IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Verify ACIs are added correctly in tests

Browse Source 
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
This commit is contained in:
Petr Viktorin 2013-11-29 12:57:30 +01:00 committed by Martin Kosek
parent d7ee87cfa1
commit f47669a5b9
3 changed files with 270 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
API.txt
View File

@ -92,10 +92,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: aci_show
args: 1,4,3
args: 1,5,3
arg: Str('aciname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: StrEnum('aciprefix', cli_name='prefix', values=(u'permission', u'delegation', u'selfservice', u'none'))
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: DNParam('location?')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))

14
ipalib/plugins/aci.py
View File

@ -120,8 +120,8 @@ targetattr REPLACES the current attributes, it does not add to them.
from copy import deepcopy
from ipalib import api, crud, errors
from ipalib import Object, Command
from ipalib import Flag, Int, Str, StrEnum
from ipalib import Object
from ipalib import Flag, Str, StrEnum, DNParam
from ipalib.aci import ACI
from ipalib import output
from ipalib import _, ngettext
@ -892,7 +892,12 @@ class aci_show(crud.Retrieve):
),
)
takes_options = (_prefix_option,)
takes_options = (
_prefix_option,
DNParam('location?',
label=_('Location of the ACI'),
)
)
def execute(self, aciname, **kw):
"""
@ -905,7 +910,8 @@ class aci_show(crud.Retrieve):
"""
ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci'])
dn = kw.get('location', self.api.env.basedn)
entry = ldap.get_entry(dn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))

259
ipatests/test_xmlrpc/test_permission_plugin.py
View File

@ -22,10 +22,13 @@
Test the `ipalib/plugins/permission.py` module.
"""
import os
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
import inspect
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
@ -86,6 +89,44 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
def verify_permission_aci(name, dn, acistring):
"""Return test dict that verifies the ACI at the given location"""
return dict(
desc="Verify ACI of %s #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=dict(
result=dict(aci=acistring),
summary=None,
value=name,
),
)
def verify_permission_aci_missing(name, dn):
"""Return test dict that checks the ACI at the given location is missing"""
return dict(
desc="Verify ACI of %s is missing #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=errors.NotFound(
reason='ACI with name "%s" not found' % name),
)
def lineinfo(level):
"""Return "filename:lineno" for `level`-th caller"""
# Declarative tests hide tracebacks.
# Including this info in the test name makes it possible
# to locate failing tests.
frame = inspect.currentframe()
for i in range(level):
frame = frame.f_back
lineno = frame.f_lineno
filename = os.path.basename(frame.f_code.co_filename)
return '%s:%s' % (filename, lineno)
class test_permission_negative(Declarative):
"""Make sure invalid operations fail"""
@ -101,7 +142,6 @@ class test_permission_negative(Declarative):
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(ipapermright=u'all')),
@ -152,6 +192,8 @@ class test_permission_negative(Declarative):
'(e.g. target, targetfilter, attrs)'),
),
verify_permission_aci_missing(permission1, api.env.basedn),
dict(
desc='Try to create invalid %r' % invalid_permission1,
command=('permission_add', [invalid_permission1], dict(
@ -162,6 +204,8 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create %r so we can try breaking it' % permission1,
command=(
@ -280,6 +324,13 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Try to create duplicate %r' % permission1,
@ -540,6 +591,14 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission2, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict(
desc='Search for %r' % permission1,
@ -766,6 +825,15 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Retrieve %r to verify update' % permission1,
@ -871,6 +939,17 @@ class test_permission(Declarative):
),
),
verify_permission_aci_missing(permission1, users_dn),
verify_permission_aci(
permission1_renamed, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
dict(
desc='Rename %r to permission %r' % (permission1_renamed,
@ -901,6 +980,17 @@ class test_permission(Declarative):
),
),
verify_permission_aci_missing(permission1_renamed, users_dn),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict(
desc='Change %r to a subtree type' % permission1_renamed_ucase,
@ -928,6 +1018,15 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict(
desc='Reset --subtree of %r' % permission2,
command=(
@ -951,6 +1050,14 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission2, api.env.basedn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict(
desc='Search for %r using --subtree' % permission1,
command=('permission_find', [],
@ -1027,6 +1134,7 @@ class test_permission(Declarative):
)
),
verify_permission_aci_missing(permission1_renamed_ucase, users_dn),
dict(
desc='Try to delete non-existent %r' % permission1,
@ -1062,6 +1170,7 @@ class test_permission(Declarative):
)
),
verify_permission_aci_missing(permission2, users_dn),
dict(
desc='Search for %r' % permission1,
@ -1128,6 +1237,15 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Try to update non-existent memberof of %r' % permission1,
command=('permission_mod', [permission1], dict(
@ -1163,6 +1281,15 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset memberof of permission %r' % permission1,
command=(
@ -1188,6 +1315,13 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Delete %r' % permission1,
@ -1199,6 +1333,7 @@ class test_permission(Declarative):
)
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create targetgroup permission %r' % permission1,
@ -1227,6 +1362,14 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN('cn=editors', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Create %r' % permission3,
command=(
@ -1254,6 +1397,14 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict(
desc='Retrieve %r with --all --rights' % permission3,
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
@ -1300,6 +1451,14 @@ class test_permission(Declarative):
),
),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn || uid")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict(
desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1],
@ -1351,6 +1510,15 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset location on %r, verify type is gone' % permission1,
command=(
@ -1378,6 +1546,15 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Reset location on %r' % permission1,
command=(
@ -1406,6 +1583,15 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset target on %r, verify type is gone' % permission1,
command=(
@ -1432,6 +1618,14 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
command=(
@ -1455,6 +1649,13 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set type of %r to group' % permission1,
command=(
@ -1480,6 +1681,14 @@ class test_permission_sync_attributes(Declarative):
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set target on %r, verify targetgroup is set' % permission1,
command=(
@ -1504,6 +1713,14 @@ class test_permission_sync_attributes(Declarative):
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
]
@ -1545,6 +1762,15 @@ class test_permission_sync_nice(Declarative):
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset type on %r, verify target & location are gone' % permission1,
command=(
@ -1571,6 +1797,14 @@ class test_permission_sync_nice(Declarative):
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
command=(
@ -1594,6 +1828,13 @@ class test_permission_sync_nice(Declarative):
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set type of %r to group' % permission1,
command=(
@ -1619,6 +1860,14 @@ class test_permission_sync_nice(Declarative):
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set targetgroup on %r, verify target is set' % permission1,
command=(
@ -1643,6 +1892,14 @@ class test_permission_sync_nice(Declarative):
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
]