diff options
| -rw-r--r-- | ipalib/plugins/baseldap.py | 36 | ||||
| -rw-r--r-- | ipalib/plugins/krbtpolicy.py | 1 | ||||
| -rw-r--r-- | ipalib/plugins/user.py | 2 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_krbtpolicy.py | 138 | ||||
| -rw-r--r-- | tests/test_xmlrpc/test_user_plugin.py | 20 |
5 files changed, 197 insertions, 0 deletions
diff --git a/ipalib/plugins/baseldap.py b/ipalib/plugins/baseldap.py index 43533c8c9..f07fb2774 100644 --- a/ipalib/plugins/baseldap.py +++ b/ipalib/plugins/baseldap.py @@ -253,6 +253,8 @@ class LDAPObject(Object): # If an objectclass is possible but not default in an entry. Needed for # collecting attributes for ACI UI. possible_objectclasses = [] + limit_object_classes = [] # Only attributes in these are allowed + disallow_object_classes = [] # Disallow attributes in these search_attributes = [] search_attributes_config = None default_attributes = [] @@ -438,6 +440,36 @@ def _check_empty_attrs(params, entry_attrs): raise errors.RequirementError(name=a) +def _check_limit_object_class(attributes, attrs, allow_only): + """ + If the set of objectclasses is limited enforce that only those + are updated in entry_attrs (plus dn) + + allow_only tells us what mode to check in: + + If True then we enforce that the attributes must be in the list of + allowed. + + If False then those attributes are not allowed. + """ + if len(attributes[0]) == 0 and len(attributes[1]) == 0: + return + limitattrs = deepcopy(attrs) + # Go through the MUST first + for (oid, attr) in attributes[0].iteritems(): + if attr.names[0].lower() in limitattrs: + if not allow_only: + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower())) + limitattrs.remove(attr.names[0].lower()) + # And now the MAY + for (oid, attr) in attributes[1].iteritems(): + if attr.names[0].lower() in limitattrs: + if not allow_only: + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=attr.names[0].lower())) + limitattrs.remove(attr.names[0].lower()) + if len(limitattrs) > 0 and allow_only: + raise errors.ObjectclassViolation(info='attribute "%(attribute)s" not allowed' % dict(attribute=limitattrs[0])) + class CallbackInterface(Method): """ Callback registration interface @@ -568,6 +600,8 @@ class LDAPCreate(CallbackInterface, crud.Create): ) _check_single_value_attrs(self.params, entry_attrs) + _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True) + _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False) try: ldap.add_entry(dn, entry_attrs, normalize=self.obj.normalize_dn) @@ -848,6 +882,8 @@ class LDAPUpdate(LDAPQuery, crud.Update): _check_single_value_attrs(self.params, entry_attrs) _check_empty_attrs(self.obj.params, entry_attrs) + _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.limit_object_classes), entry_attrs.keys(), allow_only=True) + _check_limit_object_class(self.api.Backend.ldap2.schema.attribute_types(self.obj.disallow_object_classes), entry_attrs.keys(), allow_only=False) rdnupdate = False try: diff --git a/ipalib/plugins/krbtpolicy.py b/ipalib/plugins/krbtpolicy.py index c9d86ea65..4347f4146 100644 --- a/ipalib/plugins/krbtpolicy.py +++ b/ipalib/plugins/krbtpolicy.py @@ -74,6 +74,7 @@ class krbtpolicy(LDAPObject): container_dn = 'cn=%s,cn=kerberos' % api.env.realm object_name = 'kerberos ticket policy settings' default_attributes = ['krbmaxticketlife', 'krbmaxrenewableage'] + limit_object_classes = ['krbticketpolicyaux'] label=_('Kerberos Ticket Policy') diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index fa47cae8e..c4d875a2d 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -62,6 +62,7 @@ from ipalib.plugins.baseldap import * from ipalib import _, ngettext from ipalib.request import context from time import gmtime, strftime +import copy NO_UPG_MAGIC = '__no_upg__' @@ -84,6 +85,7 @@ class user(LDAPObject): object_class = ['posixaccount'] object_class_config = 'ipauserobjectclasses' possible_objectclasses = ['meporiginentry'] + disallow_object_classes = ['krbticketpolicyaux'] search_attributes_config = 'ipausersearchfields' default_attributes = [ 'uid', 'givenname', 'sn', 'homedirectory', 'loginshell', 'ou', diff --git a/tests/test_xmlrpc/test_krbtpolicy.py b/tests/test_xmlrpc/test_krbtpolicy.py new file mode 100644 index 000000000..9005f346a --- /dev/null +++ b/tests/test_xmlrpc/test_krbtpolicy.py @@ -0,0 +1,138 @@ +# Authors: +# Rob Crittenden <rcritten@redhat.com> +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +""" +Test kerberos ticket policy +""" + +from ipalib import api, errors +from tests.test_xmlrpc import objectclasses +from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid + +user1 = u'tuser1' + +class test_krbtpolicy(Declarative): + cleanup_commands = [ + ('user_del', [user1], {}), + ] + + tests = [ + + + dict( + desc='Reset global policy', + command=( + 'krbtpolicy_reset', [], {} + ), + expected=dict( + value=u'', + summary=None, + result=dict( + krbmaxticketlife=[u'86400'], + krbmaxrenewableage=[u'604800'], + ), + ), + ), + + + dict( + desc='Show global policy', + command=( + 'krbtpolicy_show', [], {} + ), + expected=dict( + value=u'', + summary=None, + result=dict( + dn=u'cn=%s,cn=kerberos,%s' % (api.env.domain, api.env.basedn), + krbmaxticketlife=[u'86400'], + krbmaxrenewableage=[u'604800'], + ), + ), + ), + + + dict( + desc='Update global policy', + command=( + 'krbtpolicy_mod', [], dict(krbmaxticketlife=3600) + ), + expected=dict( + value=u'', + summary=None, + result=dict( + krbmaxticketlife=[u'3600'], + krbmaxrenewableage=[u'604800'], + ), + ), + ), + + + dict( + desc='Create %r' % user1, + command=( + 'user_add', [user1], dict(givenname=u'Test', sn=u'User1') + ), + expected=dict( + value=user1, + summary=u'Added user "%s"' % user1, + result=dict( + gecos=[u'Test User1'], + givenname=[u'Test'], + homedirectory=[u'/home/tuser1'], + krbprincipalname=[u'tuser1@' + api.env.realm], + loginshell=[u'/bin/sh'], + objectclass=objectclasses.user, + sn=[u'User1'], + uid=[user1], + uidnumber=[fuzzy_digits], + displayname=[u'Test User1'], + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], + dn=u'uid=%s,cn=users,cn=accounts,%s' % (user1, api.env.basedn) + ), + ), + ), + + + dict( + desc='Update user ticket policy', + command=( + 'krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600) + ), + expected=dict( + value=user1, + summary=None, + result=dict( + krbmaxticketlife=[u'3600'], + ), + ), + ), + + + dict( + desc='Try updating other user attribute', + command=( + 'krbtpolicy_mod', [user1], dict(setattr=u'givenname=Pete') + ), + expected=errors.ObjectclassViolation(info='attribute "givenname" not allowed'), + ), + + + ] diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py index 597b3b9ba..0be4148a8 100644 --- a/tests/test_xmlrpc/test_user_plugin.py +++ b/tests/test_xmlrpc/test_user_plugin.py @@ -305,6 +305,15 @@ class test_user(Declarative): dict( + desc='Try updating the krb ticket policy of %r' % user1, + command=( + 'user_mod', [user1], dict(setattr=u'krbmaxticketlife=88000') + ), + expected=errors.ObjectclassViolation(info='attribute "krbmaxticketlife" not allowed'), + ), + + + dict( desc='Retrieve %r to verify update' % user1, command=('user_show', [user1], {}), expected=dict( @@ -389,6 +398,17 @@ class test_user(Declarative): dict( + desc='Create user %r with krb ticket policy' % user1, + command=( + 'user_add', [user1], dict(givenname=u'Test', sn=u'User1', + setattr=u'krbmaxticketlife=88000') + ), + expected=errors.ObjectclassViolation(info='attribute "krbmaxticketlife" not allowed'), + ), + + + + dict( desc='Create %r' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1') |