tests: add test to check the default ACL

Also includes basic ACL manipulation and adding
and removing members to/from the acl.

https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>

ipatests/test_xmlrpc/test_caacl_plugin.py

@@ -6,20 +6,20 @@
 Test the `ipalib.plugins.caacl` module.
 """
 
-import os
-
 import pytest
 
-from ipapython import ipautil
-from ipalib import errors, x509
-from ipapython.dn import DN
+from ipalib import errors
 from ipatests.test_xmlrpc.ldaptracker import Tracker
 from ipatests.test_xmlrpc.xmlrpc_test import (XMLRPC_test, fuzzy_caacldn,
-                                              fuzzy_uuid, fuzzy_ipauniqueid,
-                                              raises_exact)
+                                              fuzzy_uuid, fuzzy_ipauniqueid)
+
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.util import assert_deepequal
 
+# reuse the fixture
+from ipatests.test_xmlrpc.test_certprofile_plugin import default_profile
+from ipatests.test_xmlrpc.test_stageuser_plugin import StageUserTracker
+
 
 class CAACLTracker(Tracker):
     """Tracker class for CA ACL LDAP object.
@@ -376,3 +376,124 @@ class CAACLTracker(Tracker):
         command = self.make_command(u'caacl_disable', self.name)
         self.attrs.update({u'ipaenabledflag': [u'FALSE']})
         command()
+
+
+@pytest.fixture(scope='class')
+def default_acl(request):
+    name = u'hosts_services_caIPAserviceCert'
+    tracker = CAACLTracker(name, service_category=u'all', host_category=u'all')
+    tracker.track_create()
+    tracker.attrs.update(
+        {u'ipamembercertprofile_certprofile': [u'caIPAserviceCert']})
+    return tracker
+
+
+@pytest.fixture(scope='class')
+def crud_acl(request):
+    name = u'crud-acl'
+    tracker = CAACLTracker(name)
+
+    return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def category_acl(request):
+    name = u'category_acl'
+    tracker = CAACLTracker(name, ipacertprofile_category=u'all',
+                           user_category=u'all', service_category=u'all',
+                           host_category=u'all')
+
+    return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
+def staged_user(request):
+    name = u'st-user'
+    tracker = StageUserTracker(name, u'stage', u'test')
+
+    return tracker.make_fixture(request)
+
+
+class TestDefaultACL(XMLRPC_test):
+    def test_default_acl_present(self, default_acl):
+        default_acl.retrieve()
+
+
+class TestCAACLbasicCRUD(XMLRPC_test):
+    def test_create(self, crud_acl):
+        crud_acl.create()
+
+    def test_delete(self, crud_acl):
+        crud_acl.delete()
+
+    def test_disable(self, crud_acl):
+        crud_acl.ensure_exists()
+        crud_acl.disable()
+        crud_acl.retrieve()
+
+    def test_disable_twice(self, crud_acl):
+        crud_acl.disable()
+        crud_acl.retrieve()
+
+    def test_enable(self, crud_acl):
+        crud_acl.enable()
+        crud_acl.retrieve()
+
+    def test_enable_twice(self, crud_acl):
+        crud_acl.enable()
+        crud_acl.retrieve()
+
+    def test_find(self, crud_acl):
+        crud_acl.find()
+
+
+class TestCAACLMembers(XMLRPC_test):
+    def test_category_member_exclusivity(self, category_acl, default_profile):
+        category_acl.create()
+        default_profile.ensure_exists()
+        with pytest.raises(errors.MutuallyExclusiveError):
+            category_acl.add_profile(default_profile.name, track=False)
+
+    def test_mod_delete_category(self, category_acl):
+        updates = dict(
+            hostcategory=None,
+            servicecategory=None,
+            ipacertprofilecategory=None,
+            usercategory=None)
+        category_acl.update(updates)
+
+    def test_add_profile(self, category_acl, default_profile):
+        category_acl.add_profile(certprofile=default_profile.name)
+        category_acl.retrieve()
+
+    def test_remove_profile(self, category_acl, default_profile):
+        category_acl.remove_profile(certprofile=default_profile.name)
+        category_acl.retrieve()
+
+    def test_add_invalid_value_service(self, category_acl, default_profile):
+        res = category_acl.add_service(service=default_profile.name, track=False)
+        assert len(res['failed']) == 1
+
+    # the same for other types
+
+    def test_add_invalid_value_user(self, category_acl, default_profile):
+        res = category_acl.add_user(user=default_profile.name, track=False)
+        assert len(res['failed']) == 1
+
+        res = category_acl.add_user(group=default_profile.name, track=False)
+        assert len(res['failed']) == 1
+
+    def test_add_invalid_value_host(self, category_acl, default_profile):
+        res = category_acl.add_host(host=default_profile.name, track=False)
+        assert len(res['failed']) == 1
+
+        res = category_acl.add_host(hostgroup=default_profile.name, track=False)
+        assert len(res['failed']) == 1
+
+    def test_add_invalid_value_profile(self, category_acl):
+        res = category_acl.add_profile(certprofile=category_acl.name, track=False)
+        assert len(res['failed']) == 1
+
+    def test_add_staged_user_to_acl(self, category_acl, staged_user):
+        res = category_acl.add_user(user=staged_user.name, track=False)
+        assert len(res['failed']) == 1