summaryrefslogtreecommitdiffstats
path: root/tests
Commit message (Collapse)AuthorAgeFilesLines
* Suppress managed netgroups from showing as memberof hostgroups.Rob Crittenden2011-08-314-24/+1
| | | | | | | By design these managed netgroups are not supposed to show unless you specifically want to see them. https://fedorahosted.org/freeipa/ticket/1738
* Sort lists so order is predictable and tests pass as expected.Rob Crittenden2011-08-312-5/+7
| | | | Related to https://fedorahosted.org/freeipa/ticket/1272
* 34 Create FreeIPA CLI Plugin for the 389 Auto Membership pluginJr Aquino2011-08-312-0/+1079
| | | | | | | | | | | | Added new container in etc to hold the automembership configs. Modified constants to point to the new container Modified dsinstance to create the container Created automember.py to add the new commands Added xmlrpc test to verify functionality Added minor fix to user.py for constant behavior between memberof and automember https://fedorahosted.org/freeipa/ticket/1272
* Add netgroup as possible memberOf for hostgroupsRob Crittenden2011-08-293-0/+13
| | | | https://fedorahosted.org/freeipa/ticket/1563
* Fix sudo help and summariesMartin Kosek2011-08-292-15/+15
| | | | | | | | | | | | | | | | 1) Add sudorule docstring headline 2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group 3) Add missing summaries for sudorule-add-option and sudorule-remove-option. To keep backward compatibility with older clients, just print the missing summary with output_for_cli(), don't expand Output. https://fedorahosted.org/freeipa/ticket/1595 https://fedorahosted.org/freeipa/ticket/1596
* Add external source hosts to HBAC.Rob Crittenden2011-08-291-1/+68
| | | | | | | | When adding/removing source hosts if the host isn't found in IPA it is considered external. The attribute externalhost is used to store external hosts. ticket https://fedorahosted.org/freeipa/ticket/1574
* Retrieve password/keytab state when modifying a host.Rob Crittenden2011-08-251-0/+2
| | | | ticket https://fedorahosted.org/freeipa/ticket/1714
* Change the way has_keytab is determined, also check for password.Rob Crittenden2011-08-2410-3/+112
| | | | | | | | | | | | | | | | | | | | We need an indicator to see if a keytab has been set on host and service entries. We also need a way to know if a one-time password is set on a host. This adds an ACI that grants search on userPassword and krbPrincipalKey so we can do an existence search on them. This way we can tell if the attribute is set and create a fake attribute accordingly. When a userPassword is set on a host a keytab is generated against that password so we always set has_keytab to False if a password exists. This is fine because when keytab gets generated for the host the password is removed (hence one-time). This adds has_keytab/has_password to the user, host and service plugins. ticket https://fedorahosted.org/freeipa/ticket/1538
* Fix automountkey-modMartin Kosek2011-08-181-2/+5
| | | | | | | | | | | | | Fix automountkey-mod so that automountkey attribute is correctly updated. Add this test case to the unit tests. Make automountkey required for automountkey-mod, otherwise it would cause internal server error. Make --newinfo optional so that automountkey may be just renamed without changing its info attribute. https://fedorahosted.org/freeipa/ticket/1528
* ticket 1600 - convert unittests to use DN objectsJohn Dennis2011-08-1621-326/+577
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have a larger goal of replacing all DN creation via string formatting/concatenation with DN object operations because string operations are not a safe way to form a DN nor to compare a DN. This work needs to be broken into smaller chunks for easier review and testing. Addressing the unit tests first makes sense because we don't want to be modifying both the core code and the tests used to verify the core code simultaneously. If we modify the unittests first with existing core code and no regressions are found then we can move on to modifying parts of the core code with the belief the unittests can validate the changes in the core code. Also by doing the unittests first we also help to validate the DN objects are working correctly (although they do have an extensive unittest). The fundamental changes are: * replace string substitution & concatenation with DN object constructor * when comparing dn's the comparision is done after promotion to a DN object, then two DN objects are compared * when a list of string dn's are to be compared a new list is formed where each string dn is replaced by a DN object * because the unittest framework accepts a complex data structure of expected values where dn's are represeted as strings the unittest needs to express the expected value of a dn as a callable object (e.g. a lambda expression) which promotes the dn string to a DN object in order to do the comparision.
* ticket 1569 - Test DN object non-latin Unicode supportJohn Dennis2011-08-161-0/+94
| | | | | | | | | | | | | | | | | | | | | The DN unittest was lacking a test for i18n. The unittest was updated to store "Hello" in Arabic with both utf-8 and unicode and verify the values could be properly retrieved and converted to dn string syntax. During the testing a few problems were discovered and corrected. * passing in utf-8 caused an ASCII decode error becuase of Python's silly default encoding of ASCII. The fix was to explictly use the utf-8 codec. * there were a couple of places where encode/decode were not called correctly. * the internal attr and value members of the AVA class were renamed to explicitly show they are stored as unicode. Of course the unittest was updated as well.
* ticket 1568 - DN objects should support the insert methodJohn Dennis2011-08-161-0/+9
| | | | Add dn.insert() and update unittest
* Add hbactest command. https://fedorahosted.org/freeipa/ticket/386Alexander Bokovoy2011-07-281-0/+206
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | HBAC rules control who can access what services on what hosts and from where. You can use HBAC to control which users or groups on a source host can access a service, or group of services, on a target host. Since applying HBAC rules implies use of a production environment, this plugin aims to provide simulation of HBAC rules evaluation without having access to the production environment. Test user coming from source host to a service on a named host against existing enabled rules. ipa hbactest --user= --srchost= --host= --service= [--rules=rules-list] [--nodetail] [--enabled] [--disabled] --user, --srchost, --host, and --service are mandatory, others are optional. If --rules is specified simulate enabling of the specified rules and test the login of the user using only these rules. If --enabled is specified, all enabled HBAC rules will be added to simulation If --disabled is specified, all disabled HBAC rules will be added to simulation If --nodetail is specified, do not return information about rules matched/not matched. If both --rules and --enabled are specified, apply simulation to --rules _and_ all IPA enabled rules. If no --rules specified, simulation is run against all IPA enabled rules. EXAMPLES: 1. Use all enabled HBAC rules in IPA database to simulate: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 2. Disable detailed summary of how rules were applied: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail -------------------- Access granted: True -------------------- 3. Test explicitly specified HBAC rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: myrule 4. Use all enabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule matched: allow_all 5. Test all disabled HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled --------------------- Access granted: False --------------------- notmatched: new-rule 6. Test all disabled HBAC rules in IPA database + explicitly specified rules: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled --------------------- Access granted: False --------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule 7. Test all (enabled and disabled) HBAC rules in IPA database: $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled -------------------- Access granted: True -------------------- notmatched: my-second-rule notmatched: my-third-rule notmatched: myrule notmatched: new-rule matched: allow_all Only rules existing in IPA database are tested. They may be in enabled or disabled disabled state. Specifying them through --rules option explicitly enables them only in simulation run. Specifying non-existing rules will not grant access and report non-existing rules in output.
* Fix message in test case for checking minimum valuesRob Crittenden2011-07-281-1/+1
|
* Make AVA, RDN & DN comparison case insensitive. No need for lowercase ↵John Dennis2011-07-271-37/+52
| | | | | | | | | | | | | | | | | | | | | | | | | | normalization. Replace deepcopy with constructor (i.e. type call) Can now "clone" with configuration changes by passing object of the same type to it's constructor, e.g. dn1 = DN(('cn', 'foo')) dn2 = DN(dn1) dn2 = DN(dn1, first_key_match=False) Remove pairwise grouping for RDN's. Had previously removed it for DN's, left it in for RDN's because it seemed to make sense because of the way RDN's work but consistency is a higher goal. Add keyword constructor parameters to pass configuration options. Make first_key_match a configuration keyword. Updated documentation. Updated unit test. FWIW, I noticed the unittest is now running 2x faster, not sure why, removal of deepcopy? Anyway, hard to argue with performance doubling.
* Fix invalid issuer in unit testsMartin Kosek2011-07-273-6/+9
| | | | | | | Fix several test failures when issuer does not match the one generated by make-testcert (CN=Certificate Authority,O=<realm>). https://fedorahosted.org/freeipa/ticket/1527
* Don't leave dangling map if adding an indirect map failsRob Crittenden2011-07-271-0/+11
| | | | | | | | When using the add_indirect helper we create a new map and then add a key for it all in one step. If adding the key fails for any reason be sure to remove the map we added. https://fedorahosted.org/freeipa/ticket/1520
* Hide the HBAC access type attribute now that deny is deprecated.Rob Crittenden2011-07-211-1/+0
| | | | | | | It won't appear in the UI/CLI but is still available via XML-RPC. allow is the default and deny will be rejected. https://fedorahosted.org/freeipa/ticket/1495
* Ticket 1485 - DN pairwise groupingJohn Dennis2011-07-212-69/+117
| | | | | | | | | | | | | | | | | | | | | The pairwise grouping used to form RDN's and AVA's proved to be confusing in practice, this patch removes that functionality thus requiring programmers to explicitly pair attr,value using a tuple or list. In addition it was discovered additional functionality was needed to support some DN operations in freeipa. DN objects now support startswith(), endswith() and the "in" membership test. These functions and operators will accept either a DN or RDN. The unittest was modified to remove the pairwise tests and add new explicit tests. The unittest was augmented to test the new functionality. In addition the unittest was cleaned up a bit to use common utilty functions for improved readabilty and robustness. The documentation was updated. fix test_role_plugin use of DN to avoid pairwise grouping
* Set a default minimum value for class Int, handle long values better.Rob Crittenden2011-07-191-3/+3
| | | | | | | Allow a long to get as far as the min/max constraints where we can compare it to min/max int values and reject with a proper error message. https://fedorahosted.org/freeipa/ticket/1494
* With the external user/group management fixed, correct the unit tests.Rob Crittenden2011-07-201-3/+3
| | | | | The unit tests were incorrectly expecting the removed data back when removing external users.
* Optionally wait for 389-ds postop plugins to completeRob Crittenden2011-07-199-3/+53
| | | | | | | | | | | Add a new command that lets you wait for an attribute to appear in a value. Using this you can do things like wait for a managed entry to be created, adding a new objectclass to the parent entry. This is controlled by a new booleon option, wait_for_attr, defaulting to False. https://fedorahosted.org/freeipa/ticket/1144
* Fix failing tests due to object name changesRob Crittenden2011-07-172-8/+8
| | | | | Some object names had spaces in them which was bad, update the tests to reflect the new names.
* Add new dnszone-find testMartin Kosek2011-07-181-0/+82
| | | | | | | | Implement a test for new dnszone-find option --forward-only. Fix example for reverse zone (zone was not fully qualified and DNS plugin would forbid adding PTR records). https://fedorahosted.org/freeipa/ticket/1473
* Add ability to specify DNS reverse zone name by IP network address.Jan Cholasta2011-07-151-0/+27
| | | | | | | In order for this to work, chaining of parameters through default_from is made possible. ticket 1474
* Remove the ability to create new HBAC deny rules.Rob Crittenden2011-07-141-0/+25
| | | | | | | | | | New rules will all be allow type. Existing rules cannot be changed to deny. The type attribute now defaults to allow with autofill so it won't be prompted in interactive mode in the cli. https://fedorahosted.org/freeipa/ticket/1432
* Convert nsaccountlock to always work as bool towards Python codeAlexander Bokovoy2011-07-133-24/+24
| | | | | | | | https://fedorahosted.org/freeipa/ticket/1259 Python code will see nsaccountlock as bool. JavaScript code will also see it as bool. This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
* Add DNS record modification commandMartin Kosek2011-07-121-2/+46
| | | | | | | | | | | | | | | | | The DNS record plugin does not support modification of a record. One can only add A type addresses to a DNS record or remove the current ones. To actually change a DNS record value it has to be removed and then added with a desired value. This patch adds a new DNS plugin command "dnsrecord-mod" which enables user to: - modify a DNS record value (note than DNS record can hold multiple values and those will be overwritten) - remove a DNS record when an empty value is passed New tests for this new command have been added to the CLI test suite. https://fedorahosted.org/freeipa/ticket/1137
* Fix test failure in updater when adding values to a single-value attrRob Crittenden2011-07-112-1/+2
| | | | | | | The ipaldap.py code was updated to consider the schema when making changes and does a REPLACE on single-value attributes. So when you do an add in an update it will effectively replace the value instead of ignoring it.
* find_entry_by_attr() should fail if multiple entries are foundRob Crittenden2011-07-111-0/+35
| | | | | | | | | | It will only ever return one entry so if more than one are found then we raise an exception. This is most easily seen in the host plugin where we search on the server shortname which can be the same across sub-domains (e.g. foo.example.com & foo.lab.example.com). https://fedorahosted.org/freeipa/ticket/1388
* Let the framework be able to override the hostname.Rob Crittenden2011-06-231-1/+0
| | | | | | | | | | | | | | | | | | The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. Important changes: - configure ipa_hostname in sssd on masters - set PKI_HOSTNAME so the hostname is passed to dogtag installer - set the hostname when doing ldapi binds This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok. ticket 1052
* Update test_role_plugin test to include a comma in a privilegeJohn Dennis2011-06-221-6/+10
| | | | | | | | | | | | | | | | | | | | | | Introduce a comma into a privilege name to assure we can handle commas. Commas must be escaped for some parameters, add escape_comma() utility and invoke it for the necessary parameters. Utilize a DN object to properly construct a DN and most importantly to allow equality testing beween the DN we expect and the one returned. This is necessary because a DN can be encoded according to different encoding syntaxes all of which are valid. DN objects always decode from their input. DN objects can test for equality between DN's without being affected by DN encoding. Add a equality callback for the dn in the expected dict. When the test framework tests for equality between the expected value and the returned value it will call back into a function we provide which will convert the returned dn into a DN object. An equality test is then performed between two DN objects. This is the only way to properly compare two dn's.
* assert_deepequal supports callback for equality testingJohn Dennis2011-06-221-1/+10
|
* Module for DN objects plus unit testJohn Dennis2011-06-221-0/+919
|
* Require an imported certificate's issuer to match our issuer.Rob Crittenden2011-06-163-35/+60
| | | | | | | | | | The goal is to not import foreign certificates. This caused a bunch of tests to fail because we had a hardcoded server certificate. Instead a developer will need to run make-testcert to create a server certificate generated by the local CA to test against. ticket 1134
* Raise DuplicateEntry Error when adding a duplicate sudo optionJr Aquino2011-06-161-3/+2
| | | | | | | | | | | | https://fedorahosted.org/freeipa/ticket/1276 https://fedorahosted.org/freeipa/ticket/1277 https://fedorahosted.org/freeipa/ticket/1308 Added new Exception: AttrValueNotFound Fixed XML Test for Sudorule remove_option 1276 (Raise AttrValueNotFound when trying to remove a non-existent option from Sudo rule) 1277 (Raise DuplicateEntry Error when adding a duplicate sudo option) 1308 (Make sudooption a required option for sudorule_remove_option)
* Add a list of managed hostsMartin Kosek2011-06-151-0/+2
| | | | | | | | Enhance Host plugin to provide not only "Managed By" list but also a list of managed hosts. The new list is generated only when --all option is passed. https://fedorahosted.org/freeipa/ticket/993
* Fix indirect member calculationRob Crittenden2011-06-141-38/+255
| | | | | | | | | | | | | | | | | Indirect membership is calculated by looking at each member and pulling all the memberof out of it. What was missing was doing nested searches on any members in that member group. So if group2 was a member of group1 and group3 was a member of group2 we would miss group3 as being an indirect member of group1. I updated the nesting test to do deeper nested testing. I confirmed that this test failed with the old code and works with the new. This also prevents duplicate indirect users and looping on circular membership. ticket https://fedorahosted.org/freeipa/ticket/1273
* Add UID, GID and e-mail to the user default attributes.Rob Crittenden2011-06-087-2/+58
| | | | ticket https://fedorahosted.org/freeipa/ticket/1265
* Add sudorule and hbacrule to memberof and indirectmemberof attributesJr Aquino2011-06-062-2/+72
| | | | | | | | Add Add tests for users, groups, hosts and hostgroups to verify membership Update API to version 2.3 https://fedorahosted.org/freeipa/ticket/1170
* Do stricter checking of IP addressed passed to server install.Jan Cholasta2011-05-301-0/+9
| | | | ticket 1213
* Parse netmasks in IP addresses passed to server install.Jan Cholasta2011-05-302-0/+78
| | | | ticket 1212
* Add option to limit the attributes allowed in an entry.Rob Crittenden2011-05-272-0/+158
| | | | | | | | | | | | | | | | Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy perview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation. Add two new LDAPObject values to control this behavior: limit_object_classes: only attributes in these are allowed disallow_object_classes: attributes in these are disallowed By default both of these lists are empty so are skipped. ticket 744
* A new flag to disable creation of UPGMartin Kosek2011-05-251-0/+44
| | | | | | | | Automatic creation may of User Private Groups (UPG) may not be wanted at all times. This patch adds a new flag --noprivate to ipa user-add command to disable it. https://fedorahosted.org/freeipa/ticket/1131
* Modify the default attributes shown in user-find to match the UI design.Rob Crittenden2011-04-221-5/+9
| | | | | | | | | | | | | | | This change means the UI can stop using the --all option and have to retrieve significantly less information from the server. It also speeds up user-find as it doesn't have to calculate membership. This adds a new baseclass parameter, search_display_attributes, which can provide a separate list from default_attributes just for find commands. The UI will need to be changed to switch from using cn to using givenname and sn. ticket 1136
* Convert manager from userid to dn for storage and back for displaying.Rob Crittenden2011-04-221-0/+27
| | | | ticket 1151
* Sort entries returned by *-find by the primary key (if any).Rob Crittenden2011-04-132-8/+8
| | | | | | | | Do a server-side sort if there is a primary key. Fix a couple of tests that were failing due to the new sorting. ticket 794
* postalCode should be a string not an integer.Rob Crittenden2011-04-051-1/+2
| | | | | | | | | | | | postalCode is defined as an Int. This means you can't define one that has a leading zero nor can you have dashes, letters, etc. This changes the data type on the server. It will still accept an int value if provided and convert it into a string. Bump the API version to 2.1. ticket 1150
* Change default gecos from uid to first and last name.Rob Crittenden2011-04-056-12/+12
| | | | ticket 1146
* Replace only if old and new have nothing in commonRob Crittenden2011-03-031-0/+204
| | | | | | | Jakub did the initial diagnosis of this, I added a fix for removing the last entry when removing members and a test case. ticket 1000