authorPetr Viktorin <pviktori@redhat.com>2014-09-12 09:59:52 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-09-12 18:21:23 +0200
commite3e032392c4f38c0c3e221534f75c89d3e7fcc23 (patch)
tree914acd97d3574969dfd4d0d306dbe679f8e57b5d /ipatests/test_xmlrpc/test_permission_plugin.py
parentc6baecec1ec866d77f9a476d01c7931fce6d95da (diff)
permission plugin: Auto-add operational atttributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp should be readable whenever their entry is, i.e. when we allow reading the objectclass. Automatically add them to every read permission that includes objectclass. https://fedorahosted.org/freeipa/ticket/4534 Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests/test_xmlrpc/test_permission_plugin.py')
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py44
1 files changed, 44 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index e5c828670..bb772050b 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -4018,3 +4018,47 @@ class test_permission_in_accounts(Declarative):
verify_permission_aci_missing(permission1, api.env.basedn),
]
+
+
+class test_autoadd_operational_attrs(Declarative):
+ """Test that read access to operational attributes is automatically added
+ """
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ ipapermlocation=DN('cn=accounts', api.env.basedn),
+ ipapermright=u'read',
+ attrs=[u'ObjectClass'],
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ attrs=[u'ObjectClass', u'entryusn', u'createtimestamp',
+ u'modifytimestamp'],
+ ipapermright=[u'read'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[DN('cn=accounts', api.env.basedn)],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, DN('cn=accounts', api.env.basedn),
+ '(targetattr = "ObjectClass || createtimestamp || entryusn || ' +
+ 'modifytimestamp")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+ ]
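Review bot: Only the positive case is pinned in `test_autoadd_operational_attrs`; nothing asserts where the auto-add must not fire. Because the feature silently widens the generated ACI, the tests should also cover a permission whose right is not `read`, and a read permission that does not list objectclass, so a regression that grants `entryusn`, `createtimestamp` and `modifytimestamp` more broadly is caught. The plugin change is not part of this file's diff, so the expected values in the sketch below are inferred from the commit message and need checking against the implementation. A one-line comment that the mixed-case `u'ObjectClass'` is deliberate (presumably to exercise case-insensitive matching) would also help the next reader.

```python
class test_autoadd_operational_attrs_negative(Declarative):
    """Operational attributes must not be added to non-read permissions"""
    cleanup_commands = [
        ('permission_del', [permission1], {'force': True}),
    ]

    tests = [
        dict(
            desc='Create write permission %r' % permission1,
            command=(
                'permission_add', [permission1], dict(
                    ipapermlocation=DN('cn=accounts', api.env.basedn),
                    ipapermright=u'write',
                    attrs=[u'ObjectClass'],
                )
            ),
            expected=dict(
                value=permission1,
                summary=u'Added permission "%s"' % permission1,
                result=dict(
                    # … unchanged: dn, cn, objectclass, bind rule type, permission type, location …
                    attrs=[u'ObjectClass'],
                    ipapermright=[u'write'],
                ),
            ),
        ),
        # … verify_permission_aci expecting targetattr = "ObjectClass" and allow (write) only …
    ]
```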