ipatests: test that modifying a permission attrs handles failure

Add a test to ensure that a change to a permission that will result in an invalid ACI is rolled back. https://pagure.io/freeipa/issue/8646 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-12-23 07:33:27 -06:00 · 2021-01-08 17:27:09 -05:00 · 2021-01-08 17:27:09 -05:00 · 8dd2eb45c6
commit 8dd2eb45c6
parent 59d6c4da73
1 changed files with 25 additions and 0 deletions
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@ -3849,6 +3849,31 @@ class test_managed_permissions(Declarative):
            'allow (write) userdn = "ldap:///all";)',
        ),

+        dict(
+            desc='Try to add invalid attribute to %r' % permission1,
+            command=('permission_mod', [permission1],
+                     {'attrs': [u'calicense',]}),
+            expected=errors.InvalidSyntax(
+                attr=r'targetattr "calicense" does not exist in schema. '
+                     r'Please add attributeTypes "calicense" to '
+                     r'schema if necessary. '
+                     r'ACL Syntax Error(-5):'
+                     r'(targetattr = \22calicense\22)'
+                     r'(targetfilter = \22(objectclass=posixaccount)\22)'
+                     r'(version 3.0;acl \22permission:%(name)s\22;'
+                     r'allow (write) userdn = \22ldap:///all\22;)' %
+                     dict(name=permission1),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, users_dn,
+            '(targetattr = "l || o || sn")' \
+            '(targetfilter = "(objectclass=posixaccount)")' \
+            '(version 3.0;acl "permission:%s";' \
+            'allow (write) userdn = "ldap:///all";)' % permission1,
+        ),
+
        dict(
            desc='Search for %r using all its --attrs' % permission1,
            command=('permission_find', [permission1],