mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
dc73813b8a
An ACI with rights of read, write, search and/or compare without attributes to apply the rights to is effectively a no-op. Allow the ACI to be created but include a warning. Ignore the add and delete rights. While they make no sense in the context of the other rights we should still warn that they are a no-op with no attributes. Use the existing make_aci() object method to create the message and update the add/mod callers to capture and add the message to the result if one is provided. When updating an existing ACI the effective attributes will not be included so fall back to the attributes in the resulting permission. Prior to checking for rights and attributes convert any deprecated names for older clients into the newer values needed by make_aci This is exercised by existing xmlrpc permission tests that create such permissions without attributes. https://pagure.io/freeipa/issue/9188 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
1473 lines
54 KiB
Python
1473 lines
54 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
# Pavel Zuna <pzuna@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
"""
|
|
Test the `ipaserver/plugins/permission.py` module with old API.
|
|
|
|
This ensures basic backwards compatibility for code before
|
|
http://www.freeipa.org/page/V3/Permissions_V2
|
|
"""
|
|
|
|
from ipalib import api, errors
|
|
from ipatests.test_xmlrpc import objectclasses
|
|
from ipatests.test_xmlrpc.xmlrpc_test import Declarative
|
|
from ipapython.dn import DN
|
|
import pytest
|
|
|
|
permission1 = u'testperm'
|
|
permission1_dn = DN(('cn',permission1),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
|
|
permission1_renamed = u'testperm1_rn'
|
|
permission1_renamed_dn = DN(('cn',permission1_renamed),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
permission1_renamed_ucase = u'Testperm_RN'
|
|
permission1_renamed_ucase_dn = DN(('cn',permission1_renamed_ucase),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
|
|
permission2 = u'testperm2'
|
|
permission2_dn = DN(('cn',permission2),
|
|
api.env.container_permission,api.env.basedn)
|
|
|
|
permission3 = u'testperm3'
|
|
permission3_dn = DN(('cn',permission3),
|
|
api.env.container_permission,api.env.basedn)
|
|
permission3_attributelevelrights = {
|
|
'member': u'rscwo',
|
|
'seealso': u'rscwo',
|
|
'ipapermissiontype': u'rscwo',
|
|
'cn': u'rscwo',
|
|
'businesscategory': u'rscwo',
|
|
'objectclass': u'rscwo',
|
|
'memberof': u'rscwo',
|
|
'aci': u'rscwo',
|
|
'o': u'rscwo',
|
|
'owner': u'rscwo',
|
|
'ou': u'rscwo',
|
|
'targetgroup': u'rscwo',
|
|
'type': u'rscwo',
|
|
'nsaccountlock': u'rscwo',
|
|
'description': u'rscwo',
|
|
'attrs': u'rscwo',
|
|
'ipapermincludedattr': u'rscwo',
|
|
'ipapermbindruletype': u'rscwo',
|
|
'ipapermdefaultattr': u'rscwo',
|
|
'ipapermexcludedattr': u'rscwo',
|
|
'subtree': u'rscwo', # old
|
|
'permissions': u'rscwo', # old
|
|
'ipapermtarget': u'rscwo',
|
|
'ipapermtargetfilter': u'rscwo',
|
|
'ipapermtargetto': u'rscwo',
|
|
'ipapermtargetfrom': u'rscwo',
|
|
}
|
|
|
|
privilege1 = u'testpriv1'
|
|
privilege1_dn = DN(('cn',privilege1),
|
|
api.env.container_privilege,api.env.basedn)
|
|
|
|
invalid_permission1 = u'bad;perm'
|
|
|
|
users_dn = DN(api.env.container_user, api.env.basedn)
|
|
groups_dn = DN(api.env.container_group, api.env.basedn)
|
|
hbac_dn = DN(api.env.container_hbac, api.env.basedn)
|
|
|
|
|
|
@pytest.mark.tier1
|
|
class test_old_permission(Declarative):
|
|
default_version = u'2.65'
|
|
|
|
cleanup_commands = [
|
|
('permission_del', [permission1], {}),
|
|
('permission_del', [permission2], {}),
|
|
('permission_del', [permission3], {}),
|
|
('privilege_del', [privilege1], {}),
|
|
]
|
|
|
|
tests = [
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to update non-existent %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(permissions=u'all')),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for non-existent %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to create duplicate %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
),
|
|
),
|
|
expected=errors.DuplicateEntry(
|
|
message='permission with name "%s" already exists' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % privilege1,
|
|
command=('privilege_add', [privilege1],
|
|
dict(description=u'privilege desc. 1')
|
|
),
|
|
expected=dict(
|
|
value=privilege1,
|
|
summary=u'Added privilege "%s"' % privilege1,
|
|
result=dict(
|
|
dn=privilege1_dn,
|
|
cn=[privilege1],
|
|
description=[u'privilege desc. 1'],
|
|
objectclass=objectclasses.privilege,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Add permission %r to privilege %r' % (permission1, privilege1),
|
|
command=('privilege_add_permission', [privilege1],
|
|
dict(permission=permission1)
|
|
),
|
|
expected=dict(
|
|
completed=1,
|
|
failed=dict(
|
|
member=dict(
|
|
permission=[],
|
|
),
|
|
),
|
|
result={
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
'memberof_permission': [permission1],
|
|
}
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r with --raw' % permission1,
|
|
command=('permission_show', [permission1], {'raw' : True}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member': [privilege1_dn],
|
|
'aci': [u'(targetfilter = "(objectclass=posixaccount)")'+
|
|
u'(version 3.0;acl "permission:testperm";' +
|
|
u'allow (write) ' +
|
|
u'groupdn = "ldap:///%s";)' % DN(
|
|
('cn', 'testperm'), ('cn', 'permissions'),
|
|
('cn', 'pbac'), api.env.basedn)],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % permission1,
|
|
command=('permission_find', [permission1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --name with members' % permission1,
|
|
command=('permission_find', [], {
|
|
'cn': permission1, 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --name' % permission1,
|
|
command=('permission_find', [], {'cn': permission1}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for non-existence permission using --name',
|
|
command=('permission_find', [], {'cn': u'notfound'}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % privilege1,
|
|
command=('permission_find', [privilege1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % privilege1,
|
|
command=('permission_find', [privilege1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --raw with members' % permission1,
|
|
command=('permission_find', [permission1], {
|
|
'raw': True, 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member': [privilege1_dn],
|
|
'aci': [u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
|
|
DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --raw' % permission1,
|
|
command=('permission_find', [permission1], {'raw': True}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'aci': [
|
|
u'(targetfilter = "(objectclass=posixaccount)")'
|
|
u'(version 3.0;acl "permission:testperm";'
|
|
u'allow (write) groupdn = "ldap:///%s";)' %
|
|
DN(
|
|
('cn', 'testperm'), ('cn', 'permissions'),
|
|
('cn', 'pbac'), api.env.basedn
|
|
)
|
|
],
|
|
'ipapermright': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
|
|
'ipapermlocation': [users_dn],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create %r' % permission2,
|
|
command=(
|
|
'permission_add', [permission2], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
setattr=u'owner=cn=test',
|
|
addattr=u'owner=cn=test2',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission2,
|
|
summary=u'Added permission "%s"' % permission2,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission2_dn,
|
|
cn=[permission2],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
owner=[u'cn=test', u'cn=test2'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % permission1,
|
|
command=('permission_find', [permission1], {'no_members': False}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with --pkey-only' % permission1,
|
|
command=('permission_find', [permission1], {'pkey_only' : True}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search by ACI attribute with --pkey-only',
|
|
command=('permission_find', [], {'pkey_only': True,
|
|
'attrs': [u'krbminpwdlife']}),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Modify Group Password Policy'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Modify Group Password Policy'],
|
|
},
|
|
{
|
|
'dn': DN(('cn', 'System: Read Group Password Policy'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Read Group Password Policy'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with members' % privilege1,
|
|
command=('privilege_find', [privilege1], {'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 privilege matched',
|
|
result=[
|
|
{
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
'memberof_permission': [permission1],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % privilege1,
|
|
command=('privilege_find', [privilege1], {}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 privilege matched',
|
|
result=[
|
|
{
|
|
'dn': privilege1_dn,
|
|
'cn': [privilege1],
|
|
'description': [u'privilege desc. 1'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc=('Search for %r with a limit of 1 (truncated) with members' %
|
|
permission1),
|
|
command=('permission_find', [permission1], dict(
|
|
sizelimit=1, no_members=False)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with a limit of 1 (truncated)' % permission1,
|
|
command=('permission_find', [permission1], dict(sizelimit=1)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r with a limit of 2' % permission1,
|
|
command=('permission_find', [permission1], dict(sizelimit=2)),
|
|
expected=dict(
|
|
count=2,
|
|
truncated=False,
|
|
summary=u'2 permissions matched',
|
|
result=[
|
|
{
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
{
|
|
'dn': permission2_dn,
|
|
'cn': [permission2],
|
|
'objectclass': objectclasses.permission,
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
# This tests setting truncated to True in the post_callback of
|
|
# permission_find(). The return order in LDAP is not guaranteed
|
|
# so do not check the actual entry.
|
|
dict(
|
|
desc='Search for permissions by attr with a limit of 1 (truncated)',
|
|
command=('permission_find', [u'Modify'],
|
|
dict(attrs=u'ipaenabledflag', sizelimit=1)),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=True,
|
|
summary=u'1 permission matched',
|
|
result=[lambda res:
|
|
DN(res['dn']).endswith(DN(api.env.container_permission,
|
|
api.env.basedn)) and
|
|
'ipapermission' in res['objectclass']],
|
|
messages=({
|
|
'message': (u'Search result has been truncated: '
|
|
u'Configured size limit exceeded'),
|
|
'code': 13017,
|
|
'type': u'warning',
|
|
'name': u'SearchResultTruncated',
|
|
'data': {
|
|
'reason': u"Configured size limit exceeded"
|
|
}
|
|
},),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Update %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
permissions=u'read',
|
|
memberof=u'ipausers',
|
|
setattr=u'owner=cn=other-test',
|
|
addattr=u'owner=cn=other-test2',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has read rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'read',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
member_privilege=[privilege1],
|
|
type=u'user',
|
|
permissions=[u'read'],
|
|
memberof=u'ipausers',
|
|
owner=[u'cn=other-test', u'cn=other-test2'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Retrieve %r to verify update' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'read'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
|
|
dict(
|
|
desc='Try to rename %r to existing permission %r' % (permission1,
|
|
permission2),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=permission2,
|
|
permissions=u'all',)
|
|
),
|
|
expected=errors.DuplicateEntry(),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to rename %r to empty name' % (permission1),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=u'',
|
|
permissions=u'all',)
|
|
),
|
|
expected=errors.ValidationError(name='rename',
|
|
error=u'New name can not be empty'),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Check integrity of original permission %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=None,
|
|
result={
|
|
'dn': permission1_dn,
|
|
'cn': [permission1],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'read'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Rename %r to permission %r' % (permission1,
|
|
permission1_renamed),
|
|
command=(
|
|
'permission_mod', [permission1], dict(rename=permission1_renamed,
|
|
permissions= u'all',)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
result={
|
|
'dn': permission1_renamed_dn,
|
|
'cn': [permission1_renamed],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'all'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Rename %r to permission %r' % (permission1_renamed,
|
|
permission1_renamed_ucase),
|
|
command=(
|
|
'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase,
|
|
permissions= u'write',)
|
|
),
|
|
expected=dict(
|
|
value=permission1_renamed,
|
|
summary=u'Modified permission "%s"' % permission1_renamed,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result={
|
|
'dn': permission1_renamed_ucase_dn,
|
|
'cn': [permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [privilege1],
|
|
'type': u'user',
|
|
'permissions': [u'write'],
|
|
'memberof': u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
'subtree': u'ldap:///%s' % users_dn,
|
|
},
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Change %r to a subtree type' % permission1_renamed_ucase,
|
|
command=(
|
|
'permission_mod', [permission1_renamed_ucase],
|
|
dict(subtree=u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
type=None)
|
|
),
|
|
expected=dict(
|
|
value=permission1_renamed_ucase,
|
|
summary=u'Modified permission "%s"' % permission1_renamed_ucase,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_renamed_ucase_dn,
|
|
cn=[permission1_renamed_ucase],
|
|
objectclass=objectclasses.permission,
|
|
member_privilege=[privilege1],
|
|
subtree=u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
permissions=[u'write'],
|
|
memberof=u'ipausers',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --subtree with members' % permission1,
|
|
command=('permission_find', [], {
|
|
'subtree': u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn),
|
|
'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn':permission1_renamed_ucase_dn,
|
|
'cn':[permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege':[privilege1],
|
|
'subtree':u'ldap:///%s' % DN(('cn', 'accounts'), api.env.basedn),
|
|
'permissions':[u'write'],
|
|
'memberof':u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r using --subtree' % permission1,
|
|
command=('permission_find', [], {
|
|
'subtree': u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn)}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn':permission1_renamed_ucase_dn,
|
|
'cn':[permission1_renamed_ucase],
|
|
'objectclass': objectclasses.permission,
|
|
'subtree':u'ldap:///%s' % DN(
|
|
('cn', 'accounts'), api.env.basedn),
|
|
'permissions':[u'write'],
|
|
'memberof':u'ipausers',
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermissiontype': [u'V2', u'SYSTEM'],
|
|
},
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using nonexistent --subtree',
|
|
command=('permission_find', [], {'subtree': u'ldap:///foo=bar'}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using --targetgroup with members',
|
|
command=('permission_find', [], {
|
|
'targetgroup': u'ipausers', 'no_members': False}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Add User to default group'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Add User to default group'],
|
|
'objectclass': objectclasses.permission,
|
|
'member_privilege': [u'User Administrators'],
|
|
'attrs': [u'member'],
|
|
'targetgroup': u'ipausers',
|
|
'memberindirect_role': [u'User Administrator'],
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermtarget': [DN('cn=ipausers', groups_dn)],
|
|
'subtree': u'ldap:///%s' % groups_dn,
|
|
'ipapermdefaultattr': [u'member'],
|
|
'ipapermissiontype': [u'V2', u'MANAGED', u'SYSTEM'],
|
|
}
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search using --targetgroup',
|
|
command=('permission_find', [], {'targetgroup': u'ipausers'}),
|
|
expected=dict(
|
|
count=1,
|
|
truncated=False,
|
|
summary=u'1 permission matched',
|
|
result=[
|
|
{
|
|
'dn': DN(('cn', 'System: Add User to default group'),
|
|
api.env.container_permission, api.env.basedn),
|
|
'cn': [u'System: Add User to default group'],
|
|
'objectclass': objectclasses.permission,
|
|
'attrs': [u'member'],
|
|
'targetgroup': u'ipausers',
|
|
'permissions': [u'write'],
|
|
'ipapermbindruletype': [u'permission'],
|
|
'ipapermtarget': [DN('cn=ipausers', groups_dn)],
|
|
'subtree': u'ldap:///%s' % groups_dn,
|
|
'ipapermdefaultattr': [u'member'],
|
|
'ipapermissiontype': [u'V2', u'MANAGED', u'SYSTEM'],
|
|
}
|
|
],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission1_renamed_ucase,
|
|
command=('permission_del', [permission1_renamed_ucase], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission1_renamed_ucase,
|
|
summary=u'Deleted permission "%s"' % permission1_renamed_ucase,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to delete non-existent %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to retrieve non-existent %r' % permission1,
|
|
command=('permission_show', [permission1], {}),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Try to update non-existent %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(rename=u'Foo')),
|
|
expected=errors.NotFound(
|
|
reason=u'%s: permission not found' % permission1),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission2,
|
|
command=('permission_del', [permission2], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission2,
|
|
summary=u'Deleted permission "%s"' % permission2,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Search for %r' % permission1,
|
|
command=('permission_find', [permission1], {}),
|
|
expected=dict(
|
|
count=0,
|
|
truncated=False,
|
|
summary=u'0 permissions matched',
|
|
result=[],
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % privilege1,
|
|
command=('privilege_del', [privilege1], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=privilege1,
|
|
summary=u'Deleted privilege "%s"' % privilege1,
|
|
)
|
|
),
|
|
|
|
dict(
|
|
desc='Try to create permission %r with non-existing memberof' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
memberof=u'nonexisting',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=errors.NotFound(reason=u'nonexisting: group not found'),
|
|
),
|
|
|
|
dict(
|
|
desc='Create memberof permission %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
memberof=u'editors',
|
|
permissions=u'write',
|
|
type=u'user',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
memberof=u'editors',
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to update non-existent memberof of %r' % permission1,
|
|
command=('permission_mod', [permission1], dict(
|
|
memberof=u'nonexisting')),
|
|
expected=errors.NotFound(reason=u'nonexisting: group not found'),
|
|
),
|
|
|
|
dict(
|
|
desc='Update memberof permission %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
memberof=u'admins',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
memberof=u'admins',
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Unset memberof of permission %r' % permission1,
|
|
command=(
|
|
'permission_mod', [permission1], dict(
|
|
memberof=None,
|
|
)
|
|
),
|
|
expected=dict(
|
|
summary=u'Modified permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
value=permission1,
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
permissions=[u'write'],
|
|
type=u'user',
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Delete %r' % permission1,
|
|
command=('permission_del', [permission1], {}),
|
|
expected=dict(
|
|
result=dict(failed=u''),
|
|
value=permission1,
|
|
summary=u'Deleted permission "%s"' % permission1,
|
|
)
|
|
),
|
|
|
|
|
|
dict(
|
|
desc='Create targetgroup permission %r' % permission1,
|
|
command=(
|
|
'permission_add', [permission1], dict(
|
|
targetgroup=u'editors',
|
|
permissions=u'write',
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission1,
|
|
summary=u'Added permission "%s"' % permission1,
|
|
messages=(
|
|
{
|
|
'message': ('The permission has write rights but no '
|
|
'attributes are set.'),
|
|
'code': 13032,
|
|
'type': 'warning',
|
|
'name': 'MissingTargetAttributesinPermission',
|
|
'data': {
|
|
'right': 'write',
|
|
}
|
|
},
|
|
),
|
|
result=dict(
|
|
dn=permission1_dn,
|
|
cn=[permission1],
|
|
objectclass=objectclasses.permission,
|
|
targetgroup=u'editors',
|
|
permissions=[u'write'],
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtarget=[DN('cn=editors', groups_dn)],
|
|
subtree=u'ldap:///%s' % api.env.basedn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Try to create invalid %r' % invalid_permission1,
|
|
command=('permission_add', [invalid_permission1], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
)),
|
|
expected=errors.ValidationError(name='name',
|
|
error='May only contain letters, numbers, -, _, ., and space'),
|
|
),
|
|
|
|
dict(
|
|
desc='Create %r' % permission3,
|
|
command=(
|
|
'permission_add', [permission3], dict(
|
|
type=u'user',
|
|
permissions=u'write',
|
|
attrs=[u'cn']
|
|
)
|
|
),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=u'Added permission "%s"' % permission3,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
permissions=[u'write'],
|
|
attrs=(u'cn',),
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Retrieve %r with --all --rights' % permission3,
|
|
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=None,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
attrs=(u'cn',),
|
|
ipapermincludedattr=[u'cn'],
|
|
permissions=[u'write'],
|
|
attributelevelrights=permission3_attributelevelrights,
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
|
|
dict(
|
|
desc='Modify %r with --all -rights' % permission3,
|
|
command=('permission_mod', [permission3], {'all' : True, 'rights': True, 'attrs':[u'cn',u'uid']}),
|
|
expected=dict(
|
|
value=permission3,
|
|
summary=u'Modified permission "%s"' % permission3,
|
|
result=dict(
|
|
dn=permission3_dn,
|
|
cn=[permission3],
|
|
objectclass=objectclasses.permission,
|
|
type=u'user',
|
|
attrs=(u'cn',u'uid'),
|
|
ipapermincludedattr=[u'cn', u'uid'],
|
|
permissions=[u'write'],
|
|
attributelevelrights=permission3_attributelevelrights,
|
|
ipapermbindruletype=[u'permission'],
|
|
ipapermissiontype=[u'V2', u'SYSTEM'],
|
|
ipapermtargetfilter=[u'(objectclass=posixaccount)'],
|
|
subtree=u'ldap:///%s' % users_dn,
|
|
),
|
|
),
|
|
),
|
|
]
|