Expand Referential Integrity checks

Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked objects is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data. Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links. As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. Thus, the following indexes are added: * manager (pres index only) * secretary (pres index only) * memberHost * memberUser * sourcehost * memberservice * managedby * memberallowcmd * memberdenycmd * ipasudorunas * ipasudorunasgroup Referential Integrity plugin is updated to enforce RI for all these attributes. Unit tests covering RI checks for all these attributes were added as well. Note: this update will only fix RI on one master as RI plugin does not check replicated operations. https://fedorahosted.org/freeipa/ticket/2866
author: Martin Kosek <mkosek@redhat.com> 2012-09-12 10:00:35 +0200
committer: Rob Crittenden <rcritten@redhat.com> 2012-09-16 17:59:27 -0400
commit: c0630950a170cc9c0fa68256ff606589641bc812 (patch)
tree: 734019961cacc670b5ebed080b9624a5e6299641 /tests/test_xmlrpc/test_sudorule_plugin.py
parent: 2ecfe571faf9291eab7ffacea2a1e94d5be0d689 (diff)
download: freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.gz
freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.xz
freeipa-c0630950a170cc9c0fa68256ff606589641bc812.zip
1 files changed, 41 insertions, 2 deletions
diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py
index f0e6cd34f..9b44065af 100644
--- a/tests/test_xmlrpc/test_sudorule_plugin.py
+++ b/tests/test_xmlrpc/test_sudorule_plugin.py
@@ -674,7 +674,7 @@ class test_sudorule(XMLRPC_test):
             api.Command['sudorule_mod'](self.rule_name, ipasudorunasusercategory=u'')
 
     @raises(errors.MutuallyExclusiveError)
-    def test_j_sudorule_exclusiverunas(self):
+    def test_j_1_sudorule_exclusiverunas(self):
         """
         Test setting ipasudorunasusercategory='all' in an Sudo rule when there are runas users
         """
@@ -684,7 +684,32 @@ class test_sudorule(XMLRPC_test):
         finally:
             api.Command['sudorule_remove_runasuser'](self.rule_name, user=self.test_command)
 
-    def test_k_sudorule_clear_testing_data(self):
+    def test_j_2_sudorule_referential_integrity(self):
+        """
+        Test adding various links to Sudo rule
+        """
+        api.Command['sudorule_add_user'](self.rule_name, user=self.test_user)
+        api.Command['sudorule_add_runasuser'](self.rule_name, user=self.test_runasuser,
+                                              group=self.test_group)
+        api.Command['sudorule_add_runasgroup'](self.rule_name, group=self.test_group)
+        api.Command['sudorule_add_host'](self.rule_name, host=self.test_host)
+        api.Command['sudorule_add_allow_command'](self.rule_name,
+                                                  sudocmd=self.test_command)
+        api.Command['sudorule_add_deny_command'](self.rule_name,
+                                                 sudocmdgroup=self.test_sudodenycmdgroup)
+        entry = api.Command['sudorule_show'](self.rule_name)['result']
+        assert_attr_equal(entry, 'cn', self.rule_name)
+        assert_attr_equal(entry, 'memberuser_user', self.test_user)
+        assert_attr_equal(entry, 'memberallowcmd_sudocmd', self.test_command)
+        assert_attr_equal(entry, 'memberdenycmd_sudocmdgroup',
+            self.test_sudodenycmdgroup)
+        assert_attr_equal(entry, 'memberhost_host', self.test_host)
+        assert_attr_equal(entry, 'ipasudorunas_user', self.test_runasuser)
+        assert_attr_equal(entry, 'ipasudorunas_group', self.test_group)
+        assert_attr_equal(entry, 'ipasudorunasgroup_group', self.test_group)
+
+
+    def test_k_1_sudorule_clear_testing_data(self):
         """
         Clear data for Sudo rule plugin testing.
         """
@@ -697,6 +722,20 @@ class test_sudorule(XMLRPC_test):
         api.Command['sudocmdgroup_del'](self.test_sudoallowcmdgroup)
         api.Command['sudocmdgroup_del'](self.test_sudodenycmdgroup)
 
+    def test_k_2_sudorule_referential_integrity(self):
+        """
+        Test that links in Sudo rule were removed by referential integrity plugin
+        """
+        entry = api.Command['sudorule_show'](self.rule_name)['result']
+        assert_attr_equal(entry, 'cn', self.rule_name)
+        assert 'memberuser_user' not in entry
+        assert 'memberallowcmd_sudocmd' not in entry
+        assert 'memberdenycmd_sudocmdgroup' not in entry
+        assert 'memberhost_host' not in entry
+        assert 'ipasudorunas_user' not in entry
+        assert 'ipasudorunas_group' not in entry
+        assert 'ipasudorunasgroup_group' not in entry
+
     def test_l_sudorule_order(self):
         """
         Test that order uniqueness is maintained
author	Martin Kosek <mkosek@redhat.com>	2012-09-12 10:00:35 +0200
committer	Rob Crittenden <rcritten@redhat.com>	2012-09-16 17:59:27 -0400
commit	c0630950a170cc9c0fa68256ff606589641bc812 (patch)
tree	734019961cacc670b5ebed080b9624a5e6299641 /tests/test_xmlrpc/test_sudorule_plugin.py
parent	2ecfe571faf9291eab7ffacea2a1e94d5be0d689 (diff)
download	freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.gz freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.xz freeipa-c0630950a170cc9c0fa68256ff606589641bc812.zip