Verify ACIs are added correctly in tests

To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
This commit is contained in:
Petr Viktorin 2013-11-29 12:57:30 +01:00 committed by Martin Kosek
parent d7ee87cfa1
commit f47669a5b9
3 changed files with 270 additions and 6 deletions


@ -92,10 +92,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None) output: Output('value', <type 'unicode'>, None)
command: aci_show command: aci_show
args: 1,4,3 args: 1,5,3
arg: Str('aciname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True) arg: Str('aciname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: StrEnum('aciprefix', cli_name='prefix', values=(u'permission', u'delegation', u'selfservice', u'none')) option: StrEnum('aciprefix', cli_name='prefix', values=(u'permission', u'delegation', u'selfservice', u'none'))
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: DNParam('location?')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui') option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui') option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None)) output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))


@ -120,8 +120,8 @@ targetattr REPLACES the current attributes, it does not add to them.
from copy import deepcopy from copy import deepcopy
from ipalib import api, crud, errors from ipalib import api, crud, errors
from ipalib import Object, Command from ipalib import Object
from ipalib import Flag, Int, Str, StrEnum from ipalib import Flag, Str, StrEnum, DNParam
from ipalib.aci import ACI from ipalib.aci import ACI
from ipalib import output from ipalib import output
from ipalib import _, ngettext from ipalib import _, ngettext
@ -892,7 +892,12 @@ class aci_show(crud.Retrieve):
), ),
) )
takes_options = (_prefix_option,) takes_options = (
_prefix_option,
DNParam('location?',
label=_('Location of the ACI'),
)
)
def execute(self, aciname, **kw): def execute(self, aciname, **kw):
""" """
@ -905,7 +910,8 @@ class aci_show(crud.Retrieve):
""" """
ldap = self.api.Backend.ldap2 ldap = self.api.Backend.ldap2
entry = ldap.get_entry(self.api.env.basedn, ['aci']) dn = kw.get('location', self.api.env.basedn)
entry = ldap.get_entry(dn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', [])) acis = _convert_strings_to_acis(entry.get('aci', []))
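Review bot: In aci_show.execute, `dn = kw.get('location', self.api.env.basedn)` falls back to the base DN only when the key is absent; if the framework or a caller passes `location=None` for the omitted optional param, `ldap.get_entry(None, ['aci'])` is reached. Whether ipalib ever passes None for an unset optional param is not visible here, but `dn = kw.get('location') or self.api.env.basedn` is robust either way. The new `DNParam('location?', label=_('Location of the ACI'))` in takes_options has no `doc=`; a line such as `doc=_('DN of the entry whose aci attribute is read (default: the base DN)')` would explain the option in --help. Read access to the aci attribute of the supplied entry is presumably still subject to the directory server's own access control, but the option now lets a caller point aci_show at any entry, which the execute docstring (the function continues outside the hunk) should state.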


@ -22,10 +22,13 @@
Test the `ipalib/plugins/permission.py` module. Test the `ipalib/plugins/permission.py` module.
""" """
import os
from ipalib import api, errors from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative from xmlrpc_test import Declarative
from ipapython.dn import DN from ipapython.dn import DN
import inspect
permission1 = u'testperm' permission1 = u'testperm'
permission1_dn = DN(('cn',permission1), permission1_dn = DN(('cn',permission1),
@ -86,6 +89,44 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn) groups_dn = DN(api.env.container_group, api.env.basedn)
def verify_permission_aci(name, dn, acistring):
"""Return test dict that verifies the ACI at the given location"""
return dict(
desc="Verify ACI of %s #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=dict(
result=dict(aci=acistring),
summary=None,
value=name,
),
)
def verify_permission_aci_missing(name, dn):
"""Return test dict that checks the ACI at the given location is missing"""
return dict(
desc="Verify ACI of %s is missing #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=errors.NotFound(
reason='ACI with name "%s" not found' % name),
)
def lineinfo(level):
"""Return "filename:lineno" for `level`-th caller"""
# Declarative tests hide tracebacks.
# Including this info in the test name makes it possible
# to locate failing tests.
frame = inspect.currentframe()
for i in range(level):
frame = frame.f_back
lineno = frame.f_lineno
filename = os.path.basename(frame.f_code.co_filename)
return '%s:%s' % (filename, lineno)
class test_permission_negative(Declarative): class test_permission_negative(Declarative):
"""Make sure invalid operations fail""" """Make sure invalid operations fail"""
@ -101,7 +142,6 @@ class test_permission_negative(Declarative):
reason=u'%s: permission not found' % permission1), reason=u'%s: permission not found' % permission1),
), ),
dict( dict(
desc='Try to update non-existent %r' % permission1, desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(ipapermright=u'all')), command=('permission_mod', [permission1], dict(ipapermright=u'all')),
@ -152,6 +192,8 @@ class test_permission_negative(Declarative):
'(e.g. target, targetfilter, attrs)'), '(e.g. target, targetfilter, attrs)'),
), ),
verify_permission_aci_missing(permission1, api.env.basedn),
dict( dict(
desc='Try to create invalid %r' % invalid_permission1, desc='Try to create invalid %r' % invalid_permission1,
command=('permission_add', [invalid_permission1], dict( command=('permission_add', [invalid_permission1], dict(
@ -162,6 +204,8 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'), error='May only contain letters, numbers, -, _, ., and space'),
), ),
verify_permission_aci_missing(permission1, users_dn),
dict( dict(
desc='Create %r so we can try breaking it' % permission1, desc='Create %r so we can try breaking it' % permission1,
command=( command=(
@ -280,6 +324,13 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Try to create duplicate %r' % permission1, desc='Try to create duplicate %r' % permission1,
@ -540,6 +591,14 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission2, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict( dict(
desc='Search for %r' % permission1, desc='Search for %r' % permission1,
@ -766,6 +825,15 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Retrieve %r to verify update' % permission1, desc='Retrieve %r to verify update' % permission1,
@ -871,6 +939,17 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci_missing(permission1, users_dn),
verify_permission_aci(
permission1_renamed, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
dict( dict(
desc='Rename %r to permission %r' % (permission1_renamed, desc='Rename %r to permission %r' % (permission1_renamed,
@ -901,6 +980,17 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci_missing(permission1_renamed, users_dn),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict( dict(
desc='Change %r to a subtree type' % permission1_renamed_ucase, desc='Change %r to a subtree type' % permission1_renamed_ucase,
@ -928,6 +1018,15 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict( dict(
desc='Reset --subtree of %r' % permission2, desc='Reset --subtree of %r' % permission2,
command=( command=(
@ -951,6 +1050,14 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission2, api.env.basedn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict( dict(
desc='Search for %r using --subtree' % permission1, desc='Search for %r using --subtree' % permission1,
command=('permission_find', [], command=('permission_find', [],
@ -1027,6 +1134,7 @@ class test_permission(Declarative):
) )
), ),
verify_permission_aci_missing(permission1_renamed_ucase, users_dn),
dict( dict(
desc='Try to delete non-existent %r' % permission1, desc='Try to delete non-existent %r' % permission1,
@ -1062,6 +1170,7 @@ class test_permission(Declarative):
) )
), ),
verify_permission_aci_missing(permission2, users_dn),
dict( dict(
desc='Search for %r' % permission1, desc='Search for %r' % permission1,
@ -1128,6 +1237,15 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Try to update non-existent memberof of %r' % permission1, desc='Try to update non-existent memberof of %r' % permission1,
command=('permission_mod', [permission1], dict( command=('permission_mod', [permission1], dict(
@ -1163,6 +1281,15 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset memberof of permission %r' % permission1, desc='Unset memberof of permission %r' % permission1,
command=( command=(
@ -1188,6 +1315,13 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Delete %r' % permission1, desc='Delete %r' % permission1,
@ -1199,6 +1333,7 @@ class test_permission(Declarative):
) )
), ),
verify_permission_aci_missing(permission1, users_dn),
dict( dict(
desc='Create targetgroup permission %r' % permission1, desc='Create targetgroup permission %r' % permission1,
@ -1227,6 +1362,14 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN('cn=editors', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Create %r' % permission3, desc='Create %r' % permission3,
command=( command=(
@ -1254,6 +1397,14 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict( dict(
desc='Retrieve %r with --all --rights' % permission3, desc='Retrieve %r with --all --rights' % permission3,
command=('permission_show', [permission3], {'all' : True, 'rights' : True}), command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
@ -1300,6 +1451,14 @@ class test_permission(Declarative):
), ),
), ),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn || uid")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict( dict(
desc='Try to modify %r with invalid targetfilter' % permission1, desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1], command=('permission_mod', [permission1],
@ -1351,6 +1510,15 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset location on %r, verify type is gone' % permission1, desc='Unset location on %r, verify type is gone' % permission1,
command=( command=(
@ -1378,6 +1546,15 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Reset location on %r' % permission1, desc='Reset location on %r' % permission1,
command=( command=(
@ -1406,6 +1583,15 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset target on %r, verify type is gone' % permission1, desc='Unset target on %r, verify type is gone' % permission1,
command=( command=(
@ -1432,6 +1618,14 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset targetfilter on %r, verify memberof is gone' % permission1, desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
command=( command=(
@ -1455,6 +1649,13 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Set type of %r to group' % permission1, desc='Set type of %r to group' % permission1,
command=( command=(
@ -1480,6 +1681,14 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Set target on %r, verify targetgroup is set' % permission1, desc='Set target on %r, verify targetgroup is set' % permission1,
command=( command=(
@ -1504,6 +1713,14 @@ class test_permission_sync_attributes(Declarative):
), ),
), ),
), ),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
] ]
@ -1545,6 +1762,15 @@ class test_permission_sync_nice(Declarative):
), ),
), ),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset type on %r, verify target & location are gone' % permission1, desc='Unset type on %r, verify target & location are gone' % permission1,
command=( command=(
@ -1571,6 +1797,14 @@ class test_permission_sync_nice(Declarative):
), ),
), ),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Unset memberof on %r, verify targetfilter is gone' % permission1, desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
command=( command=(
@ -1594,6 +1828,13 @@ class test_permission_sync_nice(Declarative):
), ),
), ),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Set type of %r to group' % permission1, desc='Set type of %r to group' % permission1,
command=( command=(
@ -1619,6 +1860,14 @@ class test_permission_sync_nice(Declarative):
), ),
), ),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict( dict(
desc='Set targetgroup on %r, verify target is set' % permission1, desc='Set targetgroup on %r, verify target is set' % permission1,
command=( command=(
@ -1643,6 +1892,14 @@ class test_permission_sync_nice(Declarative):
), ),
), ),
), ),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
] ]
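Review bot: lineinfo, in the helper hunk near the top of this section (after groups_dn), walks `frame.f_back` `level` times and leaves the frame object in a local, which the inspect docs warn creates a reference cycle with the current frame; `inspect.currentframe()` is also documented as returning None on implementations without Python stack frame support, in which case `frame.f_back` raises AttributeError. Wrapping the walk in try/finally with `del frame` and guarding the None case keeps the helper portable, and the unused loop index `i` can be `_`. Note also that `lineinfo(2)` in verify_permission_aci and verify_permission_aci_missing assumes they are called directly from the Declarative class body, so a future wrapper around them would report the wrapper's line rather than the test's; a one-line comment on the `lineinfo(2)` calls saying so would save the next reader a debugging round.
```python
def lineinfo(level):
    """Return "filename:lineno" for `level`-th caller"""
    # Declarative tests hide tracebacks.
    # Including this info in the test name makes it possible
    # to locate failing tests.
    frame = inspect.currentframe()
    if frame is None:
        # Not all interpreters expose Python stack frames.
        return '?:?'
    try:
        for _ in range(level):
            frame = frame.f_back
        filename = os.path.basename(frame.f_code.co_filename)
        return '%s:%s' % (filename, frame.f_lineno)
    finally:
        del frame  # break the frame -> locals reference cycle
```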