authorPetr Viktorin <pviktori@redhat.com>2014-01-06 15:51:20 +0100
committerPetr Viktorin <pviktori@redhat.com>2014-02-20 13:11:41 +0100
commite951f1841674fc57a867b9a36eea9d82ca31ad38 (patch)
tree8440123b7ee6e93d78af7aa4037ee6a8bc005c4d /ipatests/test_xmlrpc/test_old_permission_plugin.py
parent0824d12c95d840b1787743e8316b0bc0f7ba5284 (diff)
permissions: Use multivalued targetfilter
Change the target filter to be multivalued. Make the `type` option on permissions set the location and an (objectclass=...) targetfilter, instead of the location and target. Make changing or unsetting `type` remove only the existing (objectclass=...) targetfilters; similarly, make changing or unsetting `memberof` remove only the (memberof=...) targetfilters. Update tests. Part of the work for: https://fedorahosted.org/freeipa/ticket/4074 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests/test_xmlrpc/test_old_permission_plugin.py')
-rw-r--r--ipatests/test_xmlrpc/test_old_permission_plugin.py76
1 files changed, 39 insertions, 37 deletions
diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index a681ef31e..72c218208 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -155,7 +155,7 @@ class test_old_permission(Declarative):
permissions=[u'write'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -231,7 +231,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@@ -249,13 +249,16 @@ class test_old_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
- (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
- DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)),
+ 'aci': (u'(targetfilter = "(objectclass=posixaccount)")'+
+ u'(version 3.0;acl "permission:testperm";' +
+ u'allow (write) ' +
+ u'groupdn = "ldap:///%s";)' % DN(
+ ('cn', 'testperm'), ('cn', 'permissions'),
+ ('cn', 'pbac'), api.env.basedn)),
'ipapermright': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [users_dn],
},
),
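Review bot: The new expected `aci` value has no `target` clause, so nothing in the string itself limits where the rule applies; its reach now rests on the entry the ACI is attached to, which this expectation checks only through `'ipapermlocation': [users_dn]`. A short comment above the `'aci'` key would make that explicit, for example `# no target clause: scope comes from ipapermlocation; targetfilter narrows it to posixaccount entries`. It also looks like a posixaccount entry under users_dn whose RDN is not `uid` is now covered where the old `uid=*` target excluded it, which is worth confirming as intended. The enclosing expected dict starts and ends outside the hunk.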
@@ -279,7 +282,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -304,7 +307,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -341,7 +344,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -362,13 +365,12 @@ class test_old_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
- (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
- DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)),
+ 'aci': u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
+ DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn),
'ipapermright': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'ipapermtargetfilter': [u'(objectclass=posixaccount)'],
'ipapermlocation': [users_dn],
},
],
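Review bot: The expected ACI literal in this hunk is written as one long line with a backslash continuation, while the hunk at `@@ -249,13 +249,16 @@` spells the same value as `+`-joined fragments in which `%` binds only to the last fragment. Two spellings of one access-control string are easy to let drift apart; defining it once near the top of the module and using it in both expectations would keep them identical, e.g. `permission1_aci = u'(targetfilter = "(objectclass=posixaccount)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % permission1_dn`. `permission1_dn` is a placeholder name here, since the module's existing DN variables are outside the hunk.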
@@ -398,7 +400,7 @@ class test_old_permission(Declarative):
owner=[u'cn=test', u'cn=test2'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -422,7 +424,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
{
@@ -433,7 +435,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -517,7 +519,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -542,7 +544,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
{
@@ -553,7 +555,7 @@ class test_old_permission(Declarative):
'permissions': [u'write'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
+ 'filter': [u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
],
@@ -616,8 +618,8 @@ class test_old_permission(Declarative):
owner=[u'cn=other-test', u'cn=other-test2'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
- filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
+ filter=[u'memberOf=%s' % DN('cn=ipausers', groups_dn),
+ u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -640,8 +642,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
- 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
+ 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
+ u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@@ -687,8 +689,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
- 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
+ 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
+ u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@@ -715,8 +717,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
- 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
+ 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
+ u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@@ -743,8 +745,8 @@ class test_old_permission(Declarative):
'memberof': u'ipausers',
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'V2', u'SYSTEM'],
- 'ipapermtarget': [DN('uid=*', users_dn)],
- 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn)],
+ 'filter': [u'memberOf=%s' % DN('cn=ipausers', groups_dn),
+ u'objectclass=posixaccount'],
'subtree': u'ldap:///%s' % users_dn,
},
),
@@ -944,8 +946,8 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
- filter=[u'memberOf=%s' % DN('cn=editors', groups_dn)],
+ filter=[u'memberOf=%s' % DN('cn=editors', groups_dn),
+ u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -977,8 +979,8 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
- filter=[u'memberOf=%s' % DN('cn=admins', groups_dn)],
+ filter=[u'memberOf=%s' % DN('cn=admins', groups_dn),
+ u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -1002,7 +1004,7 @@ class test_old_permission(Declarative):
type=u'user',
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
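Review bot: This expectation covers a permission with `type=u'user'` and no memberOf value keeping `objectclass=posixaccount` in `filter`, but none of the visible hunks asserts the converse case the commit message describes, where `type` is changed or unset and an existing `(memberOf=...)` filter must survive. If that case is not exercised elsewhere in the file, a step that unsets `type` and expects `filter=[u'memberOf=%s' % DN('cn=admins', groups_dn)]` would guard against a filter being dropped silently and the permission widening. The enclosing test step starts and ends outside the hunk.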
@@ -1076,7 +1078,7 @@ class test_old_permission(Declarative):
attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -1099,7 +1101,7 @@ class test_old_permission(Declarative):
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),
@@ -1122,7 +1124,7 @@ class test_old_permission(Declarative):
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'V2', u'SYSTEM'],
- ipapermtarget=[DN('uid=*', users_dn)],
+ filter=[u'objectclass=posixaccount'],
subtree=u'ldap:///%s' % users_dn,
),
),