From fdef2e1bd80d688467aeb8ac425e9010bf00c530 Mon Sep 17 00:00:00 2001
From: Petr Viktorin <pviktori@redhat.com>
Date: Mon, 30 Jun 2014 20:56:23 +0200
Subject: permission plugin: Ignore unparseable ACIs

When manipulating a permission for an entry that has an ACI
that the parser cannot process, skip this ACI instead of
failing.

Add a test that manipulates permission in cn=accounts,
where there are complex ipaAllowedOperation-based ACIs.

Workaround for: https://fedorahosted.org/freeipa/ticket/4376

Reviewed-By: Martin Kosek <mkosek@redhat.com>
---
 ipatests/test_xmlrpc/test_permission_plugin.py | 52 ++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

(limited to 'ipatests/test_xmlrpc')

diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 46e0f1f0e..bf902c367 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -3966,3 +3966,55 @@ class test_permission_filters(Declarative):
             'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
         ),
     ]
+
+
+class test_permission_in_accounts(Declarative):
+    """Test managing a permission in cn=accounts"""
+
+    tests = [
+        dict(
+            desc='Create %r in cn=accounts' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                    ipapermlocation=DN('cn=accounts', api.env.basedn),
+                    ipapermright=u'add',
+                    attrs=[u'cn'],
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Added permission "%s"' % permission1,
+                result=dict(
+                    dn=permission1_dn,
+                    cn=[permission1],
+                    objectclass=objectclasses.permission,
+                    attrs=[u'cn'],
+                    ipapermright=[u'add'],
+                    ipapermbindruletype=[u'permission'],
+                    ipapermissiontype=[u'SYSTEM', u'V2'],
+                    ipapermlocation=[DN('cn=accounts', api.env.basedn)],
+                ),
+            ),
+        ),
+
+        verify_permission_aci(
+            permission1, DN('cn=accounts', api.env.basedn),
+            '(targetattr = "cn")' +
+            '(version 3.0;acl "permission:%s";' % permission1 +
+            'allow (add) groupdn = "ldap:///%s";)' % permission1_dn,
+        ),
+
+        dict(
+            desc='Delete %r' % permission1,
+            command=(
+                'permission_del', [permission1], {}
+            ),
+            expected=dict(
+                result=dict(failed=[]),
+                value=[permission1],
+                summary=u'Deleted permission "%s"' % permission1,
+            )
+        ),
+
+        verify_permission_aci_missing(permission1, api.env.basedn),
+    ]
-- 
cgit