IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
6ce44c4f05
freeipa/ipatests/test_xmlrpc/test_permission_plugin.py
Petr Viktorin 6ce44c4f05 permission plugin: Auto-add operational atttributes to read permissions 
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.

https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00

4065 lines
148 KiB
Python
Raw Blame History

# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
#
# Copyright (C) 2010 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib/plugins/permission.py` module.
"""
import os
import nose
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
import inspect
try:
from ipaserver.plugins.ldap2 import ldap2
except ImportError:
have_ldap2 = False
else:
import krbV
have_ldap2 = True
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
api.env.container_permission,api.env.basedn)
permission1_renamed = u'testperm1_rn'
permission1_renamed_dn = DN(('cn',permission1_renamed),
api.env.container_permission,api.env.basedn)
permission1_renamed_ucase = u'Testperm_RN'
permission1_renamed_ucase_dn = DN(('cn',permission1_renamed_ucase),
api.env.container_permission,api.env.basedn)
permission2 = u'testperm2'
permission2_dn = DN(('cn',permission2),
api.env.container_permission,api.env.basedn)
permission3 = u'testperm3'
permission3_dn = DN(('cn',permission3),
api.env.container_permission,api.env.basedn)
permission3_attributelevelrights = {
'member': u'rscwo',
'seealso': u'rscwo',
'ipapermissiontype': u'rscwo',
'cn': u'rscwo',
'businesscategory': u'rscwo',
'objectclass': u'rscwo',
'memberof': u'rscwo',
'aci': u'rscwo',
'ipapermlocation': u'rscwo',
'o': u'rscwo',
'ipapermincludedattr': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
'owner': u'rscwo',
'ou': u'rscwo',
'ipapermright': u'rscwo',
'nsaccountlock': u'rscwo',
'description': u'rscwo',
'ipapermtargetfilter': u'rscwo',
'ipapermbindruletype': u'rscwo',
'ipapermlocation': u'rscwo',
'ipapermtarget': u'rscwo',
'type': u'rscwo',
'targetgroup': u'rscwo',
'attrs': u'rscwo',
}
privilege1 = u'testpriv1'
privilege1_dn = DN(('cn',privilege1),
api.env.container_privilege,api.env.basedn)
invalid_permission1 = u'bad;perm'
users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
etc_dn = DN('cn=etc', api.env.basedn)
nonexistent_dn = DN('cn=does not exist', api.env.basedn)
admin_dn = DN('uid=admin', users_dn)
group_filter = u'(|(objectclass=ipausergroup)(objectclass=posixgroup))'
def verify_permission_aci(name, dn, acistring):
"""Return test dict that verifies the ACI at the given location"""
return dict(
desc="Verify ACI of %s #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=dict(
result=dict(aci=acistring),
summary=None,
value=name,
),
)
def verify_permission_aci_missing(name, dn):
"""Return test dict that checks the ACI at the given location is missing"""
return dict(
desc="Verify ACI of %s is missing #(%s)" % (name, lineinfo(2)),
command=('aci_show', [name], dict(
aciprefix=u'permission', location=dn, raw=True)),
expected=errors.NotFound(
reason='ACI with name "%s" not found' % name),
)
def lineinfo(level):
"""Return "filename:lineno" for `level`-th caller"""
# Declarative tests hide tracebacks.
# Including this info in the test name makes it possible
# to locate failing tests.
frame = inspect.currentframe()
for i in range(level):
frame = frame.f_back
lineno = frame.f_lineno
filename = os.path.basename(frame.f_code.co_filename)
return '%s:%s' % (filename, lineno)
class test_permission_negative(Declarative):
"""Make sure invalid operations fail"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Try to retrieve non-existent %r' % permission1,
command=('permission_show', [permission1], {}),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(ipapermright=u'all')),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Try to delete non-existent %r' % permission1,
command=('permission_del', [permission1], {}),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Search for non-existent %r' % permission1,
command=('permission_find', [permission1], {}),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
dict(
desc='Try creating %r with no ipapermright' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
attrs=[u'sn'],
)
),
expected=errors.RequirementError(name='ipapermright'),
),
dict(
desc='Try creating %r with no target option' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermright=u'write',
)
),
expected=errors.ValidationError(
name='target',
error='there must be at least one target entry specifier '
'(e.g. target, targetfilter, attrs)'),
),
verify_permission_aci_missing(permission1, api.env.basedn),
dict(
desc='Try to create invalid %r' % invalid_permission1,
command=('permission_add', [invalid_permission1], dict(
type=u'user',
ipapermright=u'write',
)),
expected=errors.ValidationError(name='name',
error='May only contain letters, numbers, -, _, ., and space'),
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Try creating %r with bad attribute name' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
attrs=u'bogusattr',
)
),
expected=errors.InvalidSyntax(
attr=r'targetattr "bogusattr" does not exist in schema. '
r'Please add attributeTypes "bogusattr" to '
r'schema if necessary. '
r'ACL Syntax Error(-5):'
r'(targetattr = \22bogusattr\22)'
r'(targetfilter = \22(objectclass=posixaccount)\22)'
r'(version 3.0;acl \22permission:%(name)s\22;'
r'allow (write) groupdn = \22ldap:///%(dn)s\22;)' % dict(
name=permission1,
dn=permission1_dn),
),
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Try to create permission with : in the name',
command=('permission_add', ['bad:' + permission1], dict(
type=u'user',
ipapermright=u'write',
)),
expected=errors.ValidationError(name='name',
error='May only contain letters, numbers, -, _, ., and space'),
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Try to create permission with full and extra target filter',
command=('permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
ipapermtargetfilter=u'(cn=*)',
extratargetfilter=u'(sn=*)',
)),
expected=errors.ValidationError(name='ipapermtargetfilter',
error='cannot specify full target filter and extra target '
'filter simultaneously'),
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create %r so we can try breaking it' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
attrs=[u'sn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
dict(
desc='Try remove ipapermright from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermright=None,
)
),
expected=errors.RequirementError(name='ipapermright'),
),
dict(
desc='Try to remove type from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
attrs=None,
type=None,
)
),
expected=errors.ValidationError(
name='target',
error='there must be at least one target entry specifier '
'(e.g. target, targetfilter, attrs)'),
),
dict(
desc='Try to "remove" empty memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
memberof=None,
)
),
expected=errors.EmptyModlist(),
),
dict(
desc='Try to remove targetfilter and memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
attrs=None,
ipapermtargetfilter=None,
)
),
expected=errors.ValidationError(
name='target',
error='there must be at least one target entry specifier '
'(e.g. target, targetfilter, attrs)'),
),
dict(
desc='Try to rename %r to invalid %r' % (
permission1, invalid_permission1),
command=('permission_mod', [permission1], dict(
rename=invalid_permission1,
)),
expected=errors.ValidationError(name='rename',
error='May only contain letters, numbers, -, _, ., and space'),
),
dict(
desc='Try setting ipapermexcludedattr on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermexcludedattr=[u'cn'],
)
),
expected=errors.ValidationError(
name='ipapermexcludedattr',
error='only available on managed permissions'),
),
dict(
desc='Try to setting both full and extra target filter on %s' % permission1,
command=('permission_mod', [permission1], dict(
ipapermtargetfilter=u'(cn=*)',
extratargetfilter=u'(sn=*)',
)),
expected=errors.ValidationError(name='ipapermtargetfilter',
error='cannot specify full target filter and extra target '
'filter simultaneously'),
),
]
class test_permission(Declarative):
"""Misc. tests for the permission plugin"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
('permission_del', [permission2], {'force': True}),
('permission_del', [permission3], {'force': True}),
('permission_del', [permission1_renamed], {'force': True}),
('permission_del', [permission1_renamed_ucase], {'force': True}),
('privilege_del', [privilege1], {}),
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
attrs=[u'sn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Try to create duplicate %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
attrs=[u'sn'],
),
),
expected=errors.DuplicateEntry(
message='permission with name "%s" already exists' % permission1),
),
dict(
desc='Create %r' % privilege1,
command=('privilege_add', [privilege1],
dict(description=u'privilege desc. 1')
),
expected=dict(
value=privilege1,
summary=u'Added privilege "%s"' % privilege1,
result=dict(
dn=privilege1_dn,
cn=[privilege1],
description=[u'privilege desc. 1'],
objectclass=objectclasses.privilege,
),
),
),
dict(
desc='Add permission %r to privilege %r' % (permission1, privilege1),
command=('privilege_add_permission', [privilege1],
dict(permission=permission1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
permission=[],
),
),
result={
'dn': privilege1_dn,
'cn': [privilege1],
'description': [u'privilege desc. 1'],
'memberof_permission': [permission1],
'objectclass': objectclasses.privilege,
}
),
),
dict(
desc='Retrieve %r' % permission1,
command=('permission_show', [permission1], {}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
),
),
dict(
desc='Retrieve %r with --raw' % permission1,
command=('permission_show', [permission1], {'raw': True}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'aci': ['(targetattr = "sn")'
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%(name)s";'
'allow (write) groupdn = "ldap:///%(pdn)s";)' %
{'tdn': DN(('uid', '*'), users_dn),
'name': permission1,
'pdn': permission1_dn}],
},
),
),
dict(
desc='Search for %r' % permission1,
command=('permission_find', [permission1], {}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
dict(
desc='Search for %r using --name' % permission1,
command=('permission_find', [], {'cn': permission1}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
dict(
desc='Search for non-existent permission using --name',
command=('permission_find', [], {'cn': u'notfound'}),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
dict(
desc='Search for %r' % privilege1,
command=('permission_find', [privilege1], {}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
dict(
desc='Search for %r with --raw' % permission1,
command=('permission_find', [permission1], {'raw': True}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'aci': ['(targetattr = "sn")'
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%(name)s";'
'allow (write) groupdn = "ldap:///%(pdn)s";)' %
{'tdn': DN(('uid', '*'), users_dn),
'name': permission1,
'pdn': permission1_dn}],
},
],
),
),
dict(
desc='Create %r' % permission2,
command=(
'permission_add', [permission2], dict(
type=u'user',
ipapermright=u'write',
setattr=u'owner=cn=test',
addattr=u'owner=cn=test2',
attrs=[u'cn'],
)
),
expected=dict(
value=permission2,
summary=u'Added permission "%s"' % permission2,
result=dict(
dn=permission2_dn,
cn=[permission2],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
owner=[u'cn=test', u'cn=test2'],
attrs=[u'cn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission2, users_dn,
'(targetattr = "cn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict(
desc='Search for %r' % permission1,
command=('permission_find', [permission1], {}),
expected=dict(
count=2,
truncated=False,
summary=u'2 permissions matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
{
'dn': permission2_dn,
'cn': [permission2],
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
dict(
desc='Search for %r with --pkey-only' % permission1,
command=('permission_find', [permission1], {'pkey_only' : True}),
expected=dict(
count=2,
truncated=False,
summary=u'2 permissions matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
},
{
'dn': permission2_dn,
'cn': [permission2],
},
],
),
),
dict(
desc='Search by ACI attribute with --pkey-only',
command=('permission_find', [], {'pkey_only': True,
'attrs': [u'krbminpwdlife']}),
expected=dict(
count=2,
truncated=False,
summary=u'2 permissions matched',
result=[
{
'dn': DN(('cn', 'System: Modify Group Password Policy'),
api.env.container_permission, api.env.basedn),
'cn': [u'System: Modify Group Password Policy'],
},
{
'dn': DN(('cn', 'System: Read Group Password Policy'),
api.env.container_permission, api.env.basedn),
'cn': [u'System: Read Group Password Policy'],
},
],
),
),
dict(
desc='Search for %r' % privilege1,
command=('privilege_find', [privilege1], {}),
expected=dict(
count=1,
truncated=False,
summary=u'1 privilege matched',
result=[
{
'dn': privilege1_dn,
'cn': [privilege1],
'description': [u'privilege desc. 1'],
'memberof_permission': [permission1],
},
],
),
),
dict(
desc='Search for %r with a limit of 1 (truncated)' % permission1,
command=('permission_find', [permission1], dict(sizelimit=1)),
expected=dict(
count=1,
truncated=True,
summary=u'1 permission matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
dict(
desc='Search for %r with a limit of 2' % permission1,
command=('permission_find', [permission1], dict(sizelimit=2)),
expected=dict(
count=2,
truncated=False,
summary=u'2 permissions matched',
result=[
{
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'member_privilege': [privilege1],
},
{
'dn': permission2_dn,
'cn': [permission2],
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
],
),
),
# This tests setting truncated to True in the post_callback of
# permission_find(). The return order in LDAP is not guaranteed
# so do not check the actual entry.
dict(
desc='Search for permissions by attr with a limit of 1 (truncated)',
command=('permission_find', [u'Modify'],
dict(attrs=u'ipaenabledflag', sizelimit=1)),
expected=dict(
count=1,
truncated=True,
summary=u'1 permission matched',
result=[lambda res:
DN(res['dn']).endswith(DN(api.env.container_permission,
api.env.basedn)) and
'ipapermission' in res['objectclass']],
),
),
dict(
desc='Update %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermright=u'read',
memberof=u'ipausers',
setattr=u'owner=cn=other-test',
addattr=u'owner=cn=other-test2',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
member_privilege=[privilege1],
type=[u'user'],
ipapermright=[u'read'],
memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Retrieve %r to verify update' % permission1,
command=('permission_show', [permission1], {}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
),
),
dict(
desc='Try to rename %r to existing permission %r' % (permission1,
permission2),
command=(
'permission_mod', [permission1], dict(rename=permission2,
ipapermright=u'all',)
),
expected=errors.DuplicateEntry(),
),
dict(
desc='Try to rename %r to empty name' % (permission1),
command=(
'permission_mod', [permission1], dict(rename=u'',
ipapermright=u'all',)
),
expected=errors.ValidationError(name='rename',
error=u'New name can not be empty'),
),
dict(
desc='Check integrity of original permission %r' % permission1,
command=('permission_show', [permission1], {}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
),
),
dict(
desc='Rename %r to permission %r' % (permission1,
permission1_renamed),
command=(
'permission_mod', [permission1], dict(rename=permission1_renamed,
ipapermright= u'all',)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result={
'dn': permission1_renamed_dn,
'cn': [permission1_renamed],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'all'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
),
),
verify_permission_aci_missing(permission1, users_dn),
verify_permission_aci(
permission1_renamed, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
dict(
desc='Rename %r to permission %r' % (permission1_renamed,
permission1_renamed_ucase),
command=(
'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase,
ipapermright= u'write',)
),
expected=dict(
value=permission1_renamed,
summary=u'Modified permission "%s"' % permission1_renamed,
result={
'dn': permission1_renamed_ucase_dn,
'cn': [permission1_renamed_ucase],
'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
'memberof': [u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
},
),
),
verify_permission_aci_missing(permission1_renamed, users_dn),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=ipausers', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict(
desc='Change %r to a subtree type' % permission1_renamed_ucase,
command=(
'permission_mod', [permission1_renamed_ucase],
dict(ipapermlocation=users_dn, type=None)
),
expected=dict(
value=permission1_renamed_ucase,
summary=u'Modified permission "%s"' % permission1_renamed_ucase,
result=dict(
dn=permission1_renamed_ucase_dn,
cn=[permission1_renamed_ucase],
objectclass=objectclasses.permission,
member_privilege=[privilege1],
ipapermlocation=[users_dn],
ipapermright=[u'write'],
memberof=[u'ipausers'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
),
),
),
verify_permission_aci(
permission1_renamed_ucase, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict(
desc='Reset --subtree of %r' % permission2,
command=(
'permission_mod', [permission2],
dict(ipapermlocation=api.env.basedn)
),
expected=dict(
value=permission2,
summary=u'Modified permission "%s"' % permission2,
result={
'dn': permission2_dn,
'cn': [permission2],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'extratargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [api.env.basedn],
},
),
),
verify_permission_aci(
permission2, api.env.basedn,
'(targetattr = "cn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission2 +
'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
),
dict(
desc='Change subtree of %r to admin' % permission1_renamed_ucase,
command=(
'permission_mod', [permission1_renamed_ucase],
dict(ipapermlocation=admin_dn)
),
expected=dict(
value=permission1_renamed_ucase,
summary=u'Modified permission "%s"' % permission1_renamed_ucase,
result=dict(
dn=permission1_renamed_ucase_dn,
cn=[permission1_renamed_ucase],
objectclass=objectclasses.permission,
member_privilege=[privilege1],
ipapermlocation=[admin_dn],
ipapermright=[u'write'],
memberof=[u'ipausers'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
),
),
),
verify_permission_aci(
permission1_renamed_ucase, admin_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
'allow (write) groupdn = "ldap:///%s";)' %
permission1_renamed_ucase_dn,
),
dict(
desc='Search for %r using --subtree' % permission1_renamed_ucase,
command=('permission_find', [],
{'ipapermlocation': u'ldap:///%s' % admin_dn}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn':permission1_renamed_ucase_dn,
'cn':[permission1_renamed_ucase],
'objectclass': objectclasses.permission,
'member_privilege':[privilege1],
'ipapermlocation': [admin_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
},
],
),
),
dict(
desc='Search using nonexistent --subtree',
command=('permission_find', [], {'ipapermlocation': u'foo'}),
expected=errors.ConversionError(
name='subtree', error='malformed RDN string = "foo"'),
),
dict(
desc='Search using --targetgroup',
command=('permission_find', [], {'targetgroup': u'ipausers'}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
{
'dn': DN(('cn', 'System: Add User to default group'),
api.env.container_permission, api.env.basedn),
'cn': [u'System: Add User to default group'],
'objectclass': objectclasses.permission,
'member_privilege': [u'User Administrators'],
'attrs': [u'member'],
'targetgroup': [u'ipausers'],
'memberindirect_role': [u'User Administrator'],
'ipapermright': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermtarget': [DN(
'cn=ipausers', api.env.container_group,
api.env.basedn)],
'ipapermlocation': [groups_dn],
'ipapermdefaultattr': [u'member'],
'ipapermissiontype': [u'V2', u'MANAGED', u'SYSTEM'],
}
],
),
),
dict(
desc='Delete %r' % permission1_renamed_ucase,
command=('permission_del', [permission1_renamed_ucase], {}),
expected=dict(
result=dict(failed=[]),
value=[permission1_renamed_ucase],
summary=u'Deleted permission "%s"' % permission1_renamed_ucase,
)
),
verify_permission_aci_missing(permission1_renamed_ucase, users_dn),
dict(
desc='Try to delete non-existent %r' % permission1,
command=('permission_del', [permission1], {}),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Try to retrieve non-existent %r' % permission1,
command=('permission_show', [permission1], {}),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(rename=u'Foo')),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
dict(
desc='Delete %r' % permission2,
command=('permission_del', [permission2], {}),
expected=dict(
result=dict(failed=[]),
value=[permission2],
summary=u'Deleted permission "%s"' % permission2,
)
),
verify_permission_aci_missing(permission2, users_dn),
dict(
desc='Search for %r' % permission1,
command=('permission_find', [permission1], {}),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
dict(
desc='Delete %r' % privilege1,
command=('privilege_del', [privilege1], {}),
expected=dict(
result=dict(failed=[]),
value=[privilege1],
summary=u'Deleted privilege "%s"' % privilege1,
)
),
dict(
desc='Try to create permission %r with non-existing memberof' % permission1,
command=(
'permission_add', [permission1], dict(
memberof=u'nonexisting',
ipapermright=u'write',
attrs=[u'cn'],
)
),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
),
dict(
desc='Create memberof permission %r' % permission1,
command=(
'permission_add', [permission1], dict(
memberof=u'editors',
ipapermright=u'write',
type=u'user',
attrs=[u'sn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
memberof=[u'editors'],
ipapermright=[u'write'],
type=[u'user'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=editors', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Try to update non-existent memberof of %r' % permission1,
command=('permission_mod', [permission1], dict(
memberof=u'nonexisting')),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
),
dict(
desc='Update memberof permission %r' % permission1,
command=(
'permission_mod', [permission1], dict(
memberof=u'admins',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
memberof=[u'admins'],
ipapermright=[u'write'],
type=[u'user'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset memberof of permission %r' % permission1,
command=(
'permission_mod', [permission1], dict(
memberof=None,
)
),
expected=dict(
summary=u'Modified permission "%s"' % permission1,
value=permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
type=[u'user'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Delete %r' % permission1,
command=('permission_del', [permission1], {}),
expected=dict(
result=dict(failed=[]),
value=[permission1],
summary=u'Deleted permission "%s"' % permission1,
)
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create targetgroup permission %r' % permission1,
command=(
'permission_add', [permission1], dict(
targetgroup=u'editors',
ipapermright=u'write',
attrs=[u'sn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
targetgroup=[u'editors'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('cn', 'editors'), groups_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN('cn=editors', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Create %r' % permission3,
command=(
'permission_add', [permission3], dict(
type=u'user',
ipapermright=u'write',
attrs=[u'cn']
)
),
expected=dict(
value=permission3,
summary=u'Added permission "%s"' % permission3,
result=dict(
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict(
desc='Retrieve %r with --all --rights' % permission3,
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
expected=dict(
value=permission3,
summary=None,
result=dict(
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
attrs=[u'cn'],
ipapermincludedattr=[u'cn'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
dict(
desc='Modify %r with --all --rights' % permission3,
command=('permission_mod', [permission3], {
'all': True, 'rights': True,
'attrs': [u'cn', u'uid']}),
expected=dict(
value=permission3,
summary=u'Modified permission "%s"' % permission3,
result=dict(
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
attrs=[u'cn', u'uid'],
ipapermincludedattr=[u'cn', u'uid'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission3, users_dn,
'(targetattr = "cn || uid")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission3 +
'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
),
dict(
desc='Try to modify %r with naked targetfilter' % permission1,
command=('permission_mod', [permission1],
{'ipapermtargetfilter': u"cn=admin"}),
expected=errors.ValidationError(
name='rawfilter',
error='must be enclosed in parentheses'),
),
dict(
desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1],
{'ipapermtargetfilter': u"(ceci n'est pas un filtre)"}),
expected=errors.ValidationError(
name='ipapermtargetfilter',
error='Bad search filter'),
),
dict(
desc='Try setting nonexisting location on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermlocation=nonexistent_dn,
)
),
expected=errors.ValidationError(
name='ipapermlocation',
error='Entry %s does not exist' % nonexistent_dn)
),
dict(
desc='Search for nonexisting permission with ":" in the name',
command=(
'permission_find', ['doesnotexist:' + permission1], {}
),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
]
class test_permission_rollback(Declarative):
"""Test rolling back changes after failed update"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
_verifications = [
dict(
desc='Retrieve %r' % permission1,
command=('permission_show', [permission1], {}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
'ipapermtarget': [DN(('uid', 'admin'), users_dn)],
},
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('uid', 'admin'), users_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
verify_permission_aci_missing(permission1, etc_dn)
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermlocation=users_dn,
ipapermtarget=DN('uid=admin', users_dn),
ipapermright=[u'write'],
attrs=[u'sn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtarget=[DN(('uid', 'admin'), users_dn)],
),
),
),
] + _verifications + [
dict(
desc='Move %r to non-existent DN' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermlocation=DN('foo=bar'),
)
),
expected=errors.ValidationError(
name='ipapermlocation',
error='Entry foo=bar does not exist'),
),
] + _verifications + [
dict(
desc='Move %r to another DN' % permission1,
command=('permission_mod', [permission1],
dict(ipapermlocation=etc_dn)
),
expected=errors.InvalidSyntax(
attr=r'ACL Invalid Target Error(-8): '
r'Target is beyond the scope of the ACL'
r'(SCOPE:%(sdn)s) '
r'(targetattr = \22sn\22)'
r'(target = \22ldap:///%(tdn)s\22)'
r'(version 3.0;acl \22permission:testperm\22;'
r'allow (write) groupdn = \22ldap:///%(pdn)s\22;)' % dict(
sdn=etc_dn,
tdn=DN('uid=admin', users_dn),
pdn=permission1_dn)),
),
] + _verifications + [
dict(
desc='Try adding an invalid attribute on %r with --all --rights' % permission1,
command=(
'permission_mod', [permission1], dict(
attrs=[u'cn', u'bogusattributexyz'],
rights=True,
all=True,
)
),
expected=errors.InvalidSyntax(
attr=r'targetattr "bogusattributexyz" does not exist '
r'in schema. Please add attributeTypes '
r'"bogusattributexyz" to schema if necessary. ACL Syntax '
r'Error(-5):(targetattr = \22bogusattributexyz || cn\22)'
r'(target = \22ldap:///%(tdn)s\22)'
r'(version 3.0;acl \22permission:%(name)s\22;'
r'allow (write) groupdn = \22ldap:///%(dn)s\22;)' % dict(
tdn=DN('uid=admin', users_dn),
name=permission1,
dn=permission1_dn),
),
),
] + _verifications
class test_permission_sync_attributes(Declarative):
"""Test the effects of setting permission attributes"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermlocation=users_dn,
ipapermright=u'write',
attrs=u'sn',
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset location on %r, verify type is gone' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermlocation=None,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
extratargetfilter=[
u'(objectclass=posixaccount)'],
memberof=[u'admins'],
ipapermlocation=[api.env.basedn],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Reset location on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermlocation=users_dn,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")'
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
verify_permission_aci_missing(permission1, api.env.basedn),
dict(
desc='Unset objectclass filter on %r, verify type is gone' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermtargetfilter=None,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set type of %r to group' % permission1,
command=(
'permission_mod', [permission1], dict(
type=u'group',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(targetfilter = "%s")' % group_filter +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set target on %r, verify targetgroup is set' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermtarget=DN('cn=editors', groups_dn),
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(targetfilter = "%s")' % group_filter +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set extra targetfilter on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
extratargetfilter=u'(cn=blabla)',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
extratargetfilter=[u'(cn=blabla)'],
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(targetfilter = "(&(cn=blabla)%s)")' % group_filter +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Retrieve %r with --all' % permission1,
command=(
'permission_show', [permission1], dict(all=True)
),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
extratargetfilter=[u'(cn=blabla)'],
ipapermtargetfilter=[u'(cn=blabla)', group_filter],
),
),
),
dict(
desc='Set type of %r back to user' % permission1,
command=(
'permission_mod', [permission1], dict(
type=u'user', ipapermtarget=None,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
extratargetfilter=[u'(cn=blabla)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&(cn=blabla)(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
]
class test_permission_sync_nice(Declarative):
"""Test the effects of setting convenience options on permissions"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
attrs=u'sn',
memberof=u'admins',
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount))")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset type on %r, verify target & filter are gone' % permission1,
command=(
'permission_mod', [permission1], dict(
type=None,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
memberof=[u'admins'],
ipapermlocation=[api.env.basedn],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
command=(
'permission_mod', [permission1], dict(
memberof=None,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set type of %r to group' % permission1,
command=(
'permission_mod', [permission1], dict(
type=u'group',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(targetfilter = "%s")' % group_filter +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set targetgroup on %r, verify target is set' % permission1,
command=(
'permission_mod', [permission1], dict(
targetgroup=u'editors',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
ipapermlocation=[groups_dn],
targetgroup=[u'editors'],
),
),
),
verify_permission_aci(
permission1, groups_dn,
'(targetattr = "sn")' +
'(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
'(targetfilter = "%s")' % group_filter +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
]
class test_permission_targetfilter(Declarative):
"""Test the targetfilter options on permissions"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
_initial_aci = (
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(cn=*)' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount)' +
'(sn=*)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
)
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
attrs=u'sn',
memberof=u'admins',
extratargetfilter=[u'(cn=*)', u'(sn=*)'],
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(sn=*)'],
ipapermtargetfilter=[
u'(cn=*)', u'(sn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(permission1, users_dn, _initial_aci),
dict(
desc='Retrieve %r' % permission1,
command=(
'permission_show', [permission1], dict()
),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(sn=*)'],
),
),
),
dict(
desc='Retrieve %r with --all' % permission1,
command=(
'permission_show', [permission1], dict(all=True)
),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(sn=*)'],
ipapermtargetfilter=[
u'(cn=*)', u'(sn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
dict(
desc='Retrieve %r with --raw' % permission1,
command=(
'permission_show', [permission1], dict(raw=True)
),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
aci=[_initial_aci],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[
u'(cn=*)', u'(sn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
dict(
desc='Retrieve %r with --all and --raw' % permission1,
command=(
'permission_show', [permission1], dict(all=True, raw=True)
),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
aci=[_initial_aci],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[
u'(cn=*)', u'(sn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
dict(
desc='Modify extratargetfilter of %r' % permission1,
command=(
'permission_mod', [permission1], dict(
extratargetfilter=[u'(cn=*)', u'(l=*)'],
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(l=*)'],
ipapermtargetfilter=[
u'(cn=*)', u'(l=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(cn=*)' +
'(l=*)' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
dict(
desc='Remove raw targetfilter of %r' % permission1,
command=(
'permission_mod', [permission1], dict(
ipapermtargetfilter=None,
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
dict(
desc='Set extra targetfilter on %r to restore' % permission1,
command=(
'permission_mod', [permission1], dict(
extratargetfilter=[
u'(cn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)'],
ipapermtargetfilter=[
u'(cn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(cn=*)' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
] + [
dict(
desc='Search for %r using %s %s' % (permission1, value_name, option_name),
command=(
'permission_find', [permission1],
{option_name: value, 'all': True}
),
expected=dict(
summary=u'1 permission matched' if should_find else u'0 permissions matched',
truncated=False,
count=1 if should_find else 0,
result=[dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)'],
ipapermtargetfilter=[
u'(cn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)'],
)] if should_find else [],
),
)
for option_name in (
'extratargetfilter',
'ipapermtargetfilter',
)
for value_name, value, should_find in (
('"extra"', u'(cn=*)', True),
('"non-extra"', u'(objectclass=posixaccount)', True),
('non-existing', u'(sn=insert a very improbable last name)', False),
)
] + [
dict(
desc='Set extra objectclass filter on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
ipapermtargetfilter=[
u'(cn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=posixaccount)',
u'(objectclass=top)'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(cn=*)' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=posixaccount)' +
'(objectclass=top)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
dict(
desc='Unset type on %r to verify extra objectclass filter stays' % permission1,
command=(
'permission_mod', [permission1], dict(
type=None,
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
memberof=[u'admins'],
extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
ipapermtargetfilter=[
u'(cn=*)',
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(objectclass=top)'],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(cn=*)' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(objectclass=top)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
dict(
desc='Set wildcard memberof filter on %r' % permission1,
command=(
'permission_mod', [permission1], dict(
extratargetfilter=u'(memberof=*)',
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
memberof=[u'admins'],
extratargetfilter=[u'(memberof=*)'],
ipapermtargetfilter=[
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
u'(memberof=*)'],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(&' +
'(memberOf=%s)' % DN('cn=admins', groups_dn) +
'(memberof=*)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
dict(
desc='Remove --memberof on %r to verify wildcard is still there' % permission1,
command=(
'permission_mod', [permission1], dict(
memberof=[],
all=True,
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
attrs=[u'sn'],
ipapermincludedattr=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
extratargetfilter=[u'(memberof=*)'],
ipapermtargetfilter=[u'(memberof=*)'],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetattr = "sn")' +
'(targetfilter = "(memberof=*)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
),
]
def _make_permission_flag_tests(flags, expected_message):
return [
dict(
desc='Create %r with flags %s' % (permission1, flags),
command=(
'permission_add_noaci', [permission1], dict(
ipapermissiontype=flags,
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.system_permission,
ipapermissiontype=flags,
),
),
),
dict(
desc='Try to modify %r' % permission1,
command=('permission_mod', [permission1], {'type': u'user'}),
expected=errors.ACIError(info=expected_message),
),
dict(
desc='Try to delete %r' % permission1,
command=('permission_del', [permission1], {}),
expected=errors.ACIError(info=expected_message),
),
dict(
desc='Add %r to %r' % (permission1, privilege1),
command=('privilege_add_permission', [privilege1],
{'permission': permission1}),
expected=dict(
completed=1,
failed=dict(
member=dict(
permission=[],
),
),
result={
'dn': privilege1_dn,
'cn': [privilege1],
'description': [u'privilege desc. 1'],
'memberof_permission': [permission1],
'objectclass': objectclasses.privilege,
}
),
),
dict(
desc='Delete %r with --force' % permission1,
command=('permission_del', [permission1], {'force': True}),
expected=dict(
result=dict(failed=[]),
value=[permission1],
summary=u'Deleted permission "%s"' % permission1,
),
),
]
class test_permission_flags(Declarative):
"""Test that permission flags are handled correctly"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
('privilege_del', [privilege1], {}),
]
tests = [
dict(
desc='Create %r' % privilege1,
command=('privilege_add', [privilege1],
dict(description=u'privilege desc. 1')
),
expected=dict(
value=privilege1,
summary=u'Added privilege "%s"' % privilege1,
result=dict(
dn=privilege1_dn,
cn=[privilege1],
description=[u'privilege desc. 1'],
objectclass=objectclasses.privilege,
),
),
),
] + (
_make_permission_flag_tests(
[u'SYSTEM'],
'A SYSTEM permission may not be modified or removed') +
_make_permission_flag_tests(
[u'??'],
'Permission with unknown flag ?? may not be modified or removed') +
_make_permission_flag_tests(
[u'SYSTEM', u'??'],
'Permission with unknown flag ?? may not be modified or removed'))
class test_permission_legacy(Declarative):
"""Tests for non-upgraded permissions"""
tests = [
dict(
desc='Search for all permissions in $SUFFIX',
command=('permission_find', [],
{'ipapermlocation': api.env.basedn}),
expected=dict(
count=16,
truncated=False,
summary=u'16 permissions matched',
result=lambda s: True,
),
),
]
class test_permission_bindtype(Declarative):
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
('permission_del', [permission1_renamed], {'force': True}),
('privilege_del', [privilege1], {}),
]
tests = [
dict(
desc='Create anonymous %r' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
ipapermbindruletype=u'anonymous',
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'anonymous'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///anyone";)',
),
dict(
desc='Create %r' % privilege1,
command=('privilege_add', [privilege1],
dict(description=u'privilege desc. 1')
),
expected=dict(
value=privilege1,
summary=u'Added privilege "%s"' % privilege1,
result=dict(
dn=privilege1_dn,
cn=[privilege1],
description=[u'privilege desc. 1'],
objectclass=objectclasses.privilege,
),
),
),
dict(
desc='Try to add %r to %r' % (permission1, privilege1),
command=(
'privilege_add_permission', [privilege1], dict(
permission=[permission1],
)
),
expected=errors.ValidationError(
name='permission',
error=u'cannot add permission "%s" with bindtype "%s" to a '
'privilege' % (permission1, 'anonymous')),
),
dict(
desc='Change binddn of %r to all' % permission1,
command=(
'permission_mod', [permission1], dict(
type=u'user',
ipapermbindruletype=u'all',
)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Try to add %r to %r' % (permission1, privilege1),
command=(
'privilege_add_permission', [privilege1], dict(
permission=[permission1],
)
),
expected=errors.ValidationError(
name='permission',
error=u'cannot add permission "%s" with bindtype "%s" to a '
'privilege' % (permission1, 'all')),
),
dict(
desc='Search for %r using --bindtype' % permission1,
command=('permission_find', [permission1],
{'ipapermbindruletype': u'all'}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[
dict(
dn=permission1_dn,
cn=[permission1],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
],
),
),
dict(
desc='Search for %r using bad --bindtype' % permission1,
command=('permission_find', [permission1],
{'ipapermbindruletype': u'anonymous'}),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
dict(
desc='Add zero permissions to %r' % (privilege1),
command=('privilege_add_permission', [privilege1], {}),
expected=dict(
completed=0,
failed=dict(member=dict(permission=[])),
result=dict(
dn=privilege1_dn,
cn=[privilege1],
description=[u'privilege desc. 1'],
objectclass=objectclasses.privilege,
),
),
),
dict(
desc='Rename %r to permission %r' % (permission1,
permission1_renamed),
command=(
'permission_mod', [permission1], dict(rename=permission1_renamed)
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_renamed_dn,
cn=[permission1_renamed],
type=[u'user'],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1_renamed, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Reset binddn of %r to permission' % permission1_renamed,
command=(
'permission_mod', [permission1_renamed], dict(
type=u'user',
ipapermbindruletype=u'permission',
)
),
expected=dict(
value=permission1_renamed,
summary=u'Modified permission "%s"' % permission1_renamed,
result=dict(
dn=permission1_renamed_dn,
cn=[permission1_renamed],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1_renamed, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1_renamed +
'allow (write) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
),
dict(
desc='Rename %r back to %r' % (permission1_renamed, permission1),
command=(
'permission_mod', [permission1_renamed],
dict(rename=permission1)
),
expected=dict(
value=permission1_renamed,
summary=u'Modified permission "%s"' % permission1_renamed,
result=dict(
dn=permission1_dn,
cn=[permission1],
type=[u'user'],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Add %r to %r' % (permission1, privilege1),
command=(
'privilege_add_permission', [privilege1], dict(
permission=[permission1],
)
),
expected=dict(
completed=1,
failed=dict(member=dict(permission=[])),
result=dict(
dn=privilege1_dn,
cn=[privilege1],
description=[u'privilege desc. 1'],
memberof_permission=[permission1],
objectclass=objectclasses.privilege,
)
),
),
dict(
desc='Try to change binddn of %r to anonymous' % permission1,
command=(
'permission_mod', [permission1], dict(
type=u'user',
ipapermbindruletype=u'anonymous',
)
),
expected=errors.ValidationError(
name='ipapermbindruletype',
error=u'cannot set bindtype for a permission that is '
'assigned to a privilege')
),
]
class test_managed_permissions(Declarative):
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
('permission_del', [permission2], {'force': True}),
]
@classmethod
def setUpClass(cls):
super(test_managed_permissions, cls).setUpClass()
if not have_ldap2:
raise nose.SkipTest('server plugin not available')
def add_managed_permission(self):
"""Add a managed permission and the corresponding ACI"""
ldap = ldap2(shared_instance=False)
ldap.connect(ccache=krbV.default_context().default_ccache())
result = api.Command.permission_add(permission1, type=u'user',
ipapermright=u'write',
attrs=[u'cn'])
# TODO: This hack relies on the permission internals.
# Change as necessary.
# Add permission DN
entry = ldap.get_entry(permission1_dn)
entry['ipapermdefaultattr'] = ['l', 'o', 'cn']
ldap.update_entry(entry)
# Update the ACI via the API
result = api.Command.permission_mod(permission1,
attrs=[u'l', u'o', u'cn'])
# Set the permission type to MANAGED
entry = ldap.get_entry(permission1_dn)
entry['ipapermissiontype'].append('MANAGED')
ldap.update_entry(entry)
tests = [
add_managed_permission,
dict(
desc='Show pre-created %r' % permission1,
command=('permission_show', [permission1], {'all': True}),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
] + [
# Verify that most permission attributes can't be changed
dict(
desc='Try to modify %s in %r' % (attr_name, permission1),
command=('permission_mod', [permission1],
{attr_name: value}),
expected=errors.ValidationError(
name=err_attr or attr_name,
error='not modifiable on managed permissions'),
)
for attr_name, err_attr, value in (
('ipapermlocation', None, users_dn),
('ipapermright', None, u'compare'),
('ipapermtarget', None, users_dn),
('ipapermtargetfilter', None, u'(ou=engineering)'),
('memberof', 'ipapermtargetfilter', u'admins'),
('targetgroup', 'ipapermtarget', u'admins'),
('type', 'ipapermlocation', u'group'),
('extratargetfilter', 'extratargetfilter', u'(cn=*)'),
)
] + [
dict(
desc='Try to rename %r' % permission1,
command=('permission_mod', [permission1],
{'rename': permission2}),
expected=errors.ValidationError(
name='rename',
error='cannot rename managed permissions'),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Modify included and excluded attrs in %r' % permission1,
command=('permission_mod', [permission1],
{'ipapermincludedattr': [u'dc'],
'ipapermexcludedattr': [u'cn'],
'all': True}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'dc'],
ipapermincludedattr=[u'dc'],
ipapermexcludedattr=[u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "dc || l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Modify included attrs in %r' % permission1,
command=('permission_mod', [permission1],
{'ipapermincludedattr': [u'cn', u'sn'],
'all': True}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'cn', u'sn'],
ipapermexcludedattr=[u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Add ineffective included attr to %r' % permission1,
command=('permission_mod', [permission1],
{'ipapermincludedattr': [u'cn', u'sn', u'o'],
'all': True}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Modify excluded attrs in %r' % permission1,
command=('permission_mod', [permission1],
{'ipapermexcludedattr': [u'cn', u'sn'],
'all': True}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Modify bind rule in %r' % permission1,
command=('permission_mod', [permission1],
{'ipapermbindruletype': u'all'}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Show %r with no options' % permission1,
command=('permission_show', [permission1], {}),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
),
),
),
dict(
desc='Show %r with --all' % permission1,
command=('permission_show', [permission1], {'all': True}),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
),
),
),
dict(
desc='Show %r with --raw' % permission1,
command=('permission_show', [permission1], {'raw': True}),
expected=dict(
value=permission1,
summary=None,
result=dict(
dn=permission1_dn,
cn=[permission1],
aci=['(targetattr = "l || o")'
'(targetfilter = "(objectclass=posixaccount)")'
'(version 3.0;acl "permission:%(name)s";'
'allow (write) userdn = "ldap:///all";)' %
{'name': permission1}],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
ipapermdefaultattr=[u'l', u'o', u'cn'],
ipapermincludedattr=[u'cn', u'sn', u'o'],
ipapermexcludedattr=[u'cn', u'sn'],
),
),
),
dict(
desc='Modify attrs of %r to normalize' % permission1,
command=('permission_mod', [permission1],
{'attrs': [u'l', u'o']}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o'],
ipapermexcludedattr=[u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Modify attrs of %r to add sn' % permission1,
command=('permission_mod', [permission1],
{'attrs': [u'l', u'o', u'sn']}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
ipapermexcludedattr=[u'cn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "l || o || sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Search for %r using all its --attrs' % permission1,
command=('permission_find', [permission1],
{'cn': permission1, 'attrs': [u'l', u'o', u'sn']}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
ipapermexcludedattr=[u'cn'],
)],
),
),
dict(
desc='Search for %r using some --attrs' % permission1,
command=('permission_find', [permission1],
{'cn': permission1, 'attrs': [u'l', u'sn']}),
expected=dict(
count=1,
truncated=False,
summary=u'1 permission matched',
result=[dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn'],
ipapermincludedattr=[u'sn'],
ipapermexcludedattr=[u'cn'],
)],
),
),
dict(
desc='Search for %r using excluded --attrs' % permission1,
command=('permission_find', [permission1],
{'cn': permission1, 'attrs': [u'sn', u'cn']}),
expected=dict(
count=0,
truncated=False,
summary=u'0 permissions matched',
result=[],
),
),
dict(
desc='Modify attrs of %r to allow cn again' % permission1,
command=('permission_mod', [permission1],
{'attrs': [u'l', u'o', u'sn', u'cn']}),
expected=dict(
value=permission1,
summary=u'Modified permission "testperm"',
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'all'],
ipapermlocation=[users_dn],
ipapermdefaultattr=[u'l', u'o', u'cn'],
attrs=[u'l', u'o', u'sn', u'cn'],
ipapermincludedattr=[u'sn'],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetattr = "cn || l || o || sn")' +
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) userdn = "ldap:///all";)',
),
dict(
desc='Try to delete %r' % permission1,
command=('permission_del', [permission1], {}),
expected=errors.ACIError(
info='cannot delete managed permissions'),
),
dict(
desc='Delete %r with --force' % permission1,
command=('permission_del', [permission1], {'force': True}),
expected=dict(
result=dict(failed=[]),
value=[permission1],
summary=u'Deleted permission "%s"' % permission1,
),
),
]
class test_permission_filters(Declarative):
"""Test multi-valued filters, type, memberof"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Create %r with many filters' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
memberof=u'ipausers',
ipapermright=u'write',
ipapermtargetfilter=[
u'(objectclass=top)',
u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn),
]
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
memberof=[u'admins', u'ipausers'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
extratargetfilter=[
u'(objectclass=top)',
],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(&'
'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn) +
'(memberof=%s)' % DN(('cn', 'admins'), groups_dn) +
'(objectclass=posixaccount)(objectclass=top)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Remove type from %r while setting other filters' % permission1,
command=(
'permission_mod', [permission1],
dict(
type=None,
memberof=u'ipausers',
ipapermtargetfilter=[
u'(objectclass=ipauser)',
u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn),
],
),
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
memberof=[u'admins', u'ipausers'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
extratargetfilter=[
u'(objectclass=ipauser)',
],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetfilter = "(&'
'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn) +
'(memberof=%s)' % DN(('cn', 'admins'), groups_dn) +
'(objectclass=ipauser)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Remove memberof from %r while adding a filter' % permission1,
command=(
'permission_mod', [permission1],
dict(
memberof=None,
addattr=u'ipapermtargetfilter=(cn=xyz)',
),
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
extratargetfilter=[
u'(cn=xyz)',
u'(objectclass=ipauser)',
],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetfilter = "(&'
'(cn=xyz)' +
'(objectclass=ipauser)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Set memberof, type and filter on %r at once' % permission1,
command=(
'permission_mod', [permission1],
dict(
type=u'user',
memberof=u'admins',
ipapermtargetfilter=u'(uid=abc)',
),
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
memberof=[u'admins'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
extratargetfilter=[
u'(uid=abc)',
],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(&'
u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn) +
'(objectclass=posixaccount)' +
'(uid=abc)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Remove memberof & type from %r at once' % permission1,
command=(
'permission_mod', [permission1],
dict(
type=None,
memberof=None,
),
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
extratargetfilter=[
u'(uid=abc)',
],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetfilter = "(uid=abc)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Add multiple memberof to %r' % permission1,
command=(
'permission_mod', [permission1],
dict(
memberof=[u'admins', u'editors'],
),
),
expected=dict(
value=permission1,
summary=u'Modified permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
memberof=[u'admins', u'editors'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
extratargetfilter=[u'(uid=abc)'],
),
),
),
verify_permission_aci(
permission1, api.env.basedn,
'(targetfilter = "(&'
'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn) +
'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn) +
'(uid=abc)' +
')")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Delete %r' % permission1,
command=('permission_del', [permission1], {}),
expected=dict(
result=dict(failed=[]),
value=[permission1],
summary=u'Deleted permission "%s"' % permission1,
)
),
verify_permission_aci_missing(permission1, api.env.basedn),
dict(
desc='Create %r with empty filters [#4206]' % permission1,
command=(
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
ipapermtargetfilter=u'',
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
),
),
),
verify_permission_aci(
permission1, users_dn,
'(targetfilter = "(objectclass=posixaccount)")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
),
]
class test_permission_in_accounts(Declarative):
"""Test managing a permission in cn=accounts"""
tests = [
dict(
desc='Create %r in cn=accounts' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermlocation=DN('cn=accounts', api.env.basedn),
ipapermright=u'add',
attrs=[u'cn'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
attrs=[u'cn'],
ipapermright=[u'add'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[DN('cn=accounts', api.env.basedn)],
),
),
),
verify_permission_aci(
permission1, DN('cn=accounts', api.env.basedn),
'(targetattr = "cn")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (add) groupdn = "ldap:///%s";)' % permission1_dn,
),
dict(
desc='Delete %r' % permission1,
command=(
'permission_del', [permission1], {}
),
expected=dict(
result=dict(failed=[]),
value=[permission1],
summary=u'Deleted permission "%s"' % permission1,
)
),
verify_permission_aci_missing(permission1, api.env.basedn),
]
class test_autoadd_operational_attrs(Declarative):
"""Test that read access to operational attributes is automatically added
"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
]
tests = [
dict(
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
ipapermlocation=DN('cn=accounts', api.env.basedn),
ipapermright=u'read',
attrs=[u'ObjectClass'],
)
),
expected=dict(
value=permission1,
summary=u'Added permission "%s"' % permission1,
result=dict(
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
attrs=[u'ObjectClass', u'entryusn', u'createtimestamp',
u'modifytimestamp'],
ipapermright=[u'read'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[DN('cn=accounts', api.env.basedn)],
),
),
),
verify_permission_aci(
permission1, DN('cn=accounts', api.env.basedn),
'(targetattr = "ObjectClass || createtimestamp || entryusn || ' +
'modifytimestamp")' +
'(version 3.0;acl "permission:%s";' % permission1 +
'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
),
]
Reference in New Issue View Git Blame Copy Permalink