authorMartin Kosek <mkosek@redhat.com>2012-09-05 12:28:42 +0200
committerMartin Kosek <mkosek@redhat.com>2012-09-06 20:32:07 +0200
commitac6cc479ed87cc4c99da89964dd537cb3fb68c4e (patch)
tree82b2e67f7530a14add37a45d1fe0476a18121034 /tests/test_xmlrpc
parent835c7859c5c31807b9f46cf79462459238571f5e (diff)
Add range safety check for range_mod and range_del
The range_mod and range_del commands could easily result in objects with an ID that is suddenly outside the specified range. This could cause issues in trust scenarios where range objects are used for computation of remote IDs. Add a validator, run as a pre_callback for both commands, that checks whether any object with an ID in the range would become out-of-range. Also add unit tests for this new validator. https://fedorahosted.org/freeipa/ticket/2919
Diffstat (limited to 'tests/test_xmlrpc')
-rw-r--r--tests/test_xmlrpc/test_range_plugin.py151
1 files changed, 144 insertions, 7 deletions
diff --git a/tests/test_xmlrpc/test_range_plugin.py b/tests/test_xmlrpc/test_range_plugin.py
index ea4bc2b2..4b7aa089 100644
--- a/tests/test_xmlrpc/test_range_plugin.py
+++ b/tests/test_xmlrpc/test_range_plugin.py
@@ -23,21 +23,31 @@ Test the `ipalib/plugins/range.py` module, and XML-RPC in general.
from ipalib import api, errors, _
from tests.util import assert_equal, Fuzzy
-from xmlrpc_test import Declarative
+from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
+from tests.test_xmlrpc import objectclasses
from ipapython.dn import *
testrange1 = u't-range-1'
+testrange1_base_id = 900000
+testrange1_size = 99999
+
+user1=u'tuser1'
+user1_uid = 900000
+group1=u'group1'
+group1_gid = 900100
class test_range(Declarative):
cleanup_commands = [
('range_del', [testrange1], {}),
+ ('user_del', [user1], {}),
+ ('group_del', [group1], {}),
]
tests = [
dict(
desc='Create range %r' % (testrange1),
command=('range_add', [testrange1],
- dict(ipabaseid=900000, ipaidrangesize=99999,
+ dict(ipabaseid=testrange1_base_id, ipaidrangesize=testrange1_size,
ipabaserid=1000, ipasecondarybaserid=20000)),
expected=dict(
result=dict(
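Review bot: In `cleanup_commands` the `range_del` entry still comes before the added `user_del` and `group_del` entries, so if an earlier run aborted with `tuser1` or `group1` still present, the validator this commit introduces would reject the range deletion and the range would survive cleanup. Assuming Declarative runs the cleanup entries in list order (its implementation is not visible here), the next run's 'Create range' step would then meet a leftover range. Put the range last: `('user_del', [user1], {}),` then `('group_del', [group1], {}),` then `('range_del', [testrange1], {}),`. The class body continues outside this hunk.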
@@ -45,10 +55,10 @@ class test_range(Declarative):
api.env.basedn),
cn=[testrange1],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
- ipabaseid=[u'900000'],
+ ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[u'1000'],
ipasecondarybaserid=[u'20000'],
- ipaidrangesize=[u'99999'],
+ ipaidrangesize=[unicode(testrange1_size)],
iparangetype=[u'local domain range'],
),
value=testrange1,
@@ -64,10 +74,10 @@ class test_range(Declarative):
dn=DN(('cn',testrange1),('cn','ranges'),('cn','etc'),
api.env.basedn),
cn=[testrange1],
- ipabaseid=[u'900000'],
+ ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[u'1000'],
ipasecondarybaserid=[u'20000'],
- ipaidrangesize=[u'99999'],
+ ipaidrangesize=[unicode(testrange1_size)],
iparangetype=[u'local domain range'],
),
value=testrange1,
@@ -77,12 +87,97 @@ class test_range(Declarative):
dict(
+ desc='Create user %r in range %r' % (user1, testrange1),
+ command=(
+ 'user_add', [user1], dict(givenname=u'Test', sn=u'User1',
+ uidnumber=user1_uid)
+ ),
+ expected=dict(
+ value=user1,
+ summary=u'Added user "%s"' % user1,
+ result=dict(
+ gecos=[u'Test User1'],
+ givenname=[u'Test'],
+ homedirectory=[u'/home/tuser1'],
+ krbprincipalname=[u'tuser1@' + api.env.realm],
+ loginshell=[u'/bin/sh'],
+ objectclass=objectclasses.user,
+ sn=[u'User1'],
+ uid=[user1],
+ uidnumber=[unicode(user1_uid)],
+ gidnumber=[unicode(user1_uid)],
+ displayname=[u'Test User1'],
+ cn=[u'Test User1'],
+ initials=[u'TU'],
+ ipauniqueid=[fuzzy_uuid],
+ krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+ ('cn','kerberos'),api.env.basedn)],
+ mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+ api.env.basedn)],
+ memberof_group=[u'ipausers'],
+ has_keytab=False,
+ has_password=False,
+ dn=DN(('uid',user1),('cn','users'),('cn','accounts'), api.env.basedn)
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Create group %r in range %r' % (group1, testrange1),
+ command=(
+ 'group_add', [group1], dict(description=u'Test desc 1',
+ gidnumber=group1_gid)
+ ),
+ expected=dict(
+ value=group1,
+ summary=u'Added group "%s"' % group1,
+ result=dict(
+ cn=[group1],
+ description=[u'Test desc 1'],
+ gidnumber=[unicode(group1_gid)],
+ objectclass=objectclasses.group + [u'posixgroup'],
+ ipauniqueid=[fuzzy_uuid],
+ dn=DN(('cn',group1),('cn','groups'),('cn','accounts'), api.env.basedn),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Try to modify range %r to get out bounds object #1' % (testrange1),
+ command=('range_mod', [testrange1], dict(ipabaseid=90001)),
+ expected=errors.ValidationError(name='ipabaseid,ipaidrangesize',
+ error=u'range modification leaving objects with ID out of the'
+ u' defined range is not allowed'),
+ ),
+
+
+ dict(
+ desc='Try to modify range %r to get out bounds object #2' % (testrange1),
+ command=('range_mod', [testrange1], dict(ipaidrangesize=100)),
+ expected=errors.ValidationError(name='ipabaseid,ipaidrangesize',
+ error=u'range modification leaving objects with ID out of the'
+ u' defined range is not allowed'),
+ ),
+
+
+ dict(
+ desc='Try to modify range %r to get out bounds object #3' % (testrange1),
+ command=('range_mod', [testrange1], dict(ipabaseid=100, ipaidrangesize=100)),
+ expected=errors.ValidationError(name='ipabaseid,ipaidrangesize',
+ error=u'range modification leaving objects with ID out of the'
+ u' defined range is not allowed'),
+ ),
+
+
+ dict(
desc='Modify range %r' % (testrange1),
command=('range_mod', [testrange1], dict(ipaidrangesize=90000)),
expected=dict(
result=dict(
cn=[testrange1],
- ipabaseid=[u'900000'],
+ ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[u'1000'],
ipasecondarybaserid=[u'20000'],
ipaidrangesize=[u'90000'],
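Review bot: The first rejection case uses `ipabaseid=90001`, which moves the whole range to 90001–189999 and leaves both test objects far outside it, so the lower boundary is never exercised; the value looks like it may be a typo for 900001. Case #2 (`ipaidrangesize=100`, range ending at 900099 with group1 at 900100) does pin the upper edge, and a matching lower-edge case would be `command=('range_mod', [testrange1], dict(ipabaseid=testrange1_base_id + 1)),`, which excludes only user1. An off-by-one in this validator would affect the ID computation in the trust scenarios the commit message describes, so the edge values are the ones worth pinning. The identical `errors.ValidationError(...)` literal is repeated in every rejection case, including the `range_del` case in the last hunk, and could be bound once to a module-level name.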
@@ -93,4 +188,46 @@ class test_range(Declarative):
),
),
+
+ dict(
+ desc='Try to delete range %r with active IDs inside it' % testrange1,
+ command=('range_del', [testrange1], {}),
+ expected=errors.ValidationError(name='ipabaseid,ipaidrangesize',
+ error=u'range modification leaving objects with ID out of the'
+ u' defined range is not allowed'),
+ ),
+
+
+ dict(
+ desc='Delete user %r' % user1,
+ command=('user_del', [user1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=user1,
+ summary=u'Deleted user "%s"' % user1,
+ ),
+ ),
+
+
+ dict(
+ desc='Delete group %r' % group1,
+ command=('group_del', [group1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=group1,
+ summary=u'Deleted group "%s"' % group1,
+ ),
+ ),
+
+
+ dict(
+ desc='Delete range %r' % testrange1,
+ command=('range_del', [testrange1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=testrange1,
+ summary=u'Deleted ID range "%s"' % testrange1,
+ ),
+ ),
+
]
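Review bot: The only rejected `range_del` runs while both user1 and group1 exist, so this sequence would still pass if the validator looked at user IDs alone. A second attempt placed between the 'Delete user' and 'Delete group' steps would show that the remaining group GID (900100) blocks deletion by itself; whether the plugin checks GIDs separately is not visible on this page. The added case is sketched below.

```python
# … unchanged: 'Delete user' test …
        dict(
            desc='Try to delete range %r with only group %r inside it' % (testrange1, group1),
            command=('range_del', [testrange1], {}),
            expected=errors.ValidationError(name='ipabaseid,ipaidrangesize',
                error=u'range modification leaving objects with ID out of the'
                      u' defined range is not allowed'),
        ),
# … unchanged: 'Delete group' and 'Delete range' tests …
```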