IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
a620ac0f6f
freeipa/ipatests/test_ipalib/test_aci.py
Rob Crittenden 036d51d514
Handle subyptes in ACIs 
While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 08:38:03 +02:00

177 lines
9.3 KiB
Python
Raw Blame History

# Authors:
# Rob Crittenden <rcritten@redhat.com>
# Petr Viktorin <pviktori@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test the `ipalib.aci` module.
"""
from __future__ import print_function
from ipalib.aci import ACI
import pytest
pytestmark = pytest.mark.tier0
def check_aci_parsing(source, expected):
a = ACI(source)
print('ACI was: ', a)
print('Expected:', expected)
assert str(ACI(source)) == expected
def test_aci_parsing_1():
check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)',
'(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)')
def test_aci_parsing_1_with_aci_keyword():
check_aci_parsing('(targetattr="title")(targetfilter="(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;aci "foobar";allow (write) groupdn="ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)',
'(targetattr = "title")(targetfilter = "(memberOf=cn=bar,cn=groups,cn=accounts ,dc=example,dc=com)")(version 3.0;acl "foobar";allow (write) groupdn = "ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com";)')
def test_aci_parsing_2():
check_aci_parsing('(target="ldap:///uid=bjensen,dc=example,dc=com")(targetattr=*) (version 3.0;acl "aci1";allow (write) userdn="ldap:///self";)',
'(target = "ldap:///uid=bjensen,dc=example,dc=com")(targetattr = "*")(version 3.0;acl "aci1";allow (write) userdn = "ldap:///self";)')
def test_aci_parsing_3():
check_aci_parsing(' (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)',
'(targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)')
def test_aci_parsing_4():
check_aci_parsing('(target="ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn="ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)',
'(target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user";allow (add) groupdn = "ldap:///cn=add_user,cn=taskgroups,dc=example,dc=com";)')
def test_aci_parsing_5():
check_aci_parsing('(targetattr=member)(target="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)',
'(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(targetattr = "member")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)')
def test_aci_parsing_6():
check_aci_parsing('(targetattr!=member)(targe="ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn="ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)',
'(targe = "ldap:///cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com")(targetattr != "member")(version 3.0;acl "add_user_to_default_group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=taskgroups,dc=example,dc=com";)')
def test_aci_parsing_7():
check_aci_parsing('(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "change_password"; allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)',
'(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "change_password";allow (write) groupdn = "ldap:///cn=change_password,cn=taskgroups,dc=example,dc=com";)')
def make_test_aci():
a = ACI()
a.name ="foo"
a.set_target_attr(['title','givenname'], "!=")
a.set_bindrule_keyword("groupdn")
a.set_bindrule_operator("=")
a.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
a.permissions = ['read','write','add']
return a
def test_aci_equality():
a = make_test_aci()
print(a)
b = ACI()
b.name ="foo"
b.set_target_attr(['givenname','title'], "!=")
b.set_bindrule_keyword("groupdn")
b.set_bindrule_operator("=")
b.set_bindrule_expression("\"ldap:///cn=foo,cn=groups,cn=accounts,dc=example,dc=com\"")
b.permissions = ['add','read','write']
print(b)
assert a.isequal(b)
assert a == b
assert not a != b # pylint: disable=unneeded-not
def check_aci_inequality(b):
a = make_test_aci()
print(a)
print(b)
assert not a.isequal(b)
assert not a == b
assert a != b
def test_aci_inequality_targetattr_expression():
b = make_test_aci()
b.set_target_attr(['givenname'], "!=")
check_aci_inequality(b)
def test_aci_inequality_targetattr_op():
b = make_test_aci()
b.set_target_attr(['givenname', 'title'], "=")
check_aci_inequality(b)
def test_aci_inequality_targetfilter():
b = make_test_aci()
b.set_target_filter('(objectclass=*)', "=")
check_aci_inequality(b)
def test_aci_inequality_target():
b = make_test_aci()
b.set_target("ldap:///cn=bar,cn=groups,cn=accounts,dc=example,dc=com", "=")
check_aci_inequality(b)
def test_aci_inequality_bindrule_keyword():
b = make_test_aci()
b.set_bindrule_keyword("userdn")
check_aci_inequality(b)
def test_aci_inequality_bindrule_op():
b = make_test_aci()
b.set_bindrule_operator("!=")
check_aci_inequality(b)
def test_aci_inequality_bindrule_expression():
b = make_test_aci()
b.set_bindrule_expression("\"ldap:///cn=bar,cn=groups,cn=accounts,dc=example,dc=com\"")
check_aci_inequality(b)
def test_aci_inequality_permissions():
b = make_test_aci()
b.permissions = ['read', 'search', 'compare']
check_aci_inequality(b)
def test_aci_parsing_8():
check_aci_parsing('(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)',
'(targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0;acl "Enable Anonymous access";allow (read,search,compare) userdn = "ldap:///anyone";)')
def test_aci_parsing_9():
check_aci_parsing('(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Account Admins can manage Users and Groups"; allow (add, delete, read, write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)',
'(targetattr != "aci || userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(targetfilter = "(|(objectClass=person)(objectClass=krbPrincipalAux)(objectClass=posixAccount)(objectClass=groupOfNames)(objectClass=posixGroup))")(version 3.0;acl "Account Admins can manage Users and Groups";allow (add,delete,read,write) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=greyoak,dc=com";)')
def test_aci_parsing_10():
"""test subtypes"""
check_aci_parsing('(targetattr="ipaProtectedOperation;read_keys")'
'(version 3.0; acl "Allow trust agents to retrieve '
'keytab keys for cross realm principals"; allow(read) '
'userattr="ipaAllowedToPerform;read_keys#GROUPDN";)',
'(targetattr = "ipaProtectedOperation;read || keys")'
'(version 3.0;acl "Allow trust agents to retrieve '
'keytab keys for cross realm principals";allow (read) '
'userattr = "ipaAllowedToPerform;read_keys#GROUPDN";)')
Reference in New Issue View Git Blame Copy Permalink