IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

add --hosts and --hostgroup options to allow/retrieve keytab methods

Browse Source 
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab

in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page

https://fedorahosted.org/freeipa/ticket/4777

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Petr Vobornik 2014-12-01 10:15:21 +01:00 committed by Jan Cholasta
parent 08f8acd88c
commit 026c9eca09
6 changed files with 257 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
API.txt
View File

@ -1826,10 +1826,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: host_allow_create_keytab
args: 1,6,3
args: 1,8,3
arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -1838,10 +1840,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: host_allow_retrieve_keytab
args: 1,6,3
args: 1,8,3
arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -1866,10 +1870,12 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: host_disallow_create_keytab
args: 1,6,3
args: 1,8,3
arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -1878,10 +1884,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: host_disallow_retrieve_keytab
args: 1,6,3
args: 1,8,3
arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -3529,10 +3537,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: service_allow_create_keytab
args: 1,6,3
args: 1,8,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -3541,10 +3551,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: service_allow_retrieve_keytab
args: 1,6,3
args: 1,8,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -3568,10 +3580,12 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: PrimaryKey('value', None, None)
command: service_disallow_create_keytab
args: 1,6,3
args: 1,8,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@ -3580,10 +3594,12 @@ output: Output('completed', <type 'int'>, None)
output: Output('failed', <type 'dict'>, None)
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
command: service_disallow_retrieve_keytab
args: 1,6,3
args: 1,8,3
arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
option: Flag('no_members', autofill=True, default=False, exclude='webui')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('user*', alwaysask=True, cli_name='users', csv=True)

4
VERSION
View File

@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
IPA_API_VERSION_MINOR=109
# Last change: npmccallum - display qrcode by default
IPA_API_VERSION_MINOR=110
# Last change: pvoborni - allow to retrieve keytab by hosts

28
ipalib/plugins/host.py
View File

@ -211,12 +211,24 @@ host_output_params = (
Str('ipaallowedtoperform_read_keys_group',
label=_('Groups allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_read_keys_host',
label=_('Hosts allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_read_keys_hostgroup',
label=_('Host Groups allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_write_keys_user',
label=_('Users allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_group',
label=_('Groups allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_host',
label=_('Hosts allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_hostgroup',
label=_('Host Groups allowed to create keytab'),
),
Str('ipaallowedtoperform_read_keys',
label=_('Failed allowed to retrieve keytab'),
),
@ -284,8 +296,8 @@ class host(LDAPObject):
'managing': ['host'],
'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule',
'sudorule'],
'ipaallowedtoperform_read_keys': ['user', 'group'],
'ipaallowedtoperform_write_keys': ['user', 'group'],
'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
}
bindable = True
relationships = {
@ -1201,7 +1213,8 @@ class host_remove_managedby(LDAPRemoveMember):
@register()
class host_allow_retrieve_keytab(LDAPAddMember):
__doc__ = _('Allow users or groups to retrieve a keytab of this host.')
__doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
' of this host.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPAddMember.has_output_params + host_output_params
@ -1219,7 +1232,8 @@ class host_allow_retrieve_keytab(LDAPAddMember):
@register()
class host_disallow_retrieve_keytab(LDAPRemoveMember):
__doc__ = _('Disallow users or groups to retrieve a keytab of this host.')
__doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
'keytab of this host.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPRemoveMember.has_output_params + host_output_params
@ -1236,7 +1250,8 @@ class host_disallow_retrieve_keytab(LDAPRemoveMember):
@register()
class host_allow_create_keytab(LDAPAddMember):
__doc__ = _('Allow users or groups to create a keytab of this host.')
__doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
'of this host.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPAddMember.has_output_params + host_output_params
@ -1254,7 +1269,8 @@ class host_allow_create_keytab(LDAPAddMember):
@register()
class host_disallow_create_keytab(LDAPRemoveMember):
__doc__ = _('Disallow users or groups to create a keytab of this host.')
__doc__ = _('Disallow users, groups, hosts or host groups to create a '
'keytab of this host.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPRemoveMember.has_output_params + host_output_params

28
ipalib/plugins/service.py
View File

@ -137,12 +137,24 @@ output_params = (
Str('ipaallowedtoperform_read_keys_group',
label=_('Groups allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_read_keys_host',
label=_('Hosts allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_read_keys_hostgroup',
label=_('Host Groups allowed to retrieve keytab'),
),
Str('ipaallowedtoperform_write_keys_user',
label=_('Users allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_group',
label=_('Groups allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_host',
label=_('Hosts allowed to create keytab'),
),
Str('ipaallowedtoperform_write_keys_hostgroup',
label=_('Host Groups allowed to create keytab'),
),
Str('ipaallowedtoperform_read_keys',
label=_('Failed allowed to retrieve keytab'),
),
@ -350,8 +362,8 @@ class service(LDAPObject):
attribute_members = {
'managedby': ['host'],
'memberof': ['role'],
'ipaallowedtoperform_read_keys': ['user', 'group'],
'ipaallowedtoperform_write_keys': ['user', 'group'],
'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
}
bindable = True
relationships = {
@ -711,7 +723,8 @@ class service_remove_host(LDAPRemoveMember):
@register()
class service_allow_retrieve_keytab(LDAPAddMember):
__doc__ = _('Allow users or groups to retrieve a keytab of this service.')
__doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
' of this service.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPAddMember.has_output_params + output_params
@ -729,7 +742,8 @@ class service_allow_retrieve_keytab(LDAPAddMember):
@register()
class service_disallow_retrieve_keytab(LDAPRemoveMember):
__doc__ = _('Disallow users or groups to retrieve a keytab of this service.')
__doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
'keytab of this service.')
member_attributes = ['ipaallowedtoperform_read_keys']
has_output_params = LDAPRemoveMember.has_output_params + output_params
@ -746,7 +760,8 @@ class service_disallow_retrieve_keytab(LDAPRemoveMember):
@register()
class service_allow_create_keytab(LDAPAddMember):
__doc__ = _('Allow users or groups to create a keytab of this service.')
__doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
'of this service.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPAddMember.has_output_params + output_params
@ -764,7 +779,8 @@ class service_allow_create_keytab(LDAPAddMember):
@register()
class service_disallow_create_keytab(LDAPRemoveMember):
__doc__ = _('Disallow users or groups to create a keytab of this service.')
__doc__ = _('Disallow users, groups, hosts or host groups to create a '
'keytab of this service.')
member_attributes = ['ipaallowedtoperform_write_keys']
has_output_params = LDAPRemoveMember.has_output_params + output_params

109
ipatests/test_xmlrpc/test_host_plugin.py
View File

@ -147,6 +147,9 @@ group1 = u'group1'
group1_dn = get_group_dn(group1)
group2 = u'group2'
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
api.env.basedn)
class test_host(Declarative):
@ -1420,6 +1423,8 @@ class test_host_allowed_to(Declarative):
('group_del', [group1], {}),
('group_del', [group2], {}),
('host_del', [fqdn1], {}),
('host_del', [fqdn3], {}),
('hostgroup_del', [hostgroup1], {}),
]
tests = [
@ -1503,6 +1508,49 @@ class test_host_allowed_to(Declarative):
),
),
),
dict(
desc='Create %r' % fqdn3,
command=(
'host_add', [fqdn3],
dict(
force=True,
),
),
expected=dict(
value=fqdn3,
summary=u'Added host "%s"' % fqdn3,
result=dict(
dn=dn3,
fqdn=[fqdn3],
krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn3],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % hostgroup1,
command=('hostgroup_add', [hostgroup1],
dict(description=u'Test hostgroup 1')
),
expected=dict(
value=hostgroup1,
summary=u'Added hostgroup "testhostgroup1"',
result=dict(
dn=hostgroup1_dn,
cn=[hostgroup1],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 1'],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'),
api.env.basedn)],
),
),
),
# verify
dict(
@ -1513,6 +1561,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -1535,6 +1585,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user1, u'This entry is already a member']],
),
),
@ -1553,20 +1605,25 @@ class test_host_allowed_to(Declarative):
desc='Allow %r, %r to a retrieve keytab of %r' % (
group1, group2, fqdn1),
command=('host_allow_retrieve_keytab', [fqdn1],
dict(group=[group1, group2])),
dict(group=[group1, group2], host=[fqdn3],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
completed=2,
completed=4,
result=dict(
dn=dn1,
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1581,6 +1638,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
),
),
@ -1590,6 +1649,8 @@ class test_host_allowed_to(Declarative):
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1604,6 +1665,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -1613,6 +1676,8 @@ class test_host_allowed_to(Declarative):
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1623,22 +1688,29 @@ class test_host_allowed_to(Declarative):
desc='Allow %r, %r to a create keytab of %r' % (
group1, user1, fqdn1),
command=('host_allow_create_keytab', [fqdn1],
dict(group=[group1, group2], user=[user1])),
dict(group=[group1, group2], user=[user1], host=[fqdn3],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
completed=3,
completed=5,
result=dict(
dn=dn1,
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1648,12 +1720,15 @@ class test_host_allowed_to(Declarative):
dict(
desc='Duplicate add: %r, %r' % (user1, group1),
command=('host_allow_create_keytab', [fqdn1],
dict(group=[group1], user=[user1])),
dict(group=[group1], user=[user1], host=[fqdn3],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[[group1, u'This entry is already a member']],
host=[[fqdn3, u'This entry is already a member']],
user=[[user1, u'This entry is already a member']],
hostgroup=[[hostgroup1, u'This entry is already a member']],
),
),
completed=0,
@ -1662,8 +1737,12 @@ class test_host_allowed_to(Declarative):
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1678,6 +1757,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
),
),
@ -1687,8 +1768,12 @@ class test_host_allowed_to(Declarative):
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1703,6 +1788,8 @@ class test_host_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -1712,8 +1799,12 @@ class test_host_allowed_to(Declarative):
fqdn=[fqdn1],
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1733,8 +1824,12 @@ class test_host_allowed_to(Declarative):
has_password=False,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),
@ -1756,8 +1851,12 @@ class test_host_allowed_to(Declarative):
has_password=False,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn3],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn3],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
managedby_host=[fqdn1],
),

92
ipatests/test_xmlrpc/test_service_plugin.py
View File

@ -54,6 +54,9 @@ group1 = u'group1'
group1_dn = get_group_dn(group1)
group2 = u'group2'
group2_dn = get_group_dn(group2)
hostgroup1 = u'testhostgroup1'
hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
api.env.basedn)
class test_service(Declarative):
@ -770,6 +773,7 @@ class test_service_allowed_to(Declarative):
('group_del', [group2], {}),
('host_del', [fqdn1], {}),
('service_del', [service1], {}),
('hostgroup_del', [hostgroup1], {}),
]
tests = [
@ -857,6 +861,25 @@ class test_service_allowed_to(Declarative):
),
),
),
dict(
desc='Create %r' % hostgroup1,
command=('hostgroup_add', [hostgroup1],
dict(description=u'Test hostgroup 1')
),
expected=dict(
value=hostgroup1,
summary=u'Added hostgroup "testhostgroup1"',
result=dict(
dn=hostgroup1_dn,
cn=[hostgroup1],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 1'],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'),
api.env.basedn)],
),
),
),
dict(
desc='Create %r' % service1,
command=('service_add', [service1_no_realm], dict(force=True)),
@ -882,6 +905,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -903,6 +928,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user1, u'This entry is already a member']],
),
),
@ -917,22 +944,27 @@ class test_service_allowed_to(Declarative):
),
dict(
desc='Allow %r, %r to a retrieve keytab of %r' % (
group1, group2, service1),
desc='Allow %r, %r, %r to a retrieve keytab of %r' % (
group1, group2, fqdn1, service1),
command=('service_allow_retrieve_keytab', [service1],
dict(group=[group1, group2])),
dict(group=[group1, group2], host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
completed=2,
completed=4,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -947,6 +979,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
),
),
@ -955,6 +989,8 @@ class test_service_allowed_to(Declarative):
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -969,6 +1005,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -977,6 +1015,8 @@ class test_service_allowed_to(Declarative):
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -984,24 +1024,31 @@ class test_service_allowed_to(Declarative):
),
dict(
desc='Allow %r, %r to a create keytab of %r' % (
group1, user1, service1),
desc='Allow %r, %r, %r to a create keytab of %r' % (
group1, user1, fqdn1, service1),
command=('service_allow_create_keytab', [service1],
dict(group=[group1, group2], user=[user1])),
dict(group=[group1, group2], user=[user1], host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
completed=3,
completed=5,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -1011,12 +1058,15 @@ class test_service_allowed_to(Declarative):
dict(
desc='Duplicate add: %r, %r' % (user1, group1),
command=('service_allow_create_keytab', [service1],
dict(group=[group1], user=[user1])),
dict(group=[group1], user=[user1], host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[[group1, u'This entry is already a member']],
host=[[fqdn1, u'This entry is already a member']],
user=[[user1, u'This entry is already a member']],
hostgroup=[[hostgroup1, u'This entry is already a member']],
),
),
completed=0,
@ -1024,8 +1074,12 @@ class test_service_allowed_to(Declarative):
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -1040,6 +1094,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
),
),
@ -1048,8 +1104,12 @@ class test_service_allowed_to(Declarative):
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -1064,6 +1124,8 @@ class test_service_allowed_to(Declarative):
failed=dict(
ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
),
),
@ -1072,8 +1134,12 @@ class test_service_allowed_to(Declarative):
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -1091,8 +1157,12 @@ class test_service_allowed_to(Declarative):
has_keytab=False,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
@ -1110,8 +1180,12 @@ class test_service_allowed_to(Declarative):
result=dict(
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
ipakrbokasdelegate=True,
krbprincipalname=[service1],
krbticketflags=[u'1048704'],