<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/tests/test_xmlrpc, branch platform-master</title>
<subtitle>FreeIPA project</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/'/>
<entry>
<title>Suppress managed netgroups from showing as memberof hostgroups.</title>
<updated>2011-08-31T12:34:52+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2011-08-30T22:38:22+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=ca1ca17cb61516dff6933b1b0381b32e1e38d44c'/>
<id>ca1ca17cb61516dff6933b1b0381b32e1e38d44c</id>
<content type='text'>
By design these managed netgroups are not supposed to show unless you
specifically want to see them.

https://fedorahosted.org/freeipa/ticket/1738
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
By design these managed netgroups are not supposed to show unless you
specifically want to see them.

https://fedorahosted.org/freeipa/ticket/1738
</pre>
</div>
</content>
</entry>
<entry>
<title>34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin</title>
<updated>2011-08-31T07:49:43+00:00</updated>
<author>
<name>Jr Aquino</name>
<email>jr.aquino@citrix.com</email>
</author>
<published>2011-08-31T00:48:15+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=d05ace8fba6ea4a61c1070d5e5687aaa5d2aee2b'/>
<id>d05ace8fba6ea4a61c1070d5e5687aaa5d2aee2b</id>
<content type='text'>
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
</pre>
</div>
</content>
</entry>
<entry>
<title>Add netgroup as possible memberOf for hostgroups</title>
<updated>2011-08-30T01:29:16+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2011-08-30T18:08:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=e52f6528736f311e06c188e5b4858b6fc0ec16f0'/>
<id>e52f6528736f311e06c188e5b4858b6fc0ec16f0</id>
<content type='text'>
https://fedorahosted.org/freeipa/ticket/1563
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://fedorahosted.org/freeipa/ticket/1563
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix sudo help and summaries</title>
<updated>2011-08-30T01:26:23+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2011-08-30T15:10:27+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=327d67fe8db30655315a8616f0c1c5da491910e0'/>
<id>327d67fe8db30655315a8616f0c1c5da491910e0</id>
<content type='text'>
1) Add sudorule docstring headline

2) Fix naming inconsistency in Sudo plugins help and summaries,
   especially capitalization of Sudo objects - Sudo Rule, Sudo
   Command and Sudo Command Group

3) Add missing summaries for sudorule-add-option and
   sudorule-remove-option. To keep backward compatibility with
   older clients, just print the missing summary with
   output_for_cli(), don't expand Output.

https://fedorahosted.org/freeipa/ticket/1595
https://fedorahosted.org/freeipa/ticket/1596
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
1) Add sudorule docstring headline

2) Fix naming inconsistency in Sudo plugins help and summaries,
   especially capitalization of Sudo objects - Sudo Rule, Sudo
   Command and Sudo Command Group

3) Add missing summaries for sudorule-add-option and
   sudorule-remove-option. To keep backward compatibility with
   older clients, just print the missing summary with
   output_for_cli(), don't expand Output.

https://fedorahosted.org/freeipa/ticket/1595
https://fedorahosted.org/freeipa/ticket/1596
</pre>
</div>
</content>
</entry>
<entry>
<title>Add external source hosts to HBAC.</title>
<updated>2011-08-29T21:14:28+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2011-08-17T15:49:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=3b9da8e276d7fee693471053e6922ddbc14388a8'/>
<id>3b9da8e276d7fee693471053e6922ddbc14388a8</id>
<content type='text'>
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.

ticket https://fedorahosted.org/freeipa/ticket/1574
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When adding/removing source hosts if the host isn't found in IPA it is
considered external. The attribute externalhost is used to store
external hosts.

ticket https://fedorahosted.org/freeipa/ticket/1574
</pre>
</div>
</content>
</entry>
<entry>
<title>Retrieve password/keytab state when modifying a host.</title>
<updated>2011-08-25T16:38:38+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2011-08-25T13:24:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=6dfd7c8242c564faae9f74a86cdc12e7f58d08ca'/>
<id>6dfd7c8242c564faae9f74a86cdc12e7f58d08ca</id>
<content type='text'>
ticket https://fedorahosted.org/freeipa/ticket/1714
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
ticket https://fedorahosted.org/freeipa/ticket/1714
</pre>
</div>
</content>
</entry>
<entry>
<title>Change the way has_keytab is determined, also check for password.</title>
<updated>2011-08-24T12:12:01+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2011-08-22T20:24:07+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=109b79a7acf871b28e5b4cce2fd3b119f0fdd249'/>
<id>109b79a7acf871b28e5b4cce2fd3b119f0fdd249</id>
<content type='text'>
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.

This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.

When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).

This adds has_keytab/has_password to the user, host and service plugins.

ticket https://fedorahosted.org/freeipa/ticket/1538
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix automountkey-mod</title>
<updated>2011-08-19T00:35:12+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2011-08-01T14:41:28+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=d28f1c3b7cca50166444c7110e914f1efd4f779a'/>
<id>d28f1c3b7cca50166444c7110e914f1efd4f779a</id>
<content type='text'>
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.

Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.

Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.

https://fedorahosted.org/freeipa/ticket/1528
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix automountkey-mod so that automountkey attribute is correctly
updated. Add this test case to the unit tests.

Make automountkey required for automountkey-mod, otherwise it would
cause internal server error.

Make --newinfo optional so that automountkey may be just renamed
without changing its info attribute.

https://fedorahosted.org/freeipa/ticket/1528
</pre>
</div>
</content>
</entry>
<entry>
<title>ticket 1600 - convert unittests to use DN objects</title>
<updated>2011-08-17T03:52:26+00:00</updated>
<author>
<name>John Dennis</name>
<email>jdennis@redhat.com</email>
</author>
<published>2011-08-10T01:21:56+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=2673782aec632e84e89e8963b59cca8f62dafd47'/>
<id>2673782aec632e84e89e8963b59cca8f62dafd47</id>
<content type='text'>
We have a larger goal of replacing all DN creation via string
formatting/concatenation with DN object operations because string
operations are not a safe way to form a DN nor to compare a DN. This
work needs to be broken into smaller chunks for easier review and
testing.

Addressing the unit tests first makes sense because we don't want to
be modifying both the core code and the tests used to verify the core
code simultaneously. If we modify the unittests first with existing
core code and no regressions are found then we can move on to
modifying parts of the core code with the belief the unittests can
validate the changes in the core code. Also by doing the unittests
first we also help to validate the DN objects are working correctly
(although they do have an extensive unittest).

The fundamental changes are:

* replace string substitution &amp; concatenation with DN object
  constructor

* when comparing dn's the comparison is done after promotion
  to a DN object, then two DN objects are compared

* when a list of string dn's are to be compared a new list is
  formed where each string dn is replaced by a DN object

* because the unittest framework accepts a complex data structure of
  expected values where dn's are represented as strings the unittest
  needs to express the expected value of a dn as a callable object
  (e.g. a lambda expression) which promotes the dn string to a DN
  object in order to do the comparison.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have a larger goal of replacing all DN creation via string
formatting/concatenation with DN object operations because string
operations are not a safe way to form a DN nor to compare a DN. This
work needs to be broken into smaller chunks for easier review and
testing.

Addressing the unit tests first makes sense because we don't want to
be modifying both the core code and the tests used to verify the core
code simultaneously. If we modify the unittests first with existing
core code and no regressions are found then we can move on to
modifying parts of the core code with the belief the unittests can
validate the changes in the core code. Also by doing the unittests
first we also help to validate the DN objects are working correctly
(although they do have an extensive unittest).

The fundamental changes are:

* replace string substitution &amp; concatenation with DN object
  constructor

* when comparing dn's the comparison is done after promotion
  to a DN object, then two DN objects are compared

* when a list of string dn's are to be compared a new list is
  formed where each string dn is replaced by a DN object

* because the unittest framework accepts a complex data structure of
  expected values where dn's are represented as strings the unittest
  needs to express the expected value of a dn as a callable object
  (e.g. a lambda expression) which promotes the dn string to a DN
  object in order to do the comparison.
</pre>
</div>
</content>
</entry>
<entry>
<title>Add hbactest command. https://fedorahosted.org/freeipa/ticket/386</title>
<updated>2011-07-28T22:01:44+00:00</updated>
<author>
<name>Alexander Bokovoy</name>
<email>abokovoy@redhat.com</email>
</author>
<published>2011-07-22T13:30:44+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=dd296eec13e3b436b0c608fdddd53089ed5c78e5'/>
<id>dd296eec13e3b436b0c608fdddd53089ed5c78e5</id>
<content type='text'>
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
</pre>
</div>
</content>
</entry>
</feed>
