ipatests: add integration test for "Read radius servers" perm

Add a new integration test for the following scenario: - create a user with the "User Administrator" role - as this user, create a user with a --radius=<radius_proxy_server> This scenario was previously failing because ipa user-add --radius requires read access to the radius server entries, and there was no permission granting this access. Related to https://pagure.io/freeipa/issue/7570 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2025-01-26 16:16:31 -06:00 · 2018-11-07 17:02:31 +01:00 · 2018-11-07 17:02:31 +01:00 · da4c12c3e6
commit da4c12c3e6
parent 5d603fce5d
1 changed files with 43 additions and 0 deletions
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@ -98,6 +98,49 @@ class TestUserPermissions(IntegrationTest):
        result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
        assert 'Kerberos keys available: True' in result.stdout_text

+    def test_user_add_withradius(self):
+        """
+        Test that a user with User Administrator role can call
+        ipa user-add --radius myradius
+        to create a user with an assigned Radius Proxy Server.
+
+        This is a test case for issue 7570
+        """
+        # kinit admin
+        tasks.kinit_admin(self.master)
+
+        # Create a radius proxy server
+        radiusproxy = 'myradius'
+        secret = 'Secret123'
+        radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
+        self.master.run_command(
+            ['ipa', 'radiusproxy-add', radiusproxy,
+             '--server', 'radius.example.com', '--secret'],
+            stdin_text=radius_secret_confirmation)
+
+        # Create a user with 'User Administrator' role
+        altuser = 'specialuser'
+        password = 'SpecialUser123'
+        password_confirmation = "%s\n%s\n" % (password, password)
+        self.master.run_command(
+            ['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
+             '--password'],
+            stdin_text=password_confirmation)
+        self.master.run_command(
+            ['ipa', 'role-add-member', "User Administrator",
+             '--user', altuser])
+
+        # kinit as altuser to initialize the password
+        altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
+        self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
+        # call ipa user-add with --radius=...
+        # this call requires read access to radius proxy servers
+        self.master.run_command(
+            ['ipa', 'user-add', '--first', 'test', '--last', 'test',
+             '--user-auth-type', 'radius', '--radius-username', 'testradius',
+             'testradius', '--radius', radiusproxy])
+
+

 class TestInstallClientNoAdmin(IntegrationTest):
    num_clients = 1