author | Petr Viktorin <pviktori@redhat.com> | 2014-03-07 16:29:47 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2014-03-14 10:14:05 +0100 |
commit | 64cc4d81cce2143f13b9ddad946473d58bc42b36 (patch) | |
tree | 53ed3b455174b413938626a91ae742f611be7818 /ipatests/test_xmlrpc | |
parent | 9f1c3d06bdb2f6bc0df5749bb994bc2ba9b630f9 (diff) | |
permission plugin: Do not change extra target filters by "views"
Previously, setting/deleting the "--type" virtual attribute removed
all (objectclass=...) target filters.
Change so that only the filter associated with --type is removed.
The same change applies to --memberof: only filters associated
with the option are removed when --memberof is (un-)set.
Follow-up to https://fedorahosted.org/freeipa/ticket/4216
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests/test_xmlrpc')
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 165 |
1 files changed, 165 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index e9a892675..678f9f918 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -2424,6 +2424,171 @@ class test_permission_targetfilter(Declarative): ) ] + [
+ dict(
+ desc='Set extra objectclass filter on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
+ all=True,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ attrs=[u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ memberof=[u'admins'],
+ extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
+ ipapermtargetfilter=[
+ u'(cn=*)',
+ u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
+ u'(objectclass=posixaccount)',
+ u'(objectclass=top)'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(&' +
+ '(cn=*)' +
+ '(memberOf=%s)' % DN('cn=admins', groups_dn) +
+ '(objectclass=posixaccount)' +
+ '(objectclass=top)' +
+ ')")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
+ ),
+
+ dict(
+ desc='Unset type on %r to verify extra objectclass filter stays' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=None,
+ all=True,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ attrs=[u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
+ memberof=[u'admins'],
+ extratargetfilter=[u'(cn=*)', u'(objectclass=top)'],
+ ipapermtargetfilter=[
+ u'(cn=*)',
+ u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
+ u'(objectclass=top)'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(&' +
+ '(cn=*)' +
+ '(memberOf=%s)' % DN('cn=admins', groups_dn) +
+ '(objectclass=top)' +
+ ')")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
+ ),
+
+ dict(
+ desc='Set wildcard memberof filter on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ extratargetfilter=u'(memberof=*)',
+ all=True,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ attrs=[u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
+ memberof=[u'admins'],
+ extratargetfilter=[u'(memberof=*)'],
+ ipapermtargetfilter=[
+ u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn),
+ u'(memberof=*)'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(&' +
+ '(memberOf=%s)' % DN('cn=admins', groups_dn) +
+ '(memberof=*)' +
+ ')")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
+ ),
+
+ dict(
+ desc='Remove --memberof on %r to verify wildcard is still there' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ memberof=[],
+ all=True,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ attrs=[u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
+ extratargetfilter=[u'(memberof=*)'],
+ ipapermtargetfilter=[u'(memberof=*)'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberof=*)")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn
+ ),
+ ] |
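Review bot: The new cases only use extra filters that differ textually from the one --type or --memberof generates (`(objectclass=top)` next to `(objectclass=posixaccount)`, `(memberof=*)` next to the admins memberOf filter), so they do not pin the overlap the commit message describes: an extra filter byte-equal to the generated one, e.g. `extratargetfilter=[u'(objectclass=posixaccount)']` while `type=[u'user']`, followed by `type=None`, and the analogue with an explicit `u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn)` before `memberof=[]`. Adding those two cases would show whether the user-supplied copy survives unsetting the option; this matters for the ACI because a filter that silently disappears widens the set of entries the permission grants `write` on. The existing `verify_permission_aci` assertions already check the rendered ACI string, so the same shape can be reused for the new cases. The tests list that this hunk extends starts outside the hunk.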