Defer conversion and validation until after --{add,del,set}attr are handled

--addattr & friends that modified attributes known to Python sometimes
used converted and validated Python values instead of LDAP strings.
This caused a problem for --delattr, which searched for a converted
integer in a list of raw strings (ticket 2407).
With this patch we work on raw strings, converting only when done.

Deferring validation ensures the end result is valid, so proper errors
are raised instead of failing later (ticket 2405).

Tests included.

Replaces previous fix for:
https://fedorahosted.org/freeipa/ticket/2418

Fixes:
https://fedorahosted.org/freeipa/ticket/2405
https://fedorahosted.org/freeipa/ticket/2407
https://fedorahosted.org/freeipa/ticket/2408

1 files changed, 113 insertions, 0 deletions

diff --git a/tests/test_xmlrpc/test_attr.py b/tests/test_xmlrpc/test_attr.py
index ef239709d..e6872a67a 100644
--- a/tests/test_xmlrpc/test_attr.py
+++ b/tests/test_xmlrpc/test_attr.py
@@ -402,4 +402,117 @@ class test_attr(Declarative):
             ),
         ),
 
+        dict(
+            desc='Lock %r using setattr' % user1,
+            command=(
+                'user_mod', [user1], dict(setattr=u'nsaccountlock=TrUe')
+            ),
+            expected=dict(
+                result=dict(
+                    givenname=[u'Finkle'],
+                    homedirectory=[u'/home/tuser1'],
+                    loginshell=[u'/bin/sh'],
+                    sn=[u'User1'],
+                    uid=[user1],
+                    uidnumber=[fuzzy_digits],
+                    gidnumber=[fuzzy_digits],
+                    mail=[u'test@example.com', u'test2@example.com'],
+                    memberof_group=[u'ipausers'],
+                    telephonenumber=[u'202-888-9833'],
+                    nsaccountlock=True,
+                    has_keytab=False,
+                    has_password=False,
+                ),
+                summary=u'Modified user "tuser1"',
+                value=user1,
+            ),
+        ),
+
+        dict(
+            desc='Unlock %r using addattr&delattr' % user1,
+            command=(
+                'user_mod', [user1], dict(
+                    addattr=u'nsaccountlock=FaLsE',
+                    delattr=u'nsaccountlock=True')
+            ),
+            expected=dict(
+                result=dict(
+                    givenname=[u'Finkle'],
+                    homedirectory=[u'/home/tuser1'],
+                    loginshell=[u'/bin/sh'],
+                    sn=[u'User1'],
+                    uid=[user1],
+                    uidnumber=[fuzzy_digits],
+                    gidnumber=[fuzzy_digits],
+                    mail=[u'test@example.com', u'test2@example.com'],
+                    memberof_group=[u'ipausers'],
+                    telephonenumber=[u'202-888-9833'],
+                    nsaccountlock=False,
+                    has_keytab=False,
+                    has_password=False,
+                ),
+                summary=u'Modified user "tuser1"',
+                value=user1,
+            ),
+        ),
+
+        dict(
+            desc='Try adding a new group search fields config entry',
+            command=(
+                'config_mod', [], dict(addattr=u'ipagroupsearchfields=newattr')
+            ),
+            expected=errors.OnlyOneValueAllowed(attr='ipagroupsearchfields'),
+        ),
+
+        dict(
+            desc='Try adding a new cert subject base config entry',
+            command=(
+                'config_mod', [], dict(addattr=u'ipacertificatesubjectbase=0=DOMAIN.COM')
+            ),
+            expected=errors.OnlyOneValueAllowed(attr='ipacertificatesubjectbase'),
+        ),
+
+        dict(
+            desc='Try deleting a required config entry',
+            command=(
+                'config_mod', [], dict(delattr=u'ipasearchrecordslimit=100')
+            ),
+            expected=errors.RequirementError(name='ipasearchrecordslimit'),
+        ),
+
+        dict(
+            desc='Try setting nonexistent attribute',
+            command=('config_mod', [], dict(setattr=u'invalid_attr=false')),
+            expected=errors.ObjectclassViolation(
+                info='attribute "invalid_attr" not allowed'),
+        ),
+
+        dict(
+            desc='Try setting out-of-range krbpwdmaxfailure',
+            command=('pwpolicy_mod', [], dict(setattr=u'krbpwdmaxfailure=-1')),
+            expected=errors.ValidationError(name='krbpwdmaxfailure',
+                error='must be at least 0'),
+        ),
+
+        dict(
+            desc='Try setting out-of-range maxfail',
+            command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'-1')),
+            expected=errors.ValidationError(name='maxfail',
+                error='must be at least 0'),
+        ),
+
+        dict(
+            desc='Try setting non-numeric krbpwdmaxfailure',
+            command=('pwpolicy_mod', [], dict(setattr=u'krbpwdmaxfailure=abc')),
+            expected=errors.ConversionError(name='krbpwdmaxfailure',
+                error='must be an integer'),
+        ),
+
+        dict(
+            desc='Try setting non-numeric maxfail',
+            command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'abc')),
+            expected=errors.ConversionError(name='maxfail',
+                error='must be an integer'),
+        ),
+
     ]