mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-13 09:41:55 -06:00
d55d8bfa7e
Update ipaSudoRule objectClass on upgrades to add new attributes. Ensure uniqueness of sudoOrder in rules. The attributes sudoNotBefore and sudoNotAfter are being added to schema but not as Params. https://fedorahosted.org/freeipa/ticket/1314
680 lines
25 KiB
Python
680 lines
25 KiB
Python
# Authors:
|
|
# Jr Aquino <jr.aquino@citrixonline.com>
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
"""
|
|
Test the `ipalib/plugins/sudorule.py` module.
|
|
"""
|
|
|
|
from xmlrpc_test import XMLRPC_test, assert_attr_equal
|
|
from ipalib import api
|
|
from ipalib import errors
|
|
|
|
class test_sudorule(XMLRPC_test):
|
|
"""
|
|
Test the `sudorule` plugin.
|
|
"""
|
|
rule_name = u'testing_sudorule1'
|
|
rule_name2 = u'testing_sudorule2'
|
|
rule_command = u'/usr/bin/testsudocmd1'
|
|
rule_desc = u'description'
|
|
rule_desc_mod = u'description modified'
|
|
|
|
test_user = u'sudorule_test_user'
|
|
test_external_user = u'external_test_user'
|
|
test_group = u'sudorule_test_group'
|
|
test_external_group = u'external_test_group'
|
|
test_host = u'sudorule.testhost'
|
|
test_external_host = u'external.testhost'
|
|
test_hostgroup = u'sudorule_test_hostgroup'
|
|
test_sudoallowcmdgroup = u'sudorule_test_allowcmdgroup'
|
|
test_sudodenycmdgroup = u'sudorule_test_denycmdgroup'
|
|
test_command = u'/usr/bin/testsudocmd1'
|
|
test_denycommand = u'/usr/bin/testdenysudocmd1'
|
|
test_runasuser = u'manager'
|
|
test_runasgroup = u'manager'
|
|
test_category = u'all'
|
|
test_option = u'authenticate'
|
|
|
|
def test_0_sudorule_add(self):
|
|
"""
|
|
Test adding a new Sudo rule using `xmlrpc.sudorule_add`.
|
|
"""
|
|
ret = self.failsafe_add(api.Object.sudorule,
|
|
self.rule_name,
|
|
description=self.rule_desc,
|
|
)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
assert_attr_equal(entry, 'description', self.rule_desc)
|
|
|
|
def test_1_sudorule_add(self):
|
|
"""
|
|
Test adding an duplicate Sudo rule using `xmlrpc.sudorule_add'.
|
|
"""
|
|
try:
|
|
api.Command['sudorule_add'](
|
|
self.rule_name
|
|
)
|
|
except errors.DuplicateEntry:
|
|
pass
|
|
else:
|
|
assert False
|
|
|
|
def test_2_sudorule_show(self):
|
|
"""
|
|
Test displaying a Sudo rule using `xmlrpc.sudorule_show`.
|
|
"""
|
|
entry = api.Command['sudorule_show'](self.rule_name)['result']
|
|
assert_attr_equal(entry, 'cn', self.rule_name)
|
|
assert_attr_equal(entry, 'description', self.rule_desc)
|
|
|
|
def test_3_sudorule_mod(self):
|
|
"""
|
|
Test modifying a Sudo rule using `xmlrpc.sudorule_mod`.
|
|
"""
|
|
ret = api.Command['sudorule_mod'](
|
|
self.rule_name, description=self.rule_desc_mod
|
|
)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'description', self.rule_desc_mod)
|
|
|
|
def test_6_sudorule_find(self):
|
|
"""
|
|
Test searching for Sudo rules using `xmlrpc.sudorule_find`.
|
|
"""
|
|
ret = api.Command['sudorule_find'](
|
|
name=self.rule_name,
|
|
description=self.rule_desc_mod
|
|
)
|
|
assert ret['truncated'] is False
|
|
entries = ret['result']
|
|
assert_attr_equal(entries[0], 'cn', self.rule_name)
|
|
assert_attr_equal(entries[0], 'description', self.rule_desc_mod)
|
|
|
|
def test_7_sudorule_init_testing_data(self):
|
|
"""
|
|
Initialize data for more Sudo rule plugin testing.
|
|
"""
|
|
self.failsafe_add(api.Object.user,
|
|
self.test_user, givenname=u'first', sn=u'last'
|
|
)
|
|
self.failsafe_add(api.Object.user,
|
|
self.test_runasuser, givenname=u'first', sn=u'last'
|
|
)
|
|
self.failsafe_add(api.Object.group,
|
|
self.test_group, description=u'description'
|
|
)
|
|
self.failsafe_add(api.Object.host,
|
|
self.test_host, force=True
|
|
)
|
|
self.failsafe_add(api.Object.hostgroup,
|
|
self.test_hostgroup, description=u'description'
|
|
)
|
|
self.failsafe_add(api.Object.sudocmdgroup,
|
|
self.test_sudoallowcmdgroup, description=u'desc'
|
|
)
|
|
self.failsafe_add(api.Object.sudocmdgroup,
|
|
self.test_sudodenycmdgroup, description=u'desc'
|
|
)
|
|
self.failsafe_add(api.Object.sudocmd,
|
|
self.test_command, description=u'desc', force=True
|
|
)
|
|
|
|
def test_8_sudorule_add_user(self):
|
|
"""
|
|
Test adding user and group to Sudo rule using
|
|
`xmlrpc.sudorule_add_user`.
|
|
"""
|
|
ret = api.Command['sudorule_add_user'](
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberuser' in failed
|
|
assert 'user' in failed['memberuser']
|
|
assert not failed['memberuser']['user']
|
|
assert 'group' in failed['memberuser']
|
|
assert not failed['memberuser']['group']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberuser_user', self.test_user)
|
|
assert_attr_equal(entry, 'memberuser_group', self.test_group)
|
|
|
|
def test_9_a_show_user(self):
|
|
"""
|
|
Test showing a user to verify Sudo rule membership
|
|
`xmlrpc.user_show`.
|
|
"""
|
|
ret = api.Command['user_show'](self.test_user, all=True)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
|
|
|
def test_9_b_show_group(self):
|
|
"""
|
|
Test showing a group to verify Sudo rule membership
|
|
`xmlrpc.group_show`.
|
|
"""
|
|
ret = api.Command['group_show'](self.test_group, all=True)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
|
|
|
def test_9_sudorule_remove_user(self):
|
|
"""
|
|
Test removing user and group from Sudo rule using
|
|
`xmlrpc.sudorule_remove_user'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_user'](
|
|
self.rule_name, user=self.test_user, group=self.test_group
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberuser' in failed
|
|
assert 'user' in failed['memberuser']
|
|
assert not failed['memberuser']['user']
|
|
assert 'group' in failed['memberuser']
|
|
assert not failed['memberuser']['group']
|
|
entry = ret['result']
|
|
assert 'memberuser_user' not in entry
|
|
assert 'memberuser_group' not in entry
|
|
|
|
def test_a_sudorule_add_runasuser(self):
|
|
"""
|
|
Test adding run as user to Sudo rule using
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
"""
|
|
ret = api.Command['sudorule_add_runasuser'](
|
|
self.rule_name, user=self.test_runasuser
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
assert 'ipasudorunas' in failed
|
|
assert 'user' in failed['ipasudorunas']
|
|
assert not failed['ipasudorunas']['user']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'ipasudorunas_user', self.test_runasuser)
|
|
|
|
def test_b_sudorule_remove_runasuser(self):
|
|
"""
|
|
Test removing run as user to Sudo rule using
|
|
`xmlrpc.sudorule_remove_runasuser'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_runasuser'](
|
|
self.rule_name, user=self.test_runasuser
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
assert 'ipasudorunas' in failed
|
|
assert 'user' in failed['ipasudorunas']
|
|
assert not failed['ipasudorunas']['user']
|
|
entry = ret['result']
|
|
assert 'ipasudorunas_user' not in entry
|
|
|
|
def test_a_sudorule_add_runasgroup(self):
|
|
"""
|
|
Test adding run as group to Sudo rule using
|
|
`xmlrpc.sudorule_add_runasgroup`.
|
|
"""
|
|
ret = api.Command['sudorule_add_runasgroup'](
|
|
self.rule_name, group=self.test_runasgroup
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
assert 'ipasudorunasgroup' in failed
|
|
assert 'group' in failed['ipasudorunasgroup']
|
|
assert not failed['ipasudorunasgroup']['group']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'ipasudorunasgroup_group',
|
|
self.test_runasgroup)
|
|
|
|
def test_b_sudorule_remove_runasgroup(self):
|
|
"""
|
|
Test removing run as group to Sudo rule using
|
|
`xmlrpc.sudorule_remove_runasgroup'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_runasgroup'](
|
|
self.rule_name, group=self.test_runasgroup
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
assert 'ipasudorunasgroup' in failed
|
|
assert 'group' in failed['ipasudorunasgroup']
|
|
assert not failed['ipasudorunasgroup']['group']
|
|
entry = ret['result']
|
|
assert 'ipasudorunasgroup_group' not in entry
|
|
|
|
def test_a_sudorule_add_externaluser(self):
|
|
"""
|
|
Test adding an external user to Sudo rule using
|
|
`xmlrpc.sudorule_add_user`.
|
|
"""
|
|
ret = api.Command['sudorule_add_user'](
|
|
self.rule_name, user=self.test_external_user
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'externaluser', self.test_external_user)
|
|
|
|
def test_b_sudorule_remove_externaluser(self):
|
|
"""
|
|
Test removing an external user from Sudo rule using
|
|
`xmlrpc.sudorule_remove_user'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_user'](
|
|
self.rule_name, user=self.test_external_user
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert entry['externaluser'] == ()
|
|
|
|
def test_a_sudorule_add_runasexternaluser(self):
|
|
"""
|
|
Test adding an external runasuser to Sudo rule using
|
|
`xmlrpc.sudorule_add_runasuser`.
|
|
"""
|
|
ret = api.Command['sudorule_add_runasuser'](
|
|
self.rule_name, user=self.test_external_user
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'ipasudorunasextuser', self.test_external_user)
|
|
|
|
def test_b_sudorule_remove_runasexternaluser(self):
|
|
"""
|
|
Test removing an external runasuser from Sudo rule using
|
|
`xmlrpc.sudorule_remove_runasuser'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_runasuser'](
|
|
self.rule_name, user=self.test_external_user
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert entry['ipasudorunasextuser'] == ()
|
|
|
|
def test_a_sudorule_add_runasexternalgroup(self):
|
|
"""
|
|
Test adding an external runasgroup to Sudo rule using
|
|
`xmlrpc.sudorule_add_runasgroup`.
|
|
"""
|
|
ret = api.Command['sudorule_add_runasgroup'](
|
|
self.rule_name, group=self.test_external_group
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'ipasudorunasextgroup', self.test_external_group)
|
|
|
|
def test_b_sudorule_remove_runasexternalgroup(self):
|
|
"""
|
|
Test removing an external runasgroup from Sudo rule using
|
|
`xmlrpc.sudorule_remove_runasgroup'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_runasgroup'](
|
|
self.rule_name, group=self.test_external_group
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert entry['ipasudorunasextgroup'] == ()
|
|
|
|
def test_a_sudorule_add_option(self):
|
|
"""
|
|
Test adding an option to Sudo rule using
|
|
`xmlrpc.sudorule_add_option`.
|
|
"""
|
|
ret = api.Command['sudorule_add_option'](
|
|
self.rule_name, ipasudoopt=self.test_option
|
|
)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'ipasudoopt', self.test_option)
|
|
|
|
def test_b_sudorule_remove_option(self):
|
|
"""
|
|
Test removing an option from Sudo rule using
|
|
`xmlrpc.sudorule_remove_option'.
|
|
"""
|
|
ret = api.Command['sudorule_remove_option'](
|
|
self.rule_name, ipasudoopt=self.test_option
|
|
)
|
|
entry = ret['result']
|
|
assert 'ipasudoopt' not in entry
|
|
|
|
def test_a_sudorule_add_host(self):
|
|
"""
|
|
Test adding host and hostgroup to Sudo rule using
|
|
`xmlrpc.sudorule_add_host`.
|
|
"""
|
|
ret = api.Command['sudorule_add_host'](
|
|
self.rule_name, host=self.test_host, hostgroup=self.test_hostgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberhost' in failed
|
|
assert 'host' in failed['memberhost']
|
|
assert not failed['memberhost']['host']
|
|
assert 'hostgroup' in failed['memberhost']
|
|
assert not failed['memberhost']['hostgroup']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberhost_host', self.test_host)
|
|
assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup)
|
|
|
|
def test_a_sudorule_show_host(self):
|
|
"""
|
|
Test showing host to verify Sudo rule membership
|
|
`xmlrpc.host_show`.
|
|
"""
|
|
ret = api.Command['host_show'](self.test_host, all=True)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
|
|
|
def test_a_sudorule_show_hostgroup(self):
|
|
"""
|
|
Test showing hostgroup to verify Sudo rule membership
|
|
`xmlrpc.hostgroup_show`.
|
|
"""
|
|
ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True)
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberof_sudorule', self.rule_name)
|
|
|
|
def test_b_sudorule_remove_host(self):
|
|
"""
|
|
Test removing host and hostgroup from Sudo rule using
|
|
`xmlrpc.sudorule_remove_host`.
|
|
"""
|
|
ret = api.Command['sudorule_remove_host'](
|
|
self.rule_name, host=self.test_host, hostgroup=self.test_hostgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberhost' in failed
|
|
assert 'host' in failed['memberhost']
|
|
assert not failed['memberhost']['host']
|
|
assert 'hostgroup' in failed['memberhost']
|
|
assert not failed['memberhost']['hostgroup']
|
|
entry = ret['result']
|
|
assert 'memberhost_host' not in entry
|
|
assert 'memberhost_hostgroup' not in entry
|
|
|
|
def test_a_sudorule_add_externalhost(self):
|
|
"""
|
|
Test adding an external host to Sudo rule using
|
|
`xmlrpc.sudorule_add_host`.
|
|
"""
|
|
ret = api.Command['sudorule_add_host'](
|
|
self.rule_name, host=self.test_external_host
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'externalhost', self.test_external_host)
|
|
|
|
def test_b_sudorule_remove_externalhost(self):
|
|
"""
|
|
Test removing an external host from Sudo rule using
|
|
`xmlrpc.sudorule_remove_host`.
|
|
"""
|
|
ret = api.Command['sudorule_remove_host'](
|
|
self.rule_name, host=self.test_external_host
|
|
)
|
|
assert ret['completed'] == 1
|
|
failed = ret['failed']
|
|
entry = ret['result']
|
|
assert len(entry['externalhost']) == 0
|
|
|
|
def test_a_sudorule_add_allow_command(self):
|
|
"""
|
|
Test adding allow command and cmdgroup to Sudo rule using
|
|
`xmlrpc.sudorule_add_allow_command`.
|
|
"""
|
|
ret = api.Command['sudorule_add_allow_command'](
|
|
self.rule_name, sudocmd=self.test_command,
|
|
sudocmdgroup=self.test_sudoallowcmdgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberallowcmd' in failed
|
|
assert 'sudocmd' in failed['memberallowcmd']
|
|
assert not failed['memberallowcmd']['sudocmd']
|
|
assert 'sudocmdgroup' in failed['memberallowcmd']
|
|
assert not failed['memberallowcmd']['sudocmdgroup']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberallowcmd_sudocmd', self.test_command)
|
|
assert_attr_equal(entry, 'memberallowcmd_sudocmdgroup',
|
|
self.test_sudoallowcmdgroup)
|
|
|
|
def test_a_sudorule_remove_allow_command(self):
|
|
"""
|
|
Test removing allow command and sudocmdgroup from Sudo rule using
|
|
`xmlrpc.sudorule_remove_command`.
|
|
"""
|
|
ret = api.Command['sudorule_remove_allow_command'](
|
|
self.rule_name, sudocmd=self.test_command,
|
|
sudocmdgroup=self.test_sudoallowcmdgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberallowcmd' in failed
|
|
assert 'sudocmd' in failed['memberallowcmd']
|
|
assert not failed['memberallowcmd']['sudocmd']
|
|
assert 'sudocmdgroup' in failed['memberallowcmd']
|
|
assert not failed['memberallowcmd']['sudocmdgroup']
|
|
entry = ret['result']
|
|
assert 'memberallowcmd_sudocmd' not in entry
|
|
assert 'memberallowcmd_sudocmdgroup' not in entry
|
|
|
|
def test_b_sudorule_add_deny_command(self):
|
|
"""
|
|
Test adding deny command and cmdgroup to Sudo rule using
|
|
`xmlrpc.sudorule_add_deny_command`.
|
|
"""
|
|
ret = api.Command['sudorule_add_deny_command'](
|
|
self.rule_name, sudocmd=self.test_command,
|
|
sudocmdgroup=self.test_sudodenycmdgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberdenycmd' in failed
|
|
assert 'sudocmd' in failed['memberdenycmd']
|
|
assert not failed['memberdenycmd']['sudocmd']
|
|
assert 'sudocmdgroup' in failed['memberdenycmd']
|
|
assert not failed['memberdenycmd']['sudocmdgroup']
|
|
entry = ret['result']
|
|
assert_attr_equal(entry, 'memberdenycmd_sudocmd', self.test_command)
|
|
assert_attr_equal(entry, 'memberdenycmd_sudocmdgroup',
|
|
self.test_sudodenycmdgroup)
|
|
|
|
def test_b_sudorule_remove_deny_command(self):
|
|
"""
|
|
Test removing deny command and sudocmdgroup from Sudo rule using
|
|
`xmlrpc.sudorule_remove_deny_command`.
|
|
"""
|
|
ret = api.Command['sudorule_remove_deny_command'](
|
|
self.rule_name, sudocmd=self.test_command,
|
|
sudocmdgroup=self.test_sudodenycmdgroup
|
|
)
|
|
assert ret['completed'] == 2
|
|
failed = ret['failed']
|
|
assert 'memberdenycmd' in failed
|
|
assert 'sudocmd' in failed['memberdenycmd']
|
|
assert not failed['memberdenycmd']['sudocmd']
|
|
assert 'sudocmdgroup' in failed['memberdenycmd']
|
|
assert not failed['memberdenycmd']['sudocmdgroup']
|
|
entry = ret['result']
|
|
assert 'memberdenycmd_sudocmd' not in entry
|
|
assert 'memberdenycmd_sudocmdgroup' not in entry
|
|
|
|
def test_c_sudorule_exclusiveuser(self):
|
|
"""
|
|
Test adding a user to an Sudo rule when usercat='all'
|
|
"""
|
|
api.Command['sudorule_mod'](self.rule_name, usercategory=u'all')
|
|
try:
|
|
api.Command['sudorule_add_user'](self.rule_name, users='admin')
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
api.Command['sudorule_mod'](self.rule_name, usercategory=u'')
|
|
|
|
def test_d_sudorule_exclusiveuser(self):
|
|
"""
|
|
Test setting usercat='all' in an Sudo rule when there are users
|
|
"""
|
|
api.Command['sudorule_add_user'](self.rule_name, users='admin')
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name, usercategory=u'all')
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
finally:
|
|
api.Command['sudorule_remove_user'](self.rule_name, users='admin')
|
|
|
|
def test_e_sudorule_exclusivehost(self):
|
|
"""
|
|
Test adding a host to an Sudo rule when hostcat='all'
|
|
"""
|
|
api.Command['sudorule_mod'](self.rule_name, hostcategory=u'all')
|
|
try:
|
|
api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
api.Command['sudorule_mod'](self.rule_name, hostcategory=u'')
|
|
|
|
def test_f_sudorule_exclusivehost(self):
|
|
"""
|
|
Test setting hostcat='all' in an Sudo rule when there are hosts
|
|
"""
|
|
api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name, hostcategory=u'all')
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
finally:
|
|
api.Command['sudorule_remove_host'](self.rule_name, host=self.test_host)
|
|
|
|
def test_g_sudorule_exclusivecommand(self):
|
|
"""
|
|
Test adding a command to an Sudo rule when cmdcategory='all'
|
|
"""
|
|
api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'all')
|
|
try:
|
|
api.Command['sudorule_add_allow_command'](self.rule_name, sudocmd=self.test_command)
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'')
|
|
|
|
def test_h_sudorule_exclusivecommand(self):
|
|
"""
|
|
Test setting cmdcategory='all' in an Sudo rule when there are commands
|
|
"""
|
|
api.Command['sudorule_add_allow_command'](self.rule_name, sudocmd=self.test_command)
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'all')
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
finally:
|
|
api.Command['sudorule_remove_allow_command'](self.rule_name, sudocmd=self.test_command)
|
|
|
|
def test_i_sudorule_exclusiverunas(self):
|
|
"""
|
|
Test adding a runasuser to an Sudo rule when ipasudorunasusercategory='all'
|
|
"""
|
|
api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'all')
|
|
try:
|
|
api.Command['sudorule_add_runasuser'](self.rule_name, sudocmd=self.test_user)
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'')
|
|
|
|
def test_j_sudorule_exclusiverunas(self):
|
|
"""
|
|
Test setting ipasudorunasusercategory='all' in an Sudo rule when there are runas users
|
|
"""
|
|
api.Command['sudorule_add_runasuser'](self.rule_name, user=self.test_user)
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'all')
|
|
except errors.MutuallyExclusiveError:
|
|
pass
|
|
finally:
|
|
api.Command['sudorule_remove_runasuser'](self.rule_name, user=self.test_command)
|
|
|
|
def test_k_sudorule_clear_testing_data(self):
|
|
"""
|
|
Clear data for Sudo rule plugin testing.
|
|
"""
|
|
api.Command['user_del'](self.test_user)
|
|
api.Command['user_del'](self.test_runasuser)
|
|
api.Command['group_del'](self.test_group)
|
|
api.Command['host_del'](self.test_host)
|
|
api.Command['hostgroup_del'](self.test_hostgroup)
|
|
api.Command['sudocmd_del'](self.test_command)
|
|
api.Command['sudocmdgroup_del'](self.test_sudoallowcmdgroup)
|
|
api.Command['sudocmdgroup_del'](self.test_sudodenycmdgroup)
|
|
|
|
def test_l_sudorule_order(self):
|
|
"""
|
|
Test that order uniqueness is maintained
|
|
"""
|
|
api.Command['sudorule_mod'](self.rule_name, sudoorder=1)
|
|
|
|
api.Command['sudorule_add'](self.rule_name2)
|
|
|
|
# mod of rule that has no order and set a duplicate
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=1)
|
|
except errors.ValidationError:
|
|
pass
|
|
|
|
# Remove the rule so we can re-add it
|
|
api.Command['sudorule_del'](self.rule_name2)
|
|
|
|
# add a new rule with a duplicate order
|
|
try:
|
|
api.Command['sudorule_add'](self.rule_name2, sudoorder=1)
|
|
except errors.ValidationError:
|
|
pass
|
|
|
|
# add a new rule with a unique order
|
|
api.Command['sudorule_add'](self.rule_name2, sudoorder=2)
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=1)
|
|
except errors.ValidationError:
|
|
pass
|
|
|
|
# Try setting both to 0
|
|
api.Command['sudorule_mod'](self.rule_name2, sudoorder=0)
|
|
try:
|
|
api.Command['sudorule_mod'](self.rule_name, sudoorder=0)
|
|
except errors.ValidationError:
|
|
pass
|
|
|
|
|
|
def test_m_sudorule_del(self):
|
|
"""
|
|
Test deleting a Sudo rule using `xmlrpc.sudorule_del`.
|
|
"""
|
|
api.Command['sudorule_del'](self.rule_name)
|
|
# verify that it's gone
|
|
try:
|
|
api.Command['sudorule_show'](self.rule_name)
|
|
except errors.NotFound:
|
|
pass
|
|
else:
|
|
assert False
|
|
api.Command['sudorule_del'](self.rule_name2)
|