ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario
Testing if a manager whose rights are defined by group membership is able to add group members after an upgrade of the IPA server. An ACI modification is used to demonstrate the inability before upgrading the IPA server. Related: https://pagure.io/freeipa/issue/9286 Also added some generally helpful functions to tasks.py Signed-off-by: Erik Belko <ebelko@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com> Reviewed-By: Michal Polovka <mpolovka@redhat.com>
parent
35c36f9b4e
commit
4acd9fe9f7
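--- a/<path not shown on page>/tasks.py
+++ b/<path not shown on page>/tasks.py
@@ -2081,6 +2081,25 @@ def group_add(host, groupname, extra_args=()):
     return host.run_command(cmd)
 
 
+def group_del(host, groupname):
+    cmd = [
+        "ipa", "group-del", groupname,
+    ]
+    return host.run_command(cmd)
+
+
+def group_add_member(host, groupname, users=None,
+                     raiseonerr=True, extra_args=()):
+    cmd = [
+        "ipa", "group-add-member", groupname
+    ]
+    if users:
+        cmd.append("--users")
+        cmd.append(users)
+    cmd.extend(extra_args)
+    return host.run_command(cmd, raiseonerr=raiseonerr)
+
+
 def ldapmodify_dm(host, ldif_text, **kwargs):
     """Run ldapmodify as Directory Manager
 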
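Review bot: In the new group_add_member the `users` parameter is plural, but `cmd.append(users)` passes it as a single `--users` value, so a caller handing over a list (the natural reading of the name) would put a nested list into the command line; the helper also carries no docstring, unlike ldapmodify_dm right below it. Either pin the contract with `"""Run ``ipa group-add-member``; *users* is a single user login."""` or accept one login or an iterable as sketched below. group_del should probably mirror group_add's `extra_args=()` and group_add_member's `raiseonerr` so the three helpers have parallel signatures.

```python
def group_add_member(host, groupname, users=None,
                     raiseonerr=True, extra_args=()):
    """Run ``ipa group-add-member``; *users* is one login or an iterable."""
    cmd = ["ipa", "group-add-member", groupname]
    if users:
        if isinstance(users, str):
            users = [users]
        for user in users:
            cmd.extend(["--users", user])
    # … unchanged: extra_args, run_command …
```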
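--- a/<test module path not shown on page: TestMemberManager>
+++ b/<test module path not shown on page: TestMemberManager>
@@ -212,3 +212,84 @@ class TestMemberManager(IntegrationTest):
             "'write' privilege to the 'memberManager' attribute of entry"
         )
         assert expected in result.stdout_text
+
+    @tasks.pytest.fixture
+    def prepare_mbr_manager_upgrade(self):
+        user = "idmuser"
+        password = "Secret123"
+        group1 = "role-groupmanager"
+        group2 = "role-usergroup-A"
+
+        master = self.master
+
+        tasks.kinit_admin(master)
+        tasks.group_add(master, group1)
+        tasks.group_add(master, group2)
+        tasks.create_active_user(master, user, password)
+
+        tasks.kinit_admin(master)
+        tasks.group_add_member(master, group1, user)
+        master.run_command(["ipa", "group-add-member-manager", "--groups",
+                            group1, group2])
+
+        yield user, password, group2
+
+        # cleanup
+        tasks.kinit_admin(master)
+        tasks.user_del(master, user)
+        tasks.group_del(master, group1)
+        tasks.group_del(master, group2)
+
+    def test_member_manager_upgrade_scenario(self, prepare_mbr_manager_upgrade):
+        """
+        Testing if manager whose rights defined by the group membership
+        is able to add group members, after upgrade of ipa server.
+        Using ACI modification to demonstrate unability before upgrading
+        ipa server.
+
+        Related: https://pagure.io/freeipa/issue/9286
+        """
+        user, password, group2 = prepare_mbr_manager_upgrade
+
+        master = self.master
+
+        base_dn = self.master.domain.basedn
+        aci_hostgroup = (
+            '(targetattr = "member")(targetfilter = '
+            '"(objectclass=ipaHostGroup)")'
+            '(version 3.0; acl "Allow member managers '
+            'to modify members of host groups"; allow (write) userattr = '
+            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
+        )
+        aci_usergroup = (
+            '(targetattr = "member")(targetfilter = '
+            '"(objectclass=ipaUserGroup)")'
+            '(version 3.0; acl "Allow member managers '
+            'to modify members of user groups"; allow (write) userattr = '
+            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
+        )
+        ldif_entry = tasks.textwrap.dedent(
+            """
+            dn: cn=hostgroups,cn=accounts,{base_dn}
+            changetype: modify
+            delete: aci
+            aci: {aci_hostgroup}
+
+            dn: cn=groups,cn=accounts,{base_dn}
+            changetype: modify
+            delete: aci
+            aci: {aci_usergroup}
+            """).format(base_dn=base_dn,
+                        aci_hostgroup=aci_hostgroup,
+                        aci_usergroup=aci_usergroup)
+        tasks.ldapmodify_dm(master, ldif_entry)
+
+        tasks.kinit_as_user(master, user, password)
+        # in this point this command should fail
+        result = tasks.group_add_member(master, group2, "admin",
+                                        raiseonerr=False)
+        assert result.returncode == 1
+        assert "Insufficient access" in result.stdout_text
+
+        master.run_command(['ipa-server-upgrade'])
+        tasks.group_add_member(master, group2, "admin")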
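Review bot: The two memberManager ACIs that test_member_manager_upgrade_scenario deletes through ldapmodify_dm are only re-created by the `ipa-server-upgrade` call near the end of the method (the add-member that follows it is what succeeds again), so if either of the two assertions before it fails the upgrade never runs and the server stays without those ACIs for every later test in the class. Wrapping the negative check in try/finally, as sketched below, or moving the upgrade into the fixture's teardown restores the state regardless of the test's outcome; the fixture's teardown itself already handles only the users and groups it created. As a point of style, `@tasks.pytest.fixture` and `tasks.textwrap.dedent` reach pytest and textwrap through the tasks module namespace; the test module should `import pytest` and `import textwrap` itself.

```python
        tasks.kinit_as_user(master, user, password)
        try:
            # at this point this command should fail
            result = tasks.group_add_member(master, group2, "admin",
                                            raiseonerr=False)
            assert result.returncode == 1
            assert "Insufficient access" in result.stdout_text
        finally:
            # re-creates the ACIs deleted above even if the assertions fail
            master.run_command(['ipa-server-upgrade'])
        tasks.group_add_member(master, group2, "admin")
```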