summaryrefslogtreecommitdiffstats
path: root/ipatests/test_xmlrpc/test_permission_plugin.py
diff options
context:
space:
mode:
Diffstat (limited to 'ipatests/test_xmlrpc/test_permission_plugin.py')
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py696
1 files changed, 631 insertions, 65 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 6564cbc9b..ad5074c81 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -24,12 +24,22 @@ Test the `ipalib/plugins/permission.py` module.
import os
+import nose
+
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
import inspect
+try:
+ from ipaserver.plugins.ldap2 import ldap2
+except ImportError:
+ have_ldap2 = False
+else:
+ import krbV
+ have_ldap2 = True
+
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
api.env.container_permission,api.env.basedn)
@@ -62,7 +72,7 @@ permission3_attributelevelrights = {
'aci': u'rscwo',
'ipapermlocation': u'rscwo',
'o': u'rscwo',
- 'ipapermallowedattr': u'rscwo',
+ 'ipapermincludedattr': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
'owner': u'rscwo',
@@ -76,6 +86,7 @@ permission3_attributelevelrights = {
'ipapermtarget': u'rscwo',
'type': u'rscwo',
'targetgroup': u'rscwo',
+ 'attrs': u'rscwo',
}
privilege1 = u'testpriv1'
@@ -175,7 +186,7 @@ class test_permission_negative(Declarative):
command=(
'permission_add', [permission1], dict(
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=errors.RequirementError(name='ipapermright'),
@@ -214,7 +225,7 @@ class test_permission_negative(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -226,7 +237,7 @@ class test_permission_negative(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -249,7 +260,7 @@ class test_permission_negative(Declarative):
desc='Try to remove type from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
type=None,
)
),
@@ -263,7 +274,7 @@ class test_permission_negative(Declarative):
desc='Try to remove target and memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
ipapermtarget=None,
)
),
@@ -283,6 +294,18 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
+ dict(
+ desc='Try setting ipapermexcludedattr on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermexcludedattr=[u'cn'],
+ )
+ ),
+ expected=errors.ValidationError(
+ name='ipapermexcludedattr',
+ error='only available on managed permissions'),
+ ),
+
]
@@ -305,7 +328,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -317,7 +340,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -340,7 +363,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
),
),
expected=errors.DuplicateEntry(
@@ -402,7 +425,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -423,7 +446,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -456,7 +479,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -482,7 +505,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -520,7 +543,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -544,7 +567,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -571,7 +594,7 @@ class test_permission(Declarative):
ipapermright=u'write',
setattr=u'owner=cn=test',
addattr=u'owner=cn=test2',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=dict(
@@ -584,7 +607,7 @@ class test_permission(Declarative):
type=[u'user'],
ipapermright=[u'write'],
owner=[u'cn=test', u'cn=test2'],
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -617,7 +640,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -629,7 +652,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -664,7 +687,7 @@ class test_permission(Declarative):
dict(
desc='Search by ACI attribute with --pkey-only',
command=('permission_find', [], {'pkey_only': True,
- 'ipapermallowedattr': [u'krbminpwdlife']}),
+ 'attrs': [u'krbminpwdlife']}),
expected=dict(
count=1,
truncated=False,
@@ -714,7 +737,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -739,7 +762,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -752,7 +775,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -769,7 +792,7 @@ class test_permission(Declarative):
# to change.
dict(
desc='Search for permissions by attr with a limit of 1 (truncated)',
- command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag',
+ command=('permission_find', [], dict(attrs=u'ipaenabledflag',
sizelimit=1)),
expected=dict(
count=1,
@@ -784,8 +807,13 @@ class test_permission(Declarative):
'member_privilege': [u'HBAC Administrator'],
'memberindirect_role': [u'IT Security Specialist'],
'ipapermright' : [u'write'],
- 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
- 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)],
+ 'attrs': [u'servicecategory', u'sourcehostcategory',
+ u'cn', u'description', u'ipaenabledflag',
+ u'accesstime', u'usercategory',
+ u'hostcategory', u'accessruletype',
+ u'sourcehost'],
+ 'ipapermtarget': [DN(('ipauniqueid', '*'),
+ ('cn', 'hbac'), api.env.basedn)],
'ipapermbindruletype': [u'permission'],
'ipapermlocation': [api.env.basedn],
},
@@ -793,7 +821,6 @@ class test_permission(Declarative):
),
),
-
dict(
desc='Update %r' % permission1,
command=(
@@ -816,7 +843,7 @@ class test_permission(Declarative):
ipapermright=[u'read'],
memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -851,7 +878,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -900,7 +927,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -930,7 +957,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'all'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -971,7 +998,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'write'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1011,7 +1038,7 @@ class test_permission(Declarative):
ipapermlocation=[users_dn],
ipapermright=[u'write'],
memberof=[u'ipausers'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1043,7 +1070,7 @@ class test_permission(Declarative):
'cn': [permission2],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
@@ -1077,7 +1104,7 @@ class test_permission(Declarative):
'ipapermlocation': [users_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN(
'cn=ipausers', groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1111,7 +1138,7 @@ class test_permission(Declarative):
'cn': [u'Add user to default group'],
'objectclass': objectclasses.permission,
'member_privilege': [u'User Administrators'],
- 'ipapermallowedattr': [u'member'],
+ 'attrs': [u'member'],
'targetgroup': [u'ipausers'],
'memberindirect_role': [u'User Administrator'],
'ipapermright': [u'write'],
@@ -1202,7 +1229,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
memberof=u'nonexisting',
ipapermright=u'write',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
@@ -1215,7 +1242,7 @@ class test_permission(Declarative):
memberof=u'editors',
ipapermright=u'write',
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1228,7 +1255,7 @@ class test_permission(Declarative):
memberof=[u'editors'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1272,7 +1299,7 @@ class test_permission(Declarative):
memberof=[u'admins'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1308,7 +1335,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1343,7 +1370,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
targetgroup=u'editors',
ipapermright=u'write',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1355,7 +1382,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
targetgroup=[u'editors'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('cn', 'editors'), groups_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1378,7 +1405,7 @@ class test_permission(Declarative):
'permission_add', [permission3], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=[u'cn']
+ attrs=[u'cn']
)
),
expected=dict(
@@ -1390,7 +1417,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=(u'cn',),
+ attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1418,7 +1445,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',),
+ attrs=[u'cn'],
+ ipapermincludedattr=[u'cn'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1433,7 +1461,7 @@ class test_permission(Declarative):
desc='Modify %r with --all --rights' % permission3,
command=('permission_mod', [permission3], {
'all': True, 'rights': True,
- 'ipapermallowedattr': [u'cn', u'uid']}),
+ 'attrs': [u'cn', u'uid']}),
expected=dict(
value=permission3,
summary=u'Modified permission "%s"' % permission3,
@@ -1442,7 +1470,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',u'uid'),
+ attrs=[u'cn', u'uid'],
+ ipapermincludedattr=[u'cn', u'uid'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1503,7 +1532,7 @@ class test_permission_rollback(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -1531,7 +1560,7 @@ class test_permission_rollback(Declarative):
ipapermlocation=users_dn,
ipapermtarget=DN('uid=admin', users_dn),
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1542,7 +1571,7 @@ class test_permission_rollback(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1600,7 +1629,7 @@ class test_permission_sync_attributes(Declarative):
'permission_add', [permission1], dict(
ipapermlocation=users_dn,
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
ipapermtarget=DN(('uid', '*'), users_dn),
@@ -1615,7 +1644,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1651,7 +1680,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
@@ -1688,7 +1717,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1724,7 +1753,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1758,7 +1787,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1789,7 +1818,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -1821,7 +1850,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -1854,7 +1883,7 @@ class test_permission_sync_nice(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
memberof=u'admins',
)
),
@@ -1867,7 +1896,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1903,7 +1932,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
@@ -1937,7 +1966,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
@@ -1968,7 +1997,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -2000,7 +2029,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -2422,3 +2451,540 @@ class test_permission_bindtype(Declarative):
'assigned to a privilege')
),
]
+
+
+class test_managed_permissions(Declarative):
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ('permission_del', [permission2], {'force': True}),
+ ]
+
+ @classmethod
+ def setUpClass(cls):
+ super(test_managed_permissions, cls).setUpClass()
+
+ if not have_ldap2:
+ raise nose.SkipTest('server plugin not available')
+
+ def add_managed_permission(self):
+ """Add a managed permission and the corresponding ACI"""
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(ccache=krbV.default_context().default_ccache())
+
+ result = api.Command.permission_add(permission1, type=u'user',
+ ipapermright=u'write',
+ attrs=[u'cn'])
+
+ # TODO: This hack relies on the permission internals.
+ # Change as necessary.
+
+ # Add permission DN
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermdefaultattr'] = ['l', 'o', 'cn']
+ ldap.update_entry(entry)
+
+ # Update the ACI via the API
+ result = api.Command.permission_mod(permission1,
+ attrs=[u'l', u'o', u'cn'])
+
+ # Set the permission type to MANAGED
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermissiontype'].append('MANAGED')
+ ldap.update_entry(entry)
+
+ tests = [
+ add_managed_permission,
+
+ dict(
+ desc='Show pre-created %r' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ ] + [
+ # Verify that most permission attributes can't be changed
+ dict(
+ desc='Try to modify %s in %r' % (attr_name, permission1),
+ command=('permission_mod', [permission1],
+ {attr_name: value}),
+ expected=errors.ValidationError(
+ name=err_attr or attr_name,
+ error='not modifiable on managed permissions'),
+ )
+ for attr_name, err_attr, value in (
+ ('ipapermlocation', None, users_dn),
+ ('ipapermright', None, u'compare'),
+ ('ipapermtarget', None, users_dn),
+ ('ipapermtargetfilter', None, u'(ou=engineering)'),
+
+ ('memberof', 'ipapermtargetfilter', u'admins'),
+ ('targetgroup', 'ipapermtarget', u'admins'),
+ ('type', 'ipapermlocation', u'group'),
+ )
+ ] + [
+
+ dict(
+ desc='Try to rename %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'rename': permission2}),
+ expected=errors.ValidationError(
+ name='rename',
+ error='cannot rename managed permissions'),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included and excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'dc'],
+ 'ipapermexcludedattr': [u'cn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'dc'],
+ ipapermincludedattr=[u'dc'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "dc || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Add ineffective included attr to %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn', u'o'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermexcludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify bind rule in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermbindruletype': u'all'}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Show %r with no options' % permission1,
+ command=('permission_show', [permission1], {}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --all' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --raw' % permission1,
+ command=('permission_show', [permission1], {'raw': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ aci=['(targetattr = "l || o")'
+ '(target = "ldap:///%(tdn)s")'
+ '(version 3.0;acl "permission:%(name)s";'
+ 'allow (write) userdn = "ldap:///all";)' %
+ {'tdn': DN(('uid', '*'), users_dn),
+ 'name': permission1}],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to normalize' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Modify attrs of %r to add sn' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Search for %r using all its --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using some --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using excluded --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'sn', u'cn']}),
+ expected=dict(
+ count=0,
+ truncated=False,
+ summary=u'0 permissions matched',
+ result=[],
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to allow cn again' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn', u'cn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn', u'cn'],
+ ipapermincludedattr=[u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Try to delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=errors.ACIError(
+ info='cannot delete managed permissions'),
+ ),
+
+ dict(
+ desc='Delete %r with --force' % permission1,
+ command=('permission_del', [permission1], {'force': True}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ ),
+ ),
+ ]
generated by cgit (git 2.34.1) at 2024-06-05 00:22:03 +0000