IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-28 18:01:23 -06:00
Code Issues Packages Projects Releases Wiki Activity
bdc80fe372
freeipa/tests/test_xmlrpc/test_krbtpolicy.py
Rob Crittenden 109b79a7ac Change the way has_keytab is determined, also check for password. 
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
2011-08-24 14:12:01 +02:00

154 lines
4.7 KiB
Python
Raw Blame History

# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2011 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
Test kerberos ticket policy
"""
from ipalib import api, errors
from tests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
from ipalib.dn import *
user1 = u'tuser1'
class test_krbtpolicy(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
]
tests = [
dict(
desc='Reset global policy',
command=(
'krbtpolicy_reset', [], {}
),
expected=dict(
value=u'',
summary=None,
result=dict(
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Show global policy',
command=(
'krbtpolicy_show', [], {}
),
expected=dict(
value=u'',
summary=None,
result=dict(
dn=lambda x: DN(x) == \
DN(('cn',api.env.domain),('cn','kerberos'),
api.env.basedn),
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Update global policy',
command=(
'krbtpolicy_mod', [], dict(krbmaxticketlife=3600)
),
expected=dict(
value=u'',
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Create %r' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=dict(
gecos=[u'Test User1'],
givenname=[u'Test'],
homedirectory=[u'/home/tuser1'],
krbprincipalname=[u'tuser1@' + api.env.realm],
loginshell=[u'/bin/sh'],
objectclass=objectclasses.user,
sn=[u'User1'],
uid=[user1],
uidnumber=[fuzzy_digits],
gidnumber=[fuzzy_digits],
displayname=[u'Test User1'],
cn=[u'Test User1'],
initials=[u'TU'],
ipauniqueid=[fuzzy_uuid],
krbpwdpolicyreference=lambda x: [DN(i) for i in x] == \
[DN(('cn','global_policy'),('cn',api.env.realm),
('cn','kerberos'),api.env.basedn)],
mepmanagedentry=lambda x: [DN(i) for i in x] == \
[DN(('cn',user1),('cn','groups'),('cn','accounts'),
api.env.basedn)],
memberof_group=[u'ipausers'],
has_keytab=False,
has_password=False,
dn=lambda x: DN(x) == \
DN(('uid',user1),('cn','users'),('cn','accounts'),
api.env.basedn)
),
),
),
dict(
desc='Update user ticket policy',
command=(
'krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)
),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
),
),
),
dict(
desc='Try updating other user attribute',
command=(
'krbtpolicy_mod', [user1], dict(setattr=u'givenname=Pete')
),
expected=errors.ObjectclassViolation(info='attribute "givenname" not allowed'),
),
]
Reference in New Issue View Git Blame Copy Permalink