup'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_runasgroup'](
|
|
|
|
self.rule_name, group=self.test_external_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
2011-07-19 15:39:40 -05:00
|
|
|
assert entry['ipasudorunasextgroup'] == ()
|
2011-01-07 17:29:00 -06:00
|
|
|
|
2010-12-17 10:29:33 -06:00
|
|
|
def test_a_sudorule_add_option(self):
|
|
|
|
"""
|
|
|
|
Test adding an option to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_option`.
|
|
|
|
"""
|
2018-07-27 16:51:05 -05:00
|
|
|
# Add a user and group to the sudorule so we can test that
|
|
|
|
# membership is properly translated in add_option.
|
|
|
|
ret = api.Command['sudorule_add_user'](
|
|
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
2010-12-17 10:29:33 -06:00
|
|
|
ret = api.Command['sudorule_add_option'](
|
|
|
|
self.rule_name, ipasudoopt=self.test_option
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'ipasudoopt', self.test_option)
|
2018-07-27 16:51:05 -05:00
|
|
|
assert_attr_equal(entry, 'memberuser_user', self.test_user)
|
|
|
|
assert_attr_equal(entry, 'memberuser_group', self.test_group)
|
2010-12-17 10:29:33 -06:00
|
|
|
|
|
|
|
def test_b_sudorule_remove_option(self):
|
|
|
|
"""
|
|
|
|
Test removing an option from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_option'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_option'](
|
|
|
|
self.rule_name, ipasudoopt=self.test_option
|
|
|
|
)
|
2011-06-16 13:57:13 -05:00
|
|
|
entry = ret['result']
|
|
|
|
assert 'ipasudoopt' not in entry
|
2018-07-27 16:51:05 -05:00
|
|
|
# Verify that membership is properly converted in remove_option
|
|
|
|
assert_attr_equal(entry, 'memberuser_user', self.test_user)
|
|
|
|
assert_attr_equal(entry, 'memberuser_group', self.test_group)
|
|
|
|
# Clean up by removing the user and group added in add_option
|
|
|
|
ret = api.Command['sudorule_remove_user'](
|
|
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
2010-12-17 10:29:33 -06:00
|
|
|
|
2021-09-27 15:54:05 -05:00
|
|
|
def test_c_sudorule_add_multiple_options(self):
|
|
|
|
"""
|
|
|
|
Test adding two options to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_option`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_option'](
|
|
|
|
self.rule_name,
|
|
|
|
ipasudoopt=(self.test_option, self.test_option2, self.test_option3)
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert_deepequal(entry.get('ipasudoopt'),
|
|
|
|
(self.test_option, self.test_option2,
|
|
|
|
self.test_option3))
|
|
|
|
|
|
|
|
def test_d_sudorule_add_duplicate_option(self):
|
|
|
|
"""
|
|
|
|
Test adding a duplicate option to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_option`.
|
|
|
|
"""
|
|
|
|
with pytest.raises(errors.DuplicateEntry):
|
|
|
|
api.Command['sudorule_add_option'](
|
|
|
|
self.rule_name,
|
|
|
|
ipasudoopt=(self.test_option,)
|
|
|
|
)
|
|
|
|
|
|
|
|
def test_e_sudorule_remove_one_option(self):
|
|
|
|
"""
|
|
|
|
Test removing an option from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_option'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_option'](
|
|
|
|
self.rule_name, ipasudoopt=self.test_option
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert_deepequal(entry.get('ipasudoopt'),
|
|
|
|
(self.test_option2, self.test_option3))
|
|
|
|
|
|
|
|
def test_f_sudorule_remove_multiple_options(self):
|
|
|
|
"""
|
|
|
|
Test removing an option from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_option'.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_option'](
|
|
|
|
self.rule_name, ipasudoopt=(self.test_option2, self.test_option3)
|
|
|
|
)
|
|
|
|
entry = ret['result']
|
|
|
|
assert len(entry.get('ipasudoopt', [])) == 0
|
|
|
|
|
|
|
|
def test_g_sudorule_remove_unknown_option(self):
|
|
|
|
"""
|
|
|
|
Test removing an unknown option from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_option'.
|
|
|
|
"""
|
|
|
|
with pytest.raises(errors.AttrValueNotFound):
|
|
|
|
api.Command['sudorule_remove_option'](
|
|
|
|
self.rule_name,
|
|
|
|
ipasudoopt=(self.test_option,)
|
|
|
|
)
|
|
|
|
|
2010-09-27 15:51:28 -05:00
|
|
|
def test_a_sudorule_add_host(self):
|
|
|
|
"""
|
|
|
|
Test adding host and hostgroup to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_host`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_host'](
|
|
|
|
self.rule_name, host=self.test_host, hostgroup=self.test_hostgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberhost' in failed
|
|
|
|
assert 'host' in failed['memberhost']
|
|
|
|
assert not failed['memberhost']['host']
|
|
|
|
assert 'hostgroup' in failed['memberhost']
|
|
|
|
assert not failed['memberhost']['hostgroup']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'memberhost_host', self.test_host)
|
|
|
|
assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup)
|
|
|
|
|
2011-05-31 16:52:35 -05:00
|
|
|
def test_a_sudorule_show_host(self):
|
|
|
|
"""
|
|
|
|
Test showing host to verify Sudo rule membership
|
|
|
|
`xmlrpc.host_show`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['host_show'](self.test_host, all=True)
|
|
|
|
entry = ret['result']
|
2011-07-15 16:18:42 -05:00
|
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
2011-05-31 16:52:35 -05:00
|
|
|
|
|
|
|
def test_a_sudorule_show_hostgroup(self):
|
|
|
|
"""
|
|
|
|
Test showing hostgroup to verify Sudo rule membership
|
|
|
|
`xmlrpc.hostgroup_show`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True)
|
|
|
|
entry = ret['result']
|
2011-07-15 16:18:42 -05:00
|
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
2011-05-31 16:52:35 -05:00
|
|
|
|
2010-09-27 15:51:28 -05:00
|
|
|
def test_b_sudorule_remove_host(self):
|
|
|
|
"""
|
|
|
|
Test removing host and hostgroup from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_host`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_host'](
|
|
|
|
self.rule_name, host=self.test_host, hostgroup=self.test_hostgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberhost' in failed
|
|
|
|
assert 'host' in failed['memberhost']
|
|
|
|
assert not failed['memberhost']['host']
|
|
|
|
assert 'hostgroup' in failed['memberhost']
|
|
|
|
assert not failed['memberhost']['hostgroup']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'memberhost_host' not in entry
|
|
|
|
assert 'memberhost_hostgroup' not in entry
|
|
|
|
|
2010-12-17 10:29:33 -06:00
|
|
|
def test_a_sudorule_add_externalhost(self):
|
|
|
|
"""
|
|
|
|
Test adding an external host to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_host`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_host'](
|
|
|
|
self.rule_name, host=self.test_external_host
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
|
|
|
assert_attr_equal(entry, 'externalhost', self.test_external_host)
|
|
|
|
|
2012-03-27 08:15:20 -05:00
|
|
|
def test_a_sudorule_add_externalhost_invalid(self):
|
|
|
|
"""
|
|
|
|
Test adding an invalid external host to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_host`.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_add_host'](
|
|
|
|
self.rule_name, host=self.test_invalid_host
|
|
|
|
)
|
|
|
|
except errors.ValidationError:
|
|
|
|
pass
|
|
|
|
else:
|
|
|
|
assert False
|
|
|
|
|
2012-04-30 06:29:08 -05:00
|
|
|
def test_a_sudorule_mod_externalhost_invalid_addattr(self):
|
|
|
|
"""
|
|
|
|
Test adding an invalid external host to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_mod --addattr`.
|
|
|
|
"""
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name,
|
|
|
|
addattr='externalhost=%s' % self.test_invalid_host
|
|
|
|
)
|
2015-07-30 09:49:29 -05:00
|
|
|
except errors.ValidationError as e:
|
2012-04-30 06:29:08 -05:00
|
|
|
assert unicode(e) == ("invalid 'externalhost': only letters, " +
|
2014-01-31 08:52:35 -06:00
|
|
|
"numbers, '_', '-' are allowed. " +
|
|
|
|
"DNS label may not start or end with '-'")
|
2012-04-30 06:29:08 -05:00
|
|
|
else:
|
|
|
|
assert False
|
|
|
|
|
2010-12-17 10:29:33 -06:00
|
|
|
def test_b_sudorule_remove_externalhost(self):
|
|
|
|
"""
|
|
|
|
Test removing an external host from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_host`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_host'](
|
|
|
|
self.rule_name, host=self.test_external_host
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 1
|
|
|
|
failed = ret['failed']
|
|
|
|
entry = ret['result']
|
2012-02-01 15:20:54 -06:00
|
|
|
assert len(entry['externalhost']) == 0
|
2010-12-17 10:29:33 -06:00
|
|
|
|
2010-10-04 17:56:40 -05:00
|
|
|
def test_a_sudorule_add_allow_command(self):
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
2010-10-04 17:56:40 -05:00
|
|
|
Test adding allow command and cmdgroup to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_allow_command`.
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
2010-10-04 17:56:40 -05:00
|
|
|
ret = api.Command['sudorule_add_allow_command'](
|
2010-09-27 15:51:28 -05:00
|
|
|
self.rule_name, sudocmd=self.test_command,
|
2010-10-04 17:56:40 -05:00
|
|
|
sudocmdgroup=self.test_sudoallowcmdgroup
|
2010-09-27 15:51:28 -05:00
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
2010-10-04 17:56:40 -05:00
|
|
|
assert 'memberallowcmd' in failed
|
|
|
|
assert 'sudocmd' in failed['memberallowcmd']
|
|
|
|
assert not failed['memberallowcmd']['sudocmd']
|
|
|
|
assert 'sudocmdgroup' in failed['memberallowcmd']
|
|
|
|
assert not failed['memberallowcmd']['sudocmdgroup']
|
2010-09-27 15:51:28 -05:00
|
|
|
entry = ret['result']
|
2010-10-04 17:56:40 -05:00
|
|
|
assert_attr_equal(entry, 'memberallowcmd_sudocmd', self.test_command)
|
|
|
|
assert_attr_equal(entry, 'memberallowcmd_sudocmdgroup',
|
|
|
|
self.test_sudoallowcmdgroup)
|
2010-09-27 15:51:28 -05:00
|
|
|
|
2010-10-04 17:56:40 -05:00
|
|
|
def test_a_sudorule_remove_allow_command(self):
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
2010-10-04 17:56:40 -05:00
|
|
|
Test removing allow command and sudocmdgroup from Sudo rule using
|
2010-09-27 15:51:28 -05:00
|
|
|
`xmlrpc.sudorule_remove_command`.
|
|
|
|
"""
|
2010-10-04 17:56:40 -05:00
|
|
|
ret = api.Command['sudorule_remove_allow_command'](
|
|
|
|
self.rule_name, sudocmd=self.test_command,
|
|
|
|
sudocmdgroup=self.test_sudoallowcmdgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberallowcmd' in failed
|
|
|
|
assert 'sudocmd' in failed['memberallowcmd']
|
|
|
|
assert not failed['memberallowcmd']['sudocmd']
|
|
|
|
assert 'sudocmdgroup' in failed['memberallowcmd']
|
|
|
|
assert not failed['memberallowcmd']['sudocmdgroup']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'memberallowcmd_sudocmd' not in entry
|
|
|
|
assert 'memberallowcmd_sudocmdgroup' not in entry
|
|
|
|
|
|
|
|
def test_b_sudorule_add_deny_command(self):
|
|
|
|
"""
|
|
|
|
Test adding deny command and cmdgroup to Sudo rule using
|
|
|
|
`xmlrpc.sudorule_add_deny_command`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_add_deny_command'](
|
2010-09-27 15:51:28 -05:00
|
|
|
self.rule_name, sudocmd=self.test_command,
|
2010-10-04 17:56:40 -05:00
|
|
|
sudocmdgroup=self.test_sudodenycmdgroup
|
2010-09-27 15:51:28 -05:00
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
2010-10-04 17:56:40 -05:00
|
|
|
assert 'memberdenycmd' in failed
|
|
|
|
assert 'sudocmd' in failed['memberdenycmd']
|
|
|
|
assert not failed['memberdenycmd']['sudocmd']
|
|
|
|
assert 'sudocmdgroup' in failed['memberdenycmd']
|
|
|
|
assert not failed['memberdenycmd']['sudocmdgroup']
|
2010-09-27 15:51:28 -05:00
|
|
|
entry = ret['result']
|
2010-10-04 17:56:40 -05:00
|
|
|
assert_attr_equal(entry, 'memberdenycmd_sudocmd', self.test_command)
|
|
|
|
assert_attr_equal(entry, 'memberdenycmd_sudocmdgroup',
|
|
|
|
self.test_sudodenycmdgroup)
|
|
|
|
|
|
|
|
def test_b_sudorule_remove_deny_command(self):
|
|
|
|
"""
|
|
|
|
Test removing deny command and sudocmdgroup from Sudo rule using
|
|
|
|
`xmlrpc.sudorule_remove_deny_command`.
|
|
|
|
"""
|
|
|
|
ret = api.Command['sudorule_remove_deny_command'](
|
|
|
|
self.rule_name, sudocmd=self.test_command,
|
|
|
|
sudocmdgroup=self.test_sudodenycmdgroup
|
|
|
|
)
|
|
|
|
assert ret['completed'] == 2
|
|
|
|
failed = ret['failed']
|
|
|
|
assert 'memberdenycmd' in failed
|
|
|
|
assert 'sudocmd' in failed['memberdenycmd']
|
|
|
|
assert not failed['memberdenycmd']['sudocmd']
|
|
|
|
assert 'sudocmdgroup' in failed['memberdenycmd']
|
|
|
|
assert not failed['memberdenycmd']['sudocmdgroup']
|
|
|
|
entry = ret['result']
|
|
|
|
assert 'memberdenycmd_sudocmd' not in entry
|
|
|
|
assert 'memberdenycmd_sudocmdgroup' not in entry
|
2010-09-27 15:51:28 -05:00
|
|
|
|
2012-01-13 10:34:04 -06:00
|
|
|
def test_c_sudorule_exclusiveuser(self):
|
|
|
|
"""
|
|
|
|
Test adding a user to an Sudo rule when usercat='all'
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, usercategory=u'all')
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_add_user'](
|
|
|
|
self.rule_name, user=u'admin'
|
|
|
|
)
|
2012-03-09 08:41:16 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, usercategory=u'')
|
2012-01-13 10:34:04 -06:00
|
|
|
|
|
|
|
def test_d_sudorule_exclusiveuser(self):
|
|
|
|
"""
|
|
|
|
Test setting usercat='all' in an Sudo rule when there are users
|
|
|
|
"""
|
2012-03-09 08:41:16 -06:00
|
|
|
api.Command['sudorule_add_user'](self.rule_name, user=u'admin')
|
2012-01-13 10:34:04 -06:00
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, usercategory=u'all'
|
|
|
|
)
|
2012-01-13 10:34:04 -06:00
|
|
|
finally:
|
2012-03-09 08:41:16 -06:00
|
|
|
api.Command['sudorule_remove_user'](self.rule_name, user=u'admin')
|
2012-01-13 10:34:04 -06:00
|
|
|
|
|
|
|
def test_e_sudorule_exclusivehost(self):
|
|
|
|
"""
|
|
|
|
Test adding a host to an Sudo rule when hostcat='all'
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, hostcategory=u'all')
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_add_host'](
|
|
|
|
self.rule_name, host=self.test_host
|
|
|
|
)
|
2012-03-09 08:41:16 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, hostcategory=u'')
|
2012-01-13 10:34:04 -06:00
|
|
|
|
|
|
|
def test_f_sudorule_exclusivehost(self):
|
|
|
|
"""
|
|
|
|
Test setting hostcat='all' in an Sudo rule when there are hosts
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, hostcategory=u'all'
|
|
|
|
)
|
2012-01-13 10:34:04 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_remove_host'](self.rule_name, host=self.test_host)
|
|
|
|
|
|
|
|
def test_g_sudorule_exclusivecommand(self):
|
|
|
|
"""
|
|
|
|
Test adding a command to an Sudo rule when cmdcategory='all'
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'all')
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_add_allow_command'](
|
|
|
|
self.rule_name, sudocmd=self.test_command
|
|
|
|
)
|
2012-03-09 08:41:16 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'')
|
2012-01-13 10:34:04 -06:00
|
|
|
|
|
|
|
def test_h_sudorule_exclusivecommand(self):
|
|
|
|
"""
|
|
|
|
Test setting cmdcategory='all' in an Sudo rule when there are commands
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_add_allow_command'](self.rule_name, sudocmd=self.test_command)
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, cmdcategory=u'all'
|
|
|
|
)
|
2012-01-13 10:34:04 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_remove_allow_command'](self.rule_name, sudocmd=self.test_command)
|
|
|
|
|
|
|
|
def test_i_sudorule_exclusiverunas(self):
|
|
|
|
"""
|
|
|
|
Test adding a runasuser to an Sudo rule when ipasudorunasusercategory='all'
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'all')
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_add_runasuser'](
|
|
|
|
self.rule_name, user=self.test_user
|
|
|
|
)
|
2012-03-09 08:41:16 -06:00
|
|
|
finally:
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'')
|
2012-01-13 10:34:04 -06:00
|
|
|
|
Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
2012-09-12 03:00:35 -05:00
|
|
|
def test_j_1_sudorule_exclusiverunas(self):
|
2012-01-13 10:34:04 -06:00
|
|
|
"""
|
|
|
|
Test setting ipasudorunasusercategory='all' in an Sudo rule when there are runas users
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_add_runasuser'](self.rule_name, user=self.test_user)
|
|
|
|
try:
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.MutuallyExclusiveError):
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, ipasudorunasusercategory=u'all'
|
|
|
|
)
|
2012-01-13 10:34:04 -06:00
|
|
|
finally:
|
2021-01-24 05:34:22 -06:00
|
|
|
api.Command['sudorule_remove_runasuser'](self.rule_name,
|
|
|
|
user=self.test_user)
|
2012-01-13 10:34:04 -06:00
|
|
|
|
Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
2012-09-12 03:00:35 -05:00
|
|
|
def test_j_2_sudorule_referential_integrity(self):
|
|
|
|
"""
|
|
|
|
Test adding various links to Sudo rule
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_add_user'](self.rule_name, user=self.test_user)
|
|
|
|
api.Command['sudorule_add_runasuser'](self.rule_name, user=self.test_runasuser,
|
|
|
|
group=self.test_group)
|
|
|
|
api.Command['sudorule_add_runasgroup'](self.rule_name, group=self.test_group)
|
|
|
|
api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
|
|
|
|
api.Command['sudorule_add_allow_command'](self.rule_name,
|
|
|
|
sudocmd=self.test_command)
|
|
|
|
api.Command['sudorule_add_deny_command'](self.rule_name,
|
|
|
|
sudocmdgroup=self.test_sudodenycmdgroup)
|
|
|
|
entry = api.Command['sudorule_show'](self.rule_name)['result']
|
|
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
|
|
assert_attr_equal(entry, 'memberuser_user', self.test_user)
|
|
|
|
assert_attr_equal(entry, 'memberallowcmd_sudocmd', self.test_command)
|
|
|
|
assert_attr_equal(entry, 'memberdenycmd_sudocmdgroup',
|
|
|
|
self.test_sudodenycmdgroup)
|
|
|
|
assert_attr_equal(entry, 'memberhost_host', self.test_host)
|
|
|
|
assert_attr_equal(entry, 'ipasudorunas_user', self.test_runasuser)
|
|
|
|
assert_attr_equal(entry, 'ipasudorunas_group', self.test_group)
|
|
|
|
assert_attr_equal(entry, 'ipasudorunasgroup_group', self.test_group)
|
|
|
|
|
|
|
|
|
|
|
|
def test_k_1_sudorule_clear_testing_data(self):
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
|
|
|
Clear data for Sudo rule plugin testing.
|
|
|
|
"""
|
|
|
|
api.Command['user_del'](self.test_user)
|
2010-12-13 12:00:59 -06:00
|
|
|
api.Command['user_del'](self.test_runasuser)
|
2010-09-27 15:51:28 -05:00
|
|
|
api.Command['group_del'](self.test_group)
|
|
|
|
api.Command['host_del'](self.test_host)
|
|
|
|
api.Command['hostgroup_del'](self.test_hostgroup)
|
2012-03-13 07:37:24 -05:00
|
|
|
api.Command['sudorule_remove_allow_command'](self.rule_name,
|
|
|
|
sudocmd=self.test_command)
|
2010-09-27 15:51:28 -05:00
|
|
|
api.Command['sudocmd_del'](self.test_command)
|
2010-10-04 17:56:40 -05:00
|
|
|
api.Command['sudocmdgroup_del'](self.test_sudoallowcmdgroup)
|
|
|
|
api.Command['sudocmdgroup_del'](self.test_sudodenycmdgroup)
|
|
|
|
|
Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
2012-09-12 03:00:35 -05:00
|
|
|
def test_k_2_sudorule_referential_integrity(self):
|
|
|
|
"""
|
|
|
|
Test that links in Sudo rule were removed by referential integrity plugin
|
|
|
|
"""
|
|
|
|
entry = api.Command['sudorule_show'](self.rule_name)['result']
|
|
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
|
|
assert 'memberuser_user' not in entry
|
|
|
|
assert 'memberallowcmd_sudocmd' not in entry
|
|
|
|
assert 'memberdenycmd_sudocmdgroup' not in entry
|
|
|
|
assert 'memberhost_host' not in entry
|
|
|
|
assert 'ipasudorunas_user' not in entry
|
|
|
|
assert 'ipasudorunas_group' not in entry
|
|
|
|
assert 'ipasudorunasgroup_group' not in entry
|
|
|
|
|
2012-03-01 13:02:28 -06:00
|
|
|
def test_l_sudorule_order(self):
|
|
|
|
"""
|
|
|
|
Test that order uniqueness is maintained
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, sudoorder=1)
|
|
|
|
|
|
|
|
api.Command['sudorule_add'](self.rule_name2)
|
|
|
|
|
|
|
|
# mod of rule that has no order and set a duplicate
|
|
|
|
try:
|
|
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=1)
|
|
|
|
except errors.ValidationError:
|
|
|
|
pass
|
|
|
|
|
|
|
|
# Remove the rule so we can re-add it
|
|
|
|
api.Command['sudorule_del'](self.rule_name2)
|
|
|
|
|
|
|
|
# add a new rule with a duplicate order
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.ValidationError):
|
2012-03-01 13:02:28 -06:00
|
|
|
api.Command['sudorule_add'](self.rule_name2, sudoorder=1)
|
|
|
|
|
|
|
|
# add a new rule with a unique order
|
|
|
|
api.Command['sudorule_add'](self.rule_name2, sudoorder=2)
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.ValidationError):
|
2012-03-01 13:02:28 -06:00
|
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=1)
|
|
|
|
|
|
|
|
# Try setting both to 0
|
|
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=0)
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.ValidationError):
|
2012-03-01 13:02:28 -06:00
|
|
|
api.Command['sudorule_mod'](self.rule_name, sudoorder=0)
|
|
|
|
|
2014-06-16 09:51:31 -05:00
|
|
|
# Try unsetting sudoorder from both rules
|
|
|
|
api.Command['sudorule_mod'](self.rule_name, sudoorder=None)
|
|
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=None)
|
|
|
|
|
2017-03-27 01:26:03 -05:00
|
|
|
def test_l_1_sudorule_rename(self):
|
|
|
|
"""
|
|
|
|
Test renaming an HBAC rule, rename it back afterwards
|
|
|
|
"""
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_name, rename=self.rule_renamed
|
|
|
|
)
|
|
|
|
entry = api.Command['sudorule_show'](self.rule_renamed)['result']
|
|
|
|
assert_attr_equal(entry, 'cn', self.rule_renamed)
|
|
|
|
# clean up by renaming the rule back
|
|
|
|
api.Command['sudorule_mod'](
|
|
|
|
self.rule_renamed, rename=self.rule_name
|
|
|
|
)
|
2010-09-27 15:51:28 -05:00
|
|
|
|
2012-03-01 13:02:28 -06:00
|
|
|
def test_m_sudorule_del(self):
|
2010-09-27 15:51:28 -05:00
|
|
|
"""
|
|
|
|
Test deleting a Sudo rule using `xmlrpc.sudorule_del`.
|
|
|
|
"""
|
2011-01-07 10:17:55 -06:00
|
|
|
api.Command['sudorule_del'](self.rule_name)
|
2010-09-27 15:51:28 -05:00
|
|
|
# verify that it's gone
|
2017-12-06 10:01:57 -06:00
|
|
|
with pytest.raises(errors.NotFound):
|
2010-09-27 15:51:28 -05:00
|
|
|
api.Command['sudorule_show'](self.rule_name)
|
2012-03-01 13:02:28 -06:00
|
|
|
api.Command['sudorule_del'](self.rule_name2)
|