diff options
author | Petr Viktorin <pviktori@redhat.com> | 2014-09-12 09:59:52 +0200 |
---|---|---|
committer | Petr Viktorin <pviktori@redhat.com> | 2014-09-12 18:21:23 +0200 |
commit | e3e032392c4f38c0c3e221534f75c89d3e7fcc23 (patch) | |
tree | 914acd97d3574969dfd4d0d306dbe679f8e57b5d /ipatests | |
parent | c6baecec1ec866d77f9a476d01c7931fce6d95da (diff) | |
download | freeipa-e3e032392c4f38c0c3e221534f75c89d3e7fcc23.tar.gz freeipa-e3e032392c4f38c0c3e221534f75c89d3e7fcc23.tar.xz freeipa-e3e032392c4f38c0c3e221534f75c89d3e7fcc23.zip |
permission plugin: Auto-add operational atttributes to read permissions
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 44 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_realmdomains_plugin.py | 3 |
2 files changed, 46 insertions, 1 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index e5c828670..bb772050b 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -4018,3 +4018,47 @@ class test_permission_in_accounts(Declarative): verify_permission_aci_missing(permission1, api.env.basedn), ] + + +class test_autoadd_operational_attrs(Declarative): + """Test that read access to operational attributes is automatically added + """ + cleanup_commands = [ + ('permission_del', [permission1], {'force': True}), + ] + + tests = [ + dict( + desc='Create %r' % permission1, + command=( + 'permission_add', [permission1], dict( + ipapermlocation=DN('cn=accounts', api.env.basedn), + ipapermright=u'read', + attrs=[u'ObjectClass'], + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + attrs=[u'ObjectClass', u'entryusn', u'createtimestamp', + u'modifytimestamp'], + ipapermright=[u'read'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[DN('cn=accounts', api.env.basedn)], + ), + ), + ), + + verify_permission_aci( + permission1, DN('cn=accounts', api.env.basedn), + '(targetattr = "ObjectClass || createtimestamp || entryusn || ' + + 'modifytimestamp")' + + '(version 3.0;acl "permission:%s";' % permission1 + + 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn, + ), + ] diff --git a/ipatests/test_xmlrpc/test_realmdomains_plugin.py b/ipatests/test_xmlrpc/test_realmdomains_plugin.py index a2dc39b74..fc04e2ae5 100644 --- a/ipatests/test_xmlrpc/test_realmdomains_plugin.py +++ b/ipatests/test_xmlrpc/test_realmdomains_plugin.py @@ -66,7 +66,8 @@ class test_realmdomains(Declarative): objectclass=objectclasses.realmdomains, aci=[ u'(targetattr = "associateddomain || cn || ' - u'objectclass")' + u'createtimestamp || entryusn || ' + u'modifytimestamp || objectclass")' u'(targetfilter = "(objectclass=domainrelatedobject)")' u'(version 3.0;acl ' u'"permission:System: Read Realm Domains";' |