Add sudorule and hbacrule to memberof and indirectmemberof attributes

Add Add tests for users, groups, hosts and hostgroups to verify membership

Update API to version 2.3

https://fedorahosted.org/freeipa/ticket/1170

API.txt

@@ -904,7 +904,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'bool'>, 'True means the operation was successful')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: group_find
-args: 1,19,4
+args: 1,23,4
 arg: Str('criteria?')
 option: Str('cn', attribute=True, autofill=False, cli_name='group_name', label=Gettext('Group name', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=<lambda>, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
@@ -925,6 +925,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival
 option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True)
 option: List('in_role?', cli_name='in_roles', label='role', multivalue=True)
 option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True)
+option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True)
+option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed')
 output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
 output: Output('count', <type 'int'>, 'Number of entries returned')
@@ -1313,7 +1317,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'bool'>, 'True means the operation was successful')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: host_find
-args: 1,23,4
+args: 1,27,4
 arg: Str('criteria?')
 option: Str('fqdn', validate_host, attribute=True, autofill=False, cli_name='hostname', label=Gettext('Host name', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
@@ -1334,6 +1338,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival
 option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True)
 option: List('in_role?', cli_name='in_roles', label='role', multivalue=True)
 option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True)
+option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True)
+option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True)
 option: List('enroll_by_user?', cli_name='enroll_by_users', label='user', multivalue=True)
 option: List('not_enroll_by_user?', cli_name='not_enroll_by_users', label='user', multivalue=True)
 option: List('man_by_host?', cli_name='man_by_hosts', label='host', multivalue=True)
@@ -1415,7 +1423,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'dict'>, 'list of deletions that failed')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: hostgroup_find
-args: 1,13,4
+args: 1,17,4
 arg: Str('criteria?')
 option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', label=Gettext('Host-group', domain='ipa', localedir=None), multivalue=False, normalizer=<lambda>, primary_key=True, query=True, required=False)
 option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
@@ -1430,6 +1438,10 @@ option: List('hostgroup?', cli_name='hostgroups', label='hostgroup', multivalue=
 option: List('no_hostgroup?', cli_name='no_hostgroups', label='hostgroup', multivalue=True)
 option: List('in_hostgroup?', cli_name='in_hostgroups', label='hostgroup', multivalue=True)
 option: List('not_in_hostgroup?', cli_name='not_in_hostgroups', label='hostgroup', multivalue=True)
+option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True)
+option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed')
 output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
 output: Output('count', <type 'int'>, 'Number of entries returned')
@@ -2580,7 +2592,7 @@ output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly
 output: Output('result', <type 'bool'>, 'True means the operation was successful')
 output: Output('value', <type 'unicode'>, "The primary_key value of the entry, e.g. 'jdoe' for a user")
 command: user_find
-args: 1,38,4
+args: 1,42,4
 arg: Str('criteria?')
 option: Str('uid', attribute=True, autofill=False, cli_name='login', default_from=DefaultFrom(<lambda>, 'givenname', 'sn'), label=Gettext('User login', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=<lambda>, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=False)
 option: Str('givenname', attribute=True, autofill=False, cli_name='first', label=Gettext('First name', domain='ipa', localedir=None), multivalue=False, query=True, required=False)
@@ -2620,6 +2632,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival
 option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True)
 option: List('in_role?', cli_name='in_roles', label='role', multivalue=True)
 option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True)
+option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True)
+option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True)
+option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), 'User-friendly description of action performed')
 output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list of LDAP entries', domain='ipa', localedir=None))
 output: Output('count', <type 'int'>, 'Number of entries returned')

VERSION

@@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=2
+IPA_API_VERSION_MINOR=3

ipalib/plugins/group.py

@@ -90,9 +90,10 @@ class group(LDAPObject):
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'member': ['user', 'group'],
-        'memberof': ['group', 'netgroup', 'role',],
+        'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
         'memberindirect': ['user', 'group', 'netgroup', 'role'],
-        'memberofindirect': ['group', 'netgroup', 'role'],
+        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',
+        'sudorule'],
     }
     rdnattr = 'cn'
 

ipalib/plugins/host.py

@@ -214,9 +214,10 @@ class host(LDAPObject):
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'enrolledby': ['user'],
-        'memberof': ['hostgroup', 'netgroup', 'role'],
+        'memberof': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'],
         'managedby': ['host'],
-        'memberofindirect': ['hostgroup', 'netgroup', 'role'],
+        'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule',
+        'sudorule'],
     }
     bindable = True
     relationships = {

ipalib/plugins/hostgroup.py

@@ -65,9 +65,9 @@ class hostgroup(LDAPObject):
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
         'member': ['host', 'hostgroup'],
-        'memberof': ['hostgroup'],
+        'memberof': ['hostgroup', 'hbacrule', 'sudorule'],
         'memberindirect': ['host', 'hostgroup'],
-        'memberofindirect': ['host', 'hostgroup'],
+        'memberofindirect': ['host', 'hostgroup', 'hbacrule', 'sudorule'],
     }
 
     label = _('Host Groups')

ipalib/plugins/user.py

@@ -99,8 +99,8 @@ class user(LDAPObject):
     ]
     uuid_attribute = 'ipauniqueid'
     attribute_members = {
-        'memberof': ['group', 'netgroup', 'role'],
+        'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
-        'memberofindirect': ['group', 'netgroup', 'role'],
+        'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'],
     }
     rdnattr = 'uid'
     bindable = True

tests/test_xmlrpc/test_hbac_plugin.py

@@ -24,7 +24,6 @@ from xmlrpc_test import XMLRPC_test, assert_attr_equal
 from ipalib import api
 from ipalib import errors
 
-
 class test_hbac(XMLRPC_test):
     """
     Test the `hbacrule` plugin.
@@ -179,6 +178,24 @@ class test_hbac(XMLRPC_test):
         assert_attr_equal(entry, 'memberuser_user', self.test_user)
         assert_attr_equal(entry, 'memberuser_group', self.test_group)
 
+    def test_9_a_show_user(self):
+        """
+        Test showing a user to verify HBAC rule membership
+        `xmlrpc.user_show`.
+        """
+        ret = api.Command['user_show'](self.test_user, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name)
+
+    def test_9_b_show_group(self):
+        """
+        Test showing a group to verify HBAC rule membership
+        `xmlrpc.group_show`.
+        """
+        ret = api.Command['group_show'](self.test_group, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name)
+
     def test_9_hbacrule_remove_user(self):
         """
         Test removing user and group from HBAC rule using `xmlrpc.hbacrule_remove_user'.
@@ -215,6 +232,24 @@ class test_hbac(XMLRPC_test):
         assert_attr_equal(entry, 'memberhost_host', self.test_host)
         assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup)
 
+    def test_a_hbacrule_show_host(self):
+        """
+        Test showing host to verify HBAC rule membership
+        `xmlrpc.host_show`.
+        """
+        ret = api.Command['host_show'](self.test_host, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name)
+
+    def test_a_hbacrule_show_hostgroup(self):
+        """
+        Test showing hostgroup to verify HBAC rule membership
+        `xmlrpc.hostgroup_show`.
+        """
+        ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name)
+
     def test_b_hbacrule_remove_host(self):
         """
         Test removing host and hostgroup from HBAC rule using `xmlrpc.hbacrule_remove_host`.

tests/test_xmlrpc/test_sudorule_plugin.py

@@ -25,7 +25,6 @@ from xmlrpc_test import XMLRPC_test, assert_attr_equal
 from ipalib import api
 from ipalib import errors
 
-
 class test_sudorule(XMLRPC_test):
     """
     Test the `sudorule` plugin.
@@ -155,6 +154,24 @@ class test_sudorule(XMLRPC_test):
         assert_attr_equal(entry, 'memberuser_user', self.test_user)
         assert_attr_equal(entry, 'memberuser_group', self.test_group)
 
+    def test_9_a_show_user(self):
+        """
+        Test showing a user to verify Sudo rule membership
+        `xmlrpc.user_show`.
+        """
+        ret = api.Command['user_show'](self.test_user, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name)
+
+    def test_9_b_show_group(self):
+        """
+        Test showing a group to verify Sudo rule membership
+        `xmlrpc.group_show`.
+        """
+        ret = api.Command['group_show'](self.test_group, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name)
+
     def test_9_sudorule_remove_user(self):
         """
         Test removing user and group from Sudo rule using
@@ -359,6 +376,24 @@ class test_sudorule(XMLRPC_test):
         assert_attr_equal(entry, 'memberhost_host', self.test_host)
         assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup)
 
+    def test_a_sudorule_show_host(self):
+        """
+        Test showing host to verify Sudo rule membership
+        `xmlrpc.host_show`.
+        """
+        ret = api.Command['host_show'](self.test_host, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name)
+
+    def test_a_sudorule_show_hostgroup(self):
+        """
+        Test showing hostgroup to verify Sudo rule membership
+        `xmlrpc.hostgroup_show`.
+        """
+        ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True)
+        entry = ret['result']
+        assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name)
+
     def test_b_sudorule_remove_host(self):
         """
         Test removing host and hostgroup from Sudo rule using