authorPetr Vobornik <pvoborni@redhat.com>2014-10-03 13:00:57 +0200
committerPetr Vobornik <pvoborni@redhat.com>2014-10-03 13:08:26 +0200
commit2aa5774ce4fac0c51865282f915d19c5da3f884b (patch)
tree97a2b338e72b06841dcd90f7651da38084e5a509
parent6a92535720750893f3920114da401148de9101ba (diff)
downloadfreeipa-keytab-4419-2.tar.gz
freeipa-keytab-4419-2.tar.xz
freeipa-keytab-4419-2.zip
-rw-r--r--ipatests/test_xmlrpc/test_service_plugin.py247
1 files changed, 247 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index c29c94d86..9ae4020b6 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -27,6 +27,8 @@ from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_iss
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert
+from ipatests.test_xmlrpc.test_user_plugin import (
+ get_user_result, get_user_dn, get_group_dn)
import base64
from ipapython.dn import DN
@@ -46,6 +48,12 @@ role1_dn = DN(('cn', role1), api.env.container_rolegroup, api.env.basedn)
badservercert = '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'
+user1 = u'tuser1'
+user2 = u'tuser2'
+group1 = u'group1'
+group1_dn = get_group_dn(group1)
+group2 = u'group2'
+group2_dn = get_group_dn(group2)
class test_service(Declarative):
@@ -752,3 +760,242 @@ class test_service_in_role(Declarative):
),
),
]
+
+
+class test_service_allowed_to(Declarative):
+ cleanup_commands = [
+ ('user_del', [user1], {}),
+ ('user_del', [user2], {}),
+ ('group_del', [group1], {}),
+ ('group_del', [group2], {}),
+ ('host_del', [fqdn1], {}),
+ ('service_del', [service1], {}),
+ ]
+
+ tests = [
+ # prepare entries
+ dict(
+ desc='Create %r' % user1,
+ command=(
+ 'user_add', [], dict(givenname=u'Test', sn=u'User1')
+ ),
+ expected=dict(
+ value=user1,
+ summary=u'Added user "%s"' % user1,
+ result=get_user_result(user1, u'Test', u'User1', 'add'),
+ ),
+ ),
+ dict(
+ desc='Create %r' % user2,
+ command=(
+ 'user_add', [], dict(givenname=u'Test', sn=u'User2')
+ ),
+ expected=dict(
+ value=user2,
+ summary=u'Added user "%s"' % user2,
+ result=get_user_result(user2, u'Test', u'User2', 'add'),
+ ),
+ ),
+ dict(
+ desc='Create group: %r' % group1,
+ command=(
+ 'group_add', [group1], dict()
+ ),
+ expected=dict(
+ value=group1,
+ summary=u'Added group "%s"' % group1,
+ result=dict(
+ cn=[group1],
+ objectclass=objectclasses.group + [u'posixgroup'],
+ ipauniqueid=[fuzzy_uuid],
+ gidnumber=[fuzzy_digits],
+ dn=group1_dn
+ ),
+ ),
+ ),
+ dict(
+ desc='Create group: %r' % group2,
+ command=(
+ 'group_add', [group2], dict()
+ ),
+ expected=dict(
+ value=group2,
+ summary=u'Added group "%s"' % group2,
+ result=dict(
+ cn=[group2],
+ objectclass=objectclasses.group + [u'posixgroup'],
+ ipauniqueid=[fuzzy_uuid],
+ gidnumber=[fuzzy_digits],
+ dn=group2_dn
+ ),
+ ),
+ ),
+ dict(
+ desc='Create %r' % fqdn1,
+ command=(
+ 'host_add', [fqdn1],
+ dict(
+ description=u'Test host 1',
+ l=u'Undisclosed location 1',
+ force=True,
+ ),
+ ),
+ expected=dict(
+ value=fqdn1,
+ summary=u'Added host "%s"' % fqdn1,
+ result=dict(
+ dn=host1dn,
+ fqdn=[fqdn1],
+ description=[u'Test host 1'],
+ l=[u'Undisclosed location 1'],
+ krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
+ objectclass=objectclasses.host,
+ ipauniqueid=[fuzzy_uuid],
+ managedby_host=[u'%s' % fqdn1],
+ has_keytab=False,
+ has_password=False,
+ ),
+ ),
+ ),
+ dict(
+ desc='Create %r' % service1,
+ command=('service_add', [service1_no_realm], dict(force=True)),
+ expected=dict(
+ value=service1,
+ summary=u'Added service "%s"' % service1,
+ result=dict(
+ dn=service1dn,
+ krbprincipalname=[service1],
+ objectclass=objectclasses.service,
+ ipauniqueid=[fuzzy_uuid],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ # verify
+ dict(
+ desc='Allow %r to a retrieve keytab of %r' % (user1, service1),
+ command=('service_add_retrieve_keytab', [service1],
+ dict(user=user1)),
+ expected=dict(
+ failed=dict(
+ member=dict(
+ group=[],
+ user=[],
+ ),
+ ),
+ completed=1,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ krbprincipalname=[service1],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Test duplicate - service_add_retrieve_keytab - user',
+ command=('service_add_retrieve_keytab', [service1],
+ dict(user=user1)),
+ expected=dict(
+ failed=dict(
+ member=dict(
+ group=[],
+ user=[[user1, "This entry is already a member"]],
+ ),
+ ),
+ completed=1,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ krbprincipalname=[service1],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Allow %r, %r to a retrieve keytab of %r' % (
+ group1, group2, service1),
+ command=('service_add_retrieve_keytab', [service1],
+ dict(group=[group1, group2])),
+ expected=dict(
+ failed=dict(
+ member=dict(
+ group=[],
+ user=[],
+ ),
+ ),
+ completed=1,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ ipaallowedtoperform_read_keys_group=[group1, group2],
+ krbprincipalname=[service1],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Test invalid removal of retrieve keytab',
+ command=('service_remove_retrieve_keytab', [service1],
+ dict(user=[user2])),
+ expected=dict(
+ failed=dict(
+ member=dict(
+ group=[],
+ user=[[user1, "This entry is not a member"]],
+ ),
+ ),
+ completed=1,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ ipaallowedtoperform_read_keys_group=[group1, group2],
+ krbprincipalname=[service1],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Verify presence of ipaallowedtoperform in show output',
+ command=('service_show', [service1_no_realm], {}),
+ expected=dict(
+ value=service1,
+ summary=None,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ ipaallowedtoperform_read_keys_group=[group1, group2],
+ krbprincipalname=[service1],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Verify presence of ipaallowedtoperform in mod output',
+ command=(
+ 'service_mod', [service1_no_realm],
+ dict(ipakrbokasdelegate=True)),
+ expected=dict(
+ value=service1,
+ summary=None,
+ result=dict(
+ dn=service1dn,
+ ipaallowedtoperform_read_keys_user=[user1],
+ ipaallowedtoperform_read_keys_group=[group1, group2],
+ ipakrbokasdelegate=True,
+ krbprincipalname=[service1],
+ krbticketflags=["1048704"],
+ managedby_host=[fqdn1],
+ ),
+ ),
+ ),
+
+
+ ]
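Review bot: In the 'Test invalid removal of retrieve keytab' case the command passes `user=[user2]` but the expected `failed` list names `user1`, so the test asserts a failure for an entry that was never submitted; it should read `user=[[user2, u"This entry is not a member"]],`. The `completed=1` there and in the duplicate-add case also looks wrong if `completed` counts members actually changed, which would give `completed=0` for both and `completed=2` for the two-group add; this should be confirmed against the plugin. The two failure messages and `krbticketflags=["1048704"]` are plain string literals while the other values in the hunk use `u''`, which may matter if the result comparison is type-strict. The class also never exercises a successful `service_remove_retrieve_keytab`, so revoking key-read permission, the direction that matters most for access control, has no coverage. A case that removes `user1` and asserts `ipaallowedtoperform_read_keys_user` is absent from the result would close that gap.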