mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
b216701d9a
Commands like ipa group-add-member-manager now show permission errors on failed operations. Fixes: https://pagure.io/freeipa/issue/8122 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
215 lines
7.2 KiB
Python
215 lines
7.2 KiB
Python
#
|
|
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
|
|
#
|
|
"""Tests for member manager feature
|
|
"""
|
|
from ipatests.test_integration.base import IntegrationTest
|
|
from ipatests.pytest_ipa.integration import tasks
|
|
|
|
|
|
PASSWORD = "DummyPassword123"
|
|
# direct member manager
|
|
USER_MM = "mmuser"
|
|
# indirect member manager through group membership
|
|
USER_INDIRECT = "indirect_mmuser"
|
|
GROUP_INDIRECT = "group_indirect"
|
|
|
|
USER1 = "testuser1"
|
|
USER2 = "testuser2"
|
|
GROUP1 = "testgroup1"
|
|
GROUP2 = "testgroup2"
|
|
HOSTGROUP1 = "testhostgroup1"
|
|
|
|
|
|
class TestMemberManager(IntegrationTest):
|
|
"""Tests for member manager feature for groups and hostgroups
|
|
"""
|
|
topology = "line"
|
|
|
|
@classmethod
|
|
def install(cls, mh):
|
|
super(TestMemberManager, cls).install(mh)
|
|
master = cls.master
|
|
|
|
tasks.create_active_user(master, USER_MM, PASSWORD)
|
|
tasks.create_active_user(master, USER_INDIRECT, PASSWORD)
|
|
tasks.create_active_user(master, USER1, PASSWORD)
|
|
|
|
tasks.kinit_admin(master)
|
|
tasks.group_add(master, GROUP_INDIRECT)
|
|
master.run_command([
|
|
'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT
|
|
])
|
|
|
|
tasks.user_add(master, USER2)
|
|
tasks.group_add(master, GROUP1)
|
|
tasks.group_add(master, GROUP2)
|
|
master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1])
|
|
|
|
# make mmuser a member manager for group and hostgroup
|
|
master.run_command([
|
|
'ipa', 'group-add-member-manager', GROUP1,
|
|
'--users', USER_MM
|
|
])
|
|
master.run_command([
|
|
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
|
|
'--users', USER_MM
|
|
])
|
|
# make indirect group member manager for group and hostgroup
|
|
master.run_command([
|
|
'ipa', 'group-add-member-manager', GROUP1,
|
|
'--groups', GROUP_INDIRECT
|
|
])
|
|
master.run_command([
|
|
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
|
|
'--groups', GROUP_INDIRECT
|
|
])
|
|
tasks.kdestroy_all(master)
|
|
|
|
def test_show_member_manager(self):
|
|
master = self.master
|
|
tasks.kinit_admin(master)
|
|
|
|
result = master.run_command(['ipa', 'group-show', GROUP1])
|
|
out = result.stdout_text
|
|
assert f"Membership managed by groups: {GROUP_INDIRECT}" in out
|
|
assert f"Membership managed by users: {USER_MM}" in out
|
|
|
|
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
|
|
out = result.stdout_text
|
|
assert f"Membership managed by groups: {GROUP_INDIRECT}" in out
|
|
assert f"Membership managed by users: {USER_MM}" in out
|
|
|
|
tasks.kdestroy_all(master)
|
|
|
|
def test_find_by_member_manager(self):
|
|
master = self.master
|
|
tasks.kinit_admin(master)
|
|
|
|
result = master.run_command([
|
|
'ipa', 'group-find', '--membermanager-users', USER_MM
|
|
])
|
|
assert GROUP1 in result.stdout_text
|
|
|
|
result = master.run_command([
|
|
'ipa', 'group-find', '--membermanager-groups', GROUP_INDIRECT
|
|
])
|
|
assert GROUP1 in result.stdout_text
|
|
|
|
result = master.run_command(
|
|
[
|
|
'ipa', 'group-find', '--membermanager-users', USER1
|
|
],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert "0 groups matched" in result.stdout_text
|
|
|
|
result = master.run_command([
|
|
'ipa', 'hostgroup-find', '--membermanager-users', USER_MM
|
|
])
|
|
assert HOSTGROUP1 in result.stdout_text
|
|
|
|
result = master.run_command([
|
|
'ipa', 'hostgroup-find', '--membermanager-groups', GROUP_INDIRECT
|
|
])
|
|
assert HOSTGROUP1 in result.stdout_text
|
|
|
|
result = master.run_command(
|
|
[
|
|
'ipa', 'hostgroup-find', '--membermanager-users', USER1
|
|
],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode == 1
|
|
assert "0 hostgroups matched" in result.stdout_text
|
|
|
|
def test_group_member_manager_user(self):
|
|
master = self.master
|
|
# mmuser: add user1 to group
|
|
tasks.kinit_as_user(master, USER_MM, PASSWORD)
|
|
master.run_command([
|
|
'ipa', 'group-add-member', GROUP1, '--users', USER1
|
|
])
|
|
result = master.run_command(['ipa', 'group-show', GROUP1])
|
|
assert USER1 in result.stdout_text
|
|
|
|
# indirect: add user2 to group
|
|
tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
|
|
master.run_command([
|
|
'ipa', 'group-add-member', GROUP1, '--users', USER2
|
|
])
|
|
# verify
|
|
master.run_command(['ipa', 'group-show', GROUP1])
|
|
result = master.run_command(['ipa', 'group-show', GROUP1])
|
|
assert USER2 in result.stdout_text
|
|
|
|
def test_group_member_manager_group(self):
|
|
master = self.master
|
|
# mmuser: add group2 to group
|
|
tasks.kinit_as_user(master, USER_MM, PASSWORD)
|
|
master.run_command([
|
|
'ipa', 'group-add-member', GROUP1, '--groups', GROUP2
|
|
])
|
|
result = master.run_command(['ipa', 'group-show', GROUP1])
|
|
assert GROUP2 in result.stdout_text
|
|
|
|
def test_group_member_manager_nopermission(self):
|
|
master = self.master
|
|
tasks.kinit_as_user(master, USER1, PASSWORD)
|
|
result = master.run_command(
|
|
[
|
|
'ipa', 'group-add-member-manager', GROUP1, '--users', USER1
|
|
],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode != 0
|
|
expected = (
|
|
f"member user: {USER1}: Insufficient access: Insufficient "
|
|
"'write' privilege to the 'memberManager' attribute of entry"
|
|
)
|
|
assert expected in result.stdout_text
|
|
|
|
def test_hostgroup_member_manager_user(self):
|
|
master = self.master
|
|
# mmuser: add a host to host group
|
|
tasks.kinit_as_user(master, USER_MM, PASSWORD)
|
|
master.run_command([
|
|
'ipa', 'hostgroup-add-member', HOSTGROUP1,
|
|
'--hosts', master.hostname
|
|
])
|
|
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
|
|
assert master.hostname in result.stdout_text
|
|
master.run_command([
|
|
'ipa', 'hostgroup-remove-member', HOSTGROUP1,
|
|
'--hosts', master.hostname
|
|
])
|
|
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
|
|
assert master.hostname not in result.stdout_text
|
|
|
|
# indirect:
|
|
tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
|
|
master.run_command([
|
|
'ipa', 'hostgroup-add-member', HOSTGROUP1,
|
|
'--hosts', master.hostname
|
|
])
|
|
result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
|
|
assert master.hostname in result.stdout_text
|
|
|
|
def test_hostgroup_member_manager_nopermission(self):
|
|
master = self.master
|
|
tasks.kinit_as_user(master, USER1, PASSWORD)
|
|
result = master.run_command(
|
|
[
|
|
'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
|
|
'--users', USER1
|
|
],
|
|
raiseonerr=False
|
|
)
|
|
assert result.returncode != 0
|
|
expected = (
|
|
f"member user: {USER1}: Insufficient access: Insufficient "
|
|
"'write' privilege to the 'memberManager' attribute of entry"
|
|
)
|
|
assert expected in result.stdout_text
|