authorFlorence Blanc-Renaud <flo@redhat.com>2018-11-07 17:02:31 +0100
committerChristian Heimes <cheimes@redhat.com>2018-11-13 12:40:44 +0100
commitda4c12c3e6ac978afc1a365c3aed87eae5832a96 (patch)
tree9a5c65302a38bf3acf8aecf78a8927ff05f819d2
parent5d603fce5d87a39c0a12bbed880a286b00128f34 (diff)
ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario: - create a user with the "User Administrator" role - as this user, create a user with a --radius=<radius_proxy_server> This scenario was previously failing because ipa user-add --radius requires read access to the radius server entries, and there was no permission granting this access. Related to https://pagure.io/freeipa/issue/7570 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
-rw-r--r--ipatests/test_integration/test_user_permissions.py43
1 files changed, 43 insertions, 0 deletions
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
index 38e72fd9d..13a0c983a 100644
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@@ -98,6 +98,49 @@ class TestUserPermissions(IntegrationTest):
result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
assert 'Kerberos keys available: True' in result.stdout_text
+ def test_user_add_withradius(self):
+ """
+ Test that a user with User Administrator role can call
+ ipa user-add --radius myradius
+ to create a user with an assigned Radius Proxy Server.
+
+ This is a test case for issue 7570
+ """
+ # kinit admin
+ tasks.kinit_admin(self.master)
+
+ # Create a radius proxy server
+ radiusproxy = 'myradius'
+ secret = 'Secret123'
+ radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
+ self.master.run_command(
+ ['ipa', 'radiusproxy-add', radiusproxy,
+ '--server', 'radius.example.com', '--secret'],
+ stdin_text=radius_secret_confirmation)
+
+ # Create a user with 'User Administrator' role
+ altuser = 'specialuser'
+ password = 'SpecialUser123'
+ password_confirmation = "%s\n%s\n" % (password, password)
+ self.master.run_command(
+ ['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
+ '--password'],
+ stdin_text=password_confirmation)
+ self.master.run_command(
+ ['ipa', 'role-add-member', "User Administrator",
+ '--user', altuser])
+
+ # kinit as altuser to initialize the password
+ altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
+ self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
+ # call ipa user-add with --radius=...
+ # this call requires read access to radius proxy servers
+ self.master.run_command(
+ ['ipa', 'user-add', '--first', 'test', '--last', 'test',
+ '--user-auth-type', 'radius', '--radius-username', 'testradius',
+ 'testradius', '--radius', radiusproxy])
+
+
class TestInstallClientNoAdmin(IntegrationTest):
num_clients = 1
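Review bot: test_user_add_withradius only exercises the positive path, so it would still pass if the new read permission exposed more than `ipa user-add --radius` needs; the RADIUS shared secret set through `--secret` is the attribute worth pinning. While still authenticated as `altuser`, consider adding `result = self.master.run_command(['ipa', 'radiusproxy-show', radiusproxy, '--all', '--raw'])` followed by `assert 'ipatokenradiussecret' not in result.stdout_text.lower()`. The permission definition is not part of this hunk, so this is a regression guard, not a claim that the secret is readable today. The method also ends right after `kinit` as `altuser`, which presumably leaves the master's credential cache with the delegated identity, and it leaves `myradius`, `specialuser` and `testradius` in place. A closing `tasks.kinit_admin(self.master)` plus removal of those entries would keep later tests, which are outside this hunk, from depending on that state.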