freeipa.git/tests, branch gssapi-delegate

Add hbactest command. https://fedorahosted.org/freeipa/ticket/386

2011-07-28T22:01:44+00:00

HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

Test user coming from source host to a service on a named host against
existing enabled rules.

ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]

--user, --srchost, --host, and --service are mandatory, others are optional.

If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.

If --enabled is specified, all enabled HBAC rules will be added to simulation

If --disabled is specified, all disabled HBAC rules will be added to simulation

If --nodetail is specified, do not return information about rules matched/not matched.

If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.

If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all

2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------

3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule

4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all

5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule

6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule

7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.

Fix message in test case for checking minimum values

2011-07-28T06:03:56+00:00

Make AVA, RDN & DN comparison case insensitive. No need for lowercase normalization.

2011-07-28T00:58:48+00:00

Replace deepcopy with constructor (i.e. type call)
Can now "clone" with configuration changes by passing object
of the same type to it's constructor, e.g.
dn1 = DN(('cn', 'foo'))
dn2 = DN(dn1)
dn2 = DN(dn1, first_key_match=False)

Remove pairwise grouping for RDN's. Had previously removed it
for DN's, left it in for RDN's because it seemed to make sense
because of the way RDN's work but consistency is a higher goal.

Add keyword constructor parameters to pass configuration options.

Make first_key_match a configuration keyword.

Updated documentation.

Updated unit test.

FWIW, I noticed the unittest is now running 2x faster, not sure why,
removal of deepcopy? Anyway, hard to argue with performance doubling.

Fix invalid issuer in unit tests

2011-07-28T00:56:16+00:00

Fix several test failures when issuer does not match the one
generated by make-testcert (CN=Certificate Authority,O=).

https://fedorahosted.org/freeipa/ticket/1527

Don't leave dangling map if adding an indirect map fails

2011-07-27T04:02:28+00:00

When using the add_indirect helper we create a new map and then add a key
for it all in one step. If adding the key fails for any reason be sure to
remove the map we added.

https://fedorahosted.org/freeipa/ticket/1520

Hide the HBAC access type attribute now that deny is deprecated.

2011-07-21T05:11:45+00:00

It won't appear in the UI/CLI but is still available via XML-RPC.
allow is the default and deny will be rejected.

https://fedorahosted.org/freeipa/ticket/1495

Ticket 1485 - DN pairwise grouping

2011-07-21T04:29:38+00:00

The pairwise grouping used to form RDN's and AVA's proved to be
confusing in practice, this patch removes that functionality thus
requiring programmers to explicitly pair attr,value using a tuple or
list.

In addition it was discovered additional functionality was needed to
support some DN operations in freeipa. DN objects now support
startswith(), endswith() and the "in" membership test. These functions
and operators will accept either a DN or RDN.

The unittest was modified to remove the pairwise tests and add new
explicit tests. The unittest was augmented to test the new
functionality. In addition the unittest was cleaned up a bit to use
common utilty functions for improved readabilty and robustness.

The documentation was updated.

fix test_role_plugin use of DN to avoid pairwise grouping

Set a default minimum value for class Int, handle long values better.

2011-07-20T00:32:00+00:00

Allow a long to get as far as the min/max constraints where we can
compare it to min/max int values and reject with a proper error message.

https://fedorahosted.org/freeipa/ticket/1494

With the external user/group management fixed, correct the unit tests.

2011-07-20T15:27:42+00:00

The unit tests were incorrectly expecting the removed data back when
removing external users.

Optionally wait for 389-ds postop plugins to complete

2011-07-19T11:06:16+00:00

Add a new command that lets you wait for an attribute to appear in
a value. Using this you can do things like wait for a managed entry
to be created, adding a new objectclass to the parent entry.

This is controlled by a new booleon option, wait_for_attr, defaulting
to False.

https://fedorahosted.org/freeipa/ticket/1144