From d7c60205a6232f52eec80126a649b1319ed77974 Mon Sep 17 00:00:00 2001 From: Jr Aquino Date: Tue, 31 May 2011 14:52:35 -0700 Subject: Add sudorule and hbacrule to memberof and indirectmemberof attributes Add Add tests for users, groups, hosts and hostgroups to verify membership Update API to version 2.3 https://fedorahosted.org/freeipa/ticket/1170 --- API.txt | 24 ++++++++++++++++---- VERSION | 2 +- ipalib/plugins/group.py | 5 +++-- ipalib/plugins/host.py | 5 +++-- ipalib/plugins/hostgroup.py | 4 ++-- ipalib/plugins/user.py | 4 ++-- tests/test_xmlrpc/test_hbac_plugin.py | 37 ++++++++++++++++++++++++++++++- tests/test_xmlrpc/test_sudorule_plugin.py | 37 ++++++++++++++++++++++++++++++- 8 files changed, 103 insertions(+), 15 deletions(-) diff --git a/API.txt b/API.txt index 67245c568..f1db5ec4f 100644 --- a/API.txt +++ b/API.txt @@ -904,7 +904,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'True means the operation was successful') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: group_find -args: 1,19,4 +args: 1,23,4 arg: Str('criteria?') option: Str('cn', attribute=True, autofill=False, cli_name='group_name', label=Gettext('Group name', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False) 
@@ -925,6 +925,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True) option: List('in_role?', cli_name='in_roles', label='role', multivalue=True) option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True) +option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True) +option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True) +option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True) +option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True) output: Output('summary', (, ), 'User-friendly description of action performed') output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', , 'Number of entries returned') @@ -1313,7 +1317,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'True means the operation was successful') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: host_find -args: 1,23,4 +args: 1,27,4 arg: Str('criteria?') option: Str('fqdn', validate_host, attribute=True, autofill=False, cli_name='hostname', label=Gettext('Host name', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False) 
@@ -1334,6 +1338,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True) option: List('in_role?', cli_name='in_roles', label='role', multivalue=True) option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True) +option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True) +option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True) +option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True) +option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True) option: List('enroll_by_user?', cli_name='enroll_by_users', label='user', multivalue=True) option: List('not_enroll_by_user?', cli_name='not_enroll_by_users', label='user', multivalue=True) option: List('man_by_host?', cli_name='man_by_hosts', label='host', multivalue=True) @@ -1415,7 +1423,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'list of deletions that failed') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: hostgroup_find -args: 1,13,4 +args: 1,17,4 arg: Str('criteria?') option: Str('cn', attribute=True, autofill=False, cli_name='hostgroup_name', label=Gettext('Host-group', domain='ipa', localedir=None), multivalue=False, normalizer=, primary_key=True, query=True, required=False) option: Str('description', attribute=True, autofill=False, cli_name='desc', label=Gettext('Description', domain='ipa', localedir=None), multivalue=False, query=True, required=False) 
@@ -1430,6 +1438,10 @@ option: List('hostgroup?', cli_name='hostgroups', label='hostgroup', multivalue= option: List('no_hostgroup?', cli_name='no_hostgroups', label='hostgroup', multivalue=True) option: List('in_hostgroup?', cli_name='in_hostgroups', label='hostgroup', multivalue=True) option: List('not_in_hostgroup?', cli_name='not_in_hostgroups', label='hostgroup', multivalue=True) +option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True) +option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True) +option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True) +option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True) output: Output('summary', (, ), 'User-friendly description of action performed') output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', , 'Number of entries returned') @@ -2580,7 +2592,7 @@ output: Output('summary', (, ), 'User-friendly output: Output('result', , 'True means the operation was successful') output: Output('value', , "The primary_key value of the entry, e.g. 'jdoe' for a user") command: user_find -args: 1,38,4 +args: 1,42,4 arg: Str('criteria?') option: Str('uid', attribute=True, autofill=False, cli_name='login', default_from=DefaultFrom(, 'givenname', 'sn'), label=Gettext('User login', domain='ipa', localedir=None), maxlength=255, multivalue=False, normalizer=, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', pattern_errmsg='may only include letters, numbers, _, -, . and $', primary_key=True, query=True, required=False) option: Str('givenname', attribute=True, autofill=False, cli_name='first', label=Gettext('First name', domain='ipa', localedir=None), multivalue=False, query=True, required=False) 
@@ -2620,6 +2632,10 @@ option: List('in_netgroup?', cli_name='in_netgroups', label='netgroup', multival option: List('not_in_netgroup?', cli_name='not_in_netgroups', label='netgroup', multivalue=True) option: List('in_role?', cli_name='in_roles', label='role', multivalue=True) option: List('not_in_role?', cli_name='not_in_roles', label='role', multivalue=True) +option: List('in_hbacrule?', cli_name='in_hbacrules', label='HBAC rule', multivalue=True) +option: List('not_in_hbacrule?', cli_name='not_in_hbacrules', label='HBAC rule', multivalue=True) +option: List('in_sudorule?', cli_name='in_sudorules', label='Sudo Rule', multivalue=True) +option: List('not_in_sudorule?', cli_name='not_in_sudorules', label='Sudo Rule', multivalue=True) output: Output('summary', (, ), 'User-friendly description of action performed') output: ListOfEntries('result', (, ), Gettext('A list of LDAP entries', domain='ipa', localedir=None)) output: Output('count', , 'Number of entries returned') diff --git a/VERSION b/VERSION index 44de4f5f5..762c7e53a 100644 --- a/VERSION +++ b/VERSION @@ -79,4 +79,4 @@ IPA_DATA_VERSION=20100614120000 # # ######################################################## IPA_API_VERSION_MAJOR=2 -IPA_API_VERSION_MINOR=2 +IPA_API_VERSION_MINOR=3 diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py index d4d0715c5..163a6f5da 100644 --- a/ipalib/plugins/group.py +++ b/ipalib/plugins/group.py @@ -90,9 +90,10 @@ class group(LDAPObject): uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['user', 'group'], - 'memberof': ['group', 'netgroup', 'role',], + 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'memberindirect': ['user', 'group', 'netgroup', 'role'], - 'memberofindirect': ['group', 'netgroup', 'role'], + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', + 'sudorule'], } rdnattr = 'cn' diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py index 4947986f6..a602df4d1 100644 --- a/ipalib/plugins/host.py 
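Review bot: Nothing near `attribute_members` in group.py says that adding a name to it is an API change. The API.txt part of this commit shows `group_find` gaining `in_hbacrule`, `not_in_hbacrule`, `in_sudorule` and `not_in_sudorule`, apparently derived from the two new `'memberof'` entries. A comment above the dict would help, e.g. `# each name under 'memberof' also yields in_<name>/not_in_<name> options on group_find; regenerate API.txt`, and the same goes for the `attribute_members` changes in host.py, hostgroup.py and user.py. Because these entries reveal which access-control rules cover an entry, it is worth confirming that the directory ACIs on the membership attribute limit who can read them; that is not visible in this diff. The class body starts and ends outside the hunk.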
+++ b/ipalib/plugins/host.py @@ -214,9 +214,10 @@ class host(LDAPObject): uuid_attribute = 'ipauniqueid' attribute_members = { 'enrolledby': ['user'], - 'memberof': ['hostgroup', 'netgroup', 'role'], + 'memberof': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'], 'managedby': ['host'], - 'memberofindirect': ['hostgroup', 'netgroup', 'role'], + 'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule', + 'sudorule'], } bindable = True relationships = { diff --git a/ipalib/plugins/hostgroup.py b/ipalib/plugins/hostgroup.py index 715523440..4ffc2217e 100644 --- a/ipalib/plugins/hostgroup.py +++ b/ipalib/plugins/hostgroup.py @@ -65,9 +65,9 @@ class hostgroup(LDAPObject): uuid_attribute = 'ipauniqueid' attribute_members = { 'member': ['host', 'hostgroup'], - 'memberof': ['hostgroup'], + 'memberof': ['hostgroup', 'hbacrule', 'sudorule'], 'memberindirect': ['host', 'hostgroup'], - 'memberofindirect': ['host', 'hostgroup'], + 'memberofindirect': ['host', 'hostgroup', 'hbacrule', 'sudorule'], } label = _('Host Groups') diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py index c4d875a2d..6111d1632 100644 --- a/ipalib/plugins/user.py +++ b/ipalib/plugins/user.py @@ -99,8 +99,8 @@ class user(LDAPObject): ] uuid_attribute = 'ipauniqueid' attribute_members = { - 'memberof': ['group', 'netgroup', 'role'], - 'memberofindirect': ['group', 'netgroup', 'role'], + 'memberof': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], + 'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule', 'sudorule'], } rdnattr = 'uid' bindable = True diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index 504565477..b2345cc4a 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py +++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -24,7 +24,6 @@ from xmlrpc_test import XMLRPC_test, assert_attr_equal from ipalib import api from ipalib import errors - class test_hbac(XMLRPC_test): """ Test the `hbacrule` plugin. 
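Review bot: In hostgroup.py, `'memberofindirect'` on the new side still lists `'host'`, which does not appear in `'memberof'` and looks copied from `'memberindirect'`; a host group contains hosts rather than being a member of one. If that reading is right, the line should be `'memberofindirect': ['hostgroup', 'hbacrule', 'sudorule'],`. The entry predates this commit, but the line is rewritten here, so this is the cheapest place to correct it. The class body continues outside the hunk.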
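Review bot: The new `'memberofindirect'` line in user.py stays on one line, while the identical list in group.py and host.py is wrapped before `'sudorule'`; with the class-body indentation it likely passes 79 columns. Wrapping it the same way keeps the four plugins consistent: `'memberofindirect': ['group', 'netgroup', 'role', 'hbacrule',` followed by `'sudorule'],` on a continuation line.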
@@ -179,6 +178,24 @@ class test_hbac(XMLRPC_test): assert_attr_equal(entry, 'memberuser_user', self.test_user) assert_attr_equal(entry, 'memberuser_group', self.test_group) + def test_9_a_show_user(self): + """ + Test showing a user to verify HBAC rule membership + `xmlrpc.user_show`. + """ + ret = api.Command['user_show'](self.test_user, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name) + + def test_9_b_show_group(self): + """ + Test showing a group to verify HBAC rule membership + `xmlrpc.group_show`. + """ + ret = api.Command['group_show'](self.test_group, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name) + def test_9_hbacrule_remove_user(self): """ Test removing user and group from HBAC rule using `xmlrpc.hbacrule_remove_user'. @@ -215,6 +232,24 @@ class test_hbac(XMLRPC_test): assert_attr_equal(entry, 'memberhost_host', self.test_host) assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup) + def test_a_hbacrule_show_host(self): + """ + Test showing host to verify HBAC rule membership + `xmlrpc.host_show`. + """ + ret = api.Command['host_show'](self.test_host, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name) + + def test_a_hbacrule_show_hostgroup(self): + """ + Test showing hostgroup to verify HBAC rule membership + `xmlrpc.hostgroup_show`. + """ + ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_HBAC rule', self.rule_name) + def test_b_hbacrule_remove_host(self): """ Test removing host and hostgroup from HBAC rule using `xmlrpc.hbacrule_remove_host`. diff --git a/tests/test_xmlrpc/test_sudorule_plugin.py b/tests/test_xmlrpc/test_sudorule_plugin.py index 4c3ba5a21..3de1adce0 100644 --- a/tests/test_xmlrpc/test_sudorule_plugin.py +++ b/tests/test_xmlrpc/test_sudorule_plugin.py 
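Review bot: Only the positive case is asserted: `test_9_a_show_user` and `test_9_b_show_group` check that `memberof_HBAC rule` appears after the add, but nothing checks that it disappears once `test_9_hbacrule_remove_user` has run. For an access-control rule, a stale membership in `user_show` output is the more harmful failure, so a test that runs after the removal should assert `'memberof_HBAC rule' not in ret['result']` for both `user_show` and `group_show`. The same gap exists for the host and hostgroup tests in the next hunk and for the four tests added to test_sudorule_plugin.py. The tests appear to rely on name order, so the new test's name has to sort after the removal test.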
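Review bot: `test_a_hbacrule_show_host` and `test_a_hbacrule_show_hostgroup` read `memberof_HBAC rule` only, so the `'memberofindirect'` entries this commit adds to the four plugins are not exercised by any visible test. Coverage would need a principal that reaches the rule only through a group or host group, with an assertion on the indirect attribute (presumably `memberofindirect_HBAC rule`; confirm the key against the server output). Whether `self.test_user` belongs to `self.test_group` is set up outside the hunk, so the fixture may need a new member. The same holds for the sudorule tests.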
@@ -25,7 +25,6 @@ from xmlrpc_test import XMLRPC_test, assert_attr_equal from ipalib import api from ipalib import errors - class test_sudorule(XMLRPC_test): """ Test the `sudorule` plugin. @@ -155,6 +154,24 @@ class test_sudorule(XMLRPC_test): assert_attr_equal(entry, 'memberuser_user', self.test_user) assert_attr_equal(entry, 'memberuser_group', self.test_group) + def test_9_a_show_user(self): + """ + Test showing a user to verify Sudo rule membership + `xmlrpc.user_show`. + """ + ret = api.Command['user_show'](self.test_user, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name) + + def test_9_b_show_group(self): + """ + Test showing a group to verify Sudo rule membership + `xmlrpc.group_show`. + """ + ret = api.Command['group_show'](self.test_group, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name) + def test_9_sudorule_remove_user(self): """ Test removing user and group from Sudo rule using @@ -359,6 +376,24 @@ class test_sudorule(XMLRPC_test): assert_attr_equal(entry, 'memberhost_host', self.test_host) assert_attr_equal(entry, 'memberhost_hostgroup', self.test_hostgroup) + def test_a_sudorule_show_host(self): + """ + Test showing host to verify Sudo rule membership + `xmlrpc.host_show`. + """ + ret = api.Command['host_show'](self.test_host, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name) + + def test_a_sudorule_show_hostgroup(self): + """ + Test showing hostgroup to verify Sudo rule membership + `xmlrpc.hostgroup_show`. + """ + ret = api.Command['hostgroup_show'](self.test_hostgroup, all=True) + entry = ret['result'] + assert_attr_equal(entry, 'memberof_Sudo Rule', self.rule_name) + def test_b_sudorule_remove_host(self): """ Test removing host and hostgroup from Sudo rule using -- cgit
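Review bot: The asserted key `'memberof_Sudo Rule'` contains a space and a display-style name, whereas the neighbouring assertions use plugin names (`'memberuser_user'`, `'memberhost_hostgroup'`) and `attribute_members` lists `'sudorule'`. It matches the `label='Sudo Rule'` text in API.txt, which suggests the result key is built from a human-readable label; the capitalisation also differs from `'HBAC rule'` in test_hbac_plugin.py. If so, clients and these tests break whenever the label is reworded or translated. At minimum add a comment on the assertion, e.g. `# key suffix is the object's display label, not the plugin name 'sudorule'`, and consider keying on the plugin name instead. The same applies to the later host and hostgroup hunk of this file and to the `'memberof_HBAC rule'` assertions.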