mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-26 00:41:25 -06:00
9f26e395e5
Some tests were broken because of the recent changes in baseldap (#5892) as they were wrongly expecting an objectclass attribute. https://fedorahosted.org/freeipa/ticket/6198 Reviewed-By: Martin Basti <mbasti@redhat.com>
1365 lines
50 KiB
Python
1365 lines
50 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
"""
|
|
Test the `ipaserver/plugins/permission.py` module with old API.
|
|
|
|
This ensures basic backwards compatibility for code before
|
|
http://www.freeipa.org/page/V3/Permissions_V2
|
|
"""
|
|
|
|
from ipalib import api, errors
|
|
from ipatests.test_xmlrpc import objectclasses
|
|
from ipatests.test_xmlrpc.xmlrpc_test import Declarative
|
|
from ipapython.dn import DN
|
|
import pytest
|
|
|
|
permission1 = u'testperm'
|
|
permission1_dn = DN(('cn',permission1),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
|
|
permission1_renamed = u'testperm1_rn'
|
|
permission1_renamed_dn = DN(('cn',permission1_renamed),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
permission1_renamed_ucase = u'Testperm_RN'
|
|
permission1_renamed_ucase_dn = DN(('cn',permission1_renamed_ucase),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
|
|
permission2 = u'testperm2'
|
|
permission2_dn = DN(('cn',permission2),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
permission3 = u'testperm3'
|
|
permission3_dn = DN(('cn',permission3),
|
|
api.env.container_permission,api.env.basedn)
|
|
permission3_attributelevelrights = {
|
|
'member': u'rscwo',
|
|
'seealso': u'rscwo',
|
|
'ipapermissiontype': u'rscwo',
|
|
'cn': u'rscwo',
|
|
'businesscategory': u'rscwo',
|
|
'objectclass': u'rscwo',
|
|
'memberof': u'rscwo',
|
|
'aci': u'rscwo',
|
|
'o': u'rscwo',
|
|
'owner': u'rscwo',
|
|
'ou': u'rscwo',
|
|
'targetgroup': u'rscwo',
|
|
'type': u'rscwo',
|
|
'nsaccountlock': u'rscwo',
|
|
'description': u'rscwo',
|
|
'attrs': u'rscwo',
|
|
'ipapermincludedattr': u'rscwo',
|
|
'ipapermbindruletype': u'rscwo',
|
|
'ipapermdefaultattr': u'rscwo',
|
|
'ipapermexcludedattr': u'rscwo',
|
|
'ipapermlocation': u'rscwo',
|
|
'ipapermright': u'rscwo',
|
|
'ipapermtarget': u'rscwo',
|
|
'ipapermtargetfilter': u'rscwo',
|
|
'ipapermtargetto': u'rscwo',
|
|
'ipapermtargetfrom': u'rscwo',
|
|
}
|
|
|
|
privilege1 = u'testpriv1'
|
|
privilege1_dn = DN(('cn',privilege1),
|
|
api.env.container_privilege,api.env.basedn)
|
|
|
|
invalid_permission1 = u'bad;perm'
|
|
|
|
users_dn = DN(api.env.container_user, api.env.basedn)
|
|
groups_dn = DN(api.env.container_group, api.env.basedn)
|
|
hbac_dn = DN(api.env.container_hbac, api.env.basedn)
|
|
|
|
|
|
@pytest.mark.tier1
|
|
class test_old_permission(Declarative):
|
|
default_version = u'2.65'
|
|
|
|
cleanup_commands = [
|
|
('permission_del', [permission1], {}),
|
|
('permission_del', [permission2], {}),
|
|
('permission_del', [permission3], {}),
|
|
('privilege_del', [privilege1], {}),
|
|
]
|
|
|
|
tests = [
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to update non-existent %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(permissions=u'all')),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for non-existent %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create duplicate %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
),
|
|
),
|
|
expected=errors.DuplicateEntry(
|
|
message='permission with name "%s" already exists' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % privilege1,
|
|
command=('privilege_add', [privilege1],
|
|
dict(description=u'privilege desc. 1')
|
|
),
|
|
expected=dict(
|
|
value=privilege1,
|
|
summary=u'Added privilege "%s"' % privilege1,
|
|
result=dict(
|
|
dn=privilege1_dn,
|
|
cn=[privilege1],
|
|
description=[u'privilege desc. 1'],
|
|
objectclass=objectclasses.privilege,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Add permission %r to privilege %r' % (permission1, privilege1),
|
|
command=('privilege_add_permission', [privilege1],
|
|
dict(permission=permission1)
|
|
),
|
|
expected=dict(
|
|
completed=1,
|
|
failed=dict(
|
|
member=dict(
|
|
permission=[],
|
|
),
|
|
),
|
|
result={
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
'memberof_permission': [permission1],
|
|
}
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r with --raw' % permission1,
|
|
command=('permission_show', [permission1], {'raw' : True}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member': [privilege1_dn],
|
|
'aci': [u'(targetfilter = "(objectclass=posixaccount)")'+
|
|
u'(version 3.0;acl "permission:testperm";' +
|
|
u'allow (write) ' +
|
|
u'groupdn = "ldap:///%s";)' % DN(
|
|
('cn', 'testperm'), ('cn', 'permissions'),
|
|
('cn', 'pbac'), api.env.basedn)],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % permission1,
|
|
command=('permission_find', [permission1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --name with members' % permission1,
|
|
command=('permission_find', [], {
|
|
'cn': permission1, 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --name' % permission1,
|
|
command=('permission_find', [], {'cn': permission1}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for non-existence permission using --name',
|
|
command=('permission_find', [], {'cn': u'notfound'}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % privilege1,
|
|
command=('permission_find', [privilege1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % privilege1,
|
|
command=('permission_find', [privilege1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --raw with members' % permission1,
|
|
command=('permission_find', [permission1], {
|
|
'raw': True, 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member': [privilege1_dn],
|
|
'aci': [u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
|
|
DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --raw' % permission1,
|
|
command=('permission_find', [permission1], {'raw': True}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'aci': [
|
|
u'(targetfilter = "(objectclass=posixaccount)")'
|
|
u'(version 3.0;acl "permission:testperm";'
|
|
u'allow (write) groupdn = "ldap:///%s";)' %
|
|
DN(
|
|
('cn', 'testperm'), ('cn', 'permissions'),
|
|
('cn', 'pbac'), api.env.basedn
|
|
)
|
|
],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % permission2,
|
|
command=(
|
|
'permission_add', [permission2], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
setattr=u'owner=cn=test',
|
|
addattr=u'owner=cn=test2',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission2,
|
|
summary=u'Added permission "%s"' % permission2,
|
|
result=dict(
|
|
dn=permission2_dn,
|
|
cn=[permission2],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
owner=[u'cn=test', u'cn=test2'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % permission1,
|
|
command=('permission_find', [permission1], {'no_members': False}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --pkey-only' % permission1,
|
|
command=('permission_find', [permission1], {'pkey_only' : True}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search by ACI attribute with --pkey-only',
|
|
command=('permission_find', [], {'pkey_only': True,
|
|
'attrs': [u'krbminpwdlife']}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Modify Group Password Policy'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Modify Group Password Policy'],
|
|
},
|
|
{
|
|
'dn': DN(('cn', 'System: Read Group Password Policy'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Read Group Password Policy'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % privilege1,
|
|
command=('privilege_find', [privilege1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 privilege matched',
|
|
result=[
|
|
{
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
'memberof_permission': [permission1],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % privilege1,
|
|
command=('privilege_find', [privilege1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 privilege matched',
|
|
result=[
|
|
{
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc=('Search for %r with a limit of 1 (truncated) with members' %
|
|
permission1),
|
|
command=('permission_find', [permission1], dict(
|
|
sizelimit=1, no_members=False)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with a limit of 1 (truncated)' % permission1,
|
|
command=('permission_find', [permission1], dict(sizelimit=1)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with a limit of 2' % permission1,
|
|
command=('permission_find', [permission1], dict(sizelimit=2)),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
# This tests setting truncated to True in the post_callback of
|
|
# permission_find(). The return order in LDAP is not guaranteed
|
|
# so do not check the actual entry.
|
|
dict(
|
|
desc='Search for permissions by attr with a limit of 1 (truncated)',
|
|
command=('permission_find', [u'Modify'],
|
|
dict(attrs=u'ipaenabledflag', sizelimit=1)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[lambda res:
|
|
DN(res['dn']).endswith(DN(api.env.container_permission,
|
|
api.env.basedn)) and
|
|
'ipapermission' in res['objectclass']],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Update %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
permissions=u'read',
|
|
memberof=u'ipausers',
|
|
setattr=u'owner=cn=other-test',
|
|
addattr=u'owner=cn=other-test2',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
member_privilege=[privilege1],
|
|
type=u'user',
|
|
permissions=[u'read'],
|
|
memberof=u'ipausers',
|
|
owner=[u'cn=other-test', u'cn=other-test2'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r to verify update' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'read'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
|
|
dict(
|
|
desc='Try to rename %r to existing permission %r' % (permission1,
|
|
permission2),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=permission2,
|
|
permissions=u'all',)
|
|
),
|
|
expected=errors.DuplicateEntry(),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to rename %r to empty name' % (permission1),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=u'',
|
|
permissions=u'all',)
|
|
),
|
|
expected=errors.ValidationError(name='rename',
|
|
error=u'New name can not be empty'),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Check integrity of original permission %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'read'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Rename %r to permission %r' % (permission1,
|
|
permission1_renamed),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=permission1_renamed,
|
|
permissions= u'all',)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
result={
|
|
'dn': permission1_renamed_dn,
|
|
'cn': [permission1_renamed],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'all'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Rename %r to permission %r' % (permission1_renamed,
|
|
permission1_renamed_ucase),
|
|
command=(
|
|
'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase,
|
|
permissions= u'write',)
|
|
),
|
|
expected=dict(
|
|
value=permission1_renamed,
|
|
summary=u'Modified permission "%s"' % permission1_renamed,
|
|
result={
|
|
'dn': permission1_renamed_ucase_dn,
|
|
'cn': [permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Change %r to a subtree type' % permission1_renamed_ucase,
|
|
command=(
|
|
'permission_mod', [permission1_renamed_ucase],
|
|
dict(subtree=u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
type=None)
|
|
),
|
|
expected=dict(
|
|
value=permission1_renamed_ucase,
|
|
summary=u'Modified permission "%s"' % permission1_renamed_ucase,
|
|
result=dict(
|
|
dn=permission1_renamed_ucase_dn,
|
|
cn=[permission1_renamed_ucase],
|
|
objectclass=objectclasses.permission,
|
|
member_privilege=[privilege1],
|
|
subtree=u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
permissions=[u'write'],
|
|
memberof=u'ipausers',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --subtree with members' % permission1,
|
|
command=('permission_find', [], {
|
|
'subtree': u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn),
|
|
'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn':permission1_renamed_ucase_dn,
|
|
'cn':[permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege':[privilege1],
|
|
'subtree':u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
'permissions':[u'write'],
|
|
'memberof':u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --subtree' % permission1,
|
|
command=('permission_find', [], {
|
|
'subtree': u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn)}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn':permission1_renamed_ucase_dn,
|
|
'cn':[permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'subtree':u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn),
|
|
'permissions':[u'write'],
|
|
'memberof':u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using nonexistent --subtree',
|
|
command=('permission_find', [], {'subtree': u'ldap:///foo=bar'}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using --targetgroup with members',
|
|
command=('permission_find', [], {
|
|
'targetgroup': u'ipausers', 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Add User to default group'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Add User to default group'],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [u'User Administrators'],
|
|
'attrs': [u'member'],
|
|
'targetgroup': u'ipausers',
|
|
'memberindirect_role': [u'User Administrator'],
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermtarget': [DN('cn=ipausers', groups_dn)],
|
|
'subtree': u'ldap:///%s' % groups_dn,
|
|
'ipapermdefaultattr': [u'member'],
|
|
'ipapermissiontype': [u'V2', u'MANAGED', u'SYSTEM'],
|
|
}
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using --targetgroup',
|
|
command=('permission_find', [], {'targetgroup': u'ipausers'}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Add User to default group'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Add User to default group'],
|
|
'objectclass': objectclasses.permission,
|
|
'attrs': [u'member'],
|
|
'targetgroup': u'ipausers',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermtarget': [DN('cn=ipausers', groups_dn)],
|
|
'subtree': u'ldap:///%s' % groups_dn,
|
|
'ipapermdefaultattr': [u'member'],
|
|
'ipapermissiontype': [u'V2', u'MANAGED', u'SYSTEM'],
|
|
}
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission1_renamed_ucase,
|
|
command=('permission_del', [permission1_renamed_ucase], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission1_renamed_ucase,
|
|
summary=u'Deleted permission "%s"' % permission1_renamed_ucase,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to update non-existent %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(rename=u'Foo')),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission2,
|
|
command=('permission_del', [permission2], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission2,
|
|
summary=u'Deleted permission "%s"' % permission2,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % privilege1,
|
|
command=('privilege_del', [privilege1], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=privilege1,
|
|
summary=u'Deleted privilege "%s"' % privilege1,
|
|
)
|
|
),
|
|
|
|
dict(
|
|
desc='Try to create permission %r with non-existing memberof' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
memberof=u'nonexisting',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=errors.NotFound(reason=u'nonexisting: group not found'),
|
|
),
|
|
|
|
dict(
|
|
desc='Create memberof permission %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
memberof=u'editors',
|
|
permissions=u'write',
|
|
type=u'user',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
memberof=u'editors',
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to update non-existent memberof of %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(
|
|
memberof=u'nonexisting')),
|
|
expected=errors.NotFound(reason=u'nonexisting: group not found'),
|
|
),
|
|
|
|
dict(
|
|
desc='Update memberof permission %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
memberof=u'admins',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
memberof=u'admins',
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Unset memberof of permission %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
memberof=None,
|
|
)
|
|
),
|
|
expected=dict(
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
value=permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission1,
|
|
summary=u'Deleted permission "%s"' % permission1,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create targetgroup permission %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
targetgroup=u'editors',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
targetgroup=u'editors',
|
|
permissions=[u'write'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtarget=[DN('cn=editors', groups_dn)],
|
|
subtree=u'ldap:///%s' % api.env.basedn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to create invalid %r' % invalid_permission1,
|
|
command=('permission_add', [invalid_permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
)),
|
|
expected=errors.ValidationError(name='name',
|
|
error='May only contain letters, numbers, -, _, ., and space'),
|
|
),
|
|
|
|
dict(
|
|
desc='Create %r' % permission3,
|
|
command=(
|
|
'permission_add', [permission3], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
attrs=[u'cn']
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=u'Added permission "%s"' % permission3,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
attrs=(u'cn',),
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Retrieve %r with --all --rights' % permission3,
|
|
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=None,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
attrs=(u'cn',),
|
|
ipapermincludedattr=[u'cn'],
|
|
permissions=[u'write'],
|
|
attributelevelrights=permission3_attributelevelrights,
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Modify %r with --all -rights' % permission3,
|
|
command=('permission_mod', [permission3], {'all' : True, 'rights': True, 'attrs':[u'cn',u'uid']}),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=u'Modified permission "%s"' % permission3,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
attrs=(u'cn',u'uid'),
|
|
ipapermincludedattr=[u'cn', u'uid'],
|
|
permissions=[u'write'],
|
|
attributelevelrights=permission3_attributelevelrights,
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
]
|