freeipa/ipatests/util.py

853 lines
23 KiB
Python
Raw Normal View History

# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
2008-10-07 23:20:00 -05:00
Common utility functions and classes for unit tests.
"""
import inspect
import os
from os import path
import tempfile
import shutil
2009-12-17 07:16:18 -06:00
import re
import uuid
import pytest
from contextlib import contextmanager
from pprint import pformat
import six
import ldap
import ldap.sasl
import ldap.modlist
import ipalib
from ipalib import api
from ipalib.plugable import Plugin
from ipalib.request import context
Use DN objects instead of strings * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
from ipapython.dn import DN
from ipapython.ipautil import run
Add options to run only ipaclient unittests A new option for ipa-run-tests makes the test runner ignore subdirectories or skips tests that depend on the ipaserver package or on a running framework for RPC integration tests. The new option enables testing of client-only builds. $ ipatests/ipa-run-tests --ipaclient-unittests ... platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1 rootdir: /home/heimes/redhat, inifile: tox.ini plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1 collected 451 items test_util.py ........ util.py .. test_ipaclient/test_csrgen.py ..............ssss... test_ipalib/test_aci.py ................... test_ipalib/test_backend.py ........ test_ipalib/test_base.py ............... test_ipalib/test_capabilities.py . test_ipalib/test_cli.py ... test_ipalib/test_config.py ............... test_ipalib/test_crud.py ............... test_ipalib/test_errors.py ....... test_ipalib/test_frontend.py ........................................ test_ipalib/test_messages.py .... test_ipalib/test_output.py ... test_ipalib/test_parameters.py ............................................................. test_ipalib/test_plugable.py ........ test_ipalib/test_rpc.py ......ssssssss test_ipalib/test_text.py ............................. test_ipalib/test_x509.py ... test_ipapython/test_cookie.py ............ test_ipapython/test_dn.py ........................... test_ipapython/test_ipautil.py .................................................................. test_ipapython/test_ipavalidate.py .......... test_ipapython/test_kerberos.py .............. test_ipapython/test_keyring.py .......... test_ipapython/test_ssh.py ............................... test_pkcs10/test_pkcs10.py ..... https://fedorahosted.org/freeipa/ticket/6517 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-02-17 01:39:54 -06:00
try:
# not available with client-only wheel packages
from ipalib.install.kinit import kinit_keytab, kinit_password
except ImportError:
kinit_keytab = kinit_password = None
try:
# not available with client-only wheel packages
from ipaplatform.paths import paths
except ImportError:
paths = None
if six.PY3:
unicode = str
PYTEST_VERSION = tuple(int(v) for v in pytest.__version__.split('.'))
def check_ipaclient_unittests(reason="Skip in ipaclient unittest mode"):
"""Call this in a package to skip the package in ipaclient-unittest mode
"""
if pytest.config.getoption('ipaclient_unittests', False):
if PYTEST_VERSION[0] >= 3:
# pytest 3+ does no longer allow pytest.skip() on module level
# pylint: disable=unexpected-keyword-arg
raise pytest.skip.Exception(reason, allow_module_level=True)
# pylint: enable=unexpected-keyword-arg
else:
raise pytest.skip(reason)
class TempDir(object):
def __init__(self):
self.__path = tempfile.mkdtemp(prefix='ipa.tests.')
assert self.path == self.__path
def __get_path(self):
assert path.abspath(self.__path) == self.__path
assert self.__path.startswith('/tmp/ipa.tests.')
assert path.isdir(self.__path) and not path.islink(self.__path)
return self.__path
path = property(__get_path)
def rmtree(self):
if self.__path is not None:
shutil.rmtree(self.path)
self.__path = None
def makedirs(self, *parts):
d = self.join(*parts)
if not path.exists(d):
os.makedirs(d)
assert path.isdir(d) and not path.islink(d)
return d
def touch(self, *parts):
d = self.makedirs(*parts[:-1])
f = path.join(d, parts[-1])
assert not path.exists(f)
open(f, 'w').close()
assert path.isfile(f) and not path.islink(f)
return f
def write(self, content, *parts):
d = self.makedirs(*parts[:-1])
f = path.join(d, parts[-1])
assert not path.exists(f)
open(f, 'w').write(content)
assert path.isfile(f) and not path.islink(f)
return f
def join(self, *parts):
return path.join(self.path, *parts)
def __del__(self):
self.rmtree()
def __enter__(self):
return self
def __exit__(self, exc_type, exc_val, exc_tb):
self.rmtree()
class TempHome(TempDir):
def __init__(self):
super(TempHome, self).__init__()
self.__home = os.environ['HOME']
os.environ['HOME'] = self.path
class ExceptionNotRaised(Exception):
"""
Exception raised when an *expected* exception is *not* raised during a
unit test.
"""
msg = 'expected %s'
def __init__(self, expected):
self.expected = expected
def __str__(self):
return self.msg % self.expected.__name__
def assert_equal(val1, val2):
"""
Assert ``val1`` and ``val2`` are the same type and of equal value.
"""
assert type(val1) is type(val2), '%r != %r' % (val1, val2)
assert val1 == val2, '%r != %r' % (val1, val2)
def assert_not_equal(val1, val2):
"""
Assert ``val1`` and ``val2`` are the same type and of non-equal value.
"""
assert type(val1) is type(val2), '%r != %r' % (val1, val2)
assert val1 != val2, '%r == %r' % (val1, val2)
2009-12-17 07:16:18 -06:00
class Fuzzy(object):
"""
Perform a fuzzy (non-strict) equality tests.
2009-12-17 07:16:18 -06:00
`Fuzzy` instances will likely be used when comparing nesting data-structures
using `assert_deepequal()`.
By default a `Fuzzy` instance is equal to everything. For example, all of
these evaluate to ``True``:
>>> Fuzzy() == False
True
>>> 7 == Fuzzy() # Order doesn't matter
True
>>> Fuzzy() == u'Hello False, Lucky 7!'
True
The first optional argument *regex* is a regular expression pattern to
match. For example, you could match a phone number like this:
>>> phone = Fuzzy('^\d{3}-\d{3}-\d{4}$')
>>> u'123-456-7890' == phone
True
Use of a regular expression by default implies the ``unicode`` type, so
comparing with an ``str`` instance will evaluate to ``False``:
>>> phone.type is six.text_type
True
>>> b'123-456-7890' == phone
False
The *type* kwarg allows you to specify a type constraint, so you can force
the above to work on ``str`` instances instead:
>>> '123-456-7890' == Fuzzy('^\d{3}-\d{3}-\d{4}$', type=str)
True
You can also use the *type* constraint on its own without the *regex*, for
example:
>>> 42 == Fuzzy(type=int)
True
>>> 42.0 == Fuzzy(type=int)
False
>>> 42.0 == Fuzzy(type=(int, float))
True
Finally the *test* kwarg is an optional callable that will be called to
perform the loose equality test. For example:
>>> 42 == Fuzzy(test=lambda other: other > 42)
False
>>> 43 == Fuzzy(test=lambda other: other > 42)
True
You can use *type* and *test* together. For example:
>>> 43 == Fuzzy(type=float, test=lambda other: other > 42)
False
>>> 42.5 == Fuzzy(type=float, test=lambda other: other > 42)
True
The *regex*, *type*, and *test* kwargs are all availabel via attributes on
the `Fuzzy` instance:
>>> fuzzy = Fuzzy('.+', type=str, test=lambda other: True)
>>> fuzzy.regex
'.+'
>>> fuzzy.type is str
True
>>> fuzzy.test # doctest:+ELLIPSIS
<function <lambda> at 0x...>
To aid debugging, `Fuzzy.__repr__()` reveals these kwargs as well:
>>> fuzzy # doctest:+ELLIPSIS
Fuzzy('.+', <... 'str'>, <function <lambda> at 0x...>)
2009-12-17 07:16:18 -06:00
"""
def __init__(self, regex=None, type=None, test=None):
"""
Initialize.
:param regex: A regular expression pattern to match, e.g.
``u'^\d+foo'``
:param type: A type or tuple of types to test using ``isinstance()``,
e.g. ``(int, float)``
:param test: A callable used to perform equality test, e.g.
``lambda other: other >= 18``
"""
assert regex is None or isinstance(regex, six.string_types)
2009-12-17 07:16:18 -06:00
assert test is None or callable(test)
if regex is None:
self.re = None
else:
self.re = re.compile(regex)
if type is None:
type = unicode
assert type in (unicode, bytes, six.string_types)
2009-12-17 07:16:18 -06:00
self.regex = regex
self.type = type
self.test = test
def __repr__(self):
return '%s(%r, %r, %r)' % (
2009-12-17 07:16:18 -06:00
self.__class__.__name__, self.regex, self.type, self.test
)
def __eq__(self, other):
if not (self.type is None or isinstance(other, self.type)):
return False
if not (self.re is None or self.re.search(other)):
return False
if not (self.test is None or self.test(other)):
return False
return True
def __ne__(self, other):
return not self.__eq__(other)
VALUE = """assert_deepequal: expected != got.
%s
expected = %r
got = %r
path = %r"""
TYPE = """assert_deepequal: type(expected) is not type(got).
%s
type(expected) = %r
type(got) = %r
expected = %r
got = %r
path = %r"""
LEN = """assert_deepequal: list length mismatch.
%s
len(expected) = %r
len(got) = %r
expected = %s
got = %s
path = %r"""
KEYS = """assert_deepequal: dict keys mismatch.
%s
missing keys = %r
extra keys = %r
expected = %s
got = %s
path = %r"""
EXPECTED_LEN = len(' expected = ')
GOT_LEN = len(' got = ')
def struct_to_string(struct, indent=1):
"""
Function to pretty-format a structure and optionally indent its lines
so they match the visual indention of the first line
"""
return pformat(struct).replace('\n', '\n' + ' ' * indent)
def assert_deepequal(expected, got, doc='', stack=tuple()):
"""
Recursively check for type and equality.
If a value in expected is callable then it will used as a callback to
test for equality on the got value. The callback is passed the got
value and returns True if equal, False otherwise.
If the tests fails, it will raise an ``AssertionError`` with detailed
information, including the path to the offending value. For example:
>>> expected = [u'Hello', dict(world=1)]
>>> got = [u'Hello', dict(world=1.0)]
>>> expected == got
True
>>> assert_deepequal(expected, got, doc='Testing my nested data') # doctest:+ELLIPSIS
Traceback (most recent call last):
...
AssertionError: assert_deepequal: type(expected) is not type(got).
Testing my nested data
type(expected) = <... 'int'>
type(got) = <... 'float'>
expected = 1
got = 1.0
path = (..., 'world')
Note that lists and tuples are considered equivalent, and the order of
their elements does not matter.
"""
try:
Add options to run only ipaclient unittests A new option for ipa-run-tests makes the test runner ignore subdirectories or skips tests that depend on the ipaserver package or on a running framework for RPC integration tests. The new option enables testing of client-only builds. $ ipatests/ipa-run-tests --ipaclient-unittests ... platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1 rootdir: /home/heimes/redhat, inifile: tox.ini plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1 collected 451 items test_util.py ........ util.py .. test_ipaclient/test_csrgen.py ..............ssss... test_ipalib/test_aci.py ................... test_ipalib/test_backend.py ........ test_ipalib/test_base.py ............... test_ipalib/test_capabilities.py . test_ipalib/test_cli.py ... test_ipalib/test_config.py ............... test_ipalib/test_crud.py ............... test_ipalib/test_errors.py ....... test_ipalib/test_frontend.py ........................................ test_ipalib/test_messages.py .... test_ipalib/test_output.py ... test_ipalib/test_parameters.py ............................................................. test_ipalib/test_plugable.py ........ test_ipalib/test_rpc.py ......ssssssss test_ipalib/test_text.py ............................. test_ipalib/test_x509.py ... test_ipapython/test_cookie.py ............ test_ipapython/test_dn.py ........................... test_ipapython/test_ipautil.py .................................................................. test_ipapython/test_ipavalidate.py .......... test_ipapython/test_kerberos.py .............. test_ipapython/test_keyring.py .......... test_ipapython/test_ssh.py ............................... test_pkcs10/test_pkcs10.py ..... https://fedorahosted.org/freeipa/ticket/6517 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-02-17 01:39:54 -06:00
pretty_print = pytest.config.getoption("pretty_print")
except (AttributeError, ValueError):
pretty_print = False
if pretty_print:
expected_str = struct_to_string(expected, EXPECTED_LEN)
got_str = struct_to_string(got, GOT_LEN)
else:
expected_str = repr(expected)
got_str = repr(got)
2009-12-17 07:16:18 -06:00
if isinstance(expected, tuple):
expected = list(expected)
if isinstance(got, tuple):
got = list(got)
Use DN objects instead of strings * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
if isinstance(expected, DN):
if isinstance(got, six.string_types):
Use DN objects instead of strings * Convert every string specifying a DN into a DN object * Every place a dn was manipulated in some fashion it was replaced by the use of DN operators * Add new DNParam parameter type for parameters which are DN's * DN objects are used 100% of the time throughout the entire data pipeline whenever something is logically a dn. * Many classes now enforce DN usage for their attributes which are dn's. This is implmented via ipautil.dn_attribute_property(). The only permitted types for a class attribute specified to be a DN are either None or a DN object. * Require that every place a dn is used it must be a DN object. This translates into lot of:: assert isinstance(dn, DN) sprinkled through out the code. Maintaining these asserts is valuable to preserve DN type enforcement. The asserts can be disabled in production. The goal of 100% DN usage 100% of the time has been realized, these asserts are meant to preserve that. The asserts also proved valuable in detecting functions which did not obey their function signatures, such as the baseldap pre and post callbacks. * Moved ipalib.dn to ipapython.dn because DN class is shared with all components, not just the server which uses ipalib. * All API's now accept DN's natively, no need to convert to str (or unicode). * Removed ipalib.encoder and encode/decode decorators. Type conversion is now explicitly performed in each IPASimpleLDAPObject method which emulates a ldap.SimpleLDAPObject method. * Entity & Entry classes now utilize DN's * Removed __getattr__ in Entity & Entity clases. There were two problems with it. It presented synthetic Python object attributes based on the current LDAP data it contained. There is no way to validate synthetic attributes using code checkers, you can't search the code to find LDAP attribute accesses (because synthetic attriutes look like Python attributes instead of LDAP data) and error handling is circumscribed. Secondly __getattr__ was hiding Python internal methods which broke class semantics. * Replace use of methods inherited from ldap.SimpleLDAPObject via IPAdmin class with IPAdmin methods. Directly using inherited methods was causing us to bypass IPA logic. Mostly this meant replacing the use of search_s() with getEntry() or getList(). Similarly direct access of the LDAP data in classes using IPAdmin were replaced with calls to getValue() or getValues(). * Objects returned by ldap2.find_entries() are now compatible with either the python-ldap access methodology or the Entity/Entry access methodology. * All ldap operations now funnel through the common IPASimpleLDAPObject giving us a single location where we interface to python-ldap and perform conversions. * The above 4 modifications means we've greatly reduced the proliferation of multiple inconsistent ways to perform LDAP operations. We are well on the way to having a single API in IPA for doing LDAP (a long range goal). * All certificate subject bases are now DN's * DN objects were enhanced thusly: - find, rfind, index, rindex, replace and insert methods were added - AVA, RDN and DN classes were refactored in immutable and mutable variants, the mutable variants are EditableAVA, EditableRDN and EditableDN. By default we use the immutable variants preserving important semantics. To edit a DN cast it to an EditableDN and cast it back to DN when done editing. These issues are fully described in other documentation. - first_key_match was removed - DN equalty comparison permits comparison to a basestring * Fixed ldapupdate to work with DN's. This work included: - Enhance test_updates.py to do more checking after applying update. Add test for update_from_dict(). Convert code to use unittest classes. - Consolidated duplicate code. - Moved code which should have been in the class into the class. - Fix the handling of the 'deleteentry' update action. It's no longer necessary to supply fake attributes to make it work. Detect case where subsequent update applies a change to entry previously marked for deletetion. General clean-up and simplification of the 'deleteentry' logic. - Rewrote a couple of functions to be clearer and more Pythonic. - Added documentation on the data structure being used. - Simplfy the use of update_from_dict() * Removed all usage of get_schema() which was being called prior to accessing the .schema attribute of an object. If a class is using internal lazy loading as an optimization it's not right to require users of the interface to be aware of internal optimization's. schema is now a property and when the schema property is accessed it calls a private internal method to perform the lazy loading. * Added SchemaCache class to cache the schema's from individual servers. This was done because of the observation we talk to different LDAP servers, each of which may have it's own schema. Previously we globally cached the schema from the first server we connected to and returned that schema in all contexts. The cache includes controls to invalidate it thus forcing a schema refresh. * Schema caching is now senstive to the run time context. During install and upgrade the schema can change leading to errors due to out-of-date cached schema. The schema cache is refreshed in these contexts. * We are aware of the LDAP syntax of all LDAP attributes. Every attribute returned from an LDAP operation is passed through a central table look-up based on it's LDAP syntax. The table key is the LDAP syntax it's value is a Python callable that returns a Python object matching the LDAP syntax. There are a handful of LDAP attributes whose syntax is historically incorrect (e.g. DistguishedNames that are defined as DirectoryStrings). The table driven conversion mechanism is augmented with a table of hard coded exceptions. Currently only the following conversions occur via the table: - dn's are converted to DN objects - binary objects are converted to Python str objects (IPA convention). - everything else is converted to unicode using UTF-8 decoding (IPA convention). However, now that the table driven conversion mechanism is in place it would be trivial to do things such as converting attributes which have LDAP integer syntax into a Python integer, etc. * Expected values in the unit tests which are a DN no longer need to use lambda expressions to promote the returned value to a DN for equality comparison. The return value is automatically promoted to a DN. The lambda expressions have been removed making the code much simpler and easier to read. * Add class level logging to a number of classes which did not support logging, less need for use of root_logger. * Remove ipaserver/conn.py, it was unused. * Consolidated duplicate code wherever it was found. * Fixed many places that used string concatenation to form a new string rather than string formatting operators. This is necessary because string formatting converts it's arguments to a string prior to building the result string. You can't concatenate a string and a non-string. * Simplify logic in rename_managed plugin. Use DN operators to edit dn's. * The live version of ipa-ldap-updater did not generate a log file. The offline version did, now both do. https://fedorahosted.org/freeipa/ticket/1670 https://fedorahosted.org/freeipa/ticket/1671 https://fedorahosted.org/freeipa/ticket/1672 https://fedorahosted.org/freeipa/ticket/1673 https://fedorahosted.org/freeipa/ticket/1674 https://fedorahosted.org/freeipa/ticket/1392 https://fedorahosted.org/freeipa/ticket/2872
2012-05-13 06:36:35 -05:00
got = DN(got)
if not (isinstance(expected, Fuzzy) or callable(expected) or type(expected) is type(got)):
raise AssertionError(
TYPE % (doc, type(expected), type(got), expected, got, stack)
)
if isinstance(expected, (list, tuple)):
if len(expected) != len(got):
raise AssertionError(
LEN % (doc, len(expected), len(got), expected_str, got_str,
stack)
)
# Sort list elements, unless they are dictionaries
if expected and isinstance(expected[0], dict):
s_got = got
s_expected = expected
else:
try:
s_got = sorted(got)
except TypeError:
s_got = got
try:
s_expected = sorted(expected)
except TypeError:
s_expected = expected
for (i, e_sub) in enumerate(s_expected):
g_sub = s_got[i]
assert_deepequal(e_sub, g_sub, doc, stack + (i,))
elif isinstance(expected, dict):
missing = set(expected).difference(got)
extra = set(got).difference(expected)
if missing or extra:
raise AssertionError(KEYS % (
doc, sorted(missing), sorted(extra), expected_str, got_str,
stack)
)
for key in sorted(expected):
e_sub = expected[key]
g_sub = got[key]
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
elif callable(expected):
if not expected(got):
raise AssertionError(
VALUE % (doc, expected, got, stack)
)
2009-12-17 07:16:18 -06:00
elif expected != got:
raise AssertionError(
VALUE % (doc, expected, got, stack)
)
def raises(exception, callback, *args, **kw):
"""
Tests that the expected exception is raised; raises ExceptionNotRaised
if test fails.
"""
try:
callback(*args, **kw)
except exception as e:
return e
raise ExceptionNotRaised(exception)
def getitem(obj, key):
"""
Works like getattr but for dictionary interface. Use this in combination
with raises() to test that, for example, KeyError is raised.
"""
return obj[key]
def setitem(obj, key, value):
"""
Works like setattr but for dictionary interface. Use this in combination
with raises() to test that, for example, TypeError is raised.
"""
obj[key] = value
def delitem(obj, key):
"""
Works like delattr but for dictionary interface. Use this in combination
with raises() to test that, for example, TypeError is raised.
"""
del obj[key]
def no_set(obj, name, value='some_new_obj'):
"""
Tests that attribute cannot be set.
"""
raises(AttributeError, setattr, obj, name, value)
def no_del(obj, name):
"""
Tests that attribute cannot be deleted.
"""
raises(AttributeError, delattr, obj, name)
def read_only(obj, name, value='some_new_obj'):
"""
Tests that attribute is read-only. Returns attribute.
"""
# Test that it cannot be set:
no_set(obj, name, value)
# Test that it cannot be deleted:
no_del(obj, name)
# Return the attribute
return getattr(obj, name)
def is_prop(prop):
return type(prop) is property
class ClassChecker(object):
__cls = None
__subcls = None
def __get_cls(self):
if self.__cls is None:
self.__cls = self._cls # pylint: disable=E1101
assert inspect.isclass(self.__cls)
return self.__cls
cls = property(__get_cls)
def __get_subcls(self):
if self.__subcls is None:
self.__subcls = self.get_subcls()
assert inspect.isclass(self.__subcls)
return self.__subcls
subcls = property(__get_subcls)
def get_subcls(self):
raise AttributeError(
self.__class__.__name__,
'get_subcls()'
)
def teardown(self):
"""
nose tear-down fixture.
"""
2010-03-08 21:42:26 -06:00
context.__dict__.clear()
def get_api(**kw):
"""
Returns (api, home) tuple.
This function returns a tuple containing an `ipalib.plugable.API`
instance and a `TempHome` instance.
"""
home = TempHome()
api = ipalib.create_api(mode='unit_test')
api.env.in_tree = True
for (key, value) in kw.items():
api.env[key] = value
return (api, home)
def create_test_api(**kw):
"""
Returns (api, home) tuple.
This function returns a tuple containing an `ipalib.plugable.API`
instance and a `TempHome` instance.
"""
home = TempHome()
api = ipalib.create_api(mode='unit_test')
api.env.in_tree = True
for (key, value) in kw.items():
api.env[key] = value
return (api, home)
class PluginTester(object):
__plugin = None
def __get_plugin(self):
if self.__plugin is None:
self.__plugin = self._plugin # pylint: disable=E1101
assert issubclass(self.__plugin, Plugin)
return self.__plugin
plugin = property(__get_plugin)
def register(self, *plugins, **kw):
"""
Create a testing api and register ``self.plugin``.
This method returns an (api, home) tuple.
:param plugins: Additional \*plugins to register.
:param kw: Additional \**kw args to pass to `create_test_api`.
"""
(api, home) = create_test_api(**kw)
api.add_plugin(self.plugin)
for p in plugins:
api.add_plugin(p)
return (api, home)
def finalize(self, *plugins, **kw):
(api, home) = self.register(*plugins, **kw)
api.finalize()
return (api, home)
def instance(self, namespace, *plugins, **kw):
(api, home) = self.finalize(*plugins, **kw)
o = api[namespace][self.plugin.__name__]
return (o, api, home)
def teardown(self):
"""
nose tear-down fixture.
"""
2010-03-08 21:42:26 -06:00
context.__dict__.clear()
class dummy_ugettext(object):
__called = False
def __init__(self, translation=None):
if translation is None:
translation = u'The translation'
self.translation = translation
assert type(self.translation) is unicode
def __call__(self, message):
assert self.__called is False
self.__called = True
assert type(message) is str
assert not hasattr(self, 'message')
self.message = message
assert type(self.translation) is unicode
return self.translation
def called(self):
return self.__called
def reset(self):
assert type(self.translation) is unicode
assert type(self.message) is str
del self.message
assert self.__called is True
self.__called = False
class dummy_ungettext(object):
__called = False
def __init__(self):
self.translation_singular = u'The singular translation'
self.translation_plural = u'The plural translation'
def __call__(self, singular, plural, n):
assert type(singular) is str
assert type(plural) is str
assert type(n) is int
assert self.__called is False
self.__called = True
self.singular = singular
self.plural = plural
self.n = n
if n == 1:
return self.translation_singular
return self.translation_plural
class DummyMethod(object):
def __init__(self, callback, name):
self.__callback = callback
self.__name = name
def __call__(self, *args, **kw):
return self.__callback(self.__name, args, kw)
class DummyClass(object):
def __init__(self, *calls):
self.__calls = calls
self.__i = 0
for (name, _args, _kw, _result) in calls:
method = DummyMethod(self.__process, name)
setattr(self, name, method)
def __process(self, name_, args_, kw_):
if self.__i >= len(self.__calls):
raise AssertionError(
'extra call: %s, %r, %r' % (name_, args_, kw_)
)
(name, args, kw, result) = self.__calls[self.__i]
self.__i += 1
i = self.__i
if name_ != name:
raise AssertionError(
'call %d should be to method %r; got %r' % (i, name, name_)
)
if args_ != args:
raise AssertionError(
'call %d to %r should have args %r; got %r' % (i, name, args, args_)
)
if kw_ != kw:
raise AssertionError(
'call %d to %r should have kw %r, got %r' % (i, name, kw, kw_)
)
if isinstance(result, Exception):
raise result
return result
def _calledall(self):
return self.__i == len(self.__calls)
class MockLDAP(object):
def __init__(self):
self.connection = ldap.initialize(
'ldap://{host}'.format(host=ipalib.api.env.host)
)
auth = ldap.sasl.gssapi('')
self.connection.sasl_interactive_bind_s('', auth)
def add_entry(self, dn, mods):
try:
ldif = ldap.modlist.addModlist(mods)
self.connection.add_s(dn, ldif)
except ldap.ALREADY_EXISTS:
pass
def mod_entry(self, dn, mods):
self.connection.modify_s(dn, mods)
def del_entry(self, dn):
try:
self.connection.delete_s(dn)
except ldap.NO_SUCH_OBJECT:
pass
def unbind(self):
if self.connection is not None:
self.connection.unbind_s()
# contextmanager protocol
def __enter__(self):
return self
def __exit__(self, exc_type, exc_value, traceback):
self.unbind()
def prepare_config(template, values):
with open(template) as f:
template = f.read()
with tempfile.NamedTemporaryFile(mode='w', delete=False) as config:
config.write(template.format(**values))
return config.name
def unlock_principal_password(user, oldpw, newpw):
userdn = "uid={},{},{}".format(
user, api.env.container_user, api.env.basedn)
args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
'-s', newpw, '-x']
return run(args)
@contextmanager
def change_principal(principal, password=None, client=None, path=None,
canonicalize=False, enterprise=False, keytab=None):
"""Temporarily change the kerberos principal
Most of the test cases run with the admin ipa user which is granted
all access and exceptions from rules on some occasions.
When the test needs to test for an application of some kind
of a restriction it needs to authenticate as a different principal
with required set of rights to the operation.
The context manager changes the principal identity in two ways:
* using password
* using keytab
If the context manager is to be used with a keytab, the keytab
option must be its absolute path.
The context manager can be used to authenticate with enterprise
principals and aliases when given respective options.
"""
if path:
ccache_name = path
else:
ccache_name = os.path.join('/tmp', str(uuid.uuid4()))
if client is None:
client = api
client.Backend.rpcclient.disconnect()
try:
if keytab:
kinit_keytab(principal, keytab, ccache_name)
else:
kinit_password(principal, password, ccache_name,
canonicalize=canonicalize,
enterprise=enterprise)
client.Backend.rpcclient.connect(ccache=ccache_name)
try:
yield
finally:
client.Backend.rpcclient.disconnect()
finally:
# If we generated a ccache name, try to remove it, but don't fail
if not path:
try:
os.remove(ccache_name)
except OSError:
pass
client.Backend.rpcclient.connect()
@contextmanager
def get_entity_keytab(principal, options=None):
"""Requests a keytab for an entity
The keytab will generate new keys if not specified
otherwise in the options.
To retrieve existing keytab, use the -r option
"""
keytab_filename = os.path.join('/tmp', str(uuid.uuid4()))
try:
cmd = [paths.IPA_GETKEYTAB, '-p', principal, '-k', keytab_filename]
if options:
cmd.extend(options)
run(cmd)
yield keytab_filename
finally:
os.remove(keytab_filename)
@contextmanager
def host_keytab(hostname, options=None):
"""Retrieves keytab for a particular host
After leaving the context manager, the keytab file is
deleted.
"""
principal = u'host/{}'.format(hostname)
with get_entity_keytab(principal, options) as keytab:
yield keytab
def get_group_dn(cn):
return DN(('cn', cn), api.env.container_group, api.env.basedn)
def get_user_dn(uid):
return DN(('uid', uid), api.env.container_user, api.env.basedn)