1 files changed, 82 insertions, 0 deletions

diff --git a/ipatests/test_integration/test_service_permissions.py b/ipatests/test_integration/test_service_permissions.py
new file mode 100644
index 000000000..3d4a50d32
--- /dev/null
+++ b/ipatests/test_integration/test_service_permissions.py
@@ -0,0 +1,82 @@
+# Authors:
+#   Petr Viktorin <pviktori@redhat.com>
+#
+# Copyright (C) 2014  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import os
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration import tasks
+
+
+class TestServicePermissions(IntegrationTest):
+    topology = 'star'
+
+    def test_service_as_user_admin(self):
+        """Test that a service in User Administrator role can manage users"""
+
+        service_name = 'testservice/%s@%s' % (self.master.hostname,
+                                              self.master.domain.realm)
+        keytab_file = os.path.join(self.master.config.test_dir,
+                                   'testservice_keytab')
+
+        # Prepare a service
+
+        self.master.run_command(['ipa', 'service-add', service_name])
+
+        self.master.run_command(['ipa-getkeytab',
+                                 '-p', service_name,
+                                 '-k', keytab_file,
+                                 '-s', self.master.hostname])
+
+        # Check that the service cannot add a user
+
+        self.master.run_command(['kdestroy'])
+        self.master.run_command(['kinit', '-k', service_name,
+                                 '-t', keytab_file])
+
+        result = self.master.run_command(['ipa', 'role-add-member',
+                                          'User Administrator',
+                                          '--service', service_name],
+                                         raiseonerr=False)
+        assert result.returncode > 0
+
+        # Add service to User Administrator role
+
+        self.master.run_command(['kdestroy'])
+        tasks.kinit_admin(self.master)
+
+        self.master.run_command(['ipa', 'role-add-member',
+                                 'User Administrator',
+                                 '--service', service_name])
+
+        # Check that the service now can add a user
+
+        self.master.run_command(['kdestroy'])
+        self.master.run_command(['kinit', '-k', service_name,
+                                 '-t', keytab_file])
+
+        self.master.run_command(['ipa', 'user-add', 'tuser',
+                                 '--first', 'a', '--last', 'b', '--random'])
+
+        # Clean up
+
+        self.master.run_command(['kdestroy'])
+        tasks.kinit_admin(self.master)
+
+        self.master.run_command(['ipa', 'service-del', service_name])
+        self.master.run_command(['ipa', 'user-del', 'tuser'])