diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-01-10 18:12:55 +0100 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-02-20 13:11:42 +0100 |
commit | 0f1e13761993cdc77a573a68686723fa816ce5a9 (patch) | |
tree | de5ed1fa9977b67487da79f0fee6050fdce2cd74 /ipatests | |
parent | 78b657b02d2918fb26e0969e096f7eb15dbf830c (diff) | |
download | freeipa-0f1e13761993cdc77a573a68686723fa816ce5a9.tar.gz freeipa-0f1e13761993cdc77a573a68686723fa816ce5a9.tar.xz freeipa-0f1e13761993cdc77a573a68686723fa816ce5a9.zip |
Add tests for multivalued filters
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 216 |
1 files changed, 216 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 69660d4d3..4903bfae3 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -3005,3 +3005,219 @@ class test_managed_permissions(Declarative): ), ), ] + + +class test_permission_filters(Declarative): + """Test multi-valued filters, type, memberof""" + cleanup_commands = [ + ('permission_del', [permission1], {'force': True}), + ] + + tests = [ + dict( + desc='Create %r with many filters' % permission1, + command=( + 'permission_add', [permission1], dict( + type=u'user', + memberof=u'ipausers', + ipapermright=u'write', + ipapermtargetfilter=[ + u'(objectclass=top)', + u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), + ] + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + memberof=[u'admins', u'ipausers'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtargetfilter=[ + u'(objectclass=posixaccount)', + u'(objectclass=top)', + u'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn), + u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), + ], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetfilter = "(&' + '(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn) + + '(memberof=%s)' % DN(('cn', 'admins'), groups_dn) + + '(objectclass=posixaccount)(objectclass=top)' + + ')")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Remove type from %r while setting other filters' % permission1, + command=( + 'permission_mod', [permission1], + dict( + type=None, + memberof=u'ipausers', + ipapermtargetfilter=[ + u'(objectclass=ipauser)', + u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), + ], + ), + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + memberof=[u'admins', u'ipausers'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[api.env.basedn], + ipapermtargetfilter=[ + u'(objectclass=ipauser)', + u'(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn), + u'(memberof=%s)' % DN(('cn', 'admins'), groups_dn), + ], + ), + ), + ), + + verify_permission_aci( + permission1, api.env.basedn, + '(targetfilter = "(&' + '(memberOf=%s)' % DN(('cn', 'ipausers'), groups_dn) + + '(memberof=%s)' % DN(('cn', 'admins'), groups_dn) + + '(objectclass=ipauser)' + + ')")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Remove memberof from %r while adding a filter' % permission1, + command=( + 'permission_mod', [permission1], + dict( + memberof=None, + addattr=u'ipapermtargetfilter=(cn=xyz)', + ), + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[api.env.basedn], + ipapermtargetfilter=[ + u'(cn=xyz)', + u'(objectclass=ipauser)', + ], + ), + ), + ), + + verify_permission_aci( + permission1, api.env.basedn, + '(targetfilter = "(&' + '(cn=xyz)' + + '(objectclass=ipauser)' + + ')")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Set memberof, type and filter on %r at once' % permission1, + command=( + 'permission_mod', [permission1], + dict( + type=u'user', + memberof=u'admins', + ipapermtargetfilter=u'(uid=abc)', + ), + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + memberof=[u'admins'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtargetfilter=[ + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), + u'(objectclass=posixaccount)', + u'(uid=abc)', + ], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetfilter = "(&' + u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn) + + '(objectclass=posixaccount)' + + '(uid=abc)' + + ')")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Remove memberof & type from %r at once' % permission1, + command=( + 'permission_mod', [permission1], + dict( + type=None, + memberof=None, + ), + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[api.env.basedn], + ipapermtargetfilter=[ + u'(uid=abc)', + ], + ), + ), + ), + + verify_permission_aci( + permission1, api.env.basedn, + '(targetfilter = "(uid=abc)")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + ] |