Add trusconfig-show and trustconfig-mod commands

Global trust configuration is generated ipa-adtrust-install script
is run. Add convenience commands to show auto-generated options
like SID or GUID or options chosen by user (NetBIOS). Most of these
options are not modifiable via trustconfig-mod command as it would
break current trusts.

Unit test file covering these new commands was added.

https://fedorahosted.org/freeipa/ticket/3333

2 files changed, 169 insertions, 0 deletions

diff --git a/tests/test_xmlrpc/test_trust_plugin.py b/tests/test_xmlrpc/test_trust_plugin.py
new file mode 100644
index 000000000..7627be748
--- /dev/null
+++ b/tests/test_xmlrpc/test_trust_plugin.py
@@ -0,0 +1,159 @@
+# Authors:
+#   Martin Kosek <mkosek@redhat.com>
+#
+# Copyright (C) 2010  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+"""
+Test the `ipalib/plugins/trust.py` module.
+"""
+
+import nose
+from ipalib import api, errors
+from ipapython.dn import DN
+from tests.test_xmlrpc import objectclasses
+from xmlrpc_test import (Declarative, fuzzy_guid, fuzzy_domain_sid, fuzzy_string,
+        fuzzy_uuid, fuzzy_digits)
+
+
+trustconfig_ad_config = DN(('cn', api.env.domain),
+        api.env.container_cifsdomains, api.env.basedn)
+testgroup = u'adtestgroup'
+testgroup_dn = DN(('cn', testgroup), api.env.container_group, api.env.basedn)
+
+default_group = u'Default SMB Group'
+default_group_dn = DN(('cn', default_group), api.env.container_group, api.env.basedn)
+
+class test_trustconfig(Declarative):
+
+    @classmethod
+    def setUpClass(cls):
+        super(test_trustconfig, cls).setUpClass()
+        if not api.Backend.xmlclient.isconnected():
+            api.Backend.xmlclient.connect(fallback=False)
+        try:
+           api.Command['trustconfig_show'](trust_type=u'ad')
+        except errors.NotFound:
+            raise nose.SkipTest('Trusts are not configured')
+
+    cleanup_commands = [
+        ('group_del', [testgroup], {}),
+        ('trustconfig_mod', [], {'trust_type': u'ad',
+            'ipantfallbackprimarygroup': default_group}),
+    ]
+
+    tests = [
+
+        dict(
+            desc='Retrieve trust configuration for AD domains',
+            command=('trustconfig_show', [], {'trust_type': u'ad'}),
+            expected={
+                'value': u'ad',
+                'summary': None,
+                'result': {
+                    'dn': trustconfig_ad_config,
+                    'cn': [api.env.domain],
+                    'ipantdomainguid': [fuzzy_guid],
+                    'ipantfallbackprimarygroup': [default_group],
+                    'ipantflatname': [fuzzy_string],
+                    'ipantsecurityidentifier': [fuzzy_domain_sid]
+                },
+            },
+        ),
+
+        dict(
+            desc='Retrieve trust configuration for AD domains with --raw',
+            command=('trustconfig_show', [], {'trust_type': u'ad', 'raw': True}),
+            expected={
+                'value': u'ad',
+                'summary': None,
+                'result': {
+                    'dn': trustconfig_ad_config,
+                    'cn': [api.env.domain],
+                    'ipantdomainguid': [fuzzy_guid],
+                    'ipantfallbackprimarygroup': [default_group_dn],
+                    'ipantflatname': [fuzzy_string],
+                    'ipantsecurityidentifier': [fuzzy_domain_sid]
+                },
+            },
+        ),
+
+        dict(
+            desc='Create auxiliary group %r' % testgroup,
+            command=(
+                'group_add', [testgroup], dict(description=u'Test group')
+            ),
+            expected=dict(
+                value=testgroup,
+                summary=u'Added group "%s"' % testgroup,
+                result=dict(
+                    cn=[testgroup],
+                    description=[u'Test group'],
+                    gidnumber=[fuzzy_digits],
+                    objectclass=objectclasses.group + [u'posixgroup'],
+                    ipauniqueid=[fuzzy_uuid],
+                    dn=testgroup_dn,
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Try to change primary fallback group to nonexistent group',
+            command=('trustconfig_mod', [],
+                {'trust_type': u'ad', 'ipantfallbackprimarygroup': u'doesnotexist'}),
+            expected=errors.NotFound(reason=u'%s: group not found' % 'doesnotexist')
+        ),
+
+        dict(
+            desc='Try to change primary fallback group to nonexistent group DN',
+            command=('trustconfig_mod', [], {'trust_type': u'ad',
+                'ipantfallbackprimarygroup': u'cn=doesnotexist,dc=test'}),
+            expected=errors.NotFound(reason=u'%s: group not found' % 'cn=doesnotexist,dc=test')
+        ),
+
+        dict(
+            desc='Change primary fallback group to "%s"' % testgroup,
+            command=('trustconfig_mod', [], {'trust_type': u'ad',
+                'ipantfallbackprimarygroup': testgroup}),
+            expected={
+                'value': u'ad',
+                'summary': u'Modified "ad" trust configuration',
+                'result': {
+                    'cn': [api.env.domain],
+                    'ipantdomainguid': [fuzzy_guid],
+                    'ipantfallbackprimarygroup': [testgroup],
+                    'ipantflatname': [fuzzy_string],
+                    'ipantsecurityidentifier': [fuzzy_domain_sid]
+                },
+            },
+        ),
+
+        dict(
+            desc='Change primary fallback group back to "%s" using DN' % default_group,
+            command=('trustconfig_mod', [], {'trust_type': u'ad',
+                 'ipantfallbackprimarygroup': unicode(default_group_dn)}),
+            expected={
+                'value': u'ad',
+                'summary': u'Modified "ad" trust configuration',
+                'result': {
+                    'cn': [api.env.domain],
+                    'ipantdomainguid': [fuzzy_guid],
+                    'ipantfallbackprimarygroup': [default_group],
+                    'ipantflatname': [fuzzy_string],
+                    'ipantsecurityidentifier': [fuzzy_domain_sid]
+                },
+            },
+        ),
+    ]
diff --git a/tests/test_xmlrpc/xmlrpc_test.py b/tests/test_xmlrpc/xmlrpc_test.py
index 7c32be0db..610fa97c5 100644
--- a/tests/test_xmlrpc/xmlrpc_test.py
+++ b/tests/test_xmlrpc/xmlrpc_test.py
@@ -40,6 +40,16 @@ fuzzy_uuid = Fuzzy(
     '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
 )
 
+# Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb'
+fuzzy_guid = fuzzy_uuid
+
+# Matches SID of a trusted domain
+# SID syntax: http://msdn.microsoft.com/en-us/library/ff632068.aspx
+_sid_identifier_authority = '(0x[0-9a-f]{1,12}|[0-9]{1,10})'
+fuzzy_domain_sid = Fuzzy(
+    '^S-1-5-21-%(idauth)s-%(idauth)s-%(idauth)s$' % dict(idauth=_sid_identifier_authority)
+)
+
 # Matches netgroup dn. Note (?i) at the beginning of the regexp is the ingnore case flag
 fuzzy_netgroupdn = Fuzzy(
     '(?i)ipauniqueid=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12},cn=ng,cn=alt,%s' % api.env.basedn