mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-27 00:26:33 -06:00
52f69aaa8a
IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511
1190 lines
46 KiB
Python
1190 lines
46 KiB
Python
# Authors:
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
"""
|
|
Test the `ipalib/plugins/dns.py` module.
|
|
"""
|
|
|
|
import nose
|
|
from ipalib import api, errors
|
|
from ipalib.dn import *
|
|
from tests.test_xmlrpc import objectclasses
|
|
from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
|
|
|
|
dnszone1 = u'dnszone.test'
|
|
dnszone1_dn = DN(('idnsname',dnszone1),('cn','dns'),api.env.basedn)
|
|
dnszone1_mname = u'ns1.%s.' % dnszone1
|
|
dnszone1_mname_dn = DN(('idnsname','ns1'), dnszone1_dn)
|
|
dnszone1_rname = u'root.%s.' % dnszone1
|
|
dnszone1_permission = u'Manage DNS zone %s' % dnszone1
|
|
dnszone1_permission_dn = DN(('cn',dnszone1_permission),
|
|
api.env.container_permission,api.env.basedn)
|
|
dnszone2 = u'dnszone2.test'
|
|
dnszone2_dn = DN(('idnsname',dnszone2),('cn','dns'),api.env.basedn)
|
|
dnszone2_mname = u'ns1.%s.' % dnszone2
|
|
dnszone2_rname = u'root.%s.' % dnszone2
|
|
revdnszone1 = u'15.142.80.in-addr.arpa.'
|
|
revdnszone1_ip = u'80.142.15.0/24'
|
|
revdnszone1_dn = DN(('idnsname',revdnszone1),('cn','dns'),api.env.basedn)
|
|
dnsres1 = u'testdnsres'
|
|
dnsres1_dn = DN(('idnsname',dnsres1), dnszone1_dn)
|
|
dnsres1_renamed = u'testdnsres-renamed'
|
|
dnsrev1 = u'80'
|
|
dnsrev1_dn = DN(('idnsname',dnsrev1), revdnszone1_dn)
|
|
dnsrev2 = u'81'
|
|
dnsrev2_dn = DN(('idnsname',dnsrev2), revdnszone1_dn)
|
|
|
|
class test_dns(Declarative):
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
super(test_dns, cls).setUpClass()
|
|
|
|
if not api.Backend.xmlclient.isconnected():
|
|
api.Backend.xmlclient.connect(fallback=False)
|
|
try:
|
|
api.Command['dnszone_add'](dnszone1,
|
|
idnssoamname = dnszone1_mname,
|
|
idnssoarname = dnszone1_rname,
|
|
force = True,
|
|
)
|
|
api.Command['dnszone_del'](dnszone1)
|
|
except errors.NotFound:
|
|
raise nose.SkipTest('DNS is not configured')
|
|
except errors.DuplicateEntry:
|
|
pass
|
|
|
|
cleanup_commands = [
|
|
('dnszone_del', [dnszone1], {}),
|
|
('dnsrecord_del', [dnszone1, dnsres1], {'del_all' : True}),
|
|
('dnsrecord_del', [dnszone1, dnsres1_renamed], {'del_all' : True}),
|
|
('dnszone_del', [dnszone2], {}),
|
|
('dnszone_del', [revdnszone1], {}),
|
|
('dnsconfig_mod', [], {'idnsforwarders' : None,
|
|
'idnsforwardpolicy' : None,
|
|
'idnsallowsyncptr' : None,
|
|
'idnszonerefresh' : None,
|
|
}),
|
|
('permission_del', [dnszone1_permission], {'force': True}),
|
|
]
|
|
|
|
tests = [
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent zone %r' % dnszone1,
|
|
command=('dnszone_show', [dnszone1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: DNS zone not found' % dnszone1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to update non-existent zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnssoamname': u'foobar'}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: DNS zone not found' % dnszone1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent zone %r' % dnszone1,
|
|
command=('dnszone_del', [dnszone1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: DNS zone not found' % dnszone1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create zone with invalid name',
|
|
command=(
|
|
'dnszone_add', [u'invalid zone'], {
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected=errors.ValidationError(name='name',
|
|
error=u'only letters, numbers, and - are allowed. ' +
|
|
u'DNS label may not start or end with -'),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create zone %r' % dnszone1,
|
|
command=(
|
|
'dnszone_add', [dnszone1], {
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowdynupdate': [u'FALSE'],
|
|
'idnsupdatepolicy': [u'grant %(realm)s krb5-self * A; '
|
|
u'grant %(realm)s krb5-self * AAAA; '
|
|
u'grant %(realm)s krb5-self * SSHFP;'
|
|
% dict(realm=api.env.realm)],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
'objectclass': objectclasses.dnszone,
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create duplicate zone %r' % dnszone1,
|
|
command=(
|
|
'dnszone_add', [dnszone1], {
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected=errors.DuplicateEntry(
|
|
message=u'DNS zone with name "%s" already exists' % dnszone1),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to create a zone with nonexistent NS entry',
|
|
command=(
|
|
'dnszone_add', [dnszone2], {
|
|
'idnssoamname': dnszone2_mname,
|
|
'idnssoarname': dnszone2_rname,
|
|
}
|
|
),
|
|
expected=errors.NotFound(reason='Nameserver \'%s\' does not have a corresponding A/AAAA record' % (dnszone2_mname)),
|
|
),
|
|
|
|
dict(
|
|
desc='Create a zone with nonexistent NS entry with --force',
|
|
command=(
|
|
'dnszone_add', [dnszone2], {
|
|
'idnssoamname': dnszone2_mname,
|
|
'idnssoarname': dnszone2_rname,
|
|
'force' : True,
|
|
}
|
|
),
|
|
expected={
|
|
'value': dnszone2,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnszone2_dn),
|
|
'idnsname': [dnszone2],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'idnssoamname': [dnszone2_mname],
|
|
'nsrecord': [dnszone2_mname],
|
|
'idnssoarname': [dnszone2_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowdynupdate': [u'FALSE'],
|
|
'idnsupdatepolicy': [u'grant %(realm)s krb5-self * A; '
|
|
u'grant %(realm)s krb5-self * AAAA; '
|
|
u'grant %(realm)s krb5-self * SSHFP;'
|
|
% dict(realm=api.env.realm)],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
'objectclass': objectclasses.dnszone,
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Delete zone %r' % dnszone2,
|
|
command=('dnszone_del', [dnszone2], {}),
|
|
expected={
|
|
'value': dnszone2,
|
|
'summary': None,
|
|
'result': {'failed': u''},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Retrieve zone %r' % dnszone1,
|
|
command=('dnszone_show', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Update zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnssoarefresh': 5478}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [u'5478'],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create reverse zone %r' % revdnszone1,
|
|
command=(
|
|
'dnszone_add', [revdnszone1], {
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected={
|
|
'value': revdnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(revdnszone1_dn),
|
|
'idnsname': [revdnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowdynupdate': [u'FALSE'],
|
|
'idnsupdatepolicy': [u'grant %(realm)s krb5-subdomain %(zone)s PTR;'
|
|
% dict(realm=api.env.realm, zone=revdnszone1)],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
'objectclass': objectclasses.dnszone,
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for zones with name server %r' % (dnszone1_mname),
|
|
command=('dnszone_find', [], {'idnssoamname': dnszone1_mname}),
|
|
expected={
|
|
'summary': None,
|
|
'count': 2,
|
|
'truncated': False,
|
|
'result': [{
|
|
'dn': unicode(revdnszone1_dn),
|
|
'idnsname': [revdnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
},
|
|
{
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [u'5478'],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
}],
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for zones with name server %r with --forward-only' % dnszone1_mname,
|
|
command=('dnszone_find', [], {'idnssoamname': dnszone1_mname, 'forward_only' : True}),
|
|
expected={
|
|
'summary': None,
|
|
'count': 1,
|
|
'truncated': False,
|
|
'result': [{
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [u'5478'],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
}],
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete reverse zone %r' % revdnszone1,
|
|
command=('dnszone_del', [revdnszone1], {}),
|
|
expected={
|
|
'value': revdnszone1,
|
|
'summary': None,
|
|
'result': {'failed': u''},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Disable zone %r' % dnszone1,
|
|
command=('dnszone_disable', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': u'Disabled DNS zone "%s"' % dnszone1,
|
|
'result': True,
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Check if zone %r is really disabled' % dnszone1,
|
|
command=('dnszone_show', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'FALSE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Enable zone %r' % dnszone1,
|
|
command=('dnszone_enable', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': u'Enabled DNS zone "%s"' % dnszone1,
|
|
'result': True,
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Check if zone %r is really enabled' % dnszone1,
|
|
command=('dnszone_show', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent record %r in zone %r' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_show', [dnszone1, dnsres1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: DNS resource record not found' % dnsres1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent record %r in zone %r' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_del', [dnszone1, dnsres1], {'del_all' : True}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: DNS resource record not found' % dnsres1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete root zone record \'@\' in %r' % (dnszone1),
|
|
command=('dnsrecord_del', [dnszone1, u'@'], {'del_all' : True}),
|
|
expected=errors.ValidationError(name='del_all',
|
|
error=u"Zone record '@' cannot be deleted"),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create record with invalid name in zone %r' % dnszone1,
|
|
command=('dnsrecord_add', [dnszone1, u'invalid record'], {'arecord': u'127.0.0.1'}),
|
|
expected=errors.ValidationError(name='name',
|
|
error=u'only letters, numbers, _, and - are allowed. ' +
|
|
u'DNS label may not start or end with -'),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create record %r in zone %r' % (dnszone1, dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'arecord': u'127.0.0.1'}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'arecord': [u'127.0.0.1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for all records in zone %r' % dnszone1,
|
|
command=('dnsrecord_find', [dnszone1], {}),
|
|
expected={
|
|
'summary': None,
|
|
'count': 3,
|
|
'truncated': False,
|
|
'result': [
|
|
{
|
|
'dn': unicode(dnszone1_dn),
|
|
'nsrecord': (dnszone1_mname,),
|
|
'idnsname': [u'@'],
|
|
},
|
|
{
|
|
'dn': unicode(dnszone1_mname_dn),
|
|
'idnsname': [u'ns1'],
|
|
'arecord': [u'1.2.3.4'],
|
|
},
|
|
{
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'127.0.0.1'],
|
|
},
|
|
],
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Add A record to %r in zone %r' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'arecord': u'10.10.0.1'}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'127.0.0.1', u'10.10.0.1'],
|
|
'objectclass': objectclasses.dnsrecord,
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Remove A record from %r in zone %r' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_del', [dnszone1, dnsres1], {'arecord': u'127.0.0.1'}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Add AAAA record to %r in zone %r using dnsrecord_mod' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, dnsres1], {'aaaarecord': u'::1'}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'aaaarecord': [u'::1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Modify AAAA record in %r in zone %r' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, dnsres1], {'aaaarecord': u'ff02::1'}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'aaaarecord': [u'ff02::1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Remove AAAA record from %r in zone %r using dnsrecord_mod' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, dnsres1], {'aaaarecord': u''}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid MX record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'@'], {'mxrecord': dnszone1_mname }),
|
|
expected=errors.ValidationError(name='mx_rec',
|
|
error=u'format must be specified as "PREFERENCE EXCHANGER" ' +
|
|
u' (see RFC 1035 for details)'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add MX record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'@'], {'mxrecord': u"0 %s" % dnszone1_mname }),
|
|
expected={
|
|
'value': u'@',
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnszone,
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [u'@'],
|
|
'mxrecord': [u"0 %s" % dnszone1_mname],
|
|
'nsrecord': [dnszone1_mname],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid SRV record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'_foo._tcp'], {'srvrecord': dnszone1_mname}),
|
|
expected=errors.ValidationError(name='srv_rec',
|
|
error=u'format must be specified as "PRIORITY WEIGHT PORT TARGET" ' +
|
|
u' (see RFC 2782 for details)'),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid SRV record via parts to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 0,
|
|
'srv_part_weight' : 0,
|
|
'srv_part_port' : 123,
|
|
'srv_part_target' : u'foo bar'}),
|
|
expected=errors.ValidationError(name='srv_target',
|
|
error=u'invalid domain-name: only letters, numbers, and - ' +
|
|
u'are allowed. DNS label may not start or end with -'),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add SRV record to zone %r both via parts and a raw value' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 0,
|
|
'srv_part_weight' : 0,
|
|
'srv_part_port' : 123,
|
|
'srv_part_target' : u'foo.bar.',
|
|
'srvrecord': [u"1 100 1234 %s" \
|
|
% dnszone1_mname]}),
|
|
expected=errors.ValidationError(name='srv_target',
|
|
error=u'Raw value of a DNS record was already set by ' +
|
|
u'"srv_rec" option'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add SRV record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'_foo._tcp'], {'srvrecord': u"0 100 1234 %s" % dnszone1_mname}),
|
|
expected={
|
|
'value': u'_foo._tcp',
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(DN(('idnsname', u'_foo._tcp'), dnszone1_dn)),
|
|
'idnsname': [u'_foo._tcp'],
|
|
'srvrecord': [u"0 100 1234 %s" % dnszone1_mname],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to modify SRV record in zone %r without specifying modified value' % (dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 1,}),
|
|
expected=errors.RequirementError(name='srvrecord'),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to modify SRV record in zone %r with non-existent modified value' % (dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 1,
|
|
'srvrecord' : [u"0 100 1234 does.not.exist."] }),
|
|
expected=errors.AttrValueNotFound(attr='SRV record',
|
|
value=u'0 100 1234 does.not.exist.'),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to modify SRV record in zone %r with invalid part value' % (dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 100000,
|
|
'srvrecord' : [u"0 100 1234 %s" % dnszone1_mname] }),
|
|
expected=errors.ValidationError(name='srv_priority', error=u'can be at most 65535'),
|
|
),
|
|
|
|
dict(
|
|
desc='Modify SRV record in zone %r using parts' % (dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, u'_foo._tcp'], {'srv_part_priority': 1,
|
|
'srvrecord' : [u"0 100 1234 %s" % dnszone1_mname] }),
|
|
expected={
|
|
'value': u'_foo._tcp',
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [u'_foo._tcp'],
|
|
'srvrecord': [u"1 100 1234 %s" % dnszone1_mname],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid LOC record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'@'], {'locrecord': u"91 11 42.4 N 16 36 29.6 E 227.64" }),
|
|
expected=errors.ValidationError(name='lat_deg',
|
|
error=u'can be at most 90'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add LOC record to zone %r using dnsrecord_add' % (dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, u'@'], {'locrecord': u"49 11 42.4 N 16 36 29.6 E 227.64" }),
|
|
expected={
|
|
'value': u'@',
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnszone,
|
|
'dn': unicode(dnszone1_dn),
|
|
'idnsname': [u'@'],
|
|
'mxrecord': [u"0 %s" % dnszone1_mname],
|
|
'nsrecord': [dnszone1_mname],
|
|
'locrecord': [u"49 11 42.400 N 16 36 29.600 E 227.64"],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid CNAME record %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'cnamerecord': u'-.example.com' }),
|
|
expected=errors.ValidationError(name='hostname',
|
|
error=u'invalid domain-name: only letters, numbers, and - ' +
|
|
u'are allowed. DNS label may not start or end with -'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add CNAME record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'cnamerecord': u'foo-1.example.com.' }),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add invalid KX record %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'kxrecord': u'foo-1.example.com' }),
|
|
expected=errors.ValidationError(name='kx_rec',
|
|
error=u'format must be specified as "PREFERENCE EXCHANGER" ' +
|
|
u' (see RFC 2230 for details)'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add KX record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'kxrecord': u'1 foo-1' }),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
'kxrecord': [u'1 foo-1'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Add TXT record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'txtrecord': u'foo bar' }),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
'kxrecord': [u'1 foo-1'],
|
|
'txtrecord': [u'foo bar'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Add NSEC record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {
|
|
'nsec_part_next': dnszone1,
|
|
'nsec_part_types' : [u'TXT', u'A']}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
'kxrecord': [u'1 foo-1'],
|
|
'txtrecord': [u'foo bar'],
|
|
'nsecrecord': [dnszone1 + u' TXT A'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add unresolvable absolute NS record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'nsrecord': u'does.not.exist.'}),
|
|
expected=errors.NotFound(reason=u"Nameserver 'does.not.exist.' does not have a corresponding A/AAAA record"),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to add unresolvable relative NS record to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'nsrecord': u'does.not.exist'}),
|
|
expected=errors.NotFound(reason=u"Nameserver 'does.not.exist.%s.' does not have a corresponding A/AAAA record" % dnszone1),
|
|
),
|
|
|
|
dict(
|
|
desc='Add unresolvable NS record with --force to %r using dnsrecord_add' % (dnsres1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'nsrecord': u'does.not.exist.',
|
|
'force' : True}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
'kxrecord': [u'1 foo-1'],
|
|
'txtrecord': [u'foo bar'],
|
|
'nsecrecord': [dnszone1 + u' TXT A'],
|
|
'nsrecord': [u'does.not.exist.'],
|
|
},
|
|
},
|
|
),
|
|
|
|
dict(
|
|
desc='Try to to rename DNS zone %r root record' % (dnszone1),
|
|
command=('dnsrecord_mod', [dnszone1, u'@'], {'rename': dnsres1_renamed,}),
|
|
expected=errors.ValidationError(name='rename',
|
|
error=u'DNS zone root record cannot be renamed')
|
|
),
|
|
|
|
dict(
|
|
desc='Rename DNS record %r to %r' % (dnsres1, dnsres1_renamed),
|
|
command=('dnsrecord_mod', [dnszone1, dnsres1], {'rename': dnsres1_renamed,}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnsres1_renamed],
|
|
'arecord': [u'10.10.0.1'],
|
|
'cnamerecord': [u'foo-1.example.com.'],
|
|
'kxrecord': [u'1 foo-1'],
|
|
'txtrecord': [u'foo bar'],
|
|
'nsecrecord': [dnszone1 + u' TXT A'],
|
|
'nsrecord': [u'does.not.exist.'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete record %r in zone %r' % (dnsres1_renamed, dnszone1),
|
|
command=('dnsrecord_del', [dnszone1, dnsres1_renamed], {'del_all': True }),
|
|
expected={
|
|
'value': dnsres1_renamed,
|
|
'summary': u'Deleted record "%s"' % dnsres1_renamed,
|
|
'result': {'failed': u''},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create a reverse zone from invalid IP',
|
|
command=(
|
|
'dnszone_add', [], {
|
|
'name_from_ip': u'foo',
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected=errors.ValidationError(name='name_from_ip',
|
|
error=u'invalid IP network format'),
|
|
),
|
|
|
|
dict(
|
|
desc='Create reverse from IP %s zone using name_from_ip option' % revdnszone1_ip,
|
|
command=(
|
|
'dnszone_add', [], {
|
|
'name_from_ip': revdnszone1_ip,
|
|
'idnssoamname': dnszone1_mname,
|
|
'idnssoarname': dnszone1_rname,
|
|
'ip_address' : u'1.2.3.4',
|
|
}
|
|
),
|
|
expected={
|
|
'value': revdnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(revdnszone1_dn),
|
|
'idnsname': [revdnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'nsrecord': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [fuzzy_digits],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowdynupdate': [u'FALSE'],
|
|
'idnsupdatepolicy': [u'grant %(realm)s krb5-subdomain %(zone)s PTR;'
|
|
% dict(realm=api.env.realm, zone=revdnszone1)],
|
|
'idnsallowtransfer': [u'none;'],
|
|
'idnsallowquery': [u'any;'],
|
|
'objectclass': objectclasses.dnszone,
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to add invalid PTR %r to %r using dnsrecord_add' % (dnsrev1, revdnszone1),
|
|
command=('dnsrecord_add', [revdnszone1, dnsrev1], {'ptrrecord': u'-.example.com' }),
|
|
expected=errors.ValidationError(name='hostname',
|
|
error=u'invalid domain-name: only letters, numbers, and - ' +
|
|
u'are allowed. DNS label may not start or end with -'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add PTR record %r to %r using dnsrecord_add' % (dnsrev1, revdnszone1),
|
|
command=('dnsrecord_add', [revdnszone1, dnsrev1], {'ptrrecord': u'foo-1.example.com' }),
|
|
expected={
|
|
'value': dnsrev1,
|
|
'summary': None,
|
|
'result': {
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'dn': unicode(dnsrev1_dn),
|
|
'idnsname': [dnsrev1],
|
|
'ptrrecord': [u'foo-1.example.com.'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Update global DNS settings',
|
|
command=('dnsconfig_mod', [], {'idnsforwarders' : [u'80.142.15.80'],}),
|
|
expected={
|
|
'value': u'',
|
|
'summary': None,
|
|
'result': {
|
|
'idnsforwarders': [u'80.142.15.80'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to add invalid allow-query to zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'localhost'}),
|
|
expected=errors.ValidationError(name='allow_query',
|
|
error=u'ACL name "localhost" is not supported'),
|
|
),
|
|
|
|
dict(
|
|
desc='Add allow-query ACL to zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnsallowquery': u'!10/8;any'}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'mxrecord': [u'0 ns1.dnszone.test.'],
|
|
'locrecord': [u"49 11 42.400 N 16 36 29.600 E 227.64"],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [u'5478'],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowquery': [u'!10.0.0.0/8;any;'],
|
|
'idnsallowtransfer': [u'none;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to add invalid allow-transfer to zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnsallowtransfer': u'10.'}),
|
|
expected=errors.ValidationError(name='allow_transfer',
|
|
error=u"failed to detect a valid IP address from u'10.'"),
|
|
),
|
|
|
|
dict(
|
|
desc='Add allow-transer ACL to zone %r' % dnszone1,
|
|
command=('dnszone_mod', [dnszone1], {'idnsallowtransfer': u'80.142.15.80'}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {
|
|
'idnsname': [dnszone1],
|
|
'idnszoneactive': [u'TRUE'],
|
|
'nsrecord': [dnszone1_mname],
|
|
'mxrecord': [u'0 ns1.dnszone.test.'],
|
|
'locrecord': [u"49 11 42.400 N 16 36 29.600 E 227.64"],
|
|
'idnssoamname': [dnszone1_mname],
|
|
'idnssoarname': [dnszone1_rname],
|
|
'idnssoaserial': [fuzzy_digits],
|
|
'idnssoarefresh': [u'5478'],
|
|
'idnssoaretry': [fuzzy_digits],
|
|
'idnssoaexpire': [fuzzy_digits],
|
|
'idnssoaminimum': [fuzzy_digits],
|
|
'idnsallowquery': [u'!10.0.0.0/8;any;'],
|
|
'idnsallowtransfer': [u'80.142.15.80;'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create duplicate PTR record for %r with --a-create-reverse' % dnsres1,
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'arecord': u'80.142.15.80',
|
|
'a_extra_create_reverse' : True}),
|
|
expected=errors.DuplicateEntry(message=u'Reverse record for IP ' +
|
|
u'address 80.142.15.80 already exists in reverse zone ' +
|
|
u'15.142.80.in-addr.arpa..'),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create A record %r in zone %r with --a-create-reverse' % (dnsres1, dnszone1),
|
|
command=('dnsrecord_add', [dnszone1, dnsres1], {'arecord': u'80.142.15.81',
|
|
'a_extra_create_reverse' : True}),
|
|
expected={
|
|
'value': dnsres1,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnsres1_dn),
|
|
'idnsname': [dnsres1],
|
|
'objectclass': objectclasses.dnsrecord,
|
|
'arecord': [u'80.142.15.81'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Check reverse record for %r created via --a-create-reverse' % dnsres1,
|
|
command=('dnsrecord_show', [revdnszone1, dnsrev2], {}),
|
|
expected={
|
|
'value': dnsrev2,
|
|
'summary': None,
|
|
'result': {
|
|
'dn': unicode(dnsrev2_dn),
|
|
'idnsname': [dnsrev2],
|
|
'ptrrecord': [dnsres1 + '.' + dnszone1 + '.'],
|
|
},
|
|
},
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to add per-zone permission for unknown zone',
|
|
command=('dnszone_add_permission', [u'does.not.exist'], {}),
|
|
expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found')
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Add per-zone permission for zone %r' % dnszone1,
|
|
command=(
|
|
'dnszone_add_permission', [dnszone1], {}
|
|
),
|
|
expected=dict(
|
|
result=True,
|
|
value=dnszone1_permission,
|
|
summary=u'Added system permission "%s"' % dnszone1_permission,
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to add duplicate per-zone permission for zone %r' % dnszone1,
|
|
command=(
|
|
'dnszone_add_permission', [dnszone1], {}
|
|
),
|
|
expected=errors.DuplicateEntry(message=u'permission with name '
|
|
'"%s" already exists' % dnszone1_permission)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Make sure the permission was created %r' % dnszone1,
|
|
command=(
|
|
'permission_show', [dnszone1_permission], {}
|
|
),
|
|
expected=dict(
|
|
value=dnszone1_permission,
|
|
summary=None,
|
|
result={
|
|
'dn': lambda x: DN(x) == dnszone1_permission_dn,
|
|
'cn': [dnszone1_permission],
|
|
'ipapermissiontype': [u'SYSTEM'],
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to remove per-zone permission for unknown zone',
|
|
command=('dnszone_remove_permission', [u'does.not.exist'], {}),
|
|
expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found')
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Remove per-zone permission for zone %r' % dnszone1,
|
|
command=(
|
|
'dnszone_remove_permission', [dnszone1], {}
|
|
),
|
|
expected=dict(
|
|
result=True,
|
|
value=dnszone1_permission,
|
|
summary=u'Removed system permission "%s"' % dnszone1_permission,
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Make sure the permission for zone %r was deleted' % dnszone1,
|
|
command=(
|
|
'permission_show', [dnszone1_permission], {}
|
|
),
|
|
expected=errors.NotFound(reason=u'%s: permission not found'
|
|
% dnszone1_permission)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete zone %r' % dnszone1,
|
|
command=('dnszone_del', [dnszone1], {}),
|
|
expected={
|
|
'value': dnszone1,
|
|
'summary': None,
|
|
'result': {'failed': u''},
|
|
},
|
|
),
|
|
|
|
]
|
|
|