authorPetr Viktorin <pviktori@redhat.com>2013-09-13 16:08:22 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-02-12 17:11:17 +0100
commit3db08227e8c760c688b8886e0b3b072e9b6dd94d (patch)
tree225e3ea4f648e17500488ef5fea709554995a2a1
parenteb14f99ece71170758399c16bee5b07a866f3775 (diff)
Add support for managed permissions
This adds support for managed permissions. The attribute list of these is computed from the "default" (modifiable only internally), "allowed", and "excluded" lists. This makes it possible to cleanly merge updated IPA defaults and user changes on upgrades. The default managed permissions are to be added in a future patch. For now they can only be created manually (see test_managed_permissions). Tests included. Part of the work for: https://fedorahosted.org/freeipa/ticket/4033 Design: http://www.freeipa.org/page/V3/Managed_Read_permissions Reviewed-By: Martin Kosek <mkosek@redhat.com>
-rw-r--r--API.txt14
-rw-r--r--VERSION3
-rw-r--r--install/share/60basev3.ldif4
-rw-r--r--ipalib/parameters.py2
-rw-r--r--ipalib/plugins/permission.py144
-rw-r--r--ipatests/test_xmlrpc/test_old_permission_plugin.py5
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py696
7 files changed, 780 insertions, 88 deletions
diff --git a/API.txt b/API.txt
index a6c3aed8..343ede41 100644
--- a/API.txt
+++ b/API.txt
@@ -2322,13 +2322,12 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_add
-args: 1,19,3
+args: 1,18,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, cli_name='attrs', multivalue=True, required=False)
option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous'))
option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
@@ -2378,14 +2377,16 @@ output: Output('result', <type 'dict'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_find
-args: 1,21,4
+args: 1,23,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False)
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous'))
+option: Str('ipapermdefaultattr', attribute=True, autofill=False, cli_name='defaultattrs', multivalue=True, query=True, required=False)
+option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, query=True, required=False)
+option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, query=True, required=False)
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False)
@@ -2406,15 +2407,16 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: permission_mod
-args: 1,22,3
+args: 1,23,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, required=False, values=(u'permission', u'all', u'anonymous'))
+option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, required=False)
+option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, required=False)
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index 5ce16b52..9cb9d71a 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=72
+IPA_API_VERSION_MINOR=73
+# Last change: pviktori - Managed permissions
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 331e9d29..d7cd390d 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -39,7 +39,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DE
attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.42 NAME 'ipaPermDefaultAttr' DESC 'IPA permission default attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
-attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermAllowedAttr' DESC 'IPA permission explicitly allowed attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermIncludedAttr' DESC 'IPA permission explicitly included attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IPA permission explicitly excluded attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Location of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v3' )
@@ -63,4 +63,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDran
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermAllowedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 757c1856..b4fb3402 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -353,6 +353,8 @@ class Param(ReadOnly):
can be unspecified (unchanged) but cannot be deleted.
* optional_create: do not require the parameter for crud.Create
based commands
+ * allow_mod_for_managed_permission: permission-mod allows changing
+ the parameter for managed permissions
- hint: this attribute is currently not used
- alwaysask: when enabled, CLI asks for parameter value even when the
parameter is not `required`
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 875a9f5b..d003bcab 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -79,6 +79,15 @@ Setting one of these options will set the corresponding attribute(s).
3. targetgroup: grant access to modify a specific group (such as granting
the rights to manage group membership); sets target.
""") + _("""
+Managed permissions
+""") + _("""
+Permissions that come with IPA by default can be so-called "managed"
+permissions. These have a default set of attributes they apply to,
+but the administrator can add/remove individual attributes to/from the set.
+""") + _("""
+Deleting or renaming a managed permission, as well as changing its target,
+is not allowed.
+""") + _("""
EXAMPLES:
""") + _("""
Add a permission that grants the creation of users:
@@ -95,12 +104,11 @@ VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup',
_DEPRECATED_OPTION_ALIASES = {
'permissions': 'ipapermright',
- 'attrs': 'ipapermallowedattr',
'filter': 'ipapermtargetfilter',
'subtree': 'ipapermlocation',
}
-KNOWN_FLAGS = {'SYSTEM', 'V2'}
+KNOWN_FLAGS = {'SYSTEM', 'V2', 'MANAGED'}
output_params = (
Str('aci',
@@ -139,7 +147,7 @@ class permission(baseldap.LDAPObject):
object_class = ['groupofnames', 'ipapermission', 'ipapermissionv2']
default_attributes = ['cn', 'member', 'memberof',
'memberindirect', 'ipapermissiontype', 'objectclass',
- 'ipapermdefaultattr', 'ipapermallowedattr', 'ipapermexcludedattr',
+ 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
'ipapermbindruletype', 'ipapermlocation', 'ipapermright',
'ipapermtargetfilter', 'ipapermtarget'
]
@@ -169,10 +177,29 @@ class permission(baseldap.LDAPObject):
values=(u'read', u'search', u'compare',
u'write', u'add', u'delete', u'all'),
),
- Str('ipapermallowedattr*',
- cli_name='attrs',
- label=_('Attributes'),
- doc=_('Attributes to which the permission applies'),
+ Str('attrs*',
+ label=_('Effective attributes'),
+ doc=_('All attributes to which the permission applies'),
+ flags={'virtual_attribute', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermincludedattr*',
+ cli_name='includedattrs',
+ label=_('Included attributes'),
+ doc=_('User-specified attributes to which the permission applies'),
+ flags={'no_create', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermexcludedattr*',
+ cli_name='excludedattrs',
+ label=_('Excluded attributes'),
+ doc=_('User-specified attributes to which the permission '
+ 'explicitly does not apply'),
+ flags={'no_create', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermdefaultattr*',
+ cli_name='defaultattrs',
+ label=_('Default attributes'),
+ doc=_('Attributes to which the permission applies by default'),
+ flags={'no_create', 'no_update'},
),
StrEnum(
'ipapermbindruletype',
@@ -182,6 +209,7 @@ class permission(baseldap.LDAPObject):
autofill=True,
values=(u'permission', u'all', u'anonymous'),
default=u'permission',
+ flags={'allow_mod_for_managed_permission'},
),
DNOrURL(
'ipapermlocation?',
@@ -301,6 +329,12 @@ class permission(baseldap.LDAPObject):
rights['type'] = ''.join(sorted(type_rights,
key=rights['ipapermtarget'].index))
+ if 'ipapermincludedattr' in rights:
+ rights['attrs'] = ''.join(sorted(
+ set(rights['ipapermincludedattr']) &
+ set(rights.get('ipapermexcludedattr', '')),
+ key=rights['ipapermincludedattr'].index))
+
if not client_has_capability(options['version'], 'permissions2'):
for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
if new_name in entry:
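Review bot: The `rights.get('ipapermexcludedattr', '')` fallback in the new `rights['attrs']` computation makes the intersection empty whenever the excluded-attribute rights are absent, so the virtual attribute is then reported as having no rights at all instead of inheriting those of ipapermincludedattr. The attributelevelrights fixtures in the tests always carry the excluded key, so this may be unreachable in practice, but the fallback should not silently produce an empty string; falling back to the included rights keeps the intersection meaningful: `set(rights.get('ipapermexcludedattr', rights['ipapermincludedattr']))`. The enclosing function starts before this hunk.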
@@ -319,6 +353,14 @@ class permission(baseldap.LDAPObject):
raise
else:
entry.single_value['aci'] = acistring
+ else:
+ effective_attrs = self.get_effective_attrs(entry)
+ if effective_attrs:
+ entry['attrs'] = effective_attrs
+ if (not options.get('all') and
+ not entry.get('ipapermexcludedattr') and
+ not entry.get('ipapermdefaultattr')):
+ entry.pop('ipapermincludedattr', None)
if not client_has_capability(options['version'], 'permissions2'):
# Legacy clients expect some attributes as a single value
@@ -337,6 +379,12 @@ class permission(baseldap.LDAPObject):
new_filter.append(flt[1:-1])
entry['filter'] = new_filter
+ def get_effective_attrs(self, entry):
+ attrs = set(entry.get('ipapermdefaultattr', ()))
+ attrs.update(entry.get('ipapermincludedattr', ()))
+ attrs.difference_update(entry.get('ipapermexcludedattr', ()))
+ return sorted(attrs)
+
def make_aci(self, entry):
"""Make an ACI string from the given permission entry"""
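Review bot: `get_effective_attrs` has no docstring although it now decides the targetattr of every ACI that `make_aci` generates, and its neighbour `make_aci` does have one; suggested: `"""Return the sorted effective attribute list: defaults plus included, minus excluded."""`. One caveat belongs in that docstring: the set arithmetic compares names byte-for-byte, so unless the three lists are lower-cased before they reach this method, an exclusion spelled in a different case than its default would not cancel it and the attribute would stay in the ACI's targetattr. If the values are not normalised upstream (not visible from this hunk), normalise them here, e.g. `attrs = set(a.lower() for a in entry.get('ipapermdefaultattr', ()))` and the same for the included and excluded lists.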
@@ -344,7 +392,7 @@ class permission(baseldap.LDAPObject):
name = entry.single_value['cn']
# targetattr
- attrs = entry.get('ipapermallowedattr', [])
+ attrs = self.get_effective_attrs(entry)
if attrs:
aci_parts.append("(targetattr = \"%s\")" % ' || '.join(attrs))
@@ -502,9 +550,6 @@ class permission(baseldap.LDAPObject):
aci = ACI(acistring)
- if 'targetattr' in aci.target:
- target_entry['ipapermallowedattr'] = (
- aci.target['targetattr']['expression'])
if 'target' in aci.target:
target_entry.single_value['ipapermtarget'] = DN(strip_ldap_prefix(
aci.target['target']['expression']))
@@ -519,7 +564,7 @@ class permission(baseldap.LDAPObject):
target_entry.single_value['ipapermbindruletype'] = u'permission'
target_entry['ipapermright'] = aci.permissions
if 'targetattr' in aci.target:
- target_entry['ipapermallowedattr'] = [
+ target_entry['ipapermincludedattr'] = [
unicode(a) for a in aci.target['targetattr']['expression']]
if not output_only:
@@ -655,7 +700,8 @@ class permission(baseldap.LDAPObject):
# Ensure there's something in the ACI's filter
needed_attrs = (
- 'ipapermtarget', 'ipapermtargetfilter', 'ipapermallowedattr')
+ 'ipapermtarget', 'ipapermtargetfilter',
+ 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermdefaultattr')
if not any(entry.single_value.get(a) for a in needed_attrs):
raise errors.ValidationError(
name='target',
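Review bot: The widened `needed_attrs` check passes as soon as ipapermexcludedattr or ipapermdefaultattr is non-empty, even when the exclusions cancel every default and `get_effective_attrs` returns an empty list; `make_aci` then emits an ACI with no targetattr part at all, which is exactly the case the "Ensure there's something in the ACI's filter" comment says this check exists to reject. Unless that combination is rejected elsewhere (the callers of validate_permission are outside this hunk), test the effective result instead of the raw lists: `if not (entry.single_value.get('ipapermtarget') or entry.single_value.get('ipapermtargetfilter') or self.get_effective_attrs(entry)):`. The enclosing function starts before this hunk.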
@@ -717,6 +763,14 @@ class permission_add(baseldap.LDAPCreate):
if not entry.get('ipapermlocation'):
entry.setdefault('ipapermlocation', [api.env.basedn])
+ if 'attrs' in options:
+ if 'ipapermincludedattr' in options:
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included attributes are '
+ 'mutually exclusive'))
+ entry['ipapermincludedattr'] = list(options.pop('attrs') or ())
+
self.obj.validate_permission(entry)
return dn
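Review bot: The `'ipapermincludedattr' in options` guard in permission_add cannot fire: the parameter carries the `no_create` flag added in this commit, and the regenerated API.txt lists no such option for permission_add, so the branch is dead and the `attrs` assignment always runs. Either drop the guard or, if it is meant to survive a future un-flagging, say so in a comment, e.g. `# ipapermincludedattr is no_create; guard kept in case that changes`. The enclosing function starts before this hunk.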
@@ -748,6 +802,9 @@ class permission_del(baseldap.LDAPDelete):
if not options.get('force'):
self.obj.reject_system(entry)
+ if entry.get('ipapermdefaultattr'):
+ raise errors.ACIError(
+ info=_('cannot delete managed permissions'))
try:
self.obj.remove_aci(entry)
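Review bot: permission_del decides that an entry is managed from `entry.get('ipapermdefaultattr')`, while permission_mod in this same commit keys off `'MANAGED' in old_entry.get('ipapermissiontype', ())`; a MANAGED permission whose default list happens to be empty can therefore be deleted but not modified. Use the same flag in both places: `if 'MANAGED' in entry.get('ipapermissiontype', ()):`. Whether this check sits under the `force` branch cannot be told from the rendered indentation; if it does, `--force` bypasses it silently, which the "cannot delete managed permissions" message does not suggest.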
@@ -783,6 +840,38 @@ class permission_mod(baseldap.LDAPUpdate):
self.obj.reject_system(old_entry)
self.obj.upgrade_permission(old_entry)
+ if 'MANAGED' in old_entry.get('ipapermissiontype', ()):
+ for option_name in sorted(options):
+ if option_name == 'rename':
+ raise errors.ValidationError(
+ name=option_name,
+ error=_('cannot rename managed permissions'))
+ option = self.options[option_name]
+ allow_mod = 'allow_mod_for_managed_permission' in option.flags
+ if option.attribute and not allow_mod:
+ raise errors.ValidationError(
+ name=option_name,
+ error=_('not modifiable on managed permissions'))
+ else:
+ if options.get('ipapermexcludedattr'):
+ # prevent setting excluded attributes on normal permissions
+ # (but do allow deleting them all)
+ raise errors.ValidationError(
+ name='ipapermexcludedattr',
+ error=_('only available on managed permissions'))
+
+ if 'attrs' in options:
+ if any(a in options for a in ('ipapermincludedattr',
+ 'ipapermexcludedattr')):
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included/excluded attributes are '
+ 'mutually exclusive'))
+ attrs = set(options.pop('attrs') or ())
+ defaults = set(old_entry.get('ipapermdefaultattr', ()))
+ entry['ipapermincludedattr'] = list(attrs - defaults)
+ entry['ipapermexcludedattr'] = list(defaults - attrs)
+
# Check setting bindtype for an assigned permission
if options.get('ipapermbindruletype') and old_entry.get('member'):
raise errors.ValidationError(
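Review bot: The managed-permission loop only rejects options that have `option.attribute` set, so the generic `setattr`, `addattr` and `delattr` options (attribute=False per API.txt) pass through it and, if LDAPUpdate applies them as usual, can still change ipapermtarget, ipapermlocation or ipapermdefaultattr on a managed permission, even though the module doc added in this commit states that changing the target is not allowed. If that guarantee is meant to hold, reject those three names in the same loop, e.g. `if option_name in ('setattr', 'addattr', 'delattr'): raise errors.ValidationError(name=option_name, error=_('not modifiable on managed permissions'))`, or compare the resulting entry against old_entry after the raw-attribute options have been applied. The enclosing pre_callback starts before this hunk.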
@@ -866,7 +955,36 @@ class permission_find(baseldap.LDAPSearch):
self.obj.preprocess_options(options)
return super(permission_find, self).execute(*keys, **options)
+ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope,
+ *args, **options):
+ if 'attrs' in options and 'ipapermincludedattr' in options:
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included/excluded attributes are '
+ 'mutually exclusive'))
+
+ if options.get('attrs'):
+ # Effective attributes:
+ # each attr must be in either default or included,
+ # but not in excluded
+ filters = ldap.combine_filters(
+ [filters] + [
+ '(&'
+ '(|'
+ '(ipapermdefaultattr=%(attr)s)'
+ '(ipapermincludedattr=%(attr)s))'
+ '(!(ipapermexcludedattr=%(attr)s)))' % {'attr': attr}
+ for attr in options['attrs']
+ ],
+ ldap.MATCH_ALL,
+ )
+
+ return filters, base_dn, scope
+
def post_callback(self, ldap, entries, truncated, *args, **options):
+ if 'attrs' in options:
+ options['ipapermincludedattr'] = options['attrs']
+
attribute_options = [o for o in options
if (o in self.options and
self.options[o].attribute)]
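Review bot: In the new `pre_callback`, each user-supplied `attr` is interpolated straight into the LDAP filter with `%`, and the `attrs` parameter has no `pattern`, so a value containing filter metacharacters changes the structure of the search instead of being matched literally; at minimum a malformed value surfaces as a server-side filter error rather than a validation error. Build the per-attribute legs with `ldap.make_filter_from_attr`, as the other plugins do for user-supplied values so that they are escaped, and join them with `combine_filters`. Separately, the mutual-exclusion check at the top of the method only tests `ipapermincludedattr` while its message mentions included/excluded; permission_mod checks both, so `any(a in options for a in ('ipapermincludedattr', 'ipapermexcludedattr'))` would bring the two into line.
```python
    def pre_callback(self, ldap, filters, attrs_list, base_dn, scope,
                     *args, **options):
        if 'attrs' in options and any(
                a in options
                for a in ('ipapermincludedattr', 'ipapermexcludedattr')):
            raise errors.ValidationError(
                name='attrs',
                error=_('attrs and included/excluded attributes are '
                        'mutually exclusive'))

        if options.get('attrs'):
            # Effective attributes: each attr must be in either default or
            # included, but not in excluded.  Every value goes through
            # make_filter_from_attr so filter metacharacters are escaped.
            attr_filters = []
            for attr in options['attrs']:
                present = ldap.combine_filters(
                    [ldap.make_filter_from_attr('ipapermdefaultattr', attr),
                     ldap.make_filter_from_attr('ipapermincludedattr', attr)],
                    ldap.MATCH_ANY)
                not_excluded = '(!%s)' % ldap.make_filter_from_attr(
                    'ipapermexcludedattr', attr)
                attr_filters.append(ldap.combine_filters(
                    [present, not_excluded], ldap.MATCH_ALL))
            filters = ldap.combine_filters([filters] + attr_filters,
                                           ldap.MATCH_ALL)

        # … unchanged: return filters, base_dn, scope …
```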
diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index d23b49f9..a681ef31 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -67,7 +67,8 @@ permission3_attributelevelrights = {
'type': u'rscwo',
'nsaccountlock': u'rscwo',
'description': u'rscwo',
- 'ipapermallowedattr': u'rscwo',
+ 'attrs': u'rscwo',
+ 'ipapermincludedattr': u'rscwo',
'ipapermbindruletype': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
@@ -1093,6 +1094,7 @@ class test_old_permission(Declarative):
objectclass=objectclasses.permission,
type=u'user',
attrs=(u'cn',),
+ ipapermincludedattr=[u'cn'],
permissions=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1115,6 +1117,7 @@ class test_old_permission(Declarative):
objectclass=objectclasses.permission,
type=u'user',
attrs=(u'cn',u'uid'),
+ ipapermincludedattr=[u'cn', u'uid'],
permissions=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 6564cbc9..ad5074c8 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -24,12 +24,22 @@ Test the `ipalib/plugins/permission.py` module.
import os
+import nose
+
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
import inspect
+try:
+ from ipaserver.plugins.ldap2 import ldap2
+except ImportError:
+ have_ldap2 = False
+else:
+ import krbV
+ have_ldap2 = True
+
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
api.env.container_permission,api.env.basedn)
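Review bot: `import krbV` sits in the `else:` clause of the new try/except, so an ImportError raised by it is not caught and the whole test module fails to import instead of setting `have_ldap2 = False`. Move it into the `try:` next to the ldap2 import so that either missing module takes the fallback path. `import nose` is not used anywhere in this hunk; presumably the skip logic that consumes it and `have_ldap2` lives further down the file.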
@@ -62,7 +72,7 @@ permission3_attributelevelrights = {
'aci': u'rscwo',
'ipapermlocation': u'rscwo',
'o': u'rscwo',
- 'ipapermallowedattr': u'rscwo',
+ 'ipapermincludedattr': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
'owner': u'rscwo',
@@ -76,6 +86,7 @@ permission3_attributelevelrights = {
'ipapermtarget': u'rscwo',
'type': u'rscwo',
'targetgroup': u'rscwo',
+ 'attrs': u'rscwo',
}
privilege1 = u'testpriv1'
@@ -175,7 +186,7 @@ class test_permission_negative(Declarative):
command=(
'permission_add', [permission1], dict(
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=errors.RequirementError(name='ipapermright'),
@@ -214,7 +225,7 @@ class test_permission_negative(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -226,7 +237,7 @@ class test_permission_negative(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -249,7 +260,7 @@ class test_permission_negative(Declarative):
desc='Try to remove type from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
type=None,
)
),
@@ -263,7 +274,7 @@ class test_permission_negative(Declarative):
desc='Try to remove target and memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
ipapermtarget=None,
)
),
@@ -283,6 +294,18 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
+ dict(
+ desc='Try setting ipapermexcludedattr on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermexcludedattr=[u'cn'],
+ )
+ ),
+ expected=errors.ValidationError(
+ name='ipapermexcludedattr',
+ error='only available on managed permissions'),
+ ),
+
]
@@ -305,7 +328,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -317,7 +340,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -340,7 +363,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
),
),
expected=errors.DuplicateEntry(
@@ -402,7 +425,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -423,7 +446,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -456,7 +479,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -482,7 +505,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -520,7 +543,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -544,7 +567,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -571,7 +594,7 @@ class test_permission(Declarative):
ipapermright=u'write',
setattr=u'owner=cn=test',
addattr=u'owner=cn=test2',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=dict(
@@ -584,7 +607,7 @@ class test_permission(Declarative):
type=[u'user'],
ipapermright=[u'write'],
owner=[u'cn=test', u'cn=test2'],
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -617,7 +640,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -629,7 +652,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -664,7 +687,7 @@ class test_permission(Declarative):
dict(
desc='Search by ACI attribute with --pkey-only',
command=('permission_find', [], {'pkey_only': True,
- 'ipapermallowedattr': [u'krbminpwdlife']}),
+ 'attrs': [u'krbminpwdlife']}),
expected=dict(
count=1,
truncated=False,
@@ -714,7 +737,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -739,7 +762,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -752,7 +775,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -769,7 +792,7 @@ class test_permission(Declarative):
# to change.
dict(
desc='Search for permissions by attr with a limit of 1 (truncated)',
- command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag',
+ command=('permission_find', [], dict(attrs=u'ipaenabledflag',
sizelimit=1)),
expected=dict(
count=1,
@@ -784,8 +807,13 @@ class test_permission(Declarative):
'member_privilege': [u'HBAC Administrator'],
'memberindirect_role': [u'IT Security Specialist'],
'ipapermright' : [u'write'],
- 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
- 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)],
+ 'attrs': [u'servicecategory', u'sourcehostcategory',
+ u'cn', u'description', u'ipaenabledflag',
+ u'accesstime', u'usercategory',
+ u'hostcategory', u'accessruletype',
+ u'sourcehost'],
+ 'ipapermtarget': [DN(('ipauniqueid', '*'),
+ ('cn', 'hbac'), api.env.basedn)],
'ipapermbindruletype': [u'permission'],
'ipapermlocation': [api.env.basedn],
},
@@ -793,7 +821,6 @@ class test_permission(Declarative):
),
),
-
dict(
desc='Update %r' % permission1,
command=(
@@ -816,7 +843,7 @@ class test_permission(Declarative):
ipapermright=[u'read'],
memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -851,7 +878,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -900,7 +927,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -930,7 +957,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'all'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -971,7 +998,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'write'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1011,7 +1038,7 @@ class test_permission(Declarative):
ipapermlocation=[users_dn],
ipapermright=[u'write'],
memberof=[u'ipausers'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1043,7 +1070,7 @@ class test_permission(Declarative):
'cn': [permission2],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
@@ -1077,7 +1104,7 @@ class test_permission(Declarative):
'ipapermlocation': [users_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN(
'cn=ipausers', groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1111,7 +1138,7 @@ class test_permission(Declarative):
'cn': [u'Add user to default group'],
'objectclass': objectclasses.permission,
'member_privilege': [u'User Administrators'],
- 'ipapermallowedattr': [u'member'],
+ 'attrs': [u'member'],
'targetgroup': [u'ipausers'],
'memberindirect_role': [u'User Administrator'],
'ipapermright': [u'write'],
@@ -1202,7 +1229,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
memberof=u'nonexisting',
ipapermright=u'write',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
@@ -1215,7 +1242,7 @@ class test_permission(Declarative):
memberof=u'editors',
ipapermright=u'write',
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1228,7 +1255,7 @@ class test_permission(Declarative):
memberof=[u'editors'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1272,7 +1299,7 @@ class test_permission(Declarative):
memberof=[u'admins'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1308,7 +1335,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1343,7 +1370,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
targetgroup=u'editors',
ipapermright=u'write',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1355,7 +1382,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
targetgroup=[u'editors'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('cn', 'editors'), groups_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1378,7 +1405,7 @@ class test_permission(Declarative):
'permission_add', [permission3], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=[u'cn']
+ attrs=[u'cn']
)
),
expected=dict(
@@ -1390,7 +1417,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=(u'cn',),
+ attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1418,7 +1445,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',),
+ attrs=[u'cn'],
+ ipapermincludedattr=[u'cn'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1433,7 +1461,7 @@ class test_permission(Declarative):
desc='Modify %r with --all --rights' % permission3,
command=('permission_mod', [permission3], {
'all': True, 'rights': True,
- 'ipapermallowedattr': [u'cn', u'uid']}),
+ 'attrs': [u'cn', u'uid']}),
expected=dict(
value=permission3,
summary=u'Modified permission "%s"' % permission3,
@@ -1442,7 +1470,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',u'uid'),
+ attrs=[u'cn', u'uid'],
+ ipapermincludedattr=[u'cn', u'uid'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1503,7 +1532,7 @@ class test_permission_rollback(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -1531,7 +1560,7 @@ class test_permission_rollback(Declarative):
ipapermlocation=users_dn,
ipapermtarget=DN('uid=admin', users_dn),
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1542,7 +1571,7 @@ class test_permission_rollback(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1600,7 +1629,7 @@ class test_permission_sync_attributes(Declarative):
'permission_add', [permission1], dict(
ipapermlocation=users_dn,
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
ipapermtarget=DN(('uid', '*'), users_dn),
@@ -1615,7 +1644,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1651,7 +1680,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
@@ -1688,7 +1717,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1724,7 +1753,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1758,7 +1787,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1789,7 +1818,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -1821,7 +1850,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -1854,7 +1883,7 @@ class test_permission_sync_nice(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
memberof=u'admins',
)
),
@@ -1867,7 +1896,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1903,7 +1932,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
@@ -1937,7 +1966,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
@@ -1968,7 +1997,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -2000,7 +2029,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -2422,3 +2451,540 @@ class test_permission_bindtype(Declarative):
'assigned to a privilege')
),
]
+
+
+class test_managed_permissions(Declarative):
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ('permission_del', [permission2], {'force': True}),
+ ]
+
+ @classmethod
+ def setUpClass(cls):
+ super(test_managed_permissions, cls).setUpClass()
+
+ if not have_ldap2:
+ raise nose.SkipTest('server plugin not available')
+
+ def add_managed_permission(self):
+ """Add a managed permission and the corresponding ACI"""
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(ccache=krbV.default_context().default_ccache())
+
+ result = api.Command.permission_add(permission1, type=u'user',
+ ipapermright=u'write',
+ attrs=[u'cn'])
+
+ # TODO: This hack relies on the permission internals.
+ # Change as necessary.
+
+ # Add permission DN
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermdefaultattr'] = ['l', 'o', 'cn']
+ ldap.update_entry(entry)
+
+ # Update the ACI via the API
+ result = api.Command.permission_mod(permission1,
+ attrs=[u'l', u'o', u'cn'])
+
+ # Set the permission type to MANAGED
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermissiontype'].append('MANAGED')
+ ldap.update_entry(entry)
+
+ tests = [
+ add_managed_permission,
+
+ dict(
+ desc='Show pre-created %r' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ ] + [
+ # Verify that most permission attributes can't be changed
+ dict(
+ desc='Try to modify %s in %r' % (attr_name, permission1),
+ command=('permission_mod', [permission1],
+ {attr_name: value}),
+ expected=errors.ValidationError(
+ name=err_attr or attr_name,
+ error='not modifiable on managed permissions'),
+ )
+ for attr_name, err_attr, value in (
+ ('ipapermlocation', None, users_dn),
+ ('ipapermright', None, u'compare'),
+ ('ipapermtarget', None, users_dn),
+ ('ipapermtargetfilter', None, u'(ou=engineering)'),
+
+ ('memberof', 'ipapermtargetfilter', u'admins'),
+ ('targetgroup', 'ipapermtarget', u'admins'),
+ ('type', 'ipapermlocation', u'group'),
+ )
+ ] + [
+
+ dict(
+ desc='Try to rename %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'rename': permission2}),
+ expected=errors.ValidationError(
+ name='rename',
+ error='cannot rename managed permissions'),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included and excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'dc'],
+ 'ipapermexcludedattr': [u'cn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'dc'],
+ ipapermincludedattr=[u'dc'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "dc || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Add ineffective included attr to %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn', u'o'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermexcludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify bind rule in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermbindruletype': u'all'}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Show %r with no options' % permission1,
+ command=('permission_show', [permission1], {}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --all' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --raw' % permission1,
+ command=('permission_show', [permission1], {'raw': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ aci=['(targetattr = "l || o")'
+ '(target = "ldap:///%(tdn)s")'
+ '(version 3.0;acl "permission:%(name)s";'
+ 'allow (write) userdn = "ldap:///all";)' %
+ {'tdn': DN(('uid', '*'), users_dn),
+ 'name': permission1}],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to normalize' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Modify attrs of %r to add sn' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Search for %r using all its --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using some --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using excluded --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'sn', u'cn']}),
+ expected=dict(
+ count=0,
+ truncated=False,
+ summary=u'0 permissions matched',
+ result=[],
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to allow cn again' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn', u'cn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn', u'cn'],
+ ipapermincludedattr=[u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Try to delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=errors.ACIError(
+ info='cannot delete managed permissions'),
+ ),
+
+ dict(
+ desc='Delete %r with --force' % permission1,
+ command=('permission_del', [permission1], {'force': True}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ ),
+ ),
+ ]
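Review bot: The non-modifiable matrix in `test_managed_permissions` (the rows from `ipapermlocation` through `type`) never covers `ipapermdefaultattr` or `ipapermissiontype`, the two attributes the setup method has to write through raw LDAP precisely because the commit describes them as modifiable only internally; nothing in the class asserts that `permission_mod` rejects them, so a regression that let an API caller rewrite the default attribute list, which is the set upgrades merge against, would pass this suite. Add rows such as `('ipapermdefaultattr', None, [u'sn'])` and `('ipapermissiontype', None, [u'SYSTEM', u'V2'])` to that tuple, adjusting the expected error if the plugin raises something other than the 'not modifiable' ValidationError for them. The generic `--setattr`/`--addattr`/`--delattr` options that `permission_mod` inherits may sidestep per-parameter checks and are likewise not exercised against a managed permission here, so one case asserting they cannot touch these attributes would be worth adding. Separately, `add_managed_permission` opens an `ldap2` connection and never closes it; add `ldap.disconnect()` after the final `update_entry`, and drop the two unused `result =` assignments.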