freeipa/ipatests/test_xmlrpc/test_user_plugin.py
Tomas Babej d83af7d38d baseldap: Properly handle the case of renaming object to the same name
When renaming a object to the same name, errors.EmptyModList is raised.
This is not properly handled, and can cause other modifications in the
LDAPUpdate command to be ignored.

https://fedorahosted.org/freeipa/ticket/4548

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-29 15:24:58 +02:00

1643 lines
54 KiB
Python

# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Pavel Zuna <pzuna@redhat.com>
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008, 2009 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib/plugins/user.py` module.
"""
import datetime
import ldap
import re
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from ipatests.util import assert_equal, assert_not_equal, raises
from xmlrpc_test import (XMLRPC_test, Declarative, fuzzy_digits, fuzzy_uuid,
fuzzy_password, fuzzy_string, fuzzy_dergeneralizedtime,
add_sid, add_oc)
from ipapython.dn import DN
user1 = u'tuser1'
user2 = u'tuser2'
admin1 = u'admin'
admin2 = u'admin2'
renameduser1 = u'tuser'
group1 = u'group1'
admins_group = u'admins'
invaliduser1 = u'+tuser1'
invaliduser2 = u'tuser1234567890123456789012345678901234567890'
sshpubkey = (u'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDGAX3xAeLeaJggwTqMjxNwa6X'
'HBUAikXPGMzEpVrlLDCZtv00djsFTBi38PkgxBJVkgRWMrcBsr/35lq7P6w8KGI'
'wA8GI48Z0qBS2NBMJ2u9WQ2hjLN6GdMlo77O0uJY3251p12pCVIS/bHRSq8kHO2'
'No8g7KA9fGGcagPfQH+ee3t7HUkpbQkFTmbPPN++r3V8oVUk5LxbryB3UIIVzNm'
'cSIn3JrXynlvui4MixvrtX6zx+O/bBo68o8/eZD26QrahVbA09fivrn/4h3TM01'
'9Eu/c2jOdckfU3cHUV/3Tno5d6JicibyaoDDK7S/yjdn5jhaz8MSEayQvFkZkiF'
'0L public key test')
sshpubkeyfp = (u'13:67:6B:BF:4E:A2:05:8E:AE:25:8B:A1:31:DE:6F:1B '
'public key test (ssh-rsa)')
validlanguage1 = u'en-US;q=0.987 , en, abcdfgh-abcdefgh;q=1 , a;q=1.000'
validlanguage2 = u'*'
invalidlanguage1 = u'abcdfghji-abcdfghji'
invalidlanguage2 = u'en-us;q=0,123'
invalidlanguage3 = u'en-us;q=0.1234'
invalidlanguage4 = u'en-us;q=1.1'
invalidlanguage5 = u'en-us;q=1.0000'
principal_expiration_string = "2020-12-07T19:54:13Z"
principal_expiration_date = datetime.datetime(2020, 12, 7, 19, 54, 13)
invalid_expiration_string = "2020-12-07 19:54:13"
expired_expiration_string = "1991-12-07T19:54:13Z"
# Date in ISO format (2013-12-10T12:00:00)
isodate_re = re.compile('^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$')
def get_user_result(uid, givenname, sn, operation='show', omit=[],
**overrides):
"""Get a user result for a user-{add,mod,find,show} command
This gives the result as from a user_add(uid, givenname=givenname, sn=sn);
modifications to that can be specified in ``omit`` and ``overrides``.
The ``operation`` can be one of:
- add
- show
- show-all ((show with the --all flag)
- find
- mod
Attributes named in ``omit`` are removed from the result; any additional
or non-default values can be specified in ``overrides``.
"""
# sn can be None; this should only be used from `get_admin_result`
cn = overrides.get('cn', ['%s %s' % (givenname, sn or '')])
cn[0] = cn[0].strip()
result = add_sid(dict(
homedirectory=[u'/home/%s' % uid],
loginshell=[u'/bin/sh'],
uid=[uid],
uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits],
mail=[u'%s@%s' % (uid, api.env.domain)],
has_keytab=False,
has_password=False,
))
if sn:
result['sn'] = [sn]
if givenname:
result['givenname'] = [givenname]
if operation in ('add', 'show', 'show-all', 'find'):
result.update(
dn=get_user_dn(uid),
)
if operation in ('add', 'show-all'):
result.update(
cn=cn,
displayname=cn,
gecos=cn,
initials=[givenname[0] + (sn or '')[:1]],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[get_group_dn(uid)],
objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
)
if operation in ('show', 'show-all', 'find', 'mod'):
result.update(
nsaccountlock=False,
)
if operation in ('add', 'show', 'show-all', 'mod'):
result.update(
memberof_group=[u'ipausers'],
)
for key in omit:
del result[key]
result.update(overrides)
return result
def get_admin_result(operation='show', **overrides):
"""Give the result for the default admin user
Any additional or non-default values can be given in ``overrides``.
"""
result = get_user_result(u'admin', None, u'Administrator', operation,
omit=['mail'],
has_keytab=True,
has_password=True,
loginshell=[u'/bin/bash'],
**overrides)
return result
def get_user_dn(uid):
return DN(('uid', uid), api.env.container_user, api.env.basedn)
def get_group_dn(cn):
return DN(('cn', cn), api.env.container_group, api.env.basedn)
def upg_check(response):
"""Check that the user was assigned to the corresponding private group."""
assert_equal(response['result']['uidnumber'],
response['result']['gidnumber'])
return True
def not_upg_check(response):
"""
Check that the user was not assigned to the corresponding
private group.
"""
assert_not_equal(response['result']['uidnumber'],
response['result']['gidnumber'])
return True
class test_user(Declarative):
cleanup_commands = [
('user_del', [user1, user2, renameduser1, admin2], {'continue': True}),
('group_del', [group1], {}),
('automember_default_group_remove', [], {'type': u'group'}),
]
tests = [
dict(
desc='Try to retrieve non-existent "%s"' % user1,
command=('user_show', [user1], {}),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Try to update non-existent "%s"' % user1,
command=('user_mod', [user1], dict(givenname=u'Foo')),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Try to delete non-existent "%s"' % user1,
command=('user_del', [user1], {}),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Try to rename non-existent "%s"' % user1,
command=('user_mod', [user1],
dict(setattr=u'uid=%s' % renameduser1)),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Create "%s"' % user1,
command=(
'user_add',
[user1],
dict(
givenname=u'Test',
sn=u'User1',
userclass=u'testusers'
)
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1,
u'Test',
u'User1',
'add',
userclass=[u'testusers'],
objectclass=add_oc(
objectclasses.user,
u'ipantuserattrs'
) + [u'ipauser']
),
),
extra_check = upg_check,
),
dict(
desc='Try to create duplicate "%s"' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=errors.DuplicateEntry(
message=u'user with name "%s" already exists' % user1),
),
dict(
desc='Retrieve "%s"' % user1,
command=(
'user_show', [user1], {}
),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'show',
userclass=[u'testusers']
),
value=user1,
summary=None,
),
),
dict(
desc='Remove userclass for user "%s"' % user1,
command=('user_mod', [user1], dict(userclass=u'')),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod'),
value=user1,
summary=u'Modified user "%s"' % user1,
),
),
dict(
desc='Search for "%s" with all=True' % user1,
command=(
'user_find', [user1], {'all': True}
),
expected=dict(
result=[
get_user_result(
user1,
u'Test',
u'User1',
'show-all',
objectclass=add_oc(
objectclasses.user,
u'ipantuserattrs'
) + [u'ipauser']
),
],
summary=u'1 user matched',
count=1, truncated=False,
),
),
dict(
desc='Search for "%s" with pkey-only=True' % user1,
command=(
'user_find', [user1], {'pkey_only': True}
),
expected=dict(
result=[
{
'dn': get_user_dn(user1),
'uid': [user1],
},
],
summary=u'1 user matched',
count=1, truncated=False,
),
),
dict(
desc='Search for "%s" with minimal attributes' % user1,
command=(
'user_find', [user1], {}
),
expected=dict(
result=[
get_user_result(user1, u'Test', u'User1', 'find'),
],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Search for all users',
command=(
'user_find', [], {}
),
expected=dict(
result=[
get_admin_result('find'),
get_user_result(user1, u'Test', u'User1', 'find'),
],
summary=u'2 users matched',
count=2,
truncated=False,
),
),
dict(
desc='Search for all users with a limit of 1',
command=(
'user_find', [], dict(sizelimit=1,),
),
expected=dict(
result=[get_admin_result('find')],
summary=u'1 user matched',
count=1,
truncated=True,
),
),
dict(
desc='Disable "%s"' % user1,
command=(
'user_disable', [user1], {}
),
expected=dict(
result=True,
value=user1,
summary=u'Disabled user account "%s"' % user1,
),
),
dict(
desc='Assert user is disabled',
command=('user_find', [user1], {}),
expected=dict(
result=[get_user_result(user1, u'Test', u'User1', 'find',
nsaccountlock=True)],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Enable "%s"' % user1,
command=(
'user_enable', [user1], {}
),
expected=dict(
result=True,
value=user1,
summary=u'Enabled user account "%s"' % user1,
),
),
dict(
desc='Assert user "%s" is enabled' % user1,
command=('user_find', [user1], {}),
expected=dict(
result=[get_user_result(user1, u'Test', u'User1', 'find')],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Disable "%s" using setattr' % user1,
command=('user_mod', [user1], dict(setattr=u'nsaccountlock=True')),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
nsaccountlock=True),
value=user1,
summary=u'Modified user "%s"' % user1,
),
),
dict(
desc='Enable "%s" using setattr' % user1,
command=('user_mod', [user1], dict(setattr=u'nsaccountlock=False')),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod'),
value=user1,
summary=u'Modified user "%s"' % user1,
),
),
dict(
desc='Disable "%s" using user_mod' % user1,
command=('user_mod', [user1], dict(nsaccountlock=True)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
nsaccountlock=True),
value=user1,
summary=u'Modified user "%s"' % user1,
),
),
dict(
desc='Enable "%s" using user_mod' % user1,
command=('user_mod', [user1], dict(nsaccountlock=False)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod'),
value=user1,
summary=u'Modified user "%s"' % user1,
),
),
dict(
desc='Try setting virtual attribute on "%s" using setattr' % user1,
command=('user_mod', [user1], dict(setattr=u'random=xyz123')),
expected=errors.ObjectclassViolation(
info='attribute "random" not allowed'),
),
dict(
desc='Update "%s"' % user1,
command=(
'user_mod', [user1], dict(givenname=u'Finkle')
),
expected=dict(
result=get_user_result(user1, u'Finkle', u'User1', 'mod'),
summary=u'Modified user "%s"' % user1,
value=user1,
),
),
dict(
desc='Try updating the krb ticket policy of "%s"' % user1,
command=(
'user_mod', [user1], dict(setattr=u'krbmaxticketlife=88000')
),
expected=errors.ObjectclassViolation(
info=u'attribute "krbmaxticketlife" not allowed'),
),
dict(
desc='Retrieve "%s" to verify update' % user1,
command=('user_show', [user1], {}),
expected=dict(
result=get_user_result(user1, u'Finkle', u'User1', 'show'),
summary=None,
value=user1,
),
),
dict(
desc='Rename "%s"' % user1,
command=('user_mod', [user1],
dict(setattr=u'uid=%s' % renameduser1)),
expected=dict(
result=get_user_result(
renameduser1, u'Finkle', u'User1', 'mod',
mail=[u'%s@%s' % (user1, api.env.domain)],
homedirectory=[u'/home/%s' % user1]),
summary=u'Modified user "%s"' % user1,
value=user1,
),
),
dict(
desc='Rename "%s" to same value' % renameduser1,
command=('user_mod', [renameduser1],
dict(setattr=u'uid=%s' % renameduser1)),
expected=errors.EmptyModlist(),
),
dict(
desc='Rename "%s" to same value, check that other modifications '
'are performed' % renameduser1,
command=('user_mod', [renameduser1],
dict(setattr=u'uid=%s' % renameduser1,
loginshell=u'/bin/bash')),
expected=dict(
result=get_user_result(
renameduser1, u'Finkle', u'User1', 'mod',
mail=[u'%s@%s' % (user1, api.env.domain)],
homedirectory=[u'/home/%s' % user1],
loginshell=[u'/bin/bash']),
summary=u'Modified user "%s"' % renameduser1,
value=renameduser1,
),
),
dict(
desc='Rename back "%s"' % renameduser1,
command=('user_mod', [renameduser1],
dict(setattr=u'uid=%s' % user1, loginshell=u'/bin/sh')),
expected=dict(
result=get_user_result(user1, u'Finkle', u'User1', 'mod'),
summary=u'Modified user "%s"' % renameduser1,
value=renameduser1,
),
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Try to delete non-existent "%s"' % user1,
command=('user_del', [user1], {}),
expected=errors.NotFound(reason=u'tuser1: user not found'),
),
dict(
desc='Create user "%s" with krb ticket policy' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
setattr=u'krbmaxticketlife=88000')
),
expected=errors.ObjectclassViolation(
info='attribute "krbmaxticketlife" not allowed'),
),
dict(
desc='Create "%s" with SSH public key' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
ipasshpubkey=[sshpubkey])
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1, u'Test', u'User1', 'add',
objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
ipasshpubkey=[sshpubkey],
sshpubkeyfp=[sshpubkeyfp],
),
),
extra_check = upg_check,
),
dict(
desc='Add an illegal SSH public key to "%r"' % user1,
command=('user_mod', [user1],
dict(ipasshpubkey=[u"anal nathrach orth' bhais's bethad "
"do che'l de'nmha"])),
expected=errors.ValidationError(name='sshpubkey',
error=u'invalid SSH public key'),
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Create "%s"' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
extra_check = upg_check,
),
dict(
desc='Create "%s"' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2')
),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
extra_check = upg_check,
),
dict(
desc='Make non-existent "%s" the manager of "%s"' % (renameduser1,
user2),
command=('user_mod', [user2], dict(manager=renameduser1)),
expected=errors.NotFound(
reason=u'manager %s not found' % renameduser1),
),
dict(
desc='Make "%s" the manager of "%s"' % (user1, user2),
command=('user_mod', [user2], dict(manager=user1)),
expected=dict(
result=get_user_result(user2, u'Test', u'User2', 'mod',
manager=[user1]),
summary=u'Modified user "%s"' % user2,
value=user2,
),
),
dict(
desc='Search for "%s" with manager "%s"' % (user2, user1),
command=(
'user_find', [user2], {'manager': user1}
),
expected=dict(
result=[get_user_result(user2, u'Test', u'User2', 'find',
manager=[user1])],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Delete "%s" and "%s" at the same time' % (user1, user2),
command=('user_del', [user1, user2], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "tuser1,tuser2"',
value=[user1, user2],
),
),
dict(
desc='Try to retrieve non-existent "%s"' % user1,
command=('user_show', [user1], {}),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Try to update non-existent "%s"' % user1,
command=('user_mod', [user1], dict(givenname=u'Foo')),
expected=errors.NotFound(reason=u'%s: user not found' % user1),
),
dict(
desc='Test an invalid login name "%s"' % invaliduser1,
command=('user_add', [invaliduser1], dict(givenname=u'Test',
sn=u'User1')),
expected=errors.ValidationError(name='login',
error=u'may only include letters, numbers, _, -, . and $'),
),
dict(
desc='Test a login name that is too long "%s"' % invaliduser2,
command=('user_add', [invaliduser2],
dict(givenname=u'Test', sn=u'User1')),
expected=errors.ValidationError(name='login',
error='can be at most 32 characters'),
),
# The assumption on these next 4 tests is that if we don't get a
# validation error then the request was processed normally.
dict(
desc='Test that validation is disabled on deletes',
command=('user_del', [invaliduser1], {}),
expected=errors.NotFound(
reason=u'%s: user not found' % invaliduser1),
),
dict(
desc='Test that validation is disabled on show',
command=('user_show', [invaliduser1], {}),
expected=errors.NotFound(
reason=u'%s: user not found' % invaliduser1),
),
dict(
desc='Test that validation is disabled on find',
command=('user_find', [invaliduser1], {}),
expected=dict(
count=0,
truncated=False,
summary=u'0 users matched',
result=[],
),
),
dict(
desc='Try to rename to invalid username "%s"' % user1,
command=('user_mod', [user1], dict(rename=invaliduser1)),
expected=errors.ValidationError(name='rename',
error=u'may only include letters, numbers, _, -, . and $'),
),
dict(
desc='Try to rename to a username that is too long "%s"' % user1,
command=('user_mod', [user1], dict(rename=invaliduser2)),
expected=errors.ValidationError(name='login',
error='can be at most 32 characters'),
),
dict(
desc='Create "%s"' % group1,
command=(
'group_add', [group1], dict(description=u'Test desc')
),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(
cn=[group1],
description=[u'Test desc'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=get_group_dn(group1),
),
),
),
dict(
desc='Try to user "%s" where the managed group exists' % group1,
command=(
'user_add', [group1], dict(givenname=u'Test', sn=u'User1')
),
expected=errors.ManagedGroupExistsError(group=group1)
),
dict(
desc='Create "%s" with a full address' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
street=u'123 Maple Rd', l=u'Anytown', st=u'MD',
telephonenumber=u'410-555-1212', postalcode=u'01234-5678')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1, u'Test', u'User1', 'add',
street=[u'123 Maple Rd'], l=[u'Anytown'], st=[u'MD'],
telephonenumber=[u'410-555-1212'],
postalcode=[u'01234-5678'],
),
),
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Create "%s" with random password' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
random=True)
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1, u'Test', u'User1', 'add',
randompassword=fuzzy_password,
has_keytab=True, has_password=True,
krbextradata=[fuzzy_string],
krbpasswordexpiration=[fuzzy_dergeneralizedtime],
krblastpwdchange=[fuzzy_dergeneralizedtime]
),
),
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Create "%s"' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2')
),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
),
dict(
desc='Modify "%s" with random password' % user2,
command=(
'user_mod', [user2], dict(random=True)
),
expected=dict(
result=get_user_result(
user2, u'Test', u'User2', 'mod',
randompassword=fuzzy_password,
has_keytab=True, has_password=True,
),
summary=u'Modified user "%s"' % user2,
value=user2,
),
),
dict(
desc='Delete "%s"' % user2,
command=('user_del', [user2], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user2,
value=[user2],
),
),
dict(
desc='Create user "%s" with upper-case principal' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
krbprincipalname=user1.upper())
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Create user "%s" with bad realm in principal' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
krbprincipalname='%s@NOTFOUND.ORG' % user1)
),
expected=errors.RealmMismatch()
),
dict(
desc='Create user "%s" with malformed principal' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
krbprincipalname='%s@BAD@NOTFOUND.ORG' % user1)
),
expected=errors.MalformedUserPrincipal(
principal='%s@BAD@NOTFOUND.ORG' % user1),
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Change default home directory',
command=(
'config_mod', [], dict(ipahomesrootdir=u'/other-home'),
),
expected=lambda x, output: x is None,
),
dict(
desc=('Create user "%s" with different default '
'home directory' % user1),
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add',
homedirectory=[u'/other-home/tuser1']),
),
),
dict(
desc='Reset default home directory',
command=(
'config_mod', [], dict(ipahomesrootdir=u'/home'),
),
expected=lambda x, output: x is None,
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Change default login shell',
command=(
'config_mod', [],
dict(ipadefaultloginshell=u'/usr/bin/ipython'),
),
expected=lambda x, output: x is None,
),
dict(
desc='Create user "%s" with different default login shell' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add',
loginshell=[u'/usr/bin/ipython']),
),
),
dict(
desc='Reset default login shell',
command=(
'config_mod', [], dict(ipadefaultloginshell=u'/bin/sh'),
),
expected=lambda x, output: x is None,
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Create "%s" without UPG' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
noprivate=True)
),
expected=errors.NotFound(
reason='Default group for new users is not POSIX'),
),
dict(
desc='Create "%s" without UPG with GID explicitly set' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2',
noprivate=True, gidnumber=1000)
),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(
user2, u'Test', u'User2', 'add',
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
gidnumber=[u'1000'],
description=[],
omit=['mepmanagedentry'],
),
),
),
dict(
desc='Delete "%s"' % user2,
command=('user_del', [user2], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user2,
value=[user2],
),
),
dict(
desc='Change default user group',
command=(
'config_mod', [], dict(ipadefaultprimarygroup=group1),
),
expected=lambda x, output: x is None,
),
dict(
desc='Create "%s" without UPG' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
noprivate=True)
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1, u'Test', u'User1', 'add',
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
description=[],
memberof_group=[group1],
omit=['mepmanagedentry'],
),
),
extra_check = not_upg_check,
),
dict(
desc='Create "%s" without UPG with GID explicitly set' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2',
noprivate=True, gidnumber=1000)
),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(
user2, u'Test', u'User2', 'add',
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
description=[],
gidnumber=[u'1000'],
memberof_group=[group1],
omit=['mepmanagedentry'],
),
),
),
dict(
desc='Set %r as manager of %r' % (user1, user2),
command=(
'user_mod', [user2], dict(manager=user1)
),
expected=dict(
result=get_user_result(user2, u'Test', u'User2', 'mod',
gidnumber=[u'1000'],
memberof_group=[group1],
manager=[user1]),
summary=u'Modified user "%s"' % user2,
value=user2,
),
),
dict(
desc='Rename "%s"' % user1,
command=('user_mod', [user1], dict(rename=renameduser1)),
expected=dict(
result=get_user_result(
renameduser1, u'Test', u'User1', 'mod',
homedirectory=[u'/home/%s' % user1],
mail=[u'%s@%s' % (user1, api.env.domain)],
memberof_group=[group1],
),
summary=u'Modified user "%s"' % user1,
value=user1,
),
),
dict(
desc='Retrieve %r and check that manager is renamed' % user2,
command=(
'user_show', [user2], {'all': True}
),
expected=dict(
result=get_user_result(
user2, u'Test', u'User2', 'show-all',
gidnumber=[u'1000'],
memberof_group=[group1],
manager=[renameduser1],
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
omit=['mepmanagedentry'],
),
value=user2,
summary=None,
),
),
dict(
desc='Delete %r' % renameduser1,
command=('user_del', [renameduser1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % renameduser1,
value=[renameduser1],
),
),
dict(
desc='Retrieve %r and check that manager is gone' % user2,
command=(
'user_show', [user2], {'all': True}
),
expected=dict(
result=get_user_result(
user2, u'Test', u'User2', 'show-all',
gidnumber=[u'1000'],
memberof_group=[group1],
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
omit=['mepmanagedentry'],
),
value=user2,
summary=None,
),
),
dict(
desc='Reset default user group',
command=(
'config_mod', [], dict(ipadefaultprimarygroup=u'ipausers'),
),
expected=lambda x, output: x is None,
),
dict(
desc='Try to remove the original admin user "%s"' % admin1,
command=('user_del', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Try to disable the original admin user "%s"' % admin1,
command=('user_disable', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Create 2nd admin user "%s"' % admin2,
command=(
'user_add', [admin2], dict(givenname=u'Second', sn=u'Admin')
),
expected=dict(
value=admin2,
summary=u'Added user "%s"' % admin2,
result=get_user_result(admin2, u'Second', u'Admin', 'add'),
),
),
dict(
desc='Add "%s" to the admins group "%s"' % (admin2, admins_group),
command=('group_add_member', [admins_group], dict(user=admin2)),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
),
),
result={
'dn': get_group_dn(admins_group),
'member_user': [admin1, admin2],
'gidnumber': [fuzzy_digits],
'cn': [admins_group],
'description': [u'Account administrators group'],
},
),
),
dict(
desc=('Retrieve admins group "%s" to verify membership is '
'"%s","%s"' % (admins_group, admin1, admin2)),
command=('group_show', [admins_group], {}),
expected=dict(
value=admins_group,
result=dict(
cn=[admins_group],
gidnumber=[fuzzy_digits],
description=[u'Account administrators group'],
dn=get_group_dn(admins_group),
member_user=[admin1, admin2],
),
summary=None,
),
),
dict(
desc=('Disable 2nd admin user "%s", admins group "%s" should also '
'contain enabled "%s"' % (admin2, admins_group, admin1)),
command=(
'user_disable', [admin2], {}
),
expected=dict(
result=True,
value=admin2,
summary=u'Disabled user account "%s"' % admin2,
),
),
dict(
desc='Assert 2nd admin user "%s" is disabled' % admin2,
command=('user_find', [admin2], {}),
expected=dict(
result=[lambda d: d['nsaccountlock'] is True],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Try to disable the origin admin user "%s"' % admin1,
command=('user_disable', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Try to remove the original admin user "%s"' % admin1,
command=('user_del', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Delete 2nd admin "%s"' % admin2,
command=('user_del', [admin2], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % admin2,
value=[admin2],
),
),
dict(
desc=('Retrieve admins group "%s" to verify membership is "%s"'
% (admins_group, admin1)),
command=('group_show', [admins_group], {}),
expected=dict(
value=admins_group,
result=dict(
cn=[admins_group],
gidnumber=[fuzzy_digits],
description=[u'Account administrators group'],
dn=get_group_dn(admins_group),
member_user=[admin1],
),
summary=None,
),
),
dict(
desc='Assert original admin user "%s" is enabled' % admin1,
command=('user_find', [admin1], {}),
expected=dict(
result=[lambda d: d['nsaccountlock'] is False],
summary=u'1 user matched',
count=1,
truncated=False,
),
),
dict(
desc='Try to remove the original admin user "%s"' % admin1,
command=('user_del', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Try to disable the original admin user "%s"' % admin1,
command=('user_disable', [admin1], {}),
expected=errors.LastMemberError(key=admin1, label=u'group',
container=admins_group),
),
dict(
desc='Set default automember group for groups as ipausers',
command=(
'automember_default_group_set', [], dict(
type=u'group',
automemberdefaultgroup=u'ipausers'
)
),
expected=dict(
result=dict(
cn=[u'Group'],
automemberdefaultgroup=[DN(('cn', 'ipausers'),
('cn', 'groups'),
('cn', 'accounts'),
api.env.basedn)],
),
value=u'group',
summary=u'Set default (fallback) group for automember "group"',
),
),
dict(
desc='Delete "%s"' % user2,
command=('user_del', [user2], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user2,
value=[user2],
),
),
dict(
desc='Create %r' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2')
),
expected=dict(
value=user2,
summary=u'Added user "tuser2"',
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
),
dict(
desc='Create "%s" with UID 999' % user1,
command=(
'user_add', [user1], dict(
givenname=u'Test', sn=u'User1', uidnumber=999)
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add',
uidnumber=[u'999'],
gidnumber=[u'999']),
),
extra_check = upg_check,
),
dict(
desc='Delete "%s"' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
dict(
desc='Create "%s" with old DNA_MAGIC uid 999' % user1,
command=(
'user_add', [user1], dict(
givenname=u'Test', sn=u'User1', uidnumber=999,
version=u'2.49')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1, u'Test', u'User1', 'add',
uidnumber=[lambda v: int(v) != 999],
gidnumber=[lambda v: int(v) != 999],
),
),
extra_check = upg_check,
),
dict(
desc='Set ipauserauthtype for "%s"' % user1,
command=('user_mod', [user1], dict(ipauserauthtype=u'password')),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
ipauserauthtype=[u'password'],
),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Retrieve "%s" to verify ipauserauthtype' % user1,
command=('user_show', [user1], {}),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'show',
ipauserauthtype=[u'password'],
),
value=user1,
summary=None,
),
),
dict(
desc='Unset ipauserauthtype for "%s"' % user1,
command=('user_mod', [user1], dict(ipauserauthtype=None)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod'),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Query status of "%s"' % user1,
command=('user_status', [user1], {}),
expected=dict(
count=1,
result=[
dict(
dn=get_user_dn(user1),
krblastfailedauth=[u'N/A'],
krblastsuccessfulauth=[u'N/A'],
krbloginfailedcount=u'0',
now=isodate_re.match,
server=api.env.host,
),
],
summary=u'Account disabled: False',
truncated=False,
),
),
dict(
desc='Test an invalid preferredlanguage "%s"' % invalidlanguage1,
command=('user_mod', [user1],
dict(preferredlanguage=invalidlanguage1)),
expected=errors.ValidationError(name='preferredlanguage',
error=(u'must match RFC 2068 - 14.4, e.g., '
'"da, en-gb;q=0.8, en;q=0.7"')),
),
dict(
desc='Test an invalid preferredlanguage "%s"' % invalidlanguage2,
command=('user_mod', [user1],
dict(preferredlanguage=invalidlanguage2)),
expected=errors.ValidationError(name='preferredlanguage',
error=(u'must match RFC 2068 - 14.4, e.g., '
'"da, en-gb;q=0.8, en;q=0.7"')),
),
dict(
desc='Test an invalid preferredlanguage "%s"' % invalidlanguage3,
command=('user_mod', [user1],
dict(preferredlanguage=invalidlanguage3)),
expected=errors.ValidationError(name='preferredlanguage',
error=(u'must match RFC 2068 - 14.4, e.g., '
'"da, en-gb;q=0.8, en;q=0.7"')),
),
dict(
desc='Test an invalid preferredlanguage "%s"' % invalidlanguage4,
command=('user_mod', [user1],
dict(preferredlanguage=invalidlanguage4)),
expected=errors.ValidationError(name='preferredlanguage',
error=(u'must match RFC 2068 - 14.4, e.g., '
'"da, en-gb;q=0.8, en;q=0.7"')),
),
dict(
desc='Test an invalid preferredlanguage "%s"' % invalidlanguage5,
command=('user_mod', [user1],
dict(preferredlanguage=invalidlanguage5)),
expected=errors.ValidationError(name='preferredlanguage',
error=(u'must match RFC 2068 - 14.4, e.g., '
'"da, en-gb;q=0.8, en;q=0.7"')),
),
dict(
desc='Set preferredlanguage "%s"' % validlanguage1,
command=('user_mod', [user1],
dict(preferredlanguage=validlanguage1)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
preferredlanguage=[validlanguage1],
),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Set preferredlanguage "%s"' % validlanguage2,
command=('user_mod', [user1],
dict(preferredlanguage=validlanguage2)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
preferredlanguage=[validlanguage2],
),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Set principal expiration "%s"' % principal_expiration_string,
command=('user_mod', [user1],
dict(krbprincipalexpiration=principal_expiration_string)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
krbprincipalexpiration=[principal_expiration_date],
),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Set principal expiration "%s"' % invalid_expiration_string,
command=('user_mod', [user1],
dict(krbprincipalexpiration=invalid_expiration_string)),
expected=errors.ConversionError(name='principal_expiration',
error=(u'does not match any of accepted formats: '
'%Y%m%d%H%M%SZ, %Y-%m-%dT%H:%M:%SZ, %Y-%m-%dT%H:%MZ, '
'%Y-%m-%dZ, %Y-%m-%d %H:%M:%SZ, %Y-%m-%d %H:%MZ')
),
),
]
class test_denied_bind_with_expired_principal(XMLRPC_test):
password = u'random'
@classmethod
def setUpClass(cls):
super(test_denied_bind_with_expired_principal, cls).setUpClass()
cls.connection = ldap.initialize('ldap://{host}'
.format(host=api.env.host))
def test_1_bind_as_test_user(self):
self.failsafe_add(
api.Object.user,
user1,
givenname=u'Test',
sn=u'User1',
userpassword=self.password,
krbprincipalexpiration=principal_expiration_string
)
self.connection.simple_bind_s(str(get_user_dn(user1)), self.password)
def test_2_bind_as_expired_test_user(self):
api.Command['user_mod'](
user1,
krbprincipalexpiration=expired_expiration_string)
raises(ldap.UNWILLING_TO_PERFORM,
self.connection.simple_bind_s,
str(get_user_dn(user1)), self.password)
def test_3_bind_as_renewed_test_user(self):
api.Command['user_mod'](
user1,
krbprincipalexpiration=principal_expiration_string)
self.connection.simple_bind_s(str(get_user_dn(user1)), self.password)