authorPetr Viktorin <pviktori@redhat.com>2014-03-26 17:11:23 +0100
committerMartin Kosek <mkosek@redhat.com>2014-04-16 16:10:43 +0200
commitb53f2d28fdc64a99c16b6e9434911da0058c9f58 (patch)
tree99246fddf88c45774e9eccbcf9d8ab91187dcf57 /ipatests
parent6b0c6bf34435859a21936ad69d3eb984c27f9d8d (diff)
Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different subtrees: global policy in cn=kerberos and per-user policy in cn=users,cn=accounts. Add two permissions, one for each location. Also, modify tests so that adding new permissions in cn=users doesn't cause failures. Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipatests')
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py39
1 files changed, 36 insertions, 3 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index d593dd986..54e8d57dd 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -100,6 +100,7 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
etc_dn = DN('cn=etc', api.env.basedn)
nonexistent_dn = DN('cn=does not exist', api.env.basedn)
+admin_dn = DN('uid=admin', users_dn)
def verify_permission_aci(name, dn, acistring):
@@ -1117,9 +1118,42 @@ class test_permission(Declarative):
),
dict(
+ desc='Change subtree of %r to admin' % permission1_renamed_ucase,
+ command=(
+ 'permission_mod', [permission1_renamed_ucase],
+ dict(ipapermlocation=admin_dn)
+ ),
+ expected=dict(
+ value=permission1_renamed_ucase,
+ summary=u'Modified permission "%s"' % permission1_renamed_ucase,
+ result=dict(
+ dn=permission1_renamed_ucase_dn,
+ cn=[permission1_renamed_ucase],
+ objectclass=objectclasses.permission,
+ member_privilege=[privilege1],
+ ipapermlocation=[admin_dn],
+ ipapermright=[u'write'],
+ memberof=[u'ipausers'],
+ attrs=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, admin_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
+ dict(
desc='Search for %r using --subtree' % permission1_renamed_ucase,
command=('permission_find', [],
- {'ipapermlocation': u'ldap:///%s' % users_dn}),
+ {'ipapermlocation': u'ldap:///%s' % admin_dn}),
expected=dict(
count=1,
truncated=False,
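Review bot: The new "Change subtree ... to admin" step confirms the ACI now exists on `admin_dn`, but nothing in the hunk asserts that the earlier ACI was removed from `users_dn`. A move that leaves the old ACI behind would keep granting write on `sn` across the whole users container while this test still passes. A check that no `permission:` ACI for `permission1_renamed_ucase` remains on `users_dn` belongs right after the `verify_permission_aci(...)` entry. The following `permission_find` with `count=1` also still relies on no other permission being located at `uid=admin`; a comment such as `# admin_dn: a single entry that managed permissions are not expected to target` would record that assumption. The test list continues outside the hunk, so later steps that may still expect the location to be `users_dn` are not visible here.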
@@ -1130,13 +1164,12 @@ class test_permission(Declarative):
'cn':[permission1_renamed_ucase],
'objectclass': objectclasses.permission,
'member_privilege':[privilege1],
- 'ipapermlocation': [users_dn],
+ 'ipapermlocation': [admin_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
- 'ipapermlocation': [users_dn],
},
],
),
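Review bot: The expected entry here is still a `{...}` literal with string keys, where a repeated key such as the removed second `'ipapermlocation'` silently overrides the first, so the same mistake can recur. Writing it as `dict(cn=[permission1_renamed_ucase], ipapermlocation=[admin_dn], ...)`, in the style of the `result=dict(` block added earlier in this commit, turns a repeated key into a SyntaxError at import time. The dict opens above the hunk, so its first entries are not visible here.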