diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-06-12 12:01:26 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-06-23 10:54:43 +0200 |
commit | ac8539bd344f2309f74efc6b42bddb3a925ff20f (patch) | |
tree | 42ff24c96d15c102699500d1fbef61d0a0f925ae /ipatests | |
parent | 02b5074d84ad42cb6ffc2abd7a84fbff62747470 (diff) | |
download | freeipa-ac8539bd344f2309f74efc6b42bddb3a925ff20f.tar.gz freeipa-ac8539bd344f2309f74efc6b42bddb3a925ff20f.tar.xz freeipa-ac8539bd344f2309f74efc6b42bddb3a925ff20f.zip |
Add posixgroup to groups' permission object filter
Private groups don't have the 'ipausergroup' objectclass.
Add posixgroup to the objectclass filters to make
"--type group" permissions apply to all groups.
https://fedorahosted.org/freeipa/ticket/4372
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 106 |
1 files changed, 102 insertions, 4 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index feffc2eb1..ed2032b33 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -102,6 +102,8 @@ etc_dn = DN('cn=etc', api.env.basedn) nonexistent_dn = DN('cn=does not exist', api.env.basedn) admin_dn = DN('uid=admin', users_dn) +group_filter = u'(|(objectclass=ipausergroup)(objectclass=posixgroup))' + def verify_permission_aci(name, dn, acistring): """Return test dict that verifies the ACI at the given location""" @@ -1927,7 +1929,7 @@ class test_permission_sync_attributes(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(targetfilter = "(objectclass=ipausergroup)")' + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -1962,7 +1964,103 @@ class test_permission_sync_attributes(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + - '(targetfilter = "(objectclass=ipausergroup)")' + '(targetfilter = "%s")' % group_filter + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Set extra targetfilter on %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + extratargetfilter=u'(cn=blabla)', + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'group'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermtarget=[DN('cn=editors', groups_dn)], + ipapermlocation=[groups_dn], + targetgroup=[u'editors'], + extratargetfilter=[u'(cn=blabla)'], + ), + ), + ), + + verify_permission_aci( + permission1, groups_dn, + '(targetattr = "sn")' + + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + + '(targetfilter = "(&(cn=blabla)%s)")' % group_filter + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Retrieve %r with --all' % permission1, + command=( + 'permission_show', [permission1], dict(all=True) + ), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'group'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermincludedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermtarget=[DN('cn=editors', groups_dn)], + ipapermlocation=[groups_dn], + targetgroup=[u'editors'], + extratargetfilter=[u'(cn=blabla)'], + ipapermtargetfilter=[u'(cn=blabla)', group_filter], + ), + ), + ), + + dict( + desc='Set type of %r back to user' % permission1, + command=( + 'permission_mod', [permission1], dict( + type=u'user', ipapermtarget=None, + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + ipapermright=[u'write'], + attrs=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + extratargetfilter=[u'(cn=blabla)'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "sn")' + + '(targetfilter = "(&(cn=blabla)(objectclass=posixaccount))")' + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2102,7 +2200,7 @@ class test_permission_sync_nice(Declarative): verify_permission_aci( permission1, groups_dn, '(targetattr = "sn")' + - '(targetfilter = "(objectclass=ipausergroup)")' + + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), @@ -2137,7 +2235,7 @@ class test_permission_sync_nice(Declarative): permission1, groups_dn, '(targetattr = "sn")' + '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) + - '(targetfilter = "(objectclass=ipausergroup)")' + + '(targetfilter = "%s")' % group_filter + '(version 3.0;acl "permission:%s";' % permission1 + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, ), |