diff options
-rw-r--r-- | API.txt | 14 | ||||
-rw-r--r-- | VERSION | 3 | ||||
-rw-r--r-- | install/share/60basev3.ldif | 4 | ||||
-rw-r--r-- | ipalib/parameters.py | 2 | ||||
-rw-r--r-- | ipalib/plugins/permission.py | 144 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_old_permission_plugin.py | 5 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 696 |
7 files changed, 780 insertions, 88 deletions
@@ -2322,13 +2322,12 @@ output: Output('result', <type 'bool'>, None) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: permission_add -args: 1,19,3 +args: 1,18,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, cli_name='attrs', multivalue=True, required=False) option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False) -option: Str('ipapermallowedattr', attribute=True, cli_name='attrs', multivalue=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous')) option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False) option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) @@ -2378,14 +2377,16 @@ output: Output('result', <type 'dict'>, None) output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('value', <type 'unicode'>, None) command: permission_find -args: 1,21,4 +args: 1,23,4 arg: Str('criteria?', noextrawhitespace=False) option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False) option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False) option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False) -option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous')) +option: Str('ipapermdefaultattr', attribute=True, autofill=False, cli_name='defaultattrs', multivalue=True, query=True, required=False) +option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, query=True, required=False) +option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, query=True, required=False) option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False) option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False) @@ -2406,15 +2407,16 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None) output: Output('truncated', <type 'bool'>, None) command: permission_mod -args: 1,22,3 +args: 1,23,3 arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True) option: Str('addattr*', cli_name='addattr', exclude='webui') option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui') option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False) option: Str('delattr*', cli_name='delattr', exclude='webui') option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, required=False) -option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, required=False) option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, required=False, values=(u'permission', u'all', u'anonymous')) +option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, required=False) +option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, required=False) option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False) option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all')) option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False) @@ -89,4 +89,5 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=72 +IPA_API_VERSION_MINOR=73 +# Last change: pviktori - Managed permissions diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif index 331e9d291..d7cd390d2 100644 --- a/install/share/60basev3.ldif +++ b/install/share/60basev3.ldif @@ -39,7 +39,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DE attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3') attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.42 NAME 'ipaPermDefaultAttr' DESC 'IPA permission default attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) -attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermAllowedAttr' DESC 'IPA permission explicitly allowed attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) +attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermIncludedAttr' DESC 'IPA permission explicitly included attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IPA permission explicitly excluded attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' ) attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Location of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v3' ) @@ -63,4 +63,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDran objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' ) objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3') objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' ) -objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermAllowedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' ) +objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' ) diff --git a/ipalib/parameters.py b/ipalib/parameters.py index 757c18565..b4fb3402d 100644 --- a/ipalib/parameters.py +++ b/ipalib/parameters.py @@ -353,6 +353,8 @@ class Param(ReadOnly): can be unspecified (unchanged) but cannot be deleted. * optional_create: do not require the parameter for crud.Create based commands + * allow_mod_for_managed_permission: permission-mod allows changing + the parameter for managed permissions - hint: this attribute is currently not used - alwaysask: when enabled, CLI asks for parameter value even when the parameter is not `required` diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py index 875a9f5b1..d003bcabb 100644 --- a/ipalib/plugins/permission.py +++ b/ipalib/plugins/permission.py @@ -79,6 +79,15 @@ Setting one of these options will set the corresponding attribute(s). 3. targetgroup: grant access to modify a specific group (such as granting the rights to manage group membership); sets target. """) + _(""" +Managed permissions +""") + _(""" +Permissions that come with IPA by default can be so-called "managed" +permissions. These have a default set of attributes they apply to, +but the administrator can add/remove individual attributes to/from the set. +""") + _(""" +Deleting or renaming a managed permission, as well as changing its target, +is not allowed. +""") + _(""" EXAMPLES: """) + _(""" Add a permission that grants the creation of users: @@ -95,12 +104,11 @@ VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup', _DEPRECATED_OPTION_ALIASES = { 'permissions': 'ipapermright', - 'attrs': 'ipapermallowedattr', 'filter': 'ipapermtargetfilter', 'subtree': 'ipapermlocation', } -KNOWN_FLAGS = {'SYSTEM', 'V2'} +KNOWN_FLAGS = {'SYSTEM', 'V2', 'MANAGED'} output_params = ( Str('aci', @@ -139,7 +147,7 @@ class permission(baseldap.LDAPObject): object_class = ['groupofnames', 'ipapermission', 'ipapermissionv2'] default_attributes = ['cn', 'member', 'memberof', 'memberindirect', 'ipapermissiontype', 'objectclass', - 'ipapermdefaultattr', 'ipapermallowedattr', 'ipapermexcludedattr', + 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermbindruletype', 'ipapermlocation', 'ipapermright', 'ipapermtargetfilter', 'ipapermtarget' ] @@ -169,10 +177,29 @@ class permission(baseldap.LDAPObject): values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'), ), - Str('ipapermallowedattr*', - cli_name='attrs', - label=_('Attributes'), - doc=_('Attributes to which the permission applies'), + Str('attrs*', + label=_('Effective attributes'), + doc=_('All attributes to which the permission applies'), + flags={'virtual_attribute', 'allow_mod_for_managed_permission'}, + ), + Str('ipapermincludedattr*', + cli_name='includedattrs', + label=_('Included attributes'), + doc=_('User-specified attributes to which the permission applies'), + flags={'no_create', 'allow_mod_for_managed_permission'}, + ), + Str('ipapermexcludedattr*', + cli_name='excludedattrs', + label=_('Excluded attributes'), + doc=_('User-specified attributes to which the permission ' + 'explicitly does not apply'), + flags={'no_create', 'allow_mod_for_managed_permission'}, + ), + Str('ipapermdefaultattr*', + cli_name='defaultattrs', + label=_('Default attributes'), + doc=_('Attributes to which the permission applies by default'), + flags={'no_create', 'no_update'}, ), StrEnum( 'ipapermbindruletype', @@ -182,6 +209,7 @@ class permission(baseldap.LDAPObject): autofill=True, values=(u'permission', u'all', u'anonymous'), default=u'permission', + flags={'allow_mod_for_managed_permission'}, ), DNOrURL( 'ipapermlocation?', @@ -301,6 +329,12 @@ class permission(baseldap.LDAPObject): rights['type'] = ''.join(sorted(type_rights, key=rights['ipapermtarget'].index)) + if 'ipapermincludedattr' in rights: + rights['attrs'] = ''.join(sorted( + set(rights['ipapermincludedattr']) & + set(rights.get('ipapermexcludedattr', '')), + key=rights['ipapermincludedattr'].index)) + if not client_has_capability(options['version'], 'permissions2'): for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items(): if new_name in entry: @@ -319,6 +353,14 @@ class permission(baseldap.LDAPObject): raise else: entry.single_value['aci'] = acistring + else: + effective_attrs = self.get_effective_attrs(entry) + if effective_attrs: + entry['attrs'] = effective_attrs + if (not options.get('all') and + not entry.get('ipapermexcludedattr') and + not entry.get('ipapermdefaultattr')): + entry.pop('ipapermincludedattr', None) if not client_has_capability(options['version'], 'permissions2'): # Legacy clients expect some attributes as a single value @@ -337,6 +379,12 @@ class permission(baseldap.LDAPObject): new_filter.append(flt[1:-1]) entry['filter'] = new_filter + def get_effective_attrs(self, entry): + attrs = set(entry.get('ipapermdefaultattr', ())) + attrs.update(entry.get('ipapermincludedattr', ())) + attrs.difference_update(entry.get('ipapermexcludedattr', ())) + return sorted(attrs) + def make_aci(self, entry): """Make an ACI string from the given permission entry""" @@ -344,7 +392,7 @@ class permission(baseldap.LDAPObject): name = entry.single_value['cn'] # targetattr - attrs = entry.get('ipapermallowedattr', []) + attrs = self.get_effective_attrs(entry) if attrs: aci_parts.append("(targetattr = \"%s\")" % ' || '.join(attrs)) @@ -502,9 +550,6 @@ class permission(baseldap.LDAPObject): aci = ACI(acistring) - if 'targetattr' in aci.target: - target_entry['ipapermallowedattr'] = ( - aci.target['targetattr']['expression']) if 'target' in aci.target: target_entry.single_value['ipapermtarget'] = DN(strip_ldap_prefix( aci.target['target']['expression'])) @@ -519,7 +564,7 @@ class permission(baseldap.LDAPObject): target_entry.single_value['ipapermbindruletype'] = u'permission' target_entry['ipapermright'] = aci.permissions if 'targetattr' in aci.target: - target_entry['ipapermallowedattr'] = [ + target_entry['ipapermincludedattr'] = [ unicode(a) for a in aci.target['targetattr']['expression']] if not output_only: @@ -655,7 +700,8 @@ class permission(baseldap.LDAPObject): # Ensure there's something in the ACI's filter needed_attrs = ( - 'ipapermtarget', 'ipapermtargetfilter', 'ipapermallowedattr') + 'ipapermtarget', 'ipapermtargetfilter', + 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermdefaultattr') if not any(entry.single_value.get(a) for a in needed_attrs): raise errors.ValidationError( name='target', @@ -717,6 +763,14 @@ class permission_add(baseldap.LDAPCreate): if not entry.get('ipapermlocation'): entry.setdefault('ipapermlocation', [api.env.basedn]) + if 'attrs' in options: + if 'ipapermincludedattr' in options: + raise errors.ValidationError( + name='attrs', + error=_('attrs and included attributes are ' + 'mutually exclusive')) + entry['ipapermincludedattr'] = list(options.pop('attrs') or ()) + self.obj.validate_permission(entry) return dn @@ -748,6 +802,9 @@ class permission_del(baseldap.LDAPDelete): if not options.get('force'): self.obj.reject_system(entry) + if entry.get('ipapermdefaultattr'): + raise errors.ACIError( + info=_('cannot delete managed permissions')) try: self.obj.remove_aci(entry) @@ -783,6 +840,38 @@ class permission_mod(baseldap.LDAPUpdate): self.obj.reject_system(old_entry) self.obj.upgrade_permission(old_entry) + if 'MANAGED' in old_entry.get('ipapermissiontype', ()): + for option_name in sorted(options): + if option_name == 'rename': + raise errors.ValidationError( + name=option_name, + error=_('cannot rename managed permissions')) + option = self.options[option_name] + allow_mod = 'allow_mod_for_managed_permission' in option.flags + if option.attribute and not allow_mod: + raise errors.ValidationError( + name=option_name, + error=_('not modifiable on managed permissions')) + else: + if options.get('ipapermexcludedattr'): + # prevent setting excluded attributes on normal permissions + # (but do allow deleting them all) + raise errors.ValidationError( + name='ipapermexcludedattr', + error=_('only available on managed permissions')) + + if 'attrs' in options: + if any(a in options for a in ('ipapermincludedattr', + 'ipapermexcludedattr')): + raise errors.ValidationError( + name='attrs', + error=_('attrs and included/excluded attributes are ' + 'mutually exclusive')) + attrs = set(options.pop('attrs') or ()) + defaults = set(old_entry.get('ipapermdefaultattr', ())) + entry['ipapermincludedattr'] = list(attrs - defaults) + entry['ipapermexcludedattr'] = list(defaults - attrs) + # Check setting bindtype for an assigned permission if options.get('ipapermbindruletype') and old_entry.get('member'): raise errors.ValidationError( @@ -866,7 +955,36 @@ class permission_find(baseldap.LDAPSearch): self.obj.preprocess_options(options) return super(permission_find, self).execute(*keys, **options) + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, + *args, **options): + if 'attrs' in options and 'ipapermincludedattr' in options: + raise errors.ValidationError( + name='attrs', + error=_('attrs and included/excluded attributes are ' + 'mutually exclusive')) + + if options.get('attrs'): + # Effective attributes: + # each attr must be in either default or included, + # but not in excluded + filters = ldap.combine_filters( + [filters] + [ + '(&' + '(|' + '(ipapermdefaultattr=%(attr)s)' + '(ipapermincludedattr=%(attr)s))' + '(!(ipapermexcludedattr=%(attr)s)))' % {'attr': attr} + for attr in options['attrs'] + ], + ldap.MATCH_ALL, + ) + + return filters, base_dn, scope + def post_callback(self, ldap, entries, truncated, *args, **options): + if 'attrs' in options: + options['ipapermincludedattr'] = options['attrs'] + attribute_options = [o for o in options if (o in self.options and self.options[o].attribute)] diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py index d23b49f93..a681ef31e 100644 --- a/ipatests/test_xmlrpc/test_old_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py @@ -67,7 +67,8 @@ permission3_attributelevelrights = { 'type': u'rscwo', 'nsaccountlock': u'rscwo', 'description': u'rscwo', - 'ipapermallowedattr': u'rscwo', + 'attrs': u'rscwo', + 'ipapermincludedattr': u'rscwo', 'ipapermbindruletype': u'rscwo', 'ipapermdefaultattr': u'rscwo', 'ipapermexcludedattr': u'rscwo', @@ -1093,6 +1094,7 @@ class test_old_permission(Declarative): objectclass=objectclasses.permission, type=u'user', attrs=(u'cn',), + ipapermincludedattr=[u'cn'], permissions=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], @@ -1115,6 +1117,7 @@ class test_old_permission(Declarative): objectclass=objectclasses.permission, type=u'user', attrs=(u'cn',u'uid'), + ipapermincludedattr=[u'cn', u'uid'], permissions=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index 6564cbc9b..ad5074c81 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -24,12 +24,22 @@ Test the `ipalib/plugins/permission.py` module. import os +import nose + from ipalib import api, errors from ipatests.test_xmlrpc import objectclasses from xmlrpc_test import Declarative from ipapython.dn import DN import inspect +try: + from ipaserver.plugins.ldap2 import ldap2 +except ImportError: + have_ldap2 = False +else: + import krbV + have_ldap2 = True + permission1 = u'testperm' permission1_dn = DN(('cn',permission1), api.env.container_permission,api.env.basedn) @@ -62,7 +72,7 @@ permission3_attributelevelrights = { 'aci': u'rscwo', 'ipapermlocation': u'rscwo', 'o': u'rscwo', - 'ipapermallowedattr': u'rscwo', + 'ipapermincludedattr': u'rscwo', 'ipapermdefaultattr': u'rscwo', 'ipapermexcludedattr': u'rscwo', 'owner': u'rscwo', @@ -76,6 +86,7 @@ permission3_attributelevelrights = { 'ipapermtarget': u'rscwo', 'type': u'rscwo', 'targetgroup': u'rscwo', + 'attrs': u'rscwo', } privilege1 = u'testpriv1' @@ -175,7 +186,7 @@ class test_permission_negative(Declarative): command=( 'permission_add', [permission1], dict( type=u'user', - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=errors.RequirementError(name='ipapermright'), @@ -214,7 +225,7 @@ class test_permission_negative(Declarative): 'permission_add', [permission1], dict( type=u'user', ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=dict( @@ -226,7 +237,7 @@ class test_permission_negative(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -249,7 +260,7 @@ class test_permission_negative(Declarative): desc='Try to remove type from %r' % permission1, command=( 'permission_mod', [permission1], dict( - ipapermallowedattr=None, + attrs=None, type=None, ) ), @@ -263,7 +274,7 @@ class test_permission_negative(Declarative): desc='Try to remove target and memberof from %r' % permission1, command=( 'permission_mod', [permission1], dict( - ipapermallowedattr=None, + attrs=None, ipapermtarget=None, ) ), @@ -283,6 +294,18 @@ class test_permission_negative(Declarative): error='May only contain letters, numbers, -, _, ., and space'), ), + dict( + desc='Try setting ipapermexcludedattr on %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + ipapermexcludedattr=[u'cn'], + ) + ), + expected=errors.ValidationError( + name='ipapermexcludedattr', + error='only available on managed permissions'), + ), + ] @@ -305,7 +328,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( type=u'user', ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=dict( @@ -317,7 +340,7 @@ class test_permission(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -340,7 +363,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( type=u'user', ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ), ), expected=errors.DuplicateEntry( @@ -402,7 +425,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -423,7 +446,7 @@ class test_permission(Declarative): 'cn': [permission1], 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'ipapermallowedattr': [u'sn'], + 'ipapermincludedattr': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermright': [u'write'], 'ipapermissiontype': [u'SYSTEM', u'V2'], @@ -456,7 +479,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -482,7 +505,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -520,7 +543,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -544,7 +567,7 @@ class test_permission(Declarative): 'cn': [permission1], 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'ipapermallowedattr': [u'sn'], + 'ipapermincludedattr': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermright': [u'write'], 'ipapermissiontype': [u'SYSTEM', u'V2'], @@ -571,7 +594,7 @@ class test_permission(Declarative): ipapermright=u'write', setattr=u'owner=cn=test', addattr=u'owner=cn=test2', - ipapermallowedattr=[u'cn'], + attrs=[u'cn'], ) ), expected=dict( @@ -584,7 +607,7 @@ class test_permission(Declarative): type=[u'user'], ipapermright=[u'write'], owner=[u'cn=test', u'cn=test2'], - ipapermallowedattr=[u'cn'], + attrs=[u'cn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -617,7 +640,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -629,7 +652,7 @@ class test_permission(Declarative): 'objectclass': objectclasses.permission, 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'cn'], + 'attrs': [u'cn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -664,7 +687,7 @@ class test_permission(Declarative): dict( desc='Search by ACI attribute with --pkey-only', command=('permission_find', [], {'pkey_only': True, - 'ipapermallowedattr': [u'krbminpwdlife']}), + 'attrs': [u'krbminpwdlife']}), expected=dict( count=1, truncated=False, @@ -714,7 +737,7 @@ class test_permission(Declarative): 'member_privilege': [privilege1], 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -739,7 +762,7 @@ class test_permission(Declarative): 'objectclass': objectclasses.permission, 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -752,7 +775,7 @@ class test_permission(Declarative): 'objectclass': objectclasses.permission, 'type': [u'user'], 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'cn'], + 'attrs': [u'cn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -769,7 +792,7 @@ class test_permission(Declarative): # to change. dict( desc='Search for permissions by attr with a limit of 1 (truncated)', - command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag', + command=('permission_find', [], dict(attrs=u'ipaenabledflag', sizelimit=1)), expected=dict( count=1, @@ -784,8 +807,13 @@ class test_permission(Declarative): 'member_privilege': [u'HBAC Administrator'], 'memberindirect_role': [u'IT Security Specialist'], 'ipapermright' : [u'write'], - 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'], - 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)], + 'attrs': [u'servicecategory', u'sourcehostcategory', + u'cn', u'description', u'ipaenabledflag', + u'accesstime', u'usercategory', + u'hostcategory', u'accessruletype', + u'sourcehost'], + 'ipapermtarget': [DN(('ipauniqueid', '*'), + ('cn', 'hbac'), api.env.basedn)], 'ipapermbindruletype': [u'permission'], 'ipapermlocation': [api.env.basedn], }, @@ -793,7 +821,6 @@ class test_permission(Declarative): ), ), - dict( desc='Update %r' % permission1, command=( @@ -816,7 +843,7 @@ class test_permission(Declarative): ipapermright=[u'read'], memberof=[u'ipausers'], owner=[u'cn=other-test', u'cn=other-test2'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], ipapermbindruletype=[u'permission'], @@ -851,7 +878,7 @@ class test_permission(Declarative): 'type': [u'user'], 'ipapermright': [u'read'], 'memberof': [u'ipausers'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], @@ -900,7 +927,7 @@ class test_permission(Declarative): 'type': [u'user'], 'ipapermright': [u'read'], 'memberof': [u'ipausers'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], @@ -930,7 +957,7 @@ class test_permission(Declarative): 'type': [u'user'], 'ipapermright': [u'all'], 'memberof': [u'ipausers'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], @@ -971,7 +998,7 @@ class test_permission(Declarative): 'type': [u'user'], 'ipapermright': [u'write'], 'memberof': [u'ipausers'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], @@ -1011,7 +1038,7 @@ class test_permission(Declarative): ipapermlocation=[users_dn], ipapermright=[u'write'], memberof=[u'ipausers'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)], ipapermbindruletype=[u'permission'], @@ -1043,7 +1070,7 @@ class test_permission(Declarative): 'cn': [permission2], 'objectclass': objectclasses.permission, 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'cn'], + 'attrs': [u'cn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermtarget': [DN(('uid', '*'), users_dn)], @@ -1077,7 +1104,7 @@ class test_permission(Declarative): 'ipapermlocation': [users_dn], 'ipapermright':[u'write'], 'memberof':[u'ipausers'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermtargetfilter': [u'(memberOf=%s)' % DN( 'cn=ipausers', groups_dn)], 'ipapermbindruletype': [u'permission'], @@ -1111,7 +1138,7 @@ class test_permission(Declarative): 'cn': [u'Add user to default group'], 'objectclass': objectclasses.permission, 'member_privilege': [u'User Administrators'], - 'ipapermallowedattr': [u'member'], + 'attrs': [u'member'], 'targetgroup': [u'ipausers'], 'memberindirect_role': [u'User Administrator'], 'ipapermright': [u'write'], @@ -1202,7 +1229,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( memberof=u'nonexisting', ipapermright=u'write', - ipapermallowedattr=[u'cn'], + attrs=[u'cn'], ) ), expected=errors.NotFound(reason=u'nonexisting: group not found'), @@ -1215,7 +1242,7 @@ class test_permission(Declarative): memberof=u'editors', ipapermright=u'write', type=u'user', - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=dict( @@ -1228,7 +1255,7 @@ class test_permission(Declarative): memberof=[u'editors'], ipapermright=[u'write'], type=[u'user'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'), groups_dn)], ipapermbindruletype=[u'permission'], @@ -1272,7 +1299,7 @@ class test_permission(Declarative): memberof=[u'admins'], ipapermright=[u'write'], type=[u'user'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn)], ipapermbindruletype=[u'permission'], @@ -1308,7 +1335,7 @@ class test_permission(Declarative): objectclass=objectclasses.permission, ipapermright=[u'write'], type=[u'user'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1343,7 +1370,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( targetgroup=u'editors', ipapermright=u'write', - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=dict( @@ -1355,7 +1382,7 @@ class test_permission(Declarative): objectclass=objectclasses.permission, targetgroup=[u'editors'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermtarget=[DN(('cn', 'editors'), groups_dn)], ipapermissiontype=[u'SYSTEM', u'V2'], @@ -1378,7 +1405,7 @@ class test_permission(Declarative): 'permission_add', [permission3], dict( type=u'user', ipapermright=u'write', - ipapermallowedattr=[u'cn'] + attrs=[u'cn'] ) ), expected=dict( @@ -1390,7 +1417,7 @@ class test_permission(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=(u'cn',), + attrs=(u'cn',), ipapermbindruletype=[u'permission'], ipapermtarget=[DN(('uid', '*'), users_dn)], ipapermissiontype=[u'SYSTEM', u'V2'], @@ -1418,7 +1445,8 @@ class test_permission(Declarative): cn=[permission3], objectclass=objectclasses.permission, type=[u'user'], - ipapermallowedattr=(u'cn',), + attrs=[u'cn'], + ipapermincludedattr=[u'cn'], ipapermright=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], @@ -1433,7 +1461,7 @@ class test_permission(Declarative): desc='Modify %r with --all --rights' % permission3, command=('permission_mod', [permission3], { 'all': True, 'rights': True, - 'ipapermallowedattr': [u'cn', u'uid']}), + 'attrs': [u'cn', u'uid']}), expected=dict( value=permission3, summary=u'Modified permission "%s"' % permission3, @@ -1442,7 +1470,8 @@ class test_permission(Declarative): cn=[permission3], objectclass=objectclasses.permission, type=[u'user'], - ipapermallowedattr=(u'cn',u'uid'), + attrs=[u'cn', u'uid'], + ipapermincludedattr=[u'cn', u'uid'], ipapermright=[u'write'], attributelevelrights=permission3_attributelevelrights, ipapermbindruletype=[u'permission'], @@ -1503,7 +1532,7 @@ class test_permission_rollback(Declarative): 'cn': [permission1], 'objectclass': objectclasses.permission, 'ipapermright': [u'write'], - 'ipapermallowedattr': [u'sn'], + 'attrs': [u'sn'], 'ipapermbindruletype': [u'permission'], 'ipapermissiontype': [u'SYSTEM', u'V2'], 'ipapermlocation': [users_dn], @@ -1531,7 +1560,7 @@ class test_permission_rollback(Declarative): ipapermlocation=users_dn, ipapermtarget=DN('uid=admin', users_dn), ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ) ), expected=dict( @@ -1542,7 +1571,7 @@ class test_permission_rollback(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1600,7 +1629,7 @@ class test_permission_sync_attributes(Declarative): 'permission_add', [permission1], dict( ipapermlocation=users_dn, ipapermright=u'write', - ipapermallowedattr=u'sn', + attrs=u'sn', ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'), groups_dn), ipapermtarget=DN(('uid', '*'), users_dn), @@ -1615,7 +1644,7 @@ class test_permission_sync_attributes(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1651,7 +1680,7 @@ class test_permission_sync_attributes(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermtarget=[DN(('uid', '*'), users_dn)], @@ -1688,7 +1717,7 @@ class test_permission_sync_attributes(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1724,7 +1753,7 @@ class test_permission_sync_attributes(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1758,7 +1787,7 @@ class test_permission_sync_attributes(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1789,7 +1818,7 @@ class test_permission_sync_attributes(Declarative): objectclass=objectclasses.permission, type=[u'group'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], @@ -1821,7 +1850,7 @@ class test_permission_sync_attributes(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermtarget=[DN('cn=editors', groups_dn)], @@ -1854,7 +1883,7 @@ class test_permission_sync_nice(Declarative): 'permission_add', [permission1], dict( type=u'user', ipapermright=u'write', - ipapermallowedattr=u'sn', + attrs=u'sn', memberof=u'admins', ) ), @@ -1867,7 +1896,7 @@ class test_permission_sync_nice(Declarative): objectclass=objectclasses.permission, type=[u'user'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[users_dn], @@ -1903,7 +1932,7 @@ class test_permission_sync_nice(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), @@ -1937,7 +1966,7 @@ class test_permission_sync_nice(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[api.env.basedn], @@ -1968,7 +1997,7 @@ class test_permission_sync_nice(Declarative): objectclass=objectclasses.permission, type=[u'group'], ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermlocation=[groups_dn], @@ -2000,7 +2029,7 @@ class test_permission_sync_nice(Declarative): cn=[permission1], objectclass=objectclasses.permission, ipapermright=[u'write'], - ipapermallowedattr=[u'sn'], + attrs=[u'sn'], ipapermbindruletype=[u'permission'], ipapermissiontype=[u'SYSTEM', u'V2'], ipapermtarget=[DN('cn=editors', groups_dn)], @@ -2422,3 +2451,540 @@ class test_permission_bindtype(Declarative): 'assigned to a privilege') ), ] + + +class test_managed_permissions(Declarative): + cleanup_commands = [ + ('permission_del', [permission1], {'force': True}), + ('permission_del', [permission2], {'force': True}), + ] + + @classmethod + def setUpClass(cls): + super(test_managed_permissions, cls).setUpClass() + + if not have_ldap2: + raise nose.SkipTest('server plugin not available') + + def add_managed_permission(self): + """Add a managed permission and the corresponding ACI""" + ldap = ldap2(shared_instance=False) + ldap.connect(ccache=krbV.default_context().default_ccache()) + + result = api.Command.permission_add(permission1, type=u'user', + ipapermright=u'write', + attrs=[u'cn']) + + # TODO: This hack relies on the permission internals. + # Change as necessary. + + # Add permission DN + entry = ldap.get_entry(permission1_dn) + entry['ipapermdefaultattr'] = ['l', 'o', 'cn'] + ldap.update_entry(entry) + + # Update the ACI via the API + result = api.Command.permission_mod(permission1, + attrs=[u'l', u'o', u'cn']) + + # Set the permission type to MANAGED + entry = ldap.get_entry(permission1_dn) + entry['ipapermissiontype'].append('MANAGED') + ldap.update_entry(entry) + + tests = [ + add_managed_permission, + + dict( + desc='Show pre-created %r' % permission1, + command=('permission_show', [permission1], {'all': True}), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "cn || l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + ] + [ + # Verify that most permission attributes can't be changed + dict( + desc='Try to modify %s in %r' % (attr_name, permission1), + command=('permission_mod', [permission1], + {attr_name: value}), + expected=errors.ValidationError( + name=err_attr or attr_name, + error='not modifiable on managed permissions'), + ) + for attr_name, err_attr, value in ( + ('ipapermlocation', None, users_dn), + ('ipapermright', None, u'compare'), + ('ipapermtarget', None, users_dn), + ('ipapermtargetfilter', None, u'(ou=engineering)'), + + ('memberof', 'ipapermtargetfilter', u'admins'), + ('targetgroup', 'ipapermtarget', u'admins'), + ('type', 'ipapermlocation', u'group'), + ) + ] + [ + + dict( + desc='Try to rename %r' % permission1, + command=('permission_mod', [permission1], + {'rename': permission2}), + expected=errors.ValidationError( + name='rename', + error='cannot rename managed permissions'), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "cn || l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Modify included and excluded attrs in %r' % permission1, + command=('permission_mod', [permission1], + {'ipapermincludedattr': [u'dc'], + 'ipapermexcludedattr': [u'cn'], + 'all': True}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'dc'], + ipapermincludedattr=[u'dc'], + ipapermexcludedattr=[u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "dc || l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Modify included attrs in %r' % permission1, + command=('permission_mod', [permission1], + {'ipapermincludedattr': [u'cn', u'sn'], + 'all': True}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn'], + ipapermincludedattr=[u'cn', u'sn'], + ipapermexcludedattr=[u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o || sn")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Add ineffective included attr to %r' % permission1, + command=('permission_mod', [permission1], + {'ipapermincludedattr': [u'cn', u'sn', u'o'], + 'all': True}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o || sn")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Modify excluded attrs in %r' % permission1, + command=('permission_mod', [permission1], + {'ipapermexcludedattr': [u'cn', u'sn'], + 'all': True}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'permission'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn', u'sn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn, + ), + + dict( + desc='Modify bind rule in %r' % permission1, + command=('permission_mod', [permission1], + {'ipapermbindruletype': u'all'}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn', u'sn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) userdn = "ldap:///all";)', + ), + + dict( + desc='Show %r with no options' % permission1, + command=('permission_show', [permission1], {}), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn', u'sn'], + ), + ), + ), + + dict( + desc='Show %r with --all' % permission1, + command=('permission_show', [permission1], {'all': True}), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn', u'sn'], + ), + ), + ), + + dict( + desc='Show %r with --raw' % permission1, + command=('permission_show', [permission1], {'raw': True}), + expected=dict( + value=permission1, + summary=None, + result=dict( + dn=permission1_dn, + cn=[permission1], + aci=['(targetattr = "l || o")' + '(target = "ldap:///%(tdn)s")' + '(version 3.0;acl "permission:%(name)s";' + 'allow (write) userdn = "ldap:///all";)' % + {'tdn': DN(('uid', '*'), users_dn), + 'name': permission1}], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + ipapermincludedattr=[u'cn', u'sn', u'o'], + ipapermexcludedattr=[u'cn', u'sn'], + ), + ), + ), + + dict( + desc='Modify attrs of %r to normalize' % permission1, + command=('permission_mod', [permission1], + {'attrs': [u'l', u'o']}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o'], + ipapermexcludedattr=[u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) userdn = "ldap:///all";)', + ), + + dict( + desc='Modify attrs of %r to add sn' % permission1, + command=('permission_mod', [permission1], + {'attrs': [u'l', u'o', u'sn']}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn'], + ipapermincludedattr=[u'sn'], + ipapermexcludedattr=[u'cn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "l || o || sn")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) userdn = "ldap:///all";)', + ), + + dict( + desc='Search for %r using all its --attrs' % permission1, + command=('permission_find', [permission1], + {'cn': permission1, 'attrs': [u'l', u'o', u'sn']}), + expected=dict( + count=1, + truncated=False, + summary=u'1 permission matched', + result=[dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn'], + ipapermincludedattr=[u'sn'], + ipapermexcludedattr=[u'cn'], + )], + ), + ), + + dict( + desc='Search for %r using some --attrs' % permission1, + command=('permission_find', [permission1], + {'cn': permission1, 'attrs': [u'l', u'sn']}), + expected=dict( + count=1, + truncated=False, + summary=u'1 permission matched', + result=[dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn'], + ipapermincludedattr=[u'sn'], + ipapermexcludedattr=[u'cn'], + )], + ), + ), + + dict( + desc='Search for %r using excluded --attrs' % permission1, + command=('permission_find', [permission1], + {'cn': permission1, 'attrs': [u'sn', u'cn']}), + expected=dict( + count=0, + truncated=False, + summary=u'0 permissions matched', + result=[], + ), + ), + + dict( + desc='Modify attrs of %r to allow cn again' % permission1, + command=('permission_mod', [permission1], + {'attrs': [u'l', u'o', u'sn', u'cn']}), + expected=dict( + value=permission1, + summary=u'Modified permission "testperm"', + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'], + type=[u'user'], + ipapermright=[u'write'], + ipapermbindruletype=[u'all'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermdefaultattr=[u'l', u'o', u'cn'], + attrs=[u'l', u'o', u'sn', u'cn'], + ipapermincludedattr=[u'sn'], + ), + ), + ), + + verify_permission_aci( + permission1, users_dn, + '(targetattr = "cn || l || o || sn")' + + '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (write) userdn = "ldap:///all";)', + ), + + dict( + desc='Try to delete %r' % permission1, + command=('permission_del', [permission1], {}), + expected=errors.ACIError( + info='cannot delete managed permissions'), + ), + + dict( + desc='Delete %r with --force' % permission1, + command=('permission_del', [permission1], {'force': True}), + expected=dict( + result=dict(failed=u''), + value=permission1, + summary=u'Deleted permission "%s"' % permission1, + ), + ), + ] |