IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 00:41:25 -06:00
Code Issues Packages Projects Releases Wiki Activity
2f6b333187
freeipa/ipatests/test_xmlrpc/test_hbactest_plugin.py

221 lines
7.8 KiB
Python
Raw Normal View History

Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
# Authors:
# Pavel Zuna <pzuna@redhat.com>
# Alexander Bokovoy <abokovoy@redhat.com>
#
# Copyright (C) 2009-2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib/plugins/hbactest.py` module.
"""
Remove unused imports This patch removes unused imports, alse pylint has been configured to check unused imports. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-16 09:06:03 -06:00
from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
from ipalib import api
from ipalib import errors
Deprecate HBAC source hosts from CLI Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 10:38:09 -05:00
from nose.tools import raises
Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-04-24 07:39:48 -05:00
import pytest
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
# Test strategy:
# 1. Create few allow rules: with user categories, with explicit users, with user groups, with groups, with services
# 2. Create users for test
# 3. Run detailed and non-detailed tests for explicitly specified rules, check expected result
#
Applied tier0 and tier1 marks on unit tests and xmlrpc tests Web UI tests were marked as tier1 tests. The tier system is intended to be used together with CI system to make sure the more complicated tests are being run only when all of the basic functionality is working. The system is using pytest's marker system. E.g. an invocation of all tier1 tests with listing will look like: $ py.test -v -m tier1 ipatests or in case of out of tree tests: $ ipa-run-tests -m tier1 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-04-24 07:39:48 -05:00
@pytest.mark.tier1
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
class test_hbactest(XMLRPC_test):
"""
Test the `hbactest` plugin.
"""
rule_names = [u'testing_rule1234_%d' % (d) for d in [1,2,3,4]]
rule_type = u'allow'
rule_service = u'ssh'
rule_descs = [u'description %d' % (d) for d in [1,2,3,4]]
test_user = u'hbacrule_test_user'
test_group = u'hbacrule_test_group'
Make hostnames adhere to new standards in hbactest plugin tests
2012-03-02 13:53:22 -06:00
test_host = u'hbacrule.testhost'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
test_hostgroup = u'hbacrule_test_hostgroup'
Make hostnames adhere to new standards in hbactest plugin tests
2012-03-02 13:53:22 -06:00
test_sourcehost = u'hbacrule.testsrchost'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
test_sourcehostgroup = u'hbacrule_test_src_hostgroup'
test_service = u'ssh'
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
# Auxiliary funcion for checking existence of warning for specified rule
def check_rule_presence(self,rule_name,warnings):
for warning in warnings:
if rule_name in warning:
return True
return False
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_0_hbactest_addrules(self):
"""
Prepare data by adding test HBAC rules using `xmlrpc.hbacrule_add'.
"""
self.failsafe_add(api.Object.user,
self.test_user, givenname=u'first', sn=u'last'
)
self.failsafe_add(api.Object.group,
self.test_group, description=u'description'
)
self.failsafe_add(api.Object.host,
self.test_host, force=True
)
self.failsafe_add(api.Object.hostgroup,
self.test_hostgroup, description=u'description'
)
self.failsafe_add(api.Object.host,
self.test_sourcehost, force=True
)
self.failsafe_add(api.Object.hostgroup,
self.test_sourcehostgroup, description=u'desc'
)
self.failsafe_add(api.Object.hbacsvc,
Use valid argument names in tests Some of our tests used unintended extra options, or options with misspelled, wrongly copy-pasted or otherwise bad names. These are ignored, so the intended argument was treated as missing. The test itself can still pass but may be rendered ineffective or fragile. This only fixes those of such errors that appear in the test suite. Fixing code in the framework and actual rejecting of unknown arguments is deferred for later (ticket #2509).
2012-03-14 10:33:41 -05:00
self.test_service, description=u'desc'
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
)
for i in [0,1,2,3]:
api.Command['hbacrule_add'](
self.rule_names[i], accessruletype=self.rule_type, description=self.rule_descs[i],
)
ret = api.Command['hbacrule_add_user'](
self.rule_names[i], user=self.test_user, group=self.test_group
)
ret = api.Command['hbacrule_add_host'](
self.rule_names[i], host=self.test_host, hostgroup=self.test_hostgroup
)
ret = api.Command['hbacrule_add_service'](
self.rule_names[i], hbacsvc=self.test_service
)
if i & 1:
ret = api.Command['hbacrule_disable'](self.rule_names[i])
def test_a_hbactest_check_rules_detail(self):
"""
Test 'ipa hbactest --rules' (explicit IPA rules, detailed output)
"""
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=self.rule_names
)
assert ret['value'] == True
Remove uses of the `types` module In Python 3, the types module no longer provide alternate names for built-in types, e.g. `types.StringType` can just be spelled `str`. NoneType is also removed; it needs to be replaced with type(None) Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-17 10:56:45 -05:00
assert ret['error'] is None
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
for i in [0,1,2,3]:
assert self.rule_names[i] in ret['matched']
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_b_hbactest_check_rules_nodetail(self):
"""
Test 'ipa hbactest --rules --nodetail' (explicit IPA rules, no detailed output)
"""
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=self.rule_names,
nodetail=True
)
assert ret['value'] == True
assert ret['error'] == None
assert ret['matched'] == None
assert ret['notmatched'] == None
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
def test_c_hbactest_check_rules_enabled_detail(self):
"""
Test 'ipa hbactest --enabled' (all enabled IPA rules, detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
enabled=True
)
# --enabled will try to work with _all_ enabled rules in IPA database
# It means we could have matched something else (unlikely but possible)
# Thus, check that our two enabled rules are in matched, nothing more
for i in [0,2]:
assert self.rule_names[i] in ret['matched']
def test_d_hbactest_check_rules_disabled_detail(self):
"""
Test 'ipa hbactest --disabled' (all disabled IPA rules, detailed output)
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
disabled=True
)
# --disabled will try to work with _all_ disabled rules in IPA database
# It means we could have matched something else (unlikely but possible)
# Thus, check that our two disabled rules are in matched, nothing more
for i in [1,3]:
assert self.rule_names[i] in ret['matched']
def test_e_hbactest_check_non_existing_rule_detail(self):
"""
Test running 'ipa hbactest' with non-existing rule in --rules
"""
ret = api.Command['hbactest'](
user=self.test_user,
targethost=self.test_host,
service=self.test_service,
rules=[u'%s_1x1' % (rule) for rule in self.rule_names],
nodetail=True
)
assert ret['value'] == False
assert ret['matched'] == None
assert ret['notmatched'] == None
for rule in self.rule_names:
assert u'%s_1x1' % (rule) in ret['error']
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
Deprecate HBAC source hosts from CLI Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 10:38:09 -05:00
@raises(errors.ValidationError)
def test_f_hbactest_check_sourcehost_option_is_deprecated(self):
"""
Test running 'ipa hbactest' with --srchost option raises ValidationError
"""
api.Command['hbactest'](
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
user=self.test_user,
targethost=self.test_host,
Deprecate HBAC source hosts from CLI Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 10:38:09 -05:00
sourcehost=self.test_sourcehost,
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
service=self.test_service,
Deprecate HBAC source hosts from CLI Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 10:38:09 -05:00
rules=[u'%s_1x1' % rule for rule in self.rule_names],
HBAC test optional sourcehost option New version of SSSD begins ignoring sourcehost value of HBAC rules by default. In order to match this behaviour the sourcehost option in hbactest is optional now, but the value of sourcehost is ignored in all rules. Every rule's sourcehost value is set to 'ALL' what turns sourchost value comparation off. If srchost option is used, warning is displayed to inform the user about changes. Text of plugin help was also updated. Also the unit tests for hbactest plugin were updated. Every test was doubled. The second ones test the plugin without sourcehost option. They are supposed to have the same result. https://fedorahosted.org/freeipa/ticket/2085
2012-01-07 13:17:25 -06:00
nodetail=True
)
Deprecate HBAC source hosts from CLI Hide the commands and options listed below from the CLI, but keep them in the API. When called directly from the API, raise appropriate exceptions informing the user that the functionality has been deprecated. Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost. Affected options: sourcehostcategory, sourcehost_host and sourcehost_hostgroup (hbacrule); sourcehost (hbactest). https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 10:38:09 -05:00
def test_g_hbactest_clear_testing_data(self):
Add hbactest command. https://fedorahosted.org/freeipa/ticket/386 HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
2011-07-22 08:30:44 -05:00
"""
Clear data for HBAC test plugin testing.
"""
for i in [0,1,2,3]:
api.Command['hbacrule_remove_host'](self.rule_names[i], host=self.test_host)
api.Command['hbacrule_remove_host'](self.rule_names[i], hostgroup=self.test_hostgroup)
api.Command['hbacrule_del'](self.rule_names[i])
api.Command['user_del'](self.test_user)
api.Command['group_del'](self.test_group)
api.Command['host_del'](self.test_host)
api.Command['hostgroup_del'](self.test_hostgroup)
api.Command['host_del'](self.test_sourcehost)
api.Command['hostgroup_del'](self.test_sourcehostgroup)
api.Command['hbacsvc_del'](self.test_service)
Reference in New Issue Copy Permalink