authorRob Crittenden <rcritten@redhat.com>2010-12-17 16:57:28 -0500
committerSimo Sorce <ssorce@redhat.com>2010-12-17 18:04:37 -0500
commit34534a026f39e5c5c139d23ab70db72009789e5b (patch)
tree7e64d9a94bd2a6c5ac54e54f46e600b539727212
parent7035ffe49ca8456a1efc155c9cb22ec01a881ba2 (diff)
Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy
We keep LDAP attributes lower-case elsewhere in the API, so we should do the same with all access controls. There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general, and we have decided separately not to clear out enrolledBy when a host is unenrolled, so dropping it is the obvious thing to do. ticket 597
-rw-r--r--install/share/default-aci.ldif6
-rw-r--r--install/share/delegation.ldif35
-rw-r--r--ipalib/plugins/delegation.py1
-rw-r--r--ipalib/plugins/host.py1
-rw-r--r--ipalib/plugins/permission.py1
-rw-r--r--ipalib/plugins/selfservice.py1
-rw-r--r--tests/test_xmlrpc/test_delegation_plugin.py12
-rw-r--r--tests/test_xmlrpc/test_selfservice_plugin.py12
8 files changed, 34 insertions, 35 deletions
diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index d725cd5c1..d0dfa23d7 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -5,7 +5,7 @@ changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
+aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
@@ -16,7 +16,7 @@ aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife |
dn: cn=users,cn=accounts,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeeType || businesscategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";)
dn: cn=etc,$SUFFIX
changetype: modify
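Review bot: The rewritten "Self service" targetattr still contains `employeeType` in camel case, so the list is not uniformly lower-case as the commit message intends. The same leftover appears in install/share/delegation.ldif: `mepmanagedEntry` in the "Modify Users" ACI and `ipaUniqueId` in the "Modify Groups" ACI. LDAP attribute names are normally matched case-insensitively, so this is presumably cosmetic, but any code that compares these strings literally against the normalized `attrs` values would see a mismatch. Suggested spellings are `employeetype`, `mepmanagedentry` and `ipauniqueid`.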
@@ -54,7 +54,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c
dn: cn=computers,cn=accounts,$SUFFIX
changetype: modify
add: aci
-aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
+aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
# Define which hosts can edit other hosts
# The managedby attribute stores the DN of hosts that are allowed to manage
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index d87b6c260..235f59bf2 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -493,10 +493,10 @@ dn: $SUFFIX
changetype: modify
add: aci
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";)
aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";)
aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";)
-aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";)
# Group administration
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";)
# We need objectclass and gidnumber in modify so a non-posix group can be
# promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";)
# Host administration
@@ -536,7 +536,7 @@ changetype: modify
add: aci
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";)
aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";)
-aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";)
# Delegation administration
@@ -574,21 +574,14 @@ aci: (targetattr = "memberhost || externalhost || memberuser || member")(target
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
# Service keytab admin
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";)
-
-# Allow enrolledBy to be removed when a host is not enrolled
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "krblrincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";)
# Add the ACI needed to do host enrollment. When this occurs we
# set the krbPrincipalName, add krbPrincipalAux to objectClass and
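Review bot: The new "Manage service keytab" ACI spells the first attribute `krblrincipalkey`, which is a typo for `krbprincipalkey`. As written, the targetattr names an attribute that does not exist, so members of manage_service_keytab would presumably lose write access to the service key and only retain `krblastpwdchange`. Delegated service keytab management is then likely to fail with an access error. The line should read `(targetattr = "krbprincipalkey || krblastpwdchange")`, matching the "Manage host keytab" ACI a few lines above. No test visible in this commit exercises the permission, so a keytab-retrieval test run as a non-admin member of it would catch this kind of regression.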
@@ -597,7 +590,7 @@ aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(targetattr = "
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";)
# Replica administration
@@ -621,7 +614,7 @@ aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX")(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";)
dn: $SUFFIX
changetype: modify
@@ -654,7 +647,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";)
# Request Certificate virtual op
dn: cn=request certificate,cn=virtual operations,$SUFFIX
@@ -674,7 +667,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";)
# Request Certificate from different host virtual op
dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
@@ -694,7 +687,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";)
# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,$SUFFIX
@@ -714,7 +707,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";)
# Revoke Certificate virtual op
dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
@@ -734,7 +727,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";)
# Certificate Remove Hold virtual op
dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
@@ -754,4 +747,4 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
dn: $SUFFIX
changetype: modify
add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";)
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index b9fc7f146..c233784d1 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -108,6 +108,7 @@ class delegation(Object):
cli_name='attrs',
label=_('Attributes'),
doc=_('Comma-separated list of attributes'),
+ normalizer=lambda value: value.lower(),
),
Str('memberof',
cli_name='membergroup',
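Review bot: The `normalizer=lambda value: value.lower()` added here is repeated verbatim in ipalib/plugins/permission.py and ipalib/plugins/selfservice.py. A single shared helper with a short comment such as `# ACI attribute names are stored lower-case; see default-aci.ldif` would keep the three plugins in step. The normalizer only affects values passing through these parameters. ACIs already in a directory, or written through a path not shown in this diff, would presumably keep their original case, so any literal comparison of attribute lists should lower-case the stored side as well. The `class delegation` definition continues outside the hunk, so how the parameter is consumed is not visible here.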
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 22cd424ed..91aa65154 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -686,7 +686,6 @@ class host_disable(LDAPQuery):
if 'krblastpwdchange' in entry_attrs:
ldap.remove_principal_key(dn)
- api.Command['host_mod'](fqdn=keys[-1], setattr=u'enrolledby=')
done_work = True
if not done_work:
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 058a2cd3e..3734ae2c2 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -115,6 +115,7 @@ class permission(LDAPObject):
cli_name='attrs',
label=_('Attributes'),
doc=_('Comma-separated list of attributes'),
+ normalizer=lambda value: value.lower(),
),
StrEnum('type?',
cli_name='type',
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 63c40f681..cedcf9b0d 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -89,6 +89,7 @@ class selfservice(Object):
cli_name='attrs',
label=_('Attributes'),
doc=_('Comma-separated list of attributes'),
+ normalizer=lambda value: value.lower(),
),
)
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index ded6d4f0c..a4520f430 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
@@ -69,6 +69,8 @@ class test_delegation(Declarative):
),
+ # Note that we add postalCode but expect postalcode. This tests
+ # the attrs normalizer.
dict(
desc='Create %r' % delegation1,
command=(
@@ -83,7 +85,7 @@ class test_delegation(Declarative):
value=delegation1,
summary=u'Added delegation "%s"' % delegation1,
result=dict(
- attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+ attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
permissions=[u'write'],
aciname=delegation1,
group=u'editors',
@@ -115,7 +117,7 @@ class test_delegation(Declarative):
value=delegation1,
summary=None,
result={
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'write'],
'aciname': delegation1,
'group': u'editors',
@@ -135,7 +137,7 @@ class test_delegation(Declarative):
summary=u'1 delegation matched',
result=[
{
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'write'],
'aciname': delegation1,
'group': u'editors',
@@ -156,7 +158,7 @@ class test_delegation(Declarative):
value=delegation1,
summary=u'Modified delegation "%s"' % delegation1,
result=dict(
- attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+ attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
permissions=[u'read'],
aciname=delegation1,
group=u'editors',
@@ -174,7 +176,7 @@ class test_delegation(Declarative):
value=delegation1,
summary=None,
result={
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'read'],
'aciname': delegation1,
'group': u'editors',
diff --git a/tests/test_xmlrpc/test_selfservice_plugin.py b/tests/test_xmlrpc/test_selfservice_plugin.py
index 897bd0da4..30b5d7644 100644
--- a/tests/test_xmlrpc/test_selfservice_plugin.py
+++ b/tests/test_xmlrpc/test_selfservice_plugin.py
@@ -68,6 +68,8 @@ class test_selfservice(Declarative):
),
+ # Note that we add postalCode but expect postalcode. This tests
+ # the attrs normalizer.
dict(
desc='Create %r' % selfservice1,
command=(
@@ -80,7 +82,7 @@ class test_selfservice(Declarative):
value=selfservice1,
summary=u'Added selfservice "%s"' % selfservice1,
result=dict(
- attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+ attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
permissions=[u'write'],
selfaci=True,
aciname=selfservice1,
@@ -108,7 +110,7 @@ class test_selfservice(Declarative):
value=selfservice1,
summary=None,
result={
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'write'],
'selfaci': True,
'aciname': selfservice1,
@@ -126,7 +128,7 @@ class test_selfservice(Declarative):
summary=u'1 selfservice matched',
result=[
{
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'write'],
'selfaci': True,
'aciname': selfservice1,
@@ -145,7 +147,7 @@ class test_selfservice(Declarative):
value=selfservice1,
summary=u'Modified selfservice "%s"' % selfservice1,
result=dict(
- attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+ attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
permissions=[u'read'],
selfaci=True,
aciname=selfservice1,
@@ -161,7 +163,7 @@ class test_selfservice(Declarative):
value=selfservice1,
summary=None,
result={
- 'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+ 'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
'permissions': [u'read'],
'selfaci': True,
'aciname': selfservice1,