author | Rob Crittenden <rcritten@redhat.com> | 2009-03-19 15:40:50 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2009-03-20 09:28:09 -0400 |
commit | a55c5d6bcd0927091e54399c8cf5c1ad671f0e82 (patch) | |
tree | cbc677793a5065b95150452f9b71255f42b08064 | |
parent | 5e2e3fd17dd16bbbd76b2f07292204864120d196 (diff) | |
New plugin to handle role groups
Role groups will be part of the ACI system. It will let one create broad
categories of permissions. Things like: helpdesk, user admin, group admin,
whatever.
-rw-r--r-- | install/updates/rolegroup.update | 5 | ||||
-rw-r--r-- | ipalib/plugins/rolegroup.py | 85 | ||||
-rw-r--r-- | tests/test_xmlrpc/test_rolegroup_plugin.py | 143 |
3 files changed, 233 insertions, 0 deletions
diff --git a/install/updates/rolegroup.update b/install/updates/rolegroup.update
new file mode 100644
index 000000000..ef8cd7890
--- /dev/null
+++ b/install/updates/rolegroup.update
@@ -0,0 +1,5 @@
+# Add the rolegroup container
+
+dn: cn=rolegroups,cn=accounts,$SUFFIX
+add:objectClass: nsContainer
+add:cn: rolegroups
diff --git a/ipalib/plugins/rolegroup.py b/ipalib/plugins/rolegroup.py
new file mode 100644
index 000000000..c843c0988
--- /dev/null
+++ b/ipalib/plugins/rolegroup.py
@@ -0,0 +1,85 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Frontend plugins for rolegroups.
+"""
+
+from ipalib import api
+from ipalib.plugins.basegroup import *
+
+display_attributes = ['cn','description', 'member', 'memberof']
+container_rolegroup = "cn=rolegroups,cn=accounts"
+
+class rolegroup(BaseGroup):
+ """
+ rolegroup object.
+ """
+ container=container_rolegroup
+
+api.register(rolegroup)
+
+
+class rolegroup_add(basegroup_add):
+ 'Add a new rolegroup.'
+
+api.register(rolegroup_add)
+
+
+class rolegroup_del(basegroup_del):
+ 'Delete an existing rolegroup.'
+ container = container_rolegroup
+
+api.register(rolegroup_del)
+
+
+class rolegroup_mod(basegroup_mod):
+ 'Edit an existing rolegroup.'
+ container = container_rolegroup
+
+api.register(rolegroup_mod)
+
+
+class rolegroup_find(basegroup_find):
+ 'Search the groups.'
+ container = container_rolegroup
+
+api.register(rolegroup_find)
+
+
+class rolegroup_show(basegroup_show):
+ 'Examine an existing rolegroup.'
+ default_attributes = display_attributes
+ container = container_rolegroup
+
+api.register(rolegroup_show)
+
+
+class rolegroup_add_member(basegroup_add_member):
+ 'Add a member to a rolegroup.'
+ container = container_rolegroup
+
+api.register(rolegroup_add_member)
+
+
+class rolegroup_remove_member(basegroup_remove_member):
+ 'Remove a member from a rolegroup.'
+ container = container_rolegroup
+
+api.register(rolegroup_remove_member)
diff --git a/tests/test_xmlrpc/test_rolegroup_plugin.py b/tests/test_xmlrpc/test_rolegroup_plugin.py
new file mode 100644
index 000000000..0912736cb
--- /dev/null
+++ b/tests/test_xmlrpc/test_rolegroup_plugin.py
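Review bot: `rolegroup_add` in ipalib/plugins/rolegroup.py is the only command class that does not set `container = container_rolegroup`; del, mod, find, show, add_member and remove_member all do. `basegroup_add` is defined outside this diff, so it cannot be confirmed here whether it takes the container from the registered `rolegroup` object or from its own attribute. If it is the latter, new role groups would land in the base class's default container instead of `cn=rolegroups,cn=accounts`, which matters for entries intended to carry permissions. Adding `container = container_rolegroup` under the docstring would make the class consistent with its siblings. Separately, the `rolegroup_find` docstring `'Search the groups.'` should name rolegroups, and `from ipalib.plugins.basegroup import *` hides which base classes the module relies on.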
@@ -0,0 +1,143 @@
+# Authors:
+# Rob Crittenden <rcritten@redhat.com>
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+"""
+Test the `ipalib/plugins/rolegroup` module.
+"""
+
+import sys
+from xmlrpc_test import XMLRPC_test
+from ipalib import api
+from ipalib import errors2
+
+
+class test_Rolegroup(XMLRPC_test):
+ """
+ Test the `rolegroup` plugin.
+ """
+ cn=u'testgroup'
+ description=u'Test role group'
+ kw={'cn': cn, 'description': description}
+
+ rolegroup_cn = u'ipatestgroup'
+ rolegroup_description = u'Test group for rolegroups'
+
+ def test_add(self):
+ """
+ Test the `xmlrpc.rolegroup_add` method.
+ """
+ res = api.Command['rolegroup_add'](**self.kw)
+ assert res
+ assert res.get('description','') == self.description
+ assert res.get('cn','') == self.cn
+
+ def test_addrolegroup(self):
+ """
+ Add a group to test add/remove member.
+ """
+ kw={'cn': self.rolegroup_cn, 'description': self.rolegroup_description}
+ res = api.Command['group_add'](**kw)
+ assert res
+ assert res.get('description','') == self.rolegroup_description
+ assert res.get('cn','') == self.rolegroup_cn
+
+ def test_addrolegroupmember(self):
+ """
+ Test the `xmlrpc.rolegroup_add_member` method.
+ """
+ kw={}
+ kw['groups'] = self.rolegroup_cn
+ res = api.Command['rolegroup_add_member'](self.cn, **kw)
+ assert res == tuple()
+
+ def test_doshow(self):
+ """
+ Test the `xmlrpc.rolegroup_show` method.
+ """
+ res = api.Command['rolegroup_show'](self.cn)
+ assert res
+ assert res.get('description','') == self.description
+ assert res.get('cn','') == self.cn
+ assert res.get('member','').startswith('cn=%s' % self.rolegroup_cn)
+
+ def test_find(self):
+ """
+ Test the `xmlrpc.rolegroup_find` method.
+ """
+ res = api.Command['rolegroup_find'](self.cn)
+ assert res
+ assert len(res) == 2, res
+ assert res[1].get('description','') == self.description
+ assert res[1].get('cn','') == self.cn
+ assert res[1].get('member','').startswith('cn=%s' % self.rolegroup_cn)
+
+ def test_mod(self):
+ """
+ Test the `xmlrpc.rolegroup_mod` method.
+ """
+ newdesc=u'Updated role group'
+ modkw={'cn': self.cn, 'description': newdesc}
+ res = api.Command['rolegroup_mod'](**modkw)
+ assert res
+ assert res.get('description','') == newdesc
+
+ # Ok, double-check that it was changed
+ res = api.Command['rolegroup_show'](self.cn)
+ assert res
+ assert res.get('description','') == newdesc
+ assert res.get('cn','') == self.cn
+
+ def test_member_remove(self):
+ """
+ Test the `xmlrpc.rolegroup_remove_member` method.
+ """
+ kw={}
+ kw['roles'] = self.rolegroup_cn
+ res = api.Command['rolegroup_remove_member'](self.cn, **kw)
+ assert res == tuple()
+
+ def test_remove(self):
+ """
+ Test the `xmlrpc.rolegroup_del` method.
+ """
+ res = api.Command['rolegroup_del'](self.cn)
+ assert res == True
+
+ # Verify that it is gone
+ try:
+ res = api.Command['rolegroup_show'](self.cn)
+ except errors2.NotFound:
+ pass
+ else:
+ assert False
+
+ def test_removerole(self):
+ """
+ Remove the group we created for member testing
+ """
+ res = api.Command['group_del'](self.rolegroup_cn)
+ assert res == True
+
+ # Verify that it is gone
+ try:
+ res = api.Command['group_show'](self.rolegroup_cn)
+ except errors2.NotFound:
+ pass
+ else:
+ assert False |
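Review bot: `test_member_remove` passes `kw['roles'] = self.rolegroup_cn`, but the member was added in `test_addrolegroupmember` with `kw['groups']` and the entry itself was created through `group_add`. The only check is `assert res == tuple()`; if the return value lists failed members, as the add test suggests, that assertion also holds when nothing was removed, so the removal path of a permission-bearing group goes unverified. Use `kw['groups'] = self.rolegroup_cn` and follow it with a `rolegroup_show` call asserting that the `member` value no longer starts with `'cn=%s' % self.rolegroup_cn`. The test methods also depend on running in definition order against shared server state, and `import sys` is unused.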