From bf6df3df9b388753a52a0040d9c15b1eabce41ca Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 17 Oct 2014 12:05:34 -0400 Subject: [PATCH] Added vault access control. New LDAP ACIs have been added to allow vault owners to manage the vaults and to allow members to access the vaults. New CLIs have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta --- API.txt | 92 ++++++++++++++--- VERSION | 4 +- install/share/60basev3.ldif | 3 +- install/share/vault.update | 15 ++- ipalib/plugins/vault.py | 118 ++++++++++++++++++++-- ipatests/test_xmlrpc/test_vault_plugin.py | 27 +++-- 6 files changed, 226 insertions(+), 33 deletions(-) diff --git a/API.txt b/API.txt index b715a967c..d4eb074bf 100644 --- a/API.txt +++ b/API.txt @@ -5426,27 +5426,58 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_add_internal -args: 1,10,3 +args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('description', attribute=True, cli_name='desc', multivalue=False, required=False) option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', default=u'standard', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_add_member +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_add_owner +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_archive args: 1,10,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) @@ -5458,7 +5489,7 @@ option: Str('password_file?', cli_name='password_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) @@ -5472,7 +5503,7 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Bytes('vault_data') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) @@ -5484,32 +5515,33 @@ arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=True, option: Flag('continue', autofill=True, cli_name='continue', default=False) option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Output('result', , None) output: Output('summary', (, ), None) output: ListOfPrimaryKeys('value', None, None) command: vault_find -args: 1,12,4 +args: 1,13,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('cn', attribute=True, autofill=False, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', multivalue=False, query=True, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, query=True, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('pkey_only?', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) option: Int('sizelimit?', autofill=False, minvalue=0) option: Int('timelimit?', autofill=False, minvalue=0) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Output('count', , None) output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: Output('truncated', , None) command: vault_mod -args: 1,14,3 +args: 1,15,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') @@ -5518,16 +5550,47 @@ option: Str('description', attribute=True, autofill=False, cli_name='desc', mult option: Bytes('ipavaultpublickey', attribute=True, autofill=False, cli_name='public_key', multivalue=False, required=False) option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', multivalue=False, required=False) option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', default=u'standard', multivalue=False, required=False) +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') option: Str('setattr*', cli_name='setattr', exclude='webui') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) +command: vault_remove_member +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) +command: vault_remove_owner +args: 1,9,3 +arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) +option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Str('group*', alwaysask=True, cli_name='groups', csv=True) +option: Flag('no_members', autofill=True, default=False, exclude='webui') +option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') +option: Str('service?') +option: Flag('shared?', autofill=True, default=False) +option: Str('user*', alwaysask=True, cli_name='users', csv=True) +option: Str('username?', cli_name='user') +option: Str('version?', exclude='webui') +output: Output('completed', , None) +output: Output('failed', , None) +output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) command: vault_retrieve args: 1,11,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) @@ -5540,7 +5603,7 @@ option: Str('private_key_file?', cli_name='private_key_file') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) @@ -5553,20 +5616,21 @@ option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui option: Str('service?') option: Bytes('session_key') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) output: PrimaryKey('value', None, None) command: vault_show -args: 1,7,3 +args: 1,8,3 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, required=True) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') +option: Flag('no_members', autofill=True, default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('rights', autofill=True, default=False) option: Str('service?') option: Flag('shared?', autofill=True, default=False) -option: Str('user?') +option: Str('username?', cli_name='user') option: Str('version?', exclude='webui') output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Output('summary', (, ), None) diff --git a/VERSION b/VERSION index 16bd11798..38af6ec59 100644 --- a/VERSION +++ b/VERSION @@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=144 -# Last change: ab - trusts: add support for one-way trust and switch to it by default +IPA_API_VERSION_MINOR=145 +# Last change: edewata - added vault access control diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 5491f99f5..16d7c21d9 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -82,4 +82,5 @@ objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrap objectClasses: (2.16.840.1.113730.3.8.12.25 NAME 'ipaPrivateKeyObject' DESC 'Wrapped private keys' SUP top AUXILIARY MUST ( ipaPrivateKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.26 NAME 'ipaSecretKeyObject' DESC 'Wrapped secret keys' SUP top AUXILIARY MUST ( ipaSecretKey $ ipaWrappingKey $ ipaWrappingMech ) X-ORIGIN 'IPA v4.1' ) objectClasses: (2.16.840.1.113730.3.8.12.34 NAME 'ipaSecretKeyRefObject' DESC 'Indirect storage for encoded key material' SUP top AUXILIARY MUST ( ipaSecretKeyRef ) X-ORIGIN 'IPA v4.1' ) -objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.1 NAME 'ipaVault' DESC 'IPA vault' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ ipaVaultType $ ipaVaultSalt $ ipaVaultPublicKey $ owner $ member ) X-ORIGIN 'IPA v4.2' ) +objectClasses: (2.16.840.1.113730.3.8.18.1.2 NAME 'ipaVaultContainer' DESC 'IPA vault container' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) X-ORIGIN 'IPA v4.2' ) diff --git a/install/share/vault.update b/install/share/vault.update index dcd1e2a15..61a8940b5 100644 --- a/install/share/vault.update +++ b/install/share/vault.update @@ -5,20 +5,27 @@ default: cn: kra dn: cn=vaults,cn=kra,$SUFFIX default: objectClass: top -default: objectClass: nsContainer +default: objectClass: ipaVaultContainer default: cn: vaults +default: aci: (target="ldap:///cn=*,cn=users,cn=vaults,cn=kra,$SUFFIX")(version 3.0; acl "Allow users to create private container"; allow (add) userdn = "ldap:///uid=($$attr.cn),cn=users,cn=accounts,$SUFFIX";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect container owners can manage vaults in the container"; allow(read, search, compare, add, delete) userattr="parent[1].owner#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault members can access the vault"; allow(read, search, compare) userattr="member#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault members can access the vault"; allow(read, search, compare) userattr="member#GROUPDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#USERDN";) +default: aci: (targetfilter="(objectClass=ipaVault)")(targetattr="*")(version 3.0; acl "Indirect vault owners can manage the vault"; allow(read, search, compare, write) userattr="owner#GROUPDN";) dn: cn=services,cn=vaults,cn=kra,$SUFFIX default: objectClass: top -default: objectClass: nsContainer +default: objectClass: ipaVaultContainer default: cn: services dn: cn=shared,cn=vaults,cn=kra,$SUFFIX default: objectClass: top -default: objectClass: nsContainer +default: objectClass: ipaVaultContainer default: cn: shared dn: cn=users,cn=vaults,cn=kra,$SUFFIX default: objectClass: top -default: objectClass: nsContainer +default: objectClass: ipaVaultContainer default: cn: users diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py index 9fcd619d1..37a32282e 100644 --- a/ipalib/plugins/vault.py +++ b/ipalib/plugins/vault.py @@ -42,7 +42,8 @@ from ipalib import output from ipalib.crud import PKQuery, Retrieve, Update from ipalib.plugable import Registry from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\ - LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value + LDAPSearch, LDAPUpdate, LDAPRetrieve, LDAPAddMember, LDAPRemoveMember,\ + pkey_to_value from ipalib.request import context from ipalib.plugins.user import split_principal from ipalib import _, ngettext @@ -195,6 +196,18 @@ EXAMPLES: """) + _(""" Retrieve data from asymmetric vault: ipa vault-retrieve --out data.bin --private-key-file private.pem +""") + _(""" + Add a vault owner: + ipa vault-add-owner --users +""") + _(""" + Delete a vault owner: + ipa vault-remove-owner --users +""") + _(""" + Add a vault member: + ipa vault-add-member --users +""") + _(""" + Delete a vault member: + ipa vault-remove-member --users """) register = Registry() @@ -210,7 +223,8 @@ vault_options = ( doc=_('Shared vault'), ), Str( - 'user?', + 'username?', + cli_name='user', doc=_('Username of the user vault'), ), ) @@ -234,12 +248,18 @@ class vault(LDAPObject): 'ipavaulttype', 'ipavaultsalt', 'ipavaultpublickey', + 'owner', + 'member', ] search_display_attributes = [ 'cn', 'description', 'ipavaulttype', ] + attribute_members = { + 'owner': ['user', 'group'], + 'member': ['user', 'group'], + } label = _('Vaults') label_singular = _('Vault') @@ -282,6 +302,16 @@ class vault(LDAPObject): doc=_('Vault public key'), flags=['no_search'], ), + Str( + 'owner_user?', + label=_('Owner users'), + flags=['no_create', 'no_update', 'no_search'], + ), + Str( + 'owner_group?', + label=_('Owner groups'), + flags=['no_create', 'no_update', 'no_search'], + ), ) def get_dn(self, *keys, **options): @@ -291,7 +321,7 @@ class vault(LDAPObject): service = options.get('service') shared = options.get('shared') - user = options.get('user') + user = options.get('username') count = 0 if service: @@ -337,7 +367,7 @@ class vault(LDAPObject): return DN(rdns, parent_dn) - def create_container(self, dn): + def create_container(self, dn, owner_dn): """ Creates vault container and its parents. """ @@ -354,8 +384,9 @@ class vault(LDAPObject): entry = self.backend.make_entry( dn, { - 'objectclass': ['nsContainer'], + 'objectclass': ['ipaVaultContainer'], 'cn': rdn['cn'], + 'owner': [owner_dn], }) # if entry can be added, return @@ -631,12 +662,21 @@ class vault_add_internal(LDAPCreate): raise errors.InvocationError( format=_('KRA service is not enabled')) + principal = getattr(context, 'principal') + (name, realm) = split_principal(principal) + if '/' in name: + owner_dn = self.api.Object.service.get_dn(name) + else: + owner_dn = self.api.Object.user.get_dn(name) + try: parent_dn = DN(*dn[1:]) - self.obj.create_container(parent_dn) + self.obj.create_container(parent_dn, owner_dn) except errors.DuplicateEntry, e: pass + entry_attrs['owner'] = owner_dn + return dn @@ -687,6 +727,8 @@ class vault_find(LDAPSearch): takes_options = LDAPSearch.takes_options + vault_options + has_output_params = LDAPSearch.has_output_params + msg_summary = ngettext( '%(count)d vault matched', '%(count)d vaults matched', @@ -742,6 +784,8 @@ class vault_show(LDAPRetrieve): takes_options = LDAPRetrieve.takes_options + vault_options + has_output_params = LDAPRetrieve.has_output_params + def pre_callback(self, ldap, dn, attrs_list, *keys, **options): assert isinstance(dn, DN) @@ -1328,6 +1372,68 @@ class vault_retrieve_internal(PKQuery): return response +@register() +class vault_add_owner(LDAPAddMember): + __doc__ = _('Add owners to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner added.', '%i owners added.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be added'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners added'), + ), + ) + + +@register() +class vault_remove_owner(LDAPRemoveMember): + __doc__ = _('Remove owners from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + member_attributes = ['owner'] + member_count_out = ('%i owner removed.', '%i owners removed.') + + has_output = ( + output.Entry('result'), + output.Output( + 'failed', + type=dict, + doc=_('Owners that could not be removed'), + ), + output.Output( + 'completed', + type=int, + doc=_('Number of owners removed'), + ), + ) + + +@register() +class vault_add_member(LDAPAddMember): + __doc__ = _('Add members to a vault.') + + takes_options = LDAPAddMember.takes_options + vault_options + + +@register() +class vault_remove_member(LDAPRemoveMember): + __doc__ = _('Remove members from a vault.') + + takes_options = LDAPRemoveMember.takes_options + vault_options + + @register() class kra_is_enabled(Command): NO_CLI = True diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py index 3db93b207..fe2f2f67d 100644 --- a/ipatests/test_xmlrpc/test_vault_plugin.py +++ b/ipatests/test_xmlrpc/test_vault_plugin.py @@ -89,7 +89,7 @@ class test_vault_plugin(Declarative): 'continue': True }), ('vault_del', [vault_name], {'shared': True, 'continue': True}), - ('vault_del', [vault_name], {'user': user_name, 'continue': True}), + ('vault_del', [vault_name], {'username': user_name, 'continue': True}), ('vault_del', [standard_vault_name], {'continue': True}), ('vault_del', [symmetric_vault_name], {'continue': True}), ('vault_del', [asymmetric_vault_name], {'continue': True}), @@ -113,6 +113,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -154,6 +155,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -174,6 +176,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -212,6 +215,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -257,6 +261,7 @@ class test_vault_plugin(Declarative): % (vault_name, service_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -278,6 +283,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -318,6 +324,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -363,6 +370,7 @@ class test_vault_plugin(Declarative): % (vault_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -384,6 +392,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -412,7 +421,7 @@ class test_vault_plugin(Declarative): 'vault_add', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -424,6 +433,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -434,7 +444,7 @@ class test_vault_plugin(Declarative): 'vault_find', [], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -458,7 +468,7 @@ class test_vault_plugin(Declarative): 'vault_show', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -469,6 +479,7 @@ class test_vault_plugin(Declarative): % (vault_name, user_name, api.env.basedn), 'cn': [vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -479,7 +490,7 @@ class test_vault_plugin(Declarative): 'vault_mod', [vault_name], { - 'user': user_name, + 'username': user_name, 'description': u'Test vault', }, ), @@ -490,6 +501,7 @@ class test_vault_plugin(Declarative): 'cn': [vault_name], 'description': [u'Test vault'], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -500,7 +512,7 @@ class test_vault_plugin(Declarative): 'vault_del', [vault_name], { - 'user': user_name, + 'username': user_name, }, ), 'expected': { @@ -528,6 +540,7 @@ class test_vault_plugin(Declarative): 'objectclass': [u'top', u'ipaVault'], 'cn': [standard_vault_name], 'ipavaulttype': [u'standard'], + 'owner_user': [u'admin'], }, }, }, @@ -586,6 +599,7 @@ class test_vault_plugin(Declarative): 'cn': [symmetric_vault_name], 'ipavaulttype': [u'symmetric'], 'ipavaultsalt': [fuzzy_string], + 'owner_user': [u'admin'], }, }, }, @@ -647,6 +661,7 @@ class test_vault_plugin(Declarative): 'cn': [asymmetric_vault_name], 'ipavaulttype': [u'asymmetric'], 'ipavaultpublickey': [public_key], + 'owner_user': [u'admin'], }, }, },