From 6ce44c4f058f07b7ebc5903644f76dcd8d56b7b4 Mon Sep 17 00:00:00 2001
From: Petr Viktorin
Date: Fri, 12 Sep 2014 09:59:52 +0200
Subject: permission plugin: Auto-add operational atttributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp should be readable whenever thir entry is, i.e. when we allow reading the objectclass. Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek
---
 ipatests/test_xmlrpc/test_permission_plugin.py | 44 ++++++++++++++++++++++++
 ipatests/test_xmlrpc/test_realmdomains_plugin.py | 3 +-
 2 files changed, 46 insertions(+), 1 deletion(-)
(limited to 'ipatests/test_xmlrpc')
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index e5c828670..bb772050b 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -4018,3 +4018,47 @@ class test_permission_in_accounts(Declarative):
 verify_permission_aci_missing(permission1, api.env.basedn),
 ]
+
+
+class test_autoadd_operational_attrs(Declarative):
+ """Test that read access to operational attributes is automatically added
+ """
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ ipapermlocation=DN('cn=accounts', api.env.basedn),
+ ipapermright=u'read',
+ attrs=[u'ObjectClass'],
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ attrs=[u'ObjectClass', u'entryusn', u'createtimestamp',
+ u'modifytimestamp'],
+ ipapermright=[u'read'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[DN('cn=accounts', api.env.basedn)],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, DN('cn=accounts', api.env.basedn),
+ '(targetattr = "ObjectClass || createtimestamp || entryusn || ' +
+ 'modifytimestamp")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+ ]
diff --git a/ipatests/test_xmlrpc/test_realmdomains_plugin.py b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
index a2dc39b74..fc04e2ae5 100644
--- a/ipatests/test_xmlrpc/test_realmdomains_plugin.py
+++ b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
@@ -66,7 +66,8 @@ class test_realmdomains(Declarative):
 objectclass=objectclasses.realmdomains,
 aci=[
 u'(targetattr = "associateddomain || cn || '
- u'objectclass")'
+ u'createtimestamp || entryusn || '
+ u'modifytimestamp || objectclass")'
 u'(targetfilter = "(objectclass=domainrelatedobject)")'
 u'(version 3.0;acl '
 u'"permission:System: Read Realm Domains";'
-- cgit
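Review bot: The new `test_autoadd_operational_attrs` class pins only the positive path — a read permission on `ObjectClass` gains `entryusn`, `createtimestamp` and `modifytimestamp` — and never checks the boundary that matters for integrity, namely that the auto-add does not fire for a non-read right; a write permission that silently also covered these server-maintained operational attributes would pass this suite unnoticed. The commit message scopes the behaviour to "every read permission that includes objectclass", so a second entry using `ipapermright=u'write'` that expects `attrs=[u'ObjectClass']` and an ACI of `(targetattr = "ObjectClass")` with `allow (write)` would lock that scope in, and a `permission_mod` that removes `ObjectClass` from `attrs` would likewise show whether the operational attributes are stripped again. The entry below reuses `permission1`, so it needs a `permission_del` step (or a second permission name) ahead of it, and its expected values are copied from the read entry on the assumption that non-read permissions are left untouched — confirm against the plugin before relying on them.
```python
        # … unchanged: read-permission entry and its verify_permission_aci …
        # (permission1 must be deleted first, or a second permission name used)
        dict(
            desc='Create %r with write right; no operational attrs added' % permission1,
            command=(
                'permission_add', [permission1], dict(
                    ipapermlocation=DN('cn=accounts', api.env.basedn),
                    ipapermright=u'write',
                    attrs=[u'ObjectClass'],
                )
            ),
            expected=dict(
                value=permission1,
                summary=u'Added permission "%s"' % permission1,
                result=dict(
                    dn=permission1_dn,
                    cn=[permission1],
                    objectclass=objectclasses.permission,
                    attrs=[u'ObjectClass'],
                    ipapermright=[u'write'],
                    ipapermbindruletype=[u'permission'],
                    ipapermissiontype=[u'SYSTEM', u'V2'],
                    ipapermlocation=[DN('cn=accounts', api.env.basedn)],
                ),
            ),
        ),

        verify_permission_aci(
            permission1, DN('cn=accounts', api.env.basedn),
            '(targetattr = "ObjectClass")' +
            '(version 3.0;acl "permission:%s";' % permission1 +
            'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
        ),
```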