authorPetr Viktorin <pviktori@redhat.com>2013-11-29 12:57:30 +0100
committerMartin Kosek <mkosek@redhat.com>2013-12-13 15:08:52 +0100
commitf47669a5b969a512756a39f451f04ed9c95ce3ab (patch)
treeecdaf467d67ecfd1c3dbd1d7c423e8243235db95
parentd7ee87cfa1e288fe18dc2dbeb2d691753048f4db (diff)
Verify ACIs are added correctly in tests
To double-check that the ACIs are correct, the tests use a code path independent of the new permission plugin: the aci_show command. A new option, location, is added to that command to support these checks.
-rw-r--r--API.txt3
-rw-r--r--ipalib/plugins/aci.py14
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py259
3 files changed, 270 insertions, 6 deletions
diff --git a/API.txt b/API.txt
index 842a06bf..cc0c5440 100644
--- a/API.txt
+++ b/API.txt
@@ -92,10 +92,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: aci_show
-args: 1,4,3
+args: 1,5,3
arg: Str('aciname', attribute=True, cli_name='name', multivalue=False, primary_key=True, query=True, required=True)
option: StrEnum('aciprefix', cli_name='prefix', values=(u'permission', u'delegation', u'selfservice', u'none'))
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
+option: DNParam('location?')
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('version?', exclude='webui')
output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index 328effcb..a4c38665 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -120,8 +120,8 @@ targetattr REPLACES the current attributes, it does not add to them.
from copy import deepcopy
from ipalib import api, crud, errors
-from ipalib import Object, Command
-from ipalib import Flag, Int, Str, StrEnum
+from ipalib import Object
+from ipalib import Flag, Str, StrEnum, DNParam
from ipalib.aci import ACI
from ipalib import output
from ipalib import _, ngettext
@@ -892,7 +892,12 @@ class aci_show(crud.Retrieve):
),
)
- takes_options = (_prefix_option,)
+ takes_options = (
+ _prefix_option,
+ DNParam('location?',
+ label=_('Location of the ACI'),
+ )
+ )
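Review bot: The new `location` option in the `DNParam` at the end of the hunk carries only a `label` and no `doc`, so `ipa aci-show --help` will not tell a user what the DN is for or that the base DN is used when it is omitted. Add `doc=_('DN of the entry whose aci attribute is read (defaults to the base DN)'),` after the `label` line. The `aci_show` class continues outside the hunk.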
def execute(self, aciname, **kw):
"""
@@ -905,7 +910,8 @@ class aci_show(crud.Retrieve):
"""
ldap = self.api.Backend.ldap2
- entry = ldap.get_entry(self.api.env.basedn, ['aci'])
+ dn = kw.get('location', self.api.env.basedn)
+ entry = ldap.get_entry(dn, ['aci'])
acis = _convert_strings_to_acis(entry.get('aci', []))
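Review bot: `dn = kw.get('location', self.api.env.basedn)` only falls back to the base DN when the key is absent; should the framework ever pass `location=None`, `get_entry` would be called with `None`, so `dn = kw.get('location') or self.api.env.basedn` is the more defensive form. A `location` naming a nonexistent entry presumably surfaces as `get_entry`'s own NotFound rather than the `ACI with name "..." not found` error the new test helpers expect, which deserves a comment such as `# a missing location entry raises NotFound from get_entry, not the ACI-not-found error below` so the distinction is deliberate. Reading the `aci` attribute of an arbitrary DN remains subject to the directory server's own access control for the bound principal, and the method docstring (which starts before the hunk) should say that `location` widens what `aci_show` reads, not what the caller is permitted to see. The `execute` method continues outside the hunk.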
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 3931c0a8..82436b3b 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -22,10 +22,13 @@
Test the `ipalib/plugins/permission.py` module.
"""
+import os
+
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
+import inspect
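Review bot: `import inspect` at the bottom of the hunk is a standard-library import placed after the project imports, while the other new stdlib import `os` was put at the top of the group. Move it directly under `import os` so the stdlib / project grouping the file otherwise follows is preserved.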
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
@@ -86,6 +89,44 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
+def verify_permission_aci(name, dn, acistring):
+ """Return test dict that verifies the ACI at the given location"""
+ return dict(
+ desc="Verify ACI of %s #(%s)" % (name, lineinfo(2)),
+ command=('aci_show', [name], dict(
+ aciprefix=u'permission', location=dn, raw=True)),
+ expected=dict(
+ result=dict(aci=acistring),
+ summary=None,
+ value=name,
+ ),
+ )
+
+
+def verify_permission_aci_missing(name, dn):
+ """Return test dict that checks the ACI at the given location is missing"""
+ return dict(
+ desc="Verify ACI of %s is missing #(%s)" % (name, lineinfo(2)),
+ command=('aci_show', [name], dict(
+ aciprefix=u'permission', location=dn, raw=True)),
+ expected=errors.NotFound(
+ reason='ACI with name "%s" not found' % name),
+ )
+
+
+def lineinfo(level):
+ """Return "filename:lineno" for `level`-th caller"""
+ # Declarative tests hide tracebacks.
+ # Including this info in the test name makes it possible
+ # to locate failing tests.
+ frame = inspect.currentframe()
+ for i in range(level):
+ frame = frame.f_back
+ lineno = frame.f_lineno
+ filename = os.path.basename(frame.f_code.co_filename)
+ return '%s:%s' % (filename, lineno)
+
+
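Review bot: `lineinfo` walks `frame.f_back` without handling `inspect.currentframe()` returning `None`, which the `inspect` documentation says it may on non-CPython implementations, and it holds the frame reference until the function returns even though the same documentation recommends deleting it to break the reference cycle; a failure here would raise during test-list construction rather than inside a test. Guard the `None` case, wrap the walk in `try/finally` with `del frame`, and comment the hard-coded `lineinfo(2)` in the two verify helpers, e.g. `# 2 = skip lineinfo and this helper; report the test-list line`, since the level silently breaks if another wrapper is introduced.
```python
def lineinfo(level):
    """Return "filename:lineno" for `level`-th caller"""
    # … unchanged: comment on why the location is embedded in the test name …
    frame = inspect.currentframe()
    if frame is None:
        return '?'  # currentframe() may return None on non-CPython implementations
    try:
        for i in range(level):
            frame = frame.f_back
        lineno = frame.f_lineno
        filename = os.path.basename(frame.f_code.co_filename)
    finally:
        del frame  # break the frame reference cycle, as the inspect docs recommend
    return '%s:%s' % (filename, lineno)
```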
class test_permission_negative(Declarative):
"""Make sure invalid operations fail"""
@@ -101,7 +142,6 @@ class test_permission_negative(Declarative):
reason=u'%s: permission not found' % permission1),
),
-
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(ipapermright=u'all')),
@@ -152,6 +192,8 @@ class test_permission_negative(Declarative):
'(e.g. target, targetfilter, attrs)'),
),
+ verify_permission_aci_missing(permission1, api.env.basedn),
+
dict(
desc='Try to create invalid %r' % invalid_permission1,
command=('permission_add', [invalid_permission1], dict(
@@ -162,6 +204,8 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
+ verify_permission_aci_missing(permission1, users_dn),
+
dict(
desc='Create %r so we can try breaking it' % permission1,
command=(
@@ -280,6 +324,13 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
dict(
desc='Try to create duplicate %r' % permission1,
@@ -540,6 +591,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission2, users_dn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission2 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
+ ),
+
dict(
desc='Search for %r' % permission1,
@@ -766,6 +825,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Retrieve %r to verify update' % permission1,
@@ -871,6 +939,17 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci_missing(permission1, users_dn),
+
+ verify_permission_aci(
+ permission1_renamed, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed +
+ 'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
+ ),
+
dict(
desc='Rename %r to permission %r' % (permission1_renamed,
@@ -901,6 +980,17 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci_missing(permission1_renamed, users_dn),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
dict(
desc='Change %r to a subtree type' % permission1_renamed_ucase,
@@ -928,6 +1018,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1_renamed_ucase, users_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
dict(
desc='Reset --subtree of %r' % permission2,
command=(
@@ -951,6 +1050,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission2, api.env.basedn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission2 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
+ ),
+
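Review bot: The check added after 'Reset --subtree of permission2' verifies the ACI now exists at `api.env.basedn` but never verifies it is gone from `users_dn`, where an earlier check in this commit placed it; a stale copy left behind at the old location would keep granting write on `cn` and this test would still pass. Add `verify_permission_aci_missing(permission2, users_dn),` before the `verify_permission_aci(permission2, api.env.basedn, ...)` entry. The same gap exists at every step in this commit where a permission's location changes.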
dict(
desc='Search for %r using --subtree' % permission1,
command=('permission_find', [],
@@ -1027,6 +1134,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission1_renamed_ucase, users_dn),
dict(
desc='Try to delete non-existent %r' % permission1,
@@ -1062,6 +1170,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission2, users_dn),
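Review bot: The post-delete check `verify_permission_aci_missing(permission2, users_dn)` looks at `users_dn`, but the 'Reset --subtree' check earlier in this commit expects permission2's ACI at `api.env.basedn`; unless a step outside these hunks moved it back, this assertion would pass even if the ACI at the base DN survived the delete. Check the location the ACI was last verified at, `verify_permission_aci_missing(permission2, api.env.basedn),`, or check both locations.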
dict(
desc='Search for %r' % permission1,
@@ -1128,6 +1237,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Try to update non-existent memberof of %r' % permission1,
command=('permission_mod', [permission1], dict(
@@ -1163,6 +1281,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset memberof of permission %r' % permission1,
command=(
@@ -1188,6 +1315,13 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
dict(
desc='Delete %r' % permission1,
@@ -1199,6 +1333,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create targetgroup permission %r' % permission1,
@@ -1227,6 +1362,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN('cn=editors', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Create %r' % permission3,
command=(
@@ -1254,6 +1397,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission3, users_dn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission3 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
+ ),
+
dict(
desc='Retrieve %r with --all --rights' % permission3,
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
@@ -1300,6 +1451,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission3, users_dn,
+ '(targetattr = "cn || uid")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission3 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
+ ),
+
dict(
desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1],
@@ -1351,6 +1510,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset location on %r, verify type is gone' % permission1,
command=(
@@ -1378,6 +1546,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
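Review bot: 'Unset location on permission1' is followed by a check that the ACI now sits at `api.env.basedn`, but not that it was removed from `users_dn` where the preceding check in this class placed it; if the plugin wrote the new ACI without deleting the old one, the old grant would persist unnoticed. Insert `verify_permission_aci_missing(permission1, users_dn),` ahead of the basedn check. The mirror-image 'Reset location' step below should likewise assert the ACI is missing from `api.env.basedn`.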
dict(
desc='Reset location on %r' % permission1,
command=(
@@ -1406,6 +1583,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset target on %r, verify type is gone' % permission1,
command=(
@@ -1432,6 +1618,14 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
command=(
@@ -1455,6 +1649,13 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set type of %r to group' % permission1,
command=(
@@ -1480,6 +1681,14 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
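Review bot: Setting the type to group moves the ACI to `groups_dn`, and the added check only confirms its presence there; the ACI previously verified at `users_dn` in this class is never asserted to be absent. Add `verify_permission_aci_missing(permission1, users_dn),` before this `verify_permission_aci(permission1, groups_dn, ...)` so a leftover write grant on user entries would fail the test rather than survive silently.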
dict(
desc='Set target on %r, verify targetgroup is set' % permission1,
command=(
@@ -1504,6 +1713,14 @@ class test_permission_sync_attributes(Declarative):
),
),
),
+
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
]
@@ -1545,6 +1762,15 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset type on %r, verify target & location are gone' % permission1,
command=(
@@ -1571,6 +1797,14 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
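Review bot: After 'Unset type on permission1' the new check confirms the ACI at `api.env.basedn` but does not confirm it was removed from `users_dn`, where the previous check in this class expected it, so a duplicate ACI at the old location would not be caught. Insert `verify_permission_aci_missing(permission1, users_dn),` before the basedn check; the later 'Set type of permission1 to group' step in this class has the same gap with respect to `api.env.basedn`.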
dict(
desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
command=(
@@ -1594,6 +1828,13 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set type of %r to group' % permission1,
command=(
@@ -1619,6 +1860,14 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set targetgroup on %r, verify target is set' % permission1,
command=(
@@ -1643,6 +1892,14 @@ class test_permission_sync_nice(Declarative):
),
),
),
+
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
]