author | Petr Viktorin <pviktori@redhat.com> | 2014-03-26 17:11:23 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-04-16 16:10:43 +0200 |
commit | b53f2d28fdc64a99c16b6e9434911da0058c9f58 (patch) | |
tree | 99246fddf88c45774e9eccbcf9d8ab91187dcf57 /ipatests | |
parent | 6b0c6bf34435859a21936ad69d3eb984c27f9d8d (diff) | |
Add managed read permissions to krbtpolicy
Unlike other objects, the ticket policy is stored in different
subtrees: global policy in cn=kerberos and per-user policy in
cn=users,cn=accounts.
Add two permissions, one for each location.
Also, modify tests so that adding new permissions in cn=users
doesn't cause failures.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Diffstat (limited to 'ipatests')
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index d593dd986..54e8d57dd 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -100,6 +100,7 @@ users_dn = DN(api.env.container_user, api.env.basedn)
 groups_dn = DN(api.env.container_group, api.env.basedn)
 etc_dn = DN('cn=etc', api.env.basedn)
 nonexistent_dn = DN('cn=does not exist', api.env.basedn)
+admin_dn = DN('uid=admin', users_dn)
 
 
 def verify_permission_aci(name, dn, acistring):
@@ -1117,9 +1118,42 @@ class test_permission(Declarative):
 ),
 
 dict(
+ desc='Change subtree of %r to admin' % permission1_renamed_ucase,
+ command=(
+ 'permission_mod', [permission1_renamed_ucase],
+ dict(ipapermlocation=admin_dn)
+ ),
+ expected=dict(
+ value=permission1_renamed_ucase,
+ summary=u'Modified permission "%s"' % permission1_renamed_ucase,
+ result=dict(
+ dn=permission1_renamed_ucase_dn,
+ cn=[permission1_renamed_ucase],
+ objectclass=objectclasses.permission,
+ member_privilege=[privilege1],
+ ipapermlocation=[admin_dn],
+ ipapermright=[u'write'],
+ memberof=[u'ipausers'],
+ attrs=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, admin_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
+ dict(
 desc='Search for %r using --subtree' % permission1_renamed_ucase,
 command=('permission_find', [],
- {'ipapermlocation': u'ldap:///%s' % users_dn}),
+ {'ipapermlocation': u'ldap:///%s' % admin_dn}),
 expected=dict(
 count=1,
 truncated=False,
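Review bot: The new 'Change subtree of ... to admin' step in the second hunk carries no comment explaining why the permission is moved under `admin_dn`. The reason given in the commit message (managed permissions added in cn=users must not cause failures) is therefore invisible in the test itself. I would add above the new `dict(`: `# Move the permission under uid=admin so the --subtree search below is not matched by managed permissions located in cn=users.` The search that follows still asserts an exact `count=1`, so it presumably relies on no other permission using uid=admin as its location, which is worth stating in the same comment. The enclosing test list of `test_permission` starts and ends outside the hunk.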
@@ -1130,13 +1164,12 @@ class test_permission(Declarative):
 'cn':[permission1_renamed_ucase],
 'objectclass': objectclasses.permission,
 'member_privilege':[privilege1],
- 'ipapermlocation': [users_dn],
+ 'ipapermlocation': [admin_dn],
 'ipapermright':[u'write'],
 'memberof':[u'ipausers'],
 'attrs': [u'sn'],
 'ipapermbindruletype': [u'permission'],
 'ipapermissiontype': [u'SYSTEM', u'V2'],
- 'ipapermlocation': [users_dn],
 },
 ],
 ), |