4acd9fe9f7
Testing if manager whose rights defined by the group membership is able to add group members, after upgrade of ipa server. Using ACI modification to demonstrate unability before upgrading ipa server. Related: https://pagure.io/freeipa/issue/9286 Also added some generally helpful functions to tasks.py Signed-off-by: Erik Belko <ebelko@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com> Reviewed-By: Michal Polovka <mpolovka@redhat.com>
#
# Copyright (C) 2019 FreeIPA Contributors see COPYING for license
#
"""Tests for member manager feature
"""
import textwrap

import pytest

from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
# Password given to every user created with create_active_user; it is a
# throw-away test value, the tests kinit with it to act as that user.
PASSWORD = "DummyPassword123"

# direct member manager of GROUP1 and HOSTGROUP1
USER_MM = "mmuser"
# indirect member manager through group membership: USER_INDIRECT is a
# member of GROUP_INDIRECT, which is added as a member manager group
USER_INDIRECT = "indirect_mmuser"
GROUP_INDIRECT = "group_indirect"

# plain user with no member manager rights; used for the "nopermission" cases
USER1 = "testuser1"
# only ever used as a member to add, never as a principal to kinit with
USER2 = "testuser2"
# groups/hostgroup whose membership is managed by the member managers above
GROUP1 = "testgroup1"
GROUP2 = "testgroup2"
HOSTGROUP1 = "testhostgroup1"
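class TestMemberManager(IntegrationTest):
    """Tests for member manager feature for groups and hostgroups

    Two kinds of member managers are exercised: USER_MM is a direct member
    manager of GROUP1 and HOSTGROUP1, while USER_INDIRECT manages them only
    through its membership in GROUP_INDIRECT.  USER1 is a plain user and is
    expected to be refused when it tries to grant member manager rights.
    """
    topology = "line"

    @classmethod
    def install(cls, mh):
        """Create the users, groups and member managers on the master.

        All objects are created with admin credentials; the credential
        cache is destroyed at the end so each test acquires its own ticket.
        """
        super().install(mh)
        master = cls.master

        # users that later kinit with PASSWORD to act as member managers
        tasks.create_active_user(master, USER_MM, PASSWORD)
        tasks.create_active_user(master, USER_INDIRECT, PASSWORD)
        tasks.create_active_user(master, USER1, PASSWORD)

        tasks.kinit_admin(master)
        tasks.group_add(master, GROUP_INDIRECT)
        master.run_command([
            'ipa', 'group-add-member', GROUP_INDIRECT, '--users', USER_INDIRECT
        ])

        # USER2 is only ever added as a member, it never kinits
        tasks.user_add(master, USER2)
        tasks.group_add(master, GROUP1)
        tasks.group_add(master, GROUP2)
        master.run_command(['ipa', 'hostgroup-add', HOSTGROUP1])

        # make mmuser a member manager for group and hostgroup
        master.run_command([
            'ipa', 'group-add-member-manager', GROUP1,
            '--users', USER_MM
        ])
        master.run_command([
            'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
            '--users', USER_MM
        ])
        # make indirect group member manager for group and hostgroup
        master.run_command([
            'ipa', 'group-add-member-manager', GROUP1,
            '--groups', GROUP_INDIRECT
        ])
        master.run_command([
            'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
            '--groups', GROUP_INDIRECT
        ])
        tasks.kdestroy_all(master)

    def test_show_member_manager(self):
        """group-show / hostgroup-show list both kinds of member managers."""
        master = self.master
        tasks.kinit_admin(master)

        expected_lines = (
            f"Membership managed by groups: {GROUP_INDIRECT}",
            f"Membership managed by users: {USER_MM}",
        )
        for show_cmd, name in (('group-show', GROUP1),
                               ('hostgroup-show', HOSTGROUP1)):
            out = master.run_command(['ipa', show_cmd, name]).stdout_text
            for line in expected_lines:
                assert line in out

        tasks.kdestroy_all(master)

    def test_find_by_member_manager(self):
        """*-find with --membermanager-* filters return only managed entries.

        A search by USER1, which manages nothing, must match zero entries
        and exit with status 1.
        """
        master = self.master
        tasks.kinit_admin(master)

        for find_cmd, name, noun in (('group-find', GROUP1, 'groups'),
                                     ('hostgroup-find', HOSTGROUP1,
                                      'hostgroups')):
            result = master.run_command([
                'ipa', find_cmd, '--membermanager-users', USER_MM
            ])
            assert name in result.stdout_text

            result = master.run_command([
                'ipa', find_cmd, '--membermanager-groups', GROUP_INDIRECT
            ])
            assert name in result.stdout_text

            # USER1 is not a member manager of anything
            result = master.run_command(
                [
                    'ipa', find_cmd, '--membermanager-users', USER1
                ],
                raiseonerr=False
            )
            assert result.returncode == 1
            assert f"0 {noun} matched" in result.stdout_text

    def test_group_member_manager_user(self):
        """Direct and indirect member managers can add users to GROUP1."""
        master = self.master
        # mmuser: add user1 to group
        tasks.kinit_as_user(master, USER_MM, PASSWORD)
        master.run_command([
            'ipa', 'group-add-member', GROUP1, '--users', USER1
        ])
        result = master.run_command(['ipa', 'group-show', GROUP1])
        assert USER1 in result.stdout_text

        # indirect: add user2 to group
        tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
        master.run_command([
            'ipa', 'group-add-member', GROUP1, '--users', USER2
        ])
        # verify (a single group-show is enough; the old duplicate call
        # was redundant)
        result = master.run_command(['ipa', 'group-show', GROUP1])
        assert USER2 in result.stdout_text

    def test_group_member_manager_group(self):
        """A direct member manager can add a group to GROUP1."""
        master = self.master
        # mmuser: add group2 to group
        tasks.kinit_as_user(master, USER_MM, PASSWORD)
        master.run_command([
            'ipa', 'group-add-member', GROUP1, '--groups', GROUP2
        ])
        result = master.run_command(['ipa', 'group-show', GROUP1])
        assert GROUP2 in result.stdout_text

    def _assert_member_manager_denied(self, cmd):
        """Run *cmd* as USER1 and assert it is refused by the memberManager ACI.

        USER1 has no rights on the target entry, so the command must exit
        non-zero and report the missing 'write' privilege on the
        'memberManager' attribute.
        """
        master = self.master
        tasks.kinit_as_user(master, USER1, PASSWORD)
        result = master.run_command(cmd, raiseonerr=False)
        assert result.returncode != 0
        expected = (
            f"member user: {USER1}: Insufficient access: Insufficient "
            "'write' privilege to the 'memberManager' attribute of entry"
        )
        assert expected in result.stdout_text

    def test_group_member_manager_nopermission(self):
        """A plain user cannot make itself a member manager of GROUP1."""
        self._assert_member_manager_denied([
            'ipa', 'group-add-member-manager', GROUP1, '--users', USER1
        ])

    def test_hostgroup_member_manager_user(self):
        """Direct and indirect member managers can add a host to HOSTGROUP1.

        The direct manager also removes the host again before the indirect
        manager adds it, proving remove-member works with the same rights.
        """
        master = self.master
        host = master.hostname
        # mmuser: add a host to host group
        tasks.kinit_as_user(master, USER_MM, PASSWORD)
        master.run_command([
            'ipa', 'hostgroup-add-member', HOSTGROUP1,
            '--hosts', host
        ])
        result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
        assert host in result.stdout_text
        master.run_command([
            'ipa', 'hostgroup-remove-member', HOSTGROUP1,
            '--hosts', host
        ])
        result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
        assert host not in result.stdout_text

        # indirect:
        tasks.kinit_as_user(master, USER_INDIRECT, PASSWORD)
        master.run_command([
            'ipa', 'hostgroup-add-member', HOSTGROUP1,
            '--hosts', host
        ])
        result = master.run_command(['ipa', 'hostgroup-show', HOSTGROUP1])
        assert host in result.stdout_text

    def test_hostgroup_member_manager_nopermission(self):
        """A plain user cannot make itself a member manager of HOSTGROUP1."""
        self._assert_member_manager_denied([
            'ipa', 'hostgroup-add-member-manager', HOSTGROUP1,
            '--users', USER1
        ])

    @pytest.fixture
    def prepare_mbr_manager_upgrade(self):
        """Create a user whose member manager rights come only via a group.

        ``user`` is a member of ``group1``, and ``group1`` is a member
        manager of ``group2``.  Yields ``(user, password, group2)``; the
        user and both groups are deleted on teardown, which pytest runs
        whether or not the test passed.
        """
        user = "idmuser"
        password = "Secret123"
        group1 = "role-groupmanager"
        group2 = "role-usergroup-A"

        master = self.master

        tasks.kinit_admin(master)
        tasks.group_add(master, group1)
        tasks.group_add(master, group2)
        tasks.create_active_user(master, user, password)

        # create_active_user leaves the user's ticket behind; go back to admin
        tasks.kinit_admin(master)
        tasks.group_add_member(master, group1, user)
        master.run_command(["ipa", "group-add-member-manager", "--groups",
                            group1, group2])

        yield user, password, group2

        # cleanup
        tasks.kinit_admin(master)
        tasks.user_del(master, user)
        tasks.group_del(master, group1)
        tasks.group_del(master, group2)

    def test_member_manager_upgrade_scenario(self, prepare_mbr_manager_upgrade):
        """
        Testing if manager whose rights defined by the group membership
        is able to add group members, after upgrade of ipa server.
        Using ACI modification to demonstrate inability before upgrading
        ipa server.

        Related: https://pagure.io/freeipa/issue/9286
        """
        user, password, group2 = prepare_mbr_manager_upgrade

        master = self.master

        base_dn = self.master.domain.basedn

        # These are the ACIs that grant member managers, whether named
        # directly (USERDN) or via a group (GROUPDN), write access to the
        # 'member' attribute.  The test deletes them from the live tree to
        # stand in for a server from before the fix; ipa-server-upgrade is
        # expected to put them back.
        aci_hostgroup = (
            '(targetattr = "member")(targetfilter = '
            '"(objectclass=ipaHostGroup)")'
            '(version 3.0; acl "Allow member managers '
            'to modify members of host groups"; allow (write) userattr = '
            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
        )
        aci_usergroup = (
            '(targetattr = "member")(targetfilter = '
            '"(objectclass=ipaUserGroup)")'
            '(version 3.0; acl "Allow member managers '
            'to modify members of user groups"; allow (write) userattr = '
            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
        )
        ldif_entry = textwrap.dedent(
            """
            dn: cn=hostgroups,cn=accounts,{base_dn}
            changetype: modify
            delete: aci
            aci: {aci_hostgroup}

            dn: cn=groups,cn=accounts,{base_dn}
            changetype: modify
            delete: aci
            aci: {aci_usergroup}
            """).format(base_dn=base_dn,
                        aci_hostgroup=aci_hostgroup,
                        aci_usergroup=aci_usergroup)
        tasks.ldapmodify_dm(master, ldif_entry)

        try:
            tasks.kinit_as_user(master, user, password)
            # without the ACIs the group-based member manager must be refused
            result = tasks.group_add_member(master, group2, "admin",
                                            raiseonerr=False)
            assert result.returncode == 1
            assert "Insufficient access" in result.stdout_text
        finally:
            # Run the upgrade even if an assertion above failed: the ACIs
            # have already been deleted, and leaving the server without them
            # would bleed into any test that runs afterwards.
            master.run_command(['ipa-server-upgrade'])

        # after the upgrade the same member manager succeeds
        tasks.group_add_member(master, group2, "admin")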
|