diff options
| author | Martin Kosek <mkosek@redhat.com> | 2012-06-27 13:10:10 +0200 |
|---|---|---|
| committer | Martin Kosek <mkosek@redhat.com> | 2012-06-28 15:21:21 +0200 |
| commit | 52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0 (patch) | |
| tree | b5c8661fbf84e32854184b6f378090849767489d /tests | |
| parent | 302d5afe8b16464a26fd9e477b06b71c3b215cf2 (diff) | |
| download | freeipa-52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0.tar.gz freeipa-52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0.tar.xz freeipa-52f69aaa8ab4d633bbeb96799bf96e8a715d0ae0.zip | |
Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.
Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute
Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.
2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
* dnszone-add-permission: Add per-zone permission
* dnszone-remove-permission: Remove per-zone permission
https://fedorahosted.org/freeipa/ticket/2511
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/test_xmlrpc/objectclasses.py | 11 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_dns_plugin.py | 115 |
2 files changed, 109 insertions, 17 deletions
diff --git a/tests/test_xmlrpc/objectclasses.py b/tests/test_xmlrpc/objectclasses.py index a036b34de..4bb2b3510 100644 --- a/tests/test_xmlrpc/objectclasses.py +++ b/tests/test_xmlrpc/objectclasses.py @@ -141,3 +141,14 @@ hbacrule = [ u'ipaassociation', u'ipahbacrule', ] + +dnszone = [ + u'top', + u'idnsrecord', + u'idnszone', +] + +dnsrecord = [ + u'top', + u'idnsrecord', +] diff --git a/tests/test_xmlrpc/test_dns_plugin.py b/tests/test_xmlrpc/test_dns_plugin.py index ab1d4f0be..d121b2f0f 100644 --- a/tests/test_xmlrpc/test_dns_plugin.py +++ b/tests/test_xmlrpc/test_dns_plugin.py @@ -31,6 +31,9 @@ dnszone1_dn = DN(('idnsname',dnszone1),('cn','dns'),api.env.basedn) dnszone1_mname = u'ns1.%s.' % dnszone1 dnszone1_mname_dn = DN(('idnsname','ns1'), dnszone1_dn) dnszone1_rname = u'root.%s.' % dnszone1 +dnszone1_permission = u'Manage DNS zone %s' % dnszone1 +dnszone1_permission_dn = DN(('cn',dnszone1_permission), + api.env.container_permission,api.env.basedn) dnszone2 = u'dnszone2.test' dnszone2_dn = DN(('idnsname',dnszone2),('cn','dns'),api.env.basedn) dnszone2_mname = u'ns1.%s.' % dnszone2 @@ -76,7 +79,8 @@ class test_dns(Declarative): 'idnsforwardpolicy' : None, 'idnsallowsyncptr' : None, 'idnszonerefresh' : None, - }) + }), + ('permission_del', [dnszone1_permission], {'force': True}), ] tests = [ @@ -151,7 +155,7 @@ class test_dns(Declarative): % dict(realm=api.env.realm)], 'idnsallowtransfer': [u'none;'], 'idnsallowquery': [u'any;'], - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, }, }, ), @@ -212,7 +216,7 @@ class test_dns(Declarative): % dict(realm=api.env.realm)], 'idnsallowtransfer': [u'none;'], 'idnsallowquery': [u'any;'], - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, }, }, ), @@ -305,7 +309,7 @@ class test_dns(Declarative): % dict(realm=api.env.realm, zone=revdnszone1)], 'idnsallowtransfer': [u'none;'], 'idnsallowquery': [u'any;'], - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, }, }, ), @@ -503,7 +507,7 @@ class test_dns(Declarative): 'result': { 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'arecord': [u'127.0.0.1'], }, }, @@ -548,7 +552,7 @@ class test_dns(Declarative): 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'127.0.0.1', u'10.10.0.1'], - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, }, }, ), @@ -626,7 +630,7 @@ class test_dns(Declarative): 'value': u'@', 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, 'dn': unicode(dnszone1_dn), 'idnsname': [u'@'], 'mxrecord': [u"0 %s" % dnszone1_mname], @@ -674,7 +678,7 @@ class test_dns(Declarative): 'value': u'_foo._tcp', 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(DN(('idnsname', u'_foo._tcp'), dnszone1_dn)), 'idnsname': [u'_foo._tcp'], 'srvrecord': [u"0 100 1234 %s" % dnszone1_mname], @@ -731,7 +735,7 @@ class test_dns(Declarative): 'value': u'@', 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, 'dn': unicode(dnszone1_dn), 'idnsname': [u'@'], 'mxrecord': [u"0 %s" % dnszone1_mname], @@ -756,7 +760,7 @@ class test_dns(Declarative): 'value': dnsres1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'10.10.0.1'], @@ -780,7 +784,7 @@ class test_dns(Declarative): 'value': dnsres1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'10.10.0.1'], @@ -797,7 +801,7 @@ class test_dns(Declarative): 'value': dnsres1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'10.10.0.1'], @@ -817,7 +821,7 @@ class test_dns(Declarative): 'value': dnsres1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'10.10.0.1'], @@ -849,7 +853,7 @@ class test_dns(Declarative): 'value': dnsres1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], 'arecord': [u'10.10.0.1'], @@ -943,7 +947,7 @@ class test_dns(Declarative): % dict(realm=api.env.realm, zone=revdnszone1)], 'idnsallowtransfer': [u'none;'], 'idnsallowquery': [u'any;'], - 'objectclass': [u'top', u'idnsrecord', u'idnszone'], + 'objectclass': objectclasses.dnszone, }, }, ), @@ -964,7 +968,7 @@ class test_dns(Declarative): 'value': dnsrev1, 'summary': None, 'result': { - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'dn': unicode(dnsrev1_dn), 'idnsname': [dnsrev1], 'ptrrecord': [u'foo-1.example.com.'], @@ -1072,7 +1076,7 @@ class test_dns(Declarative): 'result': { 'dn': unicode(dnsres1_dn), 'idnsname': [dnsres1], - 'objectclass': [u'top', u'idnsrecord'], + 'objectclass': objectclasses.dnsrecord, 'arecord': [u'80.142.15.81'], }, }, @@ -1095,6 +1099,83 @@ class test_dns(Declarative): dict( + desc='Try to add per-zone permission for unknown zone', + command=('dnszone_add_permission', [u'does.not.exist'], {}), + expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found') + ), + + + dict( + desc='Add per-zone permission for zone %r' % dnszone1, + command=( + 'dnszone_add_permission', [dnszone1], {} + ), + expected=dict( + result=True, + value=dnszone1_permission, + summary=u'Added system permission "%s"' % dnszone1_permission, + ), + ), + + + dict( + desc='Try to add duplicate per-zone permission for zone %r' % dnszone1, + command=( + 'dnszone_add_permission', [dnszone1], {} + ), + expected=errors.DuplicateEntry(message=u'permission with name ' + '"%s" already exists' % dnszone1_permission) + ), + + + dict( + desc='Make sure the permission was created %r' % dnszone1, + command=( + 'permission_show', [dnszone1_permission], {} + ), + expected=dict( + value=dnszone1_permission, + summary=None, + result={ + 'dn': lambda x: DN(x) == dnszone1_permission_dn, + 'cn': [dnszone1_permission], + 'ipapermissiontype': [u'SYSTEM'], + }, + ), + ), + + + dict( + desc='Try to remove per-zone permission for unknown zone', + command=('dnszone_remove_permission', [u'does.not.exist'], {}), + expected=errors.NotFound(reason=u'does.not.exist: DNS zone not found') + ), + + + dict( + desc='Remove per-zone permission for zone %r' % dnszone1, + command=( + 'dnszone_remove_permission', [dnszone1], {} + ), + expected=dict( + result=True, + value=dnszone1_permission, + summary=u'Removed system permission "%s"' % dnszone1_permission, + ), + ), + + + dict( + desc='Make sure the permission for zone %r was deleted' % dnszone1, + command=( + 'permission_show', [dnszone1_permission], {} + ), + expected=errors.NotFound(reason=u'%s: permission not found' + % dnszone1_permission) + ), + + + dict( desc='Delete zone %r' % dnszone1, command=('dnszone_del', [dnszone1], {}), expected={ |