summaryrefslogtreecommitdiffstats
path: root/tests/test_xmlrpc/test_user_plugin.py
Commit message (Collapse)AuthorAgeFilesLines
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-241-0/+30
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* ticket 1600 - convert unittests to use DN objectsJohn Dennis2011-08-161-24/+67
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
* Optionally wait for 389-ds postop plugins to completeRob Crittenden2011-07-191-1/+13
| | | | | | | | | | | Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144
* Convert nsaccountlock to always work as bool towards Python codeAlexander Bokovoy2011-07-131-11/+11
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1259 Python code will see nsaccountlock as bool. JavaScript code will also see it as bool. This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
* Add UID, GID and e-mail to the user default attributes.Rob Crittenden2011-06-081-0/+16
| | | | ticket https://fedorahosted.org/freeipa/ticket/1265
* Add option to limit the attributes allowed in an entry.Rob Crittenden2011-05-271-0/+20
| | | | | | | | | | | | | | | | Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation. Add two new LDAPObject values to control this behavior: limit_object_classes: only attributes in these are allowed disallow_object_classes: attributes in these are disallowed By default both of these lists are empty so are skipped. ticket 744
* Modify the default attributes shown in user-find to match the UI design.Rob Crittenden2011-04-221-5/+9
| | | | | | | | | | | | | | | This change means the UI can stop using the --all option and have to retrieve significantly less information from the server. It also speeds up user-find as it doesn't have to calculate membership. This adds a new baseclass parameter, search_display_attributes, which can provide a separate list from default_attributes just for find commands. The UI will need to be changed to switch from using cn to using givenname and sn. ticket 1136
* Convert manager from userid to dn for storage and back for displaying.Rob Crittenden2011-04-221-0/+27
| | | | ticket 1151
* postalCode should be a string not an integer.Rob Crittenden2011-04-051-1/+2
| | | | | | | | | | | | postalCode is defined as an Int. This means you can't define one that has a leading zero nor can you have dashes, letters, etc. This changes the data type on the server. It will still accept an int value if provided and convert it into a string. Bump the API version to 2.1. ticket 1150
* Change default gecos from uid to first and last name.Rob Crittenden2011-04-051-5/+5
| | | | ticket 1146
* Fixed parameter for user city.Endi S. Dewata2011-02-181-2/+2
| | | | | | | Previously the user's city parameter is defined to use the 'locality' attribute. This was a problem because the attribute would be returned as 'l' by the directory server causing a mismatch. Now the parameter has been changed to use the 'l' attribute.
* Convert json strings to unicode when they are unmarshalled.Rob Crittenden2011-02-111-2/+2
| | | | | | | | | This patch removes some individual work-arounds of converting strings to unicode, they only masked the problem. String values are not passed to the validator or normalizers so things like adding the realm automatically to services weren't happening. ticket 941
* Use correct LDAP attributes for city and state.Rob Crittenden2011-02-021-0/+45
| | | | | | Also add a unit test for address. Ticket 889
* Display the entries that failed when deleting with --continue.Rob Crittenden2011-01-101-2/+4
| | | | | | | | | | | | We collected the failures but didn't report it back. This changes the API of most delete commands so rather than returning a boolean it returns a dict with the only current key as failed. This also adds a new parameter flag, suppress_empty. This will try to not print values that are empty if included. This makes the output of the delete commands a bit prettier. ticket 687
* Change FreeIPA license to GPLv3+Jakub Hrozek2010-12-201-5/+5
| | | | | | | | | | The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
* Fix a slew of tests.Rob Crittenden2010-12-171-0/+12
| | | | | | | - Skip the DNS tests if DNS isn't configured - Add new attributes to user entries (displayname, cn and initials) - Make the nsaccountlock value consistent - Fix the cert subject for cert tests
* Check for existence of the group when adding a user.Rob Crittenden2010-12-131-0/+31
| | | | | | | | | | | | | The Managed Entries plugin will allow a user to be added even if a group of the same name exists. This would leave the user without a private group. We need to check for both the user and the group so we can do 1 of 3 things: - throw an error that the group exists (but not the user) - throw an error that the user exists (and the group) - allow the uesr to be added ticket 567
* Re-implement access control using an updated model.Rob Crittenden2010-12-011-4/+0
| | | | | | | | | | | | | | | | | | | The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
* user-enable/disable improvementsRob Crittenden2010-11-041-0/+10
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Use kerberos password policy.Rob Crittenden2010-11-011-5/+6
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-281-0/+51
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
* Add flag to group-find to only search on private groups.Pavel Zuna2010-10-201-3/+62
| | | | ticket #251
* Rename user-lock and user-unlock to user-enable user-disable.Pavel Zuna2010-10-061-6/+6
| | | | Ticket #165
* Use global time and size limit values when searching.Rob Crittenden2010-08-191-0/+25
| | | | | | Add test to verify that limit is honored and truncated flag set. ticket #48
* Fix user tests to handle managed entriesRob Crittenden2010-08-101-1/+2
| | | | | We now enable managed entries by default and need to account for it in the expected output.
* Add optional error message to pattern validatorRob Crittenden2010-08-061-0/+19
| | | | | | | | | The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11
* Fix unicode failures in Env tests and dn failures in XML-RPC testsRob Crittenden2010-02-261-4/+4
|
* Use the Output tuple to determine the order of outputRob Crittenden2010-02-151-5/+16
| | | | | | | | | | | | | | The attributes displayed is now dependant upon their definition in a Param. This enhances that, giving some level of control over how the result is displayed to the user. This also fixes displaying group membership, including failures of adding/removing entries. All tests pass now though there is still one problem. We need to return the dn as well. Once that is fixed we just need to comment out all the dn entries in the tests and they should once again pass.
* Remove hardcoded domain, example.comRob Crittenden2009-12-181-3/+3
|
* Fuzzy feelingsJason Gerard DeRose2009-12-171-108/+115
|
* host and hostgroup summary messages, declarative tests; fix tests for 'dn'Jason Gerard DeRose2009-12-161-3/+1
|
* Take 2: Extensible return values and validation; steps toward a single ↵Jason Gerard DeRose2009-12-101-123/+263
| | | | output_for_cli(); enable more webUI stuff
* Add a new objectclass, ipaObject, that will add a UUID to many IPA objectsRob Crittenden2009-08-101-0/+1
| | | | | | | | | ipaObject is defined as an auxiliary objectclass so it is up to the plugin author to ensure that the objectclass is included an a UUID generated. ipaUniqueId is a MUST attribute so if you include the objectclass you must ensure that the uuid is generated. This also fixes up some unrelated unit test failures.
* Add unit tests for new plugins.Pavel Zuna2009-07-021-0/+145
|
* Remove unit tests for old plugins.Pavel Zuna2009-07-021-146/+0
|
* Rename errors2.py to errors.py. Modify all affected files.Pavel Zuna2009-04-231-3/+3
|
* Fix remaining issues with XML-RPC test casesRob Crittenden2009-02-041-2/+2
| | | | | | Tied the make-test script into the test target of the top-level Makefile Added code to xmlrpc_test.py so that it configures the API if it isn't already done which enables individual tests to be executed.
* Fixed some of the test_xmlrpc unit testsJason Gerard DeRose2009-02-031-8/+8
|
* Applied Rob's errors patchRob Crittenden2009-02-031-2/+2
|
* Mostly got the test_xmlrpc/ tests working againJason Gerard DeRose2009-02-031-4/+0
|
* Finished reworked cli.CLI class into cli.cli pluginJason Gerard DeRose2009-02-031-1/+0
|
* Add some negative testing to the user and group plugin testsRob Crittenden2009-01-191-0/+9
|
* Skip tests if the remote XML-RPC server is not responding.Rob Crittenden2008-11-031-1/+2
|
* Initial tests for user, group and service plugin APIRob Crittenden2008-11-031-0/+141
generated by cgit (git 2.34.1) at 2024-05-12 22:19:59 +0000