ipatests: added unlock_principal_password and change_principal

The unlock_principal_password unlocks the (new) user by running ldappasswd as the user. change_principal is an context manager that changes identity for the supplied api object by disconnecting and reconnecting the rpcclient in and outside of requested kerberos context. This context manager allows to run tests that cannot be executed as an admin user which can for example override an CA ACL. https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-09-22 15:21:33 +02:00 · 2015-09-22 15:21:33 +02:00 · d2ff5e4639
commit d2ff5e4639
parent 8d64485b2e
1 changed files with 40 additions and 0 deletions
--- a/ipatests/util.py
+++ b/ipatests/util.py
@ -27,6 +27,8 @@ from os import path
 import tempfile
 import shutil
 import re
+import uuid
+from contextlib import contextmanager

 import six
 import ldap
@ -34,9 +36,12 @@ import ldap.sasl
 import ldap.modlist

 import ipalib
+from ipalib import api
 from ipalib.plugable import Plugin
 from ipalib.request import context
 from ipapython.dn import DN
+from ipapython.ipautil import private_ccache, kinit_password, run
+from ipaplatform.paths import paths

 if six.PY3:
    unicode = str
@ -666,3 +671,38 @@ def prepare_config(template, values):
        config.write(template.format(**values))

    return config.name
+
+
+def unlock_principal_password(user, oldpw, newpw):
+    userdn = "uid={},{},{}".format(
+        user, api.env.container_user, api.env.basedn)
+
+    args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
+            '-s', newpw, '-x']
+    return run(args)
+
+
+@contextmanager
+def change_principal(user, password, client=None, path=None):
+
+    if path:
+        ccache_name = path
+    else:
+        ccache_name = os.path.join('/tmp', str(uuid.uuid4()))
+
+    if client is None:
+        client = api
+
+
+    client.Backend.rpcclient.disconnect()
+
+    with private_ccache(ccache_name):
+        kinit_password(user, password, ccache_name)
+        client.Backend.rpcclient.connect()
+
+        try:
+            yield
+        finally:
+            client.Backend.rpcclient.disconnect()
+
+    client.Backend.rpcclient.connect()