summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* Add managedby to Host entriesRob Crittenden2010-11-194-3/+113
| | | | | | This will allow others to provision on behalf of the host. ticket 280
* Revoke a host's certificate (if any) when it is deleted or disabled.Rob Crittenden2010-11-192-2/+29
| | | | | | | | | Disable any services when its host is disabled. This also adds displaying the certificate attributes (subject, etc) a bit more universal and centralized in a single function. ticket 297
* Revert tests code to use the old uuid format.Simo Sorce2010-11-151-2/+2
|
* user-enable/disable improvementsRob Crittenden2010-11-041-0/+10
| | | | | | | | | | | | | Always display the account enable/disable status. Don't ignore the exceptions when a user is already enabled or disabled. Fix the exception error messages to use the right terminology. In baseldap when retrieving all attributes include the default attributes in case they include some operational attributes. ticket 392
* Output ACI's broken out into attributes rather than a single text fieldRob Crittenden2010-11-041-17/+79
| | | | | | Also add validation to the List parameter type. ticket 357
* Added fixes to adjust for sudocmd attribute for sudocmds. Added fix for ↵Jr Aquino2010-11-032-14/+14
| | | | sudorule to allow for cmdCategory all Added fixes for xmlrpc tests to reflect sudocmd changes.
* Use kerberos password policy.Rob Crittenden2010-11-012-7/+8
| | | | | | | | | | | | | | | | | | | | | | | This lets the KDC count password failures and can lock out accounts for a period of time. This only works for KDC >= 1.8. There currently is no way to unlock a locked account across a replica. MIT Kerberos 1.9 is adding support for doing so. Once that is available unlock will be added. The concept of a "global" password policy has changed. When we were managing the policy using the IPA password plugin it was smart enough to search up the tree looking for a policy. The KDC is not so smart and relies on the krbpwdpolicyreference to find the policy. For this reason every user entry requires this attribute. I've created a new global_policy entry to store the default password policy. All users point at this now. The group policy works the same and can override this setting. As a result the special "GLOBAL" name has been replaced with global_policy. This policy works like any other and is the default if a name is not provided on the command-line. ticket 51
* Implement nested netgroups and include summaries for the commands.Rob Crittenden2010-10-293-367/+1052
| | | | | | | Replace the existing netgroup test cases with Declarative tests. This triples the number of tests we were doing. ticket 209
* Return reason for failure when updating group membership fails.Rob Crittenden2010-10-283-12/+22
| | | | | | | | | | | We used to return a list of dns that failed to be added. We now return a list of tuples instead. The tuple looks like (dn, reason) where reason is the exception that was returned. Also made the label we use for failures to be singular instead of plural since we now print them out individually instead of as comma-separated. ticket 270
* Don't allow managed groups to have group password policy.Rob Crittenden2010-10-281-1/+12
| | | | | | | UPG cannot have members and we use memberOf in class of service to determine which policy to apply. ticket 160
* Remove group nesting from the HBAC service groupsRob Crittenden2010-10-281-2/+0
| | | | ticket 389
* Use context to decide which name to return on RequirementsErrorsRob Crittenden2010-10-282-11/+19
| | | | | | | | | | | | | | When a Requirement fails we throw an exception including the name of the field that is missing. To make the command-line friendlier we have a cli_name defined which may or may not match the LDAP attribute. This can be confusing if you are using ipalib directly because the attribute name missing may not match what is actually required (desc vs description is a good example). If you use the context 'cli' then it will throw exceptions using cli_name. If you use any other context it will use the name of the attribute. ticket 187
* Populate indirect members when showing a group object.Rob Crittenden2010-10-283-6/+356
| | | | | | | | | | | | | | | This is done by creating a new attribute, memberindirect, to hold this indirect membership. The new function get_members() can return all members or just indirect or direct. We are only using it to retrieve indirect members currently. This also: * Moves all member display attributes into baseldap.py to reduce duplication * Adds netgroup nesting * Use a unique object name in hbacsvc and hbacsvcgroup ticket 296
* Allow RDN changes for users, groups, rolegroups and taskgroups.Rob Crittenden2010-10-285-0/+172
| | | | | | | | | | | | To do a change right now you have to perform a setattr like: ipa user-mod --setattr uid=newuser olduser The RDN change is performed before the rest of the mods. If the RDN change is the only change done then the EmptyModlist that update_entry() throws is ignored. ticket 323
* UUIDs: remove uuid python plugin and let DS always autogenerateSimo Sorce2010-10-281-1/+1
| | | | merge in remove uuid
* Fix two failing tests.Rob Crittenden2010-10-221-0/+9
| | | | | | The first test is a mismatch in the sample output of an exception. The second test adds certificate information output to the service plugin.
* Add flag to group-find to only search on private groups.Pavel Zuna2010-10-202-4/+82
| | | | ticket #251
* Fix _merge_from_file testRob Crittenden2010-10-181-1/+1
|
* Accept an incoming certificate as either DER or base64 in the service plugin.Rob Crittenden2010-10-081-5/+8
| | | | | | | | | | | | | The plugin required a base64-encoded certificate and always decoded it before processing. This doesn't work with the UI because the json module decodes binary values already. Try to detect if the incoming value is base64-encoded and decode if necessary. Finally, try to pull the cert apart to validate it. This will tell us for sure that the data is a certificate, regardless of the format it came in as. ticket 348
* If an HBAC category is 'all' don't allow individual objects to be added.Rob Crittenden2010-10-081-2/+73
| | | | | | | | Basically, make 'all' mutually exclusive. This makes debugging lots easier. If say usercat='all' there is no point adding specific users to the rule because it will always apply to everyone. ticket 164
* Rename user-lock and user-unlock to user-enable user-disable.Pavel Zuna2010-10-061-6/+6
| | | | Ticket #165
* Added modifications to the sudorule plugin to reflect the schema update.Jr Aquino2010-10-051-35/+77
|
* Fix a couple of test cases broken by the POSIX group change.Rob Crittenden2010-10-042-2/+4
| | | | They were made as non-POSIX originally, keep them that way.
* Groups are now created as POSIX by default.Rob Crittenden2010-10-011-7/+13
| | | | ticket 241
* Fix LDAP client backend failing test caseRob Crittenden2010-10-011-1/+3
|
* Add plugins for Sudo Commands, Command Groups and RulesJr Aquino2010-09-274-0/+1006
|
* Add some tests for using the ldap2 Backend.Rob Crittenden2010-09-241-0/+118
| | | | | | Fix a logic problem in ldap2:get_schema() for determining if it can fetch the schema or not. Normally we only want to do this for servers but if you pass in your own connection it will use that.
* Fix the ipa-ldap-updater tests.Rob Crittenden2010-09-101-2/+1
| | | | | | We dropped the schema for ipaContainer so use nsContainer instead. ticket 121
* Use global time and size limit values when searching.Rob Crittenden2010-08-191-0/+25
| | | | | | Add test to verify that limit is honored and truncated flag set. ticket #48
* Add support for ldap:///self bind rulesRob Crittenden2010-08-191-0/+37
| | | | | | | This is added mainly so the self service rules can be updated without resorting to ldapmodify. ticket 80
* Enable a host to retrieve a keytab for all its services.Rob Crittenden2010-08-162-92/+287
| | | | | | | | | | | | | | | | | | | | | | | | Using the host service principal one should be able to retrieve a keytab for other services for the host using ipa-getkeytab. This required a number of changes: - allow hosts in the service's managedby to write krbPrincipalKey - automatically add the host to managedby when a service is created - fix ipa-getkeytab to return the entire prinicpal and not just the first data element. It was returning "host" from the service tgt and not host/ipa.example.com - fix the display of the managedby attribute in the service plugin This led to a number of changes in the service unit tests. I took the opportunity to switch to the Declarative scheme and tripled the number of tests we were doing. This shed some light on a few bugs in the plugin: - if a service had a bad usercertificate it was impossible to delete the service. I made it a bit more flexible. - I added a summary for the mod and find commands - has_keytab wasn't being set in the find output ticket 68
* Add support for client failover to the ipa command-line.Rob Crittenden2010-08-162-3/+3
| | | | | | | | | | | | This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
* Allow decoupling of user-private groups.Rob Crittenden2010-08-101-0/+78
| | | | | | | | | | | To do this we need to break the link manually on both sides, the user and the group. We also have to verify in advance that the user performing this is allowed to do both. Otherwise the user could be decoupled but not the group leaving it in a quasi broken state that only ldapmodify could fix. ticket 75
* Fix user tests to handle managed entriesRob Crittenden2010-08-101-1/+2
| | | | | We now enable managed entries by default and need to account for it in the expected output.
* Check to see if the command is available before running command tests.Rob Crittenden2010-08-062-2/+12
|
* Fix RPC tests. The method comes back as a unicode from xmlrpclib.Rob Crittenden2010-08-061-2/+2
|
* Add optional error message to pattern validatorRob Crittenden2010-08-062-0/+36
| | | | | | | | | The pattern validator by default displays the pattern that is being matched against. This isn't helpful, particularly for very hairy patterns. This adds a new parameter, pattern_errmsg, that is displayed on errors if set. ticket #11
* Skip the i18n test if the test language has not been builtRob Crittenden2010-08-061-0/+6
|
* Require that hosts be resolvable in DNS. Use --force to ignore warnings.Rob Crittenden2010-08-067-17/+53
| | | | | | | | | | | | | This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
* Fix replacing a certificate in a service.Rob Crittenden2010-08-061-3/+28
| | | | | | | | | | | | When a service has a certificate and the CA backend doesn't support revocation (like selfsign) then we simply drop the old certificate in preparation for adding a new one. We weren't setting the usercertificate attribute to None so there was nothing to do in ldap_update(). Added a test case for this situation to ensure that re-issuing a certificate works. ticket #88
* Add framework for other command-line tests, starting with ipa-getkeytab.Rob Crittenden2010-08-062-0/+210
|
* Fix this test to work from source tree rootRob Crittenden2010-08-061-2/+2
| | | | | | | | It would work if you ran the test from its location in tests/test_ipalib but this isn't the most common method. If you want to run it individually you can do: $ ./make-test tests/test_ipalib/test_text.py
* Drop our own PKCS#10 ASN.1 decoder and use the one from python-nssRob Crittenden2010-07-295-51/+83
| | | | | | | | | | | | | | | This patch: - bumps up the minimum version of python-nss - will initialize NSS with nodb if a CSR is loaded and it isn't already init'd - will shutdown NSS if initialized in the RPC subsystem so we use right db - updated and added a few more tests Relying more on NSS introduces a bit of a problem. For NSS to work you need to have initialized a database (either a real one or no_db). But once you've initialized one and want to use another you have to close down the first one. I've added some code to nsslib.py to do just that. This could potentially have some bad side-effects at some point, it works ok now.
* Add some basic tests for ipalib/x509Rob Crittenden2010-07-291-0/+139
|
* This patch removes the existing UI functionality, as a prep for adding the ↵Adam Young2010-07-292-45/+0
| | | | Javascript based ui.
* Fix netgroup plugin to use correct member attribute names.Rob Crittenden2010-07-151-39/+107
| | | | | | | | | When the netgroup plugin was rebased it ended up using the member attribute for its memberships and not memberuser/memberhost. I also fixed this same attribute problem in the tests and tried to beef them up a little. If nis/schema compat are enabled it will try to compare the generated triplets with a known-good value.
* Add API to delete a service principal key, service-disable.Rob Crittenden2010-07-133-0/+6
| | | | | | | | | | | | I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key using our modlist generator won't work and lots of tricks would be needed to use the LDAPUpdate object in any case. I pulled usercertificate out of the global params and put into each appropriate function because it makes no sense for service-disable. This also adds a new variable, has_keytab, to service/host_show output. This flag tells us whether there is a krbprincipalkey.
* Add test to ensure that a certificate we issue is actually stored properly.Rob Crittenden2010-07-131-2/+32
|
* Change expected aci summary from Updated to Modify in test casesRob Crittenden2010-07-061-4/+4
|
* Fix aci_mod command. It should handle more complex operations now.Rob Crittenden2010-06-241-56/+201
| | | | | | | | | | | The problem was trying to operate directly on the ACI itself. I introduced a new function, _aci_to_kw(), that converts an ACI into a set of keywords. We can take these keywords, like those passed in when an ACI is created, to merge in any changes and then re-create the ACI. I also switched the ACI tests to be declarative and added a lot more cases around the modify operation.