Commit Graph

62 Commits

Author SHA1 Message Date
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Rob Crittenden
8dd2eb45c6 ipatests: test that modifying a permission attrs handles failure
Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-13 13:50:45 +01:00
Christian Heimes
9dda004f27 Allow permissions with 'self' bindruletype
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-07 10:18:03 +03:00
Stanislav Levin
fec66942d4 pytest: Migrate unittest/nose to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace unittest.TestCase subclasses
2) replace unittest test controls (SkipTest, fail, etc.)
3) replace unittest assertions

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Stanislav Levin
292d686c0b pytest: Migrate xunit-style setups to Pytest fixtures
Even though Pytest supports xunit style setups, unittest and nose
tests, this support is limited and may be dropped in the future
releases. Worst of all is that the mixing of various test
frameworks results in weird conflicts and of course, is not widely
tested.

This is a part of work to remove the mixing of test idioms in the
IPA's test suite:
1) replace xunit style
2) employ the fixtures' interdependencies

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Christian Heimes
d7426ccbe7 Replace nose with unittest and pytest
* Replace raise nose.SkipTest with raise unittest.SkipTest
* Replace nose.tools.assert_equal(a, b) with assert a == b
* Replace nose.tools.raises with pytest.raises
* Convert @raises decorator to pytest.raises() but just for relevant
  lines.
* Remove nose dependency

I left the nose_compat pytest plugin in place. It can be removed in
another request in case it is no longer used.

https://pagure.io/freeipa/issue/7301

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 16:16:58 +01:00
Fraser Tweedale
bdbb1c34a2 Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-21 17:04:18 +01:00
Martin Basti
9d83be3647 Remove unused variables in tests
This commit removes or marks unused variables as "expected to be unused"
by using '_' prefix.

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Stanislav Laznicka
427bbf6c0d The LDAP*ReverseMember shouldn't imply --all is always specified
The LDAP*ReverseMember methods would always return the whole LDAP
object even though --all is not specified.
Also had to fix some tests as objectClass will not be returned by
default now.

https://fedorahosted.org/freeipa/ticket/5892

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 10:44:30 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Martin Basti
5f42b42bd4 Performance: Find commands: do not process members by default
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.

To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.

For other commands processing of members stays unchanged. WebUI is not
affected by this change.

https://fedorahosted.org/freeipa/ticket/4995

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-05-31 14:08:54 +02:00
Jan Cholasta
2f6b333187 frontend: re-raise remote RequirementError using CLI name in CLI
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
e0275abe6f rpc: include structured error information in responses
Include keyword arguments of exceptions in RPC responses. This is limited
to JSON-RPC, as XML-RPC does not support additional data in error
responses.

Include keyword arguments of messages in RPC responses.

Include keyword arguments of exceptions in batch command result.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Martin Babinsky
62bb478e11 specify type of exceeded limit when warning about truncated search results
API commands inheriting from LDAPSearch should mention which limit was
exceeded in the warning message sent with truncated results.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Milan Kubík
b32c9d639e ipatests: extend permission plugin test with new expected output
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-02-25 16:31:15 +01:00
Martin Basti
9f49246476 Enable pylint unused-format-string-key check
Enables check and fixes:
ipatests/test_xmlrpc/test_permission_plugin.py:534:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)
ipatests/test_xmlrpc/test_permission_plugin.py:652:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
89e16a8053 Enable pylint duplicated-key check
Enables check and fixes:
ipatests/test_xmlrpc/test_permission_plugin.py:65:
[W0109(duplicate-key), ] Duplicate key 'ipapermlocation' in dictionary)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Milan Kubik
0a64e9bd70 Applied tier0 and tier1 marks on unit tests and xmlrpc tests
Web UI tests were marked as tier1 tests.

The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.

The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:

    $ py.test -v -m tier1 ipatests

or in case of out of tree tests:

    $ ipa-run-tests -m tier1

Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
2015-11-09 11:49:17 +01:00
Petr Viktorin
905d81f500 ipalib.aci: Port to Python 3
- Don't encode under Python 3, where shlex would choke on bytes
- Sort the attrs dictionary in export_to_string, so the tests are
  deterministic. (The iteration order of dicts was always unspecified,
  but was always the same in practice under CPython 2.)

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-13 14:16:32 +02:00
Abhijeet Kasurde
1b70521e6b Updated number of legacy permission in ipatests
Since IPA 4.2 has an additional permission
"Request Certificate ignoring CA ACLs", the number of legacy
permission in testcase is updated from 8 to 9.

https://fedorahosted.org/freeipa/ticket/5264

Signed off-by: Abhijeet Kasurde <akasurde@redhat.com>

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-16 12:58:03 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Petr Viktorin
5435a8a32a Use absolute imports
In Python 3, implicit relative imports will not be supported.
Use fully-qualified imports everywhere.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Jan Cholasta
e39fe4ed31 plugable: Pass API to plugins on initialization rather than using set_api
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Thierry Bordaz
51937cc571 User life cycle: Stage user Administrators permission/priviledge
Creation of stage user administrator

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Petr Viktorin
375e9f7c4b tests: Use PEP8-compliant setup/teardown method names
The setUp/dearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.

https://fedorahosted.org/freeipa/ticket/4610

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-21 12:14:44 +01:00
Petr Viktorin
f3b1471af9 test_permission_plugin: Check legacy permissions
Currently a number of v2 permissions are in $SUFFIX, which the original
test did not anticipate.

Properly check that legacy permissions are found.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-25 13:21:28 +02:00
Petr Viktorin
6ce44c4f05 permission plugin: Auto-add operational atttributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Petr Viktorin
cd4fd60c0e test_xmlrpc: Update tests
- The number of permissions in $SUFFIX changed.
- A new ACI was added to realmdomains

Update the tests.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-18 15:03:12 +02:00
Petr Viktorin
fdef2e1bd8 permission plugin: Ignore unparseable ACIs
When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.

Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.

Workaround for: https://fedorahosted.org/freeipa/ticket/4376

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-01 09:35:38 +02:00
Petr Viktorin
628bed8673 test_permission_plugin: Fix permission_find test for legacy permissions
Most of the legacy permissions have been removed.
Do not test that there are many of them.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
ac8539bd34 Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.

https://fedorahosted.org/freeipa/ticket/4372

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
013bf3d4e2 Test and docstring fixes
The recent conversions to managed permissions left behind a few
failing tests. Fix them.

Also fix a now incorrect docstring in ipalib.config.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:42 +02:00
Petr Viktorin
3974c75053 test_permission_plugin: limit results in targetfilter find test
The test was finding recently added default permissions. Limit it to
the test permission only.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-06-04 13:35:13 +02:00
Jan Cholasta
4314d02fbf Allow primary keys to use different type than unicode.
Also return list of primary keys instead of a single unicode CSV value from
LDAPDelete-based commands.

This introduces a new capability 'primary_key_types' for backward
compatibility with old clients.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Viktorin
b53f2d28fd Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.

Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
2014-04-16 16:10:43 +02:00
Petr Viktorin
3deb76cf17 Fix expected output in permission tests
There is now a second permission affecting krbMinPwdLife.
Add it to expected output.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-15 09:45:40 +02:00
Petr Viktorin
1df9b5836a Allow modifying permissions with ":" in the name
The ":" character will be reserved for default permissions, so that
users cannot create a permission with a name that will later be
added as a default.

Allow the ":" character modifying/deleting permissions*, but not
when creating them. Also do not allow the new name to contain ":"
when renaming.

(* modify/delete have unrelated restrictions on managed permissions)

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
d0e83dbccf test_permission_plugin: Fix tests that make too broad assumptions
The test that searches with a limit of 1 assumes a specific order
LDAP returns entries in. Future patches will change this order.
Do not check the specific entry returned.

The test that searched for --bindtype assumed that no anonymous
permissions exist in a clean install. Again, this will be changed
in future patches.
Add a name to the bindtype test, and add a negatitive test to
verify the filtering works.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
3dcad00b94 permission plugin: Do not add the ipapermissionv2 for output
As with the flags, the objectclass should be returned as it is
on the entry.

https://fedorahosted.org/freeipa/ticket/4257

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-24 15:44:23 +01:00
Petr Viktorin
64cc4d81cc permission plugin: Do not change extra target filters by "views"
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.

The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.

Follow-up to https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
29eef98c76 permission plugin: Support searching by extratargetfilter
The extratargetfilter behaves exactly like targetfilter, so that e.g.
  ipa permission-find --filter=(objectclass=ipausergroup)
finds all permissions with that filter in the ACI.

Part of the work for https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
fe2a41e8a3 permission plugin: Add tests for extratargetfilter
Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
254c82727f permission CLI: Rename filter to rawfilter, extratargetfilter to filter
Since extratargetfilter is shown by default, change it to also have
the "default" (i.e. shorter) option name.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
3120a6833e permission plugin: Output the extratargetfilter virtual attribute
The --filter, --type, and --memberof options interact in a way that's
difficult to recreate in the UI: type and memberof are "views" on the
filter, they affect it and are affected by it

Add a "extratagretfilter" view that only contains the filters
not linked to type or memberof.

Show extra target filter, and not the full target filter, by default;
show both with --all, and full filter only with --raw.

Write support will be added in a subsequent patch.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4216

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-14 10:14:05 +01:00
Petr Viktorin
d3a34591a8 permission_add: Remove permission entry if adding the ACI fails
https://fedorahosted.org/freeipa/ticket/4187

Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
2014-03-12 12:17:08 +01:00
Petr Viktorin
d727599aa8 permissions plugin: Don't crash with empty targetfilter
https://fedorahosted.org/freeipa/ticket/4206

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:06:52 +01:00
Petr Viktorin
0c2aec1be5 permission plugin: Allow multiple values for memberof
Design: http://www.freeipa.org/page/V3/Multivalued_target_filters_in_permissions
Additional fix for: https://fedorahosted.org/freeipa/ticket/4074

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 20:05:28 +01:00
Petr Viktorin
02e61961da permission-mod: Remove attributelevelrights before reverting entry
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.

https://fedorahosted.org/freeipa/ticket/4212

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-07 16:52:40 +01:00
Petr Viktorin
fa5cbe7cb2 Test fixed modlist generation code
https://fedorahosted.org/freeipa/ticket/4138
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-03-03 12:14:09 +01:00