authorRob Crittenden <rcritten@redhat.com>2012-01-13 11:34:04 -0500
committerMartin Kosek <mkosek@redhat.com>2012-01-18 10:02:50 +0100
commit2c1f21a14bf9d47ab484d13f5947a059ccc1d041 (patch)
tree39c8ab3f1477d4b6df916bf25eef080483526a11 /tests/test_xmlrpc/test_sudorule_plugin.py
parentc9c72d1b1a48a0c34afc1c4d0ca9aa842d537c9e (diff)
In sudo when the category is all do not allow members, and vice versa.
This is what we already do in the HBAC plugin; this ports it to Sudo. If a category (user, host, etc) is u'all' then we don't allow individual members to be added. Conversely, if there are members we don't allow the category to be set to u'all'. https://fedorahosted.org/freeipa/ticket/1440
Diffstat (limited to 'tests/test_xmlrpc/test_sudorule_plugin.py')
-rw-r--r--tests/test_xmlrpc/test_sudorule_plugin.py98
1 files changed, 95 insertions, 3 deletions
diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py
index 88e31c72c..07d23c3d2 100644
--- a/tests/test_xmlrpc/test_sudorule_plugin.py
+++ b/tests/test_xmlrpc/test_sudorule_plugin.py
@@ -47,7 +47,7 @@ class test_sudorule(XMLRPC_test):
test_denycommand = u'/usr/bin/testdenysudocmd1'
test_runasuser = u'manager'
test_runasgroup = u'manager'
- test_catagory = u'all'
+ test_category = u'all'
test_option = u'authenticate'
def test_0_sudorule_add(self):
@@ -520,7 +520,99 @@ class test_sudorule(XMLRPC_test):
assert 'memberdenycmd_sudocmd' not in entry
assert 'memberdenycmd_sudocmdgroup' not in entry
- def test_c_sudorule_clear_testing_data(self):
+ def test_c_sudorule_exclusiveuser(self):
+ """
+ Test adding a user to an Sudo rule when usercat='all'
+ """
+ api.Command['sudorule_mod'](self.rule_name, usercategory=u'all')
+ try:
+ api.Command['sudorule_add_user'](self.rule_name, users='admin')
+ except errors.MutuallyExclusiveError:
+ pass
+ api.Command['sudorule_mod'](self.rule_name, usercategory=u'')
+
+ def test_d_sudorule_exclusiveuser(self):
+ """
+ Test setting usercat='all' in an Sudo rule when there are users
+ """
+ api.Command['sudorule_add_user'](self.rule_name, users='admin')
+ try:
+ api.Command['sudorule_mod'](self.rule_name, usercategory=u'all')
+ except errors.MutuallyExclusiveError:
+ pass
+ finally:
+ api.Command['sudorule_remove_user'](self.rule_name, users='admin')
+
+ def test_e_sudorule_exclusivehost(self):
+ """
+ Test adding a host to an Sudo rule when hostcat='all'
+ """
+ api.Command['sudorule_mod'](self.rule_name, hostcategory=u'all')
+ try:
+ api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
+ except errors.MutuallyExclusiveError:
+ pass
+ api.Command['sudorule_mod'](self.rule_name, hostcategory=u'')
+
+ def test_f_sudorule_exclusivehost(self):
+ """
+ Test setting hostcat='all' in an Sudo rule when there are hosts
+ """
+ api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
+ try:
+ api.Command['sudorule_mod'](self.rule_name, hostcategory=u'all')
+ except errors.MutuallyExclusiveError:
+ pass
+ finally:
+ api.Command['sudorule_remove_host'](self.rule_name, host=self.test_host)
+
+ def test_g_sudorule_exclusivecommand(self):
+ """
+ Test adding a command to an Sudo rule when cmdcategory='all'
+ """
+ api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'all')
+ try:
+ api.Command['sudorule_add_allow_command'](self.rule_name, sudocmd=self.test_command)
+ except errors.MutuallyExclusiveError:
+ pass
+ api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'')
+
+ def test_h_sudorule_exclusivecommand(self):
+ """
+ Test setting cmdcategory='all' in an Sudo rule when there are commands
+ """
+ api.Command['sudorule_add_allow_command'](self.rule_name, sudocmd=self.test_command)
+ try:
+ api.Command['sudorule_mod'](self.rule_name, cmdcategory=u'all')
+ except errors.MutuallyExclusiveError:
+ pass
+ finally:
+ api.Command['sudorule_remove_allow_command'](self.rule_name, sudocmd=self.test_command)
+
+ def test_i_sudorule_exclusiverunas(self):
+ """
+ Test adding a runasuser to an Sudo rule when ipasudorunasusercategory='all'
+ """
+ api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'all')
+ try:
+ api.Command['sudorule_add_runasuser'](self.rule_name, sudocmd=self.test_user)
+ except errors.MutuallyExclusiveError:
+ pass
+ api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'')
+
+ def test_j_sudorule_exclusiverunas(self):
+ """
+ Test setting ipasudorunasusercategory='all' in an Sudo rule when there are runas users
+ """
+ api.Command['sudorule_add_runasuser'](self.rule_name, user=self.test_user)
+ try:
+ api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'all')
+ except errors.MutuallyExclusiveError:
+ pass
+ finally:
+ api.Command['sudorule_remove_runasuser'](self.rule_name, user=self.test_command)
+
+ def test_k_sudorule_clear_testing_data(self):
"""
Clear data for Sudo rule plugin testing.
"""
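Review bot: Each of the new exclusivity tests (test_c through test_j) swallows `errors.MutuallyExclusiveError` with `except ...: pass` but has no branch for the case where the call succeeds, so they still pass if the server stops rejecting the conflicting change; add `else: assert False, 'MutuallyExclusiveError was not raised'` after each `except`. In test_i the `sudorule_add_runasuser` call passes `sudocmd=self.test_user` where test_j uses `user=self.test_user`, and test_j's `finally` removes `user=self.test_command`, which looks like it leaves the runas user on the rule; both should probably read `user=self.test_user`. test_c and test_d pass `users='admin'` while the other calls use singular option names (`host=`, `user=`), so that keyword should be checked against the plugin. In test_c, test_e, test_g and test_i the reset of the category to `u''` sits outside any `finally`, so an unexpected error would leave the rule with category `all` for the later tests. The body of test_k_sudorule_clear_testing_data continues outside the hunk.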
@@ -534,7 +626,7 @@ class test_sudorule(XMLRPC_test):
api.Command['sudocmdgroup_del'](self.test_sudodenycmdgroup)
- def test_f_sudorule_del(self):
+ def test_l_sudorule_del(self):
"""
Test deleting a Sudo rule using `xmlrpc.sudorule_del`.
"""