summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--API.txt14
-rw-r--r--VERSION3
-rw-r--r--install/share/60basev3.ldif4
-rw-r--r--ipalib/parameters.py2
-rw-r--r--ipalib/plugins/permission.py144
-rw-r--r--ipatests/test_xmlrpc/test_old_permission_plugin.py5
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py696
7 files changed, 780 insertions, 88 deletions
diff --git a/API.txt b/API.txt
index a6c3aed8..343ede41 100644
--- a/API.txt
+++ b/API.txt
@@ -2322,13 +2322,12 @@ output: Output('result', <type 'bool'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_add
-args: 1,19,3
+args: 1,18,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, cli_name='attrs', multivalue=True, required=False)
option: Str('filter', attribute=False, cli_name='filter', multivalue=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=True, cli_name='bindtype', default=u'permission', multivalue=False, required=True, values=(u'permission', u'all', u'anonymous'))
option: DNOrURL('ipapermlocation', alwaysask=True, attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=False, required=False)
option: StrEnum('ipapermright', attribute=True, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
@@ -2378,14 +2377,16 @@ output: Output('result', <type 'dict'>, None)
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('value', <type 'unicode'>, None)
command: permission_find
-args: 1,21,4
+args: 1,23,4
arg: Str('criteria?', noextrawhitespace=False)
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: Str('cn', attribute=True, autofill=False, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=False)
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, query=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, query=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, query=True, required=False, values=(u'permission', u'all', u'anonymous'))
+option: Str('ipapermdefaultattr', attribute=True, autofill=False, cli_name='defaultattrs', multivalue=True, query=True, required=False)
+option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, query=True, required=False)
+option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, query=True, required=False)
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, query=True, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, query=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, query=True, required=False)
@@ -2406,15 +2407,16 @@ output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A list
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
output: Output('truncated', <type 'bool'>, None)
command: permission_mod
-args: 1,22,3
+args: 1,23,3
arg: Str('cn', attribute=True, cli_name='name', multivalue=False, pattern='^[-_ a-zA-Z0-9.]+$', primary_key=True, query=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Str('attrs', attribute=False, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: Str('delattr*', cli_name='delattr', exclude='webui')
option: Str('filter', attribute=False, autofill=False, cli_name='filter', multivalue=True, required=False)
-option: Str('ipapermallowedattr', attribute=True, autofill=False, cli_name='attrs', multivalue=True, required=False)
option: StrEnum('ipapermbindruletype', attribute=True, autofill=False, cli_name='bindtype', default=u'permission', multivalue=False, required=False, values=(u'permission', u'all', u'anonymous'))
+option: Str('ipapermexcludedattr', attribute=True, autofill=False, cli_name='excludedattrs', multivalue=True, required=False)
+option: Str('ipapermincludedattr', attribute=True, autofill=False, cli_name='includedattrs', multivalue=True, required=False)
option: DNOrURL('ipapermlocation', attribute=True, autofill=False, cli_name='subtree', multivalue=False, required=False)
option: StrEnum('ipapermright', attribute=True, autofill=False, cli_name='permissions', multivalue=True, required=False, values=(u'read', u'search', u'compare', u'write', u'add', u'delete', u'all'))
option: DNParam('ipapermtarget', attribute=True, autofill=False, cli_name='target', multivalue=False, required=False)
diff --git a/VERSION b/VERSION
index 5ce16b52..9cb9d71a 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,5 @@ IPA_DATA_VERSION=20100614120000
# #
########################################################
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=72
+IPA_API_VERSION_MINOR=73
+# Last change: pviktori - Managed permissions
diff --git a/install/share/60basev3.ldif b/install/share/60basev3.ldif
index 331e9d29..d7cd390d 100644
--- a/install/share/60basev3.ldif
+++ b/install/share/60basev3.ldif
@@ -39,7 +39,7 @@ attributeTypes: (2.16.840.1.113730.3.8.11.39 NAME 'ipaNTSIDBlacklistOutgoing' DE
attributeTypes: (2.16.840.1.113730.3.8.11.40 NAME 'ipaUserAuthType' DESC 'Allowed authentication methods' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3')
attributeTypes: (2.16.840.1.113730.3.8.11.41 NAME 'ipaRangeType' DESC 'Range type' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.42 NAME 'ipaPermDefaultAttr' DESC 'IPA permission default attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
-attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermAllowedAttr' DESC 'IPA permission explicitly allowed attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
+attributeTypes: (2.16.840.1.113730.3.8.11.43 NAME 'ipaPermIncludedAttr' DESC 'IPA permission explicitly included attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.44 NAME 'ipaPermExcludedAttr' DESC 'IPA permission explicitly excluded attribute' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.45 NAME 'ipaPermBindRuleType' DESC 'IPA permission bind rule type' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA v3' )
attributeTypes: (2.16.840.1.113730.3.8.11.46 NAME 'ipaPermLocation' DESC 'Location of IPA permission ACI' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN 'IPA v3' )
@@ -63,4 +63,4 @@ objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDran
objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
-objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermAllowedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget ) X-ORIGIN 'IPA v3' )
diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 757c1856..b4fb3402 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -353,6 +353,8 @@ class Param(ReadOnly):
can be unspecified (unchanged) but cannot be deleted.
* optional_create: do not require the parameter for crud.Create
based commands
+ * allow_mod_for_managed_permission: permission-mod allows changing
+ the parameter for managed permissions
- hint: this attribute is currently not used
- alwaysask: when enabled, CLI asks for parameter value even when the
parameter is not `required`
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 875a9f5b..d003bcab 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -79,6 +79,15 @@ Setting one of these options will set the corresponding attribute(s).
3. targetgroup: grant access to modify a specific group (such as granting
the rights to manage group membership); sets target.
""") + _("""
+Managed permissions
+""") + _("""
+Permissions that come with IPA by default can be so-called "managed"
+permissions. These have a default set of attributes they apply to,
+but the administrator can add/remove individual attributes to/from the set.
+""") + _("""
+Deleting or renaming a managed permission, as well as changing its target,
+is not allowed.
+""") + _("""
EXAMPLES:
""") + _("""
Add a permission that grants the creation of users:
@@ -95,12 +104,11 @@ VALID_OBJECT_TYPES = (u'user', u'group', u'host', u'service', u'hostgroup',
_DEPRECATED_OPTION_ALIASES = {
'permissions': 'ipapermright',
- 'attrs': 'ipapermallowedattr',
'filter': 'ipapermtargetfilter',
'subtree': 'ipapermlocation',
}
-KNOWN_FLAGS = {'SYSTEM', 'V2'}
+KNOWN_FLAGS = {'SYSTEM', 'V2', 'MANAGED'}
output_params = (
Str('aci',
@@ -139,7 +147,7 @@ class permission(baseldap.LDAPObject):
object_class = ['groupofnames', 'ipapermission', 'ipapermissionv2']
default_attributes = ['cn', 'member', 'memberof',
'memberindirect', 'ipapermissiontype', 'objectclass',
- 'ipapermdefaultattr', 'ipapermallowedattr', 'ipapermexcludedattr',
+ 'ipapermdefaultattr', 'ipapermincludedattr', 'ipapermexcludedattr',
'ipapermbindruletype', 'ipapermlocation', 'ipapermright',
'ipapermtargetfilter', 'ipapermtarget'
]
@@ -169,10 +177,29 @@ class permission(baseldap.LDAPObject):
values=(u'read', u'search', u'compare',
u'write', u'add', u'delete', u'all'),
),
- Str('ipapermallowedattr*',
- cli_name='attrs',
- label=_('Attributes'),
- doc=_('Attributes to which the permission applies'),
+ Str('attrs*',
+ label=_('Effective attributes'),
+ doc=_('All attributes to which the permission applies'),
+ flags={'virtual_attribute', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermincludedattr*',
+ cli_name='includedattrs',
+ label=_('Included attributes'),
+ doc=_('User-specified attributes to which the permission applies'),
+ flags={'no_create', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermexcludedattr*',
+ cli_name='excludedattrs',
+ label=_('Excluded attributes'),
+ doc=_('User-specified attributes to which the permission '
+ 'explicitly does not apply'),
+ flags={'no_create', 'allow_mod_for_managed_permission'},
+ ),
+ Str('ipapermdefaultattr*',
+ cli_name='defaultattrs',
+ label=_('Default attributes'),
+ doc=_('Attributes to which the permission applies by default'),
+ flags={'no_create', 'no_update'},
),
StrEnum(
'ipapermbindruletype',
@@ -182,6 +209,7 @@ class permission(baseldap.LDAPObject):
autofill=True,
values=(u'permission', u'all', u'anonymous'),
default=u'permission',
+ flags={'allow_mod_for_managed_permission'},
),
DNOrURL(
'ipapermlocation?',
@@ -301,6 +329,12 @@ class permission(baseldap.LDAPObject):
rights['type'] = ''.join(sorted(type_rights,
key=rights['ipapermtarget'].index))
+ if 'ipapermincludedattr' in rights:
+ rights['attrs'] = ''.join(sorted(
+ set(rights['ipapermincludedattr']) &
+ set(rights.get('ipapermexcludedattr', '')),
+ key=rights['ipapermincludedattr'].index))
+
if not client_has_capability(options['version'], 'permissions2'):
for old_name, new_name in _DEPRECATED_OPTION_ALIASES.items():
if new_name in entry:
@@ -319,6 +353,14 @@ class permission(baseldap.LDAPObject):
raise
else:
entry.single_value['aci'] = acistring
+ else:
+ effective_attrs = self.get_effective_attrs(entry)
+ if effective_attrs:
+ entry['attrs'] = effective_attrs
+ if (not options.get('all') and
+ not entry.get('ipapermexcludedattr') and
+ not entry.get('ipapermdefaultattr')):
+ entry.pop('ipapermincludedattr', None)
if not client_has_capability(options['version'], 'permissions2'):
# Legacy clients expect some attributes as a single value
@@ -337,6 +379,12 @@ class permission(baseldap.LDAPObject):
new_filter.append(flt[1:-1])
entry['filter'] = new_filter
+ def get_effective_attrs(self, entry):
+ attrs = set(entry.get('ipapermdefaultattr', ()))
+ attrs.update(entry.get('ipapermincludedattr', ()))
+ attrs.difference_update(entry.get('ipapermexcludedattr', ()))
+ return sorted(attrs)
+
def make_aci(self, entry):
"""Make an ACI string from the given permission entry"""
@@ -344,7 +392,7 @@ class permission(baseldap.LDAPObject):
name = entry.single_value['cn']
# targetattr
- attrs = entry.get('ipapermallowedattr', [])
+ attrs = self.get_effective_attrs(entry)
if attrs:
aci_parts.append("(targetattr = \"%s\")" % ' || '.join(attrs))
@@ -502,9 +550,6 @@ class permission(baseldap.LDAPObject):
aci = ACI(acistring)
- if 'targetattr' in aci.target:
- target_entry['ipapermallowedattr'] = (
- aci.target['targetattr']['expression'])
if 'target' in aci.target:
target_entry.single_value['ipapermtarget'] = DN(strip_ldap_prefix(
aci.target['target']['expression']))
@@ -519,7 +564,7 @@ class permission(baseldap.LDAPObject):
target_entry.single_value['ipapermbindruletype'] = u'permission'
target_entry['ipapermright'] = aci.permissions
if 'targetattr' in aci.target:
- target_entry['ipapermallowedattr'] = [
+ target_entry['ipapermincludedattr'] = [
unicode(a) for a in aci.target['targetattr']['expression']]
if not output_only:
@@ -655,7 +700,8 @@ class permission(baseldap.LDAPObject):
# Ensure there's something in the ACI's filter
needed_attrs = (
- 'ipapermtarget', 'ipapermtargetfilter', 'ipapermallowedattr')
+ 'ipapermtarget', 'ipapermtargetfilter',
+ 'ipapermincludedattr', 'ipapermexcludedattr', 'ipapermdefaultattr')
if not any(entry.single_value.get(a) for a in needed_attrs):
raise errors.ValidationError(
name='target',
@@ -717,6 +763,14 @@ class permission_add(baseldap.LDAPCreate):
if not entry.get('ipapermlocation'):
entry.setdefault('ipapermlocation', [api.env.basedn])
+ if 'attrs' in options:
+ if 'ipapermincludedattr' in options:
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included attributes are '
+ 'mutually exclusive'))
+ entry['ipapermincludedattr'] = list(options.pop('attrs') or ())
+
self.obj.validate_permission(entry)
return dn
@@ -748,6 +802,9 @@ class permission_del(baseldap.LDAPDelete):
if not options.get('force'):
self.obj.reject_system(entry)
+ if entry.get('ipapermdefaultattr'):
+ raise errors.ACIError(
+ info=_('cannot delete managed permissions'))
try:
self.obj.remove_aci(entry)
@@ -783,6 +840,38 @@ class permission_mod(baseldap.LDAPUpdate):
self.obj.reject_system(old_entry)
self.obj.upgrade_permission(old_entry)
+ if 'MANAGED' in old_entry.get('ipapermissiontype', ()):
+ for option_name in sorted(options):
+ if option_name == 'rename':
+ raise errors.ValidationError(
+ name=option_name,
+ error=_('cannot rename managed permissions'))
+ option = self.options[option_name]
+ allow_mod = 'allow_mod_for_managed_permission' in option.flags
+ if option.attribute and not allow_mod:
+ raise errors.ValidationError(
+ name=option_name,
+ error=_('not modifiable on managed permissions'))
+ else:
+ if options.get('ipapermexcludedattr'):
+ # prevent setting excluded attributes on normal permissions
+ # (but do allow deleting them all)
+ raise errors.ValidationError(
+ name='ipapermexcludedattr',
+ error=_('only available on managed permissions'))
+
+ if 'attrs' in options:
+ if any(a in options for a in ('ipapermincludedattr',
+ 'ipapermexcludedattr')):
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included/excluded attributes are '
+ 'mutually exclusive'))
+ attrs = set(options.pop('attrs') or ())
+ defaults = set(old_entry.get('ipapermdefaultattr', ()))
+ entry['ipapermincludedattr'] = list(attrs - defaults)
+ entry['ipapermexcludedattr'] = list(defaults - attrs)
+
# Check setting bindtype for an assigned permission
if options.get('ipapermbindruletype') and old_entry.get('member'):
raise errors.ValidationError(
@@ -866,7 +955,36 @@ class permission_find(baseldap.LDAPSearch):
self.obj.preprocess_options(options)
return super(permission_find, self).execute(*keys, **options)
+ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope,
+ *args, **options):
+ if 'attrs' in options and 'ipapermincludedattr' in options:
+ raise errors.ValidationError(
+ name='attrs',
+ error=_('attrs and included/excluded attributes are '
+ 'mutually exclusive'))
+
+ if options.get('attrs'):
+ # Effective attributes:
+ # each attr must be in either default or included,
+ # but not in excluded
+ filters = ldap.combine_filters(
+ [filters] + [
+ '(&'
+ '(|'
+ '(ipapermdefaultattr=%(attr)s)'
+ '(ipapermincludedattr=%(attr)s))'
+ '(!(ipapermexcludedattr=%(attr)s)))' % {'attr': attr}
+ for attr in options['attrs']
+ ],
+ ldap.MATCH_ALL,
+ )
+
+ return filters, base_dn, scope
+
def post_callback(self, ldap, entries, truncated, *args, **options):
+ if 'attrs' in options:
+ options['ipapermincludedattr'] = options['attrs']
+
attribute_options = [o for o in options
if (o in self.options and
self.options[o].attribute)]
diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py
index d23b49f9..a681ef31 100644
--- a/ipatests/test_xmlrpc/test_old_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py
@@ -67,7 +67,8 @@ permission3_attributelevelrights = {
'type': u'rscwo',
'nsaccountlock': u'rscwo',
'description': u'rscwo',
- 'ipapermallowedattr': u'rscwo',
+ 'attrs': u'rscwo',
+ 'ipapermincludedattr': u'rscwo',
'ipapermbindruletype': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
@@ -1093,6 +1094,7 @@ class test_old_permission(Declarative):
objectclass=objectclasses.permission,
type=u'user',
attrs=(u'cn',),
+ ipapermincludedattr=[u'cn'],
permissions=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1115,6 +1117,7 @@ class test_old_permission(Declarative):
objectclass=objectclasses.permission,
type=u'user',
attrs=(u'cn',u'uid'),
+ ipapermincludedattr=[u'cn', u'uid'],
permissions=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 6564cbc9..ad5074c8 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -24,12 +24,22 @@ Test the `ipalib/plugins/permission.py` module.
import os
+import nose
+
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
import inspect
+try:
+ from ipaserver.plugins.ldap2 import ldap2
+except ImportError:
+ have_ldap2 = False
+else:
+ import krbV
+ have_ldap2 = True
+
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
api.env.container_permission,api.env.basedn)
@@ -62,7 +72,7 @@ permission3_attributelevelrights = {
'aci': u'rscwo',
'ipapermlocation': u'rscwo',
'o': u'rscwo',
- 'ipapermallowedattr': u'rscwo',
+ 'ipapermincludedattr': u'rscwo',
'ipapermdefaultattr': u'rscwo',
'ipapermexcludedattr': u'rscwo',
'owner': u'rscwo',
@@ -76,6 +86,7 @@ permission3_attributelevelrights = {
'ipapermtarget': u'rscwo',
'type': u'rscwo',
'targetgroup': u'rscwo',
+ 'attrs': u'rscwo',
}
privilege1 = u'testpriv1'
@@ -175,7 +186,7 @@ class test_permission_negative(Declarative):
command=(
'permission_add', [permission1], dict(
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=errors.RequirementError(name='ipapermright'),
@@ -214,7 +225,7 @@ class test_permission_negative(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -226,7 +237,7 @@ class test_permission_negative(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -249,7 +260,7 @@ class test_permission_negative(Declarative):
desc='Try to remove type from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
type=None,
)
),
@@ -263,7 +274,7 @@ class test_permission_negative(Declarative):
desc='Try to remove target and memberof from %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- ipapermallowedattr=None,
+ attrs=None,
ipapermtarget=None,
)
),
@@ -283,6 +294,18 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
+ dict(
+ desc='Try setting ipapermexcludedattr on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermexcludedattr=[u'cn'],
+ )
+ ),
+ expected=errors.ValidationError(
+ name='ipapermexcludedattr',
+ error='only available on managed permissions'),
+ ),
+
]
@@ -305,7 +328,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -317,7 +340,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -340,7 +363,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
),
),
expected=errors.DuplicateEntry(
@@ -402,7 +425,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -423,7 +446,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -456,7 +479,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -482,7 +505,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -520,7 +543,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -544,7 +567,7 @@ class test_permission(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'ipapermallowedattr': [u'sn'],
+ 'ipapermincludedattr': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermright': [u'write'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
@@ -571,7 +594,7 @@ class test_permission(Declarative):
ipapermright=u'write',
setattr=u'owner=cn=test',
addattr=u'owner=cn=test2',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=dict(
@@ -584,7 +607,7 @@ class test_permission(Declarative):
type=[u'user'],
ipapermright=[u'write'],
owner=[u'cn=test', u'cn=test2'],
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -617,7 +640,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -629,7 +652,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -664,7 +687,7 @@ class test_permission(Declarative):
dict(
desc='Search by ACI attribute with --pkey-only',
command=('permission_find', [], {'pkey_only': True,
- 'ipapermallowedattr': [u'krbminpwdlife']}),
+ 'attrs': [u'krbminpwdlife']}),
expected=dict(
count=1,
truncated=False,
@@ -714,7 +737,7 @@ class test_permission(Declarative):
'member_privilege': [privilege1],
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -739,7 +762,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -752,7 +775,7 @@ class test_permission(Declarative):
'objectclass': objectclasses.permission,
'type': [u'user'],
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -769,7 +792,7 @@ class test_permission(Declarative):
# to change.
dict(
desc='Search for permissions by attr with a limit of 1 (truncated)',
- command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag',
+ command=('permission_find', [], dict(attrs=u'ipaenabledflag',
sizelimit=1)),
expected=dict(
count=1,
@@ -784,8 +807,13 @@ class test_permission(Declarative):
'member_privilege': [u'HBAC Administrator'],
'memberindirect_role': [u'IT Security Specialist'],
'ipapermright' : [u'write'],
- 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
- 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)],
+ 'attrs': [u'servicecategory', u'sourcehostcategory',
+ u'cn', u'description', u'ipaenabledflag',
+ u'accesstime', u'usercategory',
+ u'hostcategory', u'accessruletype',
+ u'sourcehost'],
+ 'ipapermtarget': [DN(('ipauniqueid', '*'),
+ ('cn', 'hbac'), api.env.basedn)],
'ipapermbindruletype': [u'permission'],
'ipapermlocation': [api.env.basedn],
},
@@ -793,7 +821,6 @@ class test_permission(Declarative):
),
),
-
dict(
desc='Update %r' % permission1,
command=(
@@ -816,7 +843,7 @@ class test_permission(Declarative):
ipapermright=[u'read'],
memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -851,7 +878,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -900,7 +927,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'read'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -930,7 +957,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'all'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -971,7 +998,7 @@ class test_permission(Declarative):
'type': [u'user'],
'ipapermright': [u'write'],
'memberof': [u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1011,7 +1038,7 @@ class test_permission(Declarative):
ipapermlocation=[users_dn],
ipapermright=[u'write'],
memberof=[u'ipausers'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1043,7 +1070,7 @@ class test_permission(Declarative):
'cn': [permission2],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'cn'],
+ 'attrs': [u'cn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermtarget': [DN(('uid', '*'), users_dn)],
@@ -1077,7 +1104,7 @@ class test_permission(Declarative):
'ipapermlocation': [users_dn],
'ipapermright':[u'write'],
'memberof':[u'ipausers'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermtargetfilter': [u'(memberOf=%s)' % DN(
'cn=ipausers', groups_dn)],
'ipapermbindruletype': [u'permission'],
@@ -1111,7 +1138,7 @@ class test_permission(Declarative):
'cn': [u'Add user to default group'],
'objectclass': objectclasses.permission,
'member_privilege': [u'User Administrators'],
- 'ipapermallowedattr': [u'member'],
+ 'attrs': [u'member'],
'targetgroup': [u'ipausers'],
'memberindirect_role': [u'User Administrator'],
'ipapermright': [u'write'],
@@ -1202,7 +1229,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
memberof=u'nonexisting',
ipapermright=u'write',
- ipapermallowedattr=[u'cn'],
+ attrs=[u'cn'],
)
),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
@@ -1215,7 +1242,7 @@ class test_permission(Declarative):
memberof=u'editors',
ipapermright=u'write',
type=u'user',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1228,7 +1255,7 @@ class test_permission(Declarative):
memberof=[u'editors'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1272,7 +1299,7 @@ class test_permission(Declarative):
memberof=[u'admins'],
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn)],
ipapermbindruletype=[u'permission'],
@@ -1308,7 +1335,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
ipapermright=[u'write'],
type=[u'user'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1343,7 +1370,7 @@ class test_permission(Declarative):
'permission_add', [permission1], dict(
targetgroup=u'editors',
ipapermright=u'write',
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1355,7 +1382,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
targetgroup=[u'editors'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('cn', 'editors'), groups_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1378,7 +1405,7 @@ class test_permission(Declarative):
'permission_add', [permission3], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=[u'cn']
+ attrs=[u'cn']
)
),
expected=dict(
@@ -1390,7 +1417,7 @@ class test_permission(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=(u'cn',),
+ attrs=(u'cn',),
ipapermbindruletype=[u'permission'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
ipapermissiontype=[u'SYSTEM', u'V2'],
@@ -1418,7 +1445,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',),
+ attrs=[u'cn'],
+ ipapermincludedattr=[u'cn'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1433,7 +1461,7 @@ class test_permission(Declarative):
desc='Modify %r with --all --rights' % permission3,
command=('permission_mod', [permission3], {
'all': True, 'rights': True,
- 'ipapermallowedattr': [u'cn', u'uid']}),
+ 'attrs': [u'cn', u'uid']}),
expected=dict(
value=permission3,
summary=u'Modified permission "%s"' % permission3,
@@ -1442,7 +1470,8 @@ class test_permission(Declarative):
cn=[permission3],
objectclass=objectclasses.permission,
type=[u'user'],
- ipapermallowedattr=(u'cn',u'uid'),
+ attrs=[u'cn', u'uid'],
+ ipapermincludedattr=[u'cn', u'uid'],
ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
ipapermbindruletype=[u'permission'],
@@ -1503,7 +1532,7 @@ class test_permission_rollback(Declarative):
'cn': [permission1],
'objectclass': objectclasses.permission,
'ipapermright': [u'write'],
- 'ipapermallowedattr': [u'sn'],
+ 'attrs': [u'sn'],
'ipapermbindruletype': [u'permission'],
'ipapermissiontype': [u'SYSTEM', u'V2'],
'ipapermlocation': [users_dn],
@@ -1531,7 +1560,7 @@ class test_permission_rollback(Declarative):
ipapermlocation=users_dn,
ipapermtarget=DN('uid=admin', users_dn),
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
)
),
expected=dict(
@@ -1542,7 +1571,7 @@ class test_permission_rollback(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1600,7 +1629,7 @@ class test_permission_sync_attributes(Declarative):
'permission_add', [permission1], dict(
ipapermlocation=users_dn,
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
groups_dn),
ipapermtarget=DN(('uid', '*'), users_dn),
@@ -1615,7 +1644,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1651,7 +1680,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN(('uid', '*'), users_dn)],
@@ -1688,7 +1717,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1724,7 +1753,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1758,7 +1787,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1789,7 +1818,7 @@ class test_permission_sync_attributes(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -1821,7 +1850,7 @@ class test_permission_sync_attributes(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -1854,7 +1883,7 @@ class test_permission_sync_nice(Declarative):
'permission_add', [permission1], dict(
type=u'user',
ipapermright=u'write',
- ipapermallowedattr=u'sn',
+ attrs=u'sn',
memberof=u'admins',
)
),
@@ -1867,7 +1896,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'user'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[users_dn],
@@ -1903,7 +1932,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
@@ -1937,7 +1966,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[api.env.basedn],
@@ -1968,7 +1997,7 @@ class test_permission_sync_nice(Declarative):
objectclass=objectclasses.permission,
type=[u'group'],
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermlocation=[groups_dn],
@@ -2000,7 +2029,7 @@ class test_permission_sync_nice(Declarative):
cn=[permission1],
objectclass=objectclasses.permission,
ipapermright=[u'write'],
- ipapermallowedattr=[u'sn'],
+ attrs=[u'sn'],
ipapermbindruletype=[u'permission'],
ipapermissiontype=[u'SYSTEM', u'V2'],
ipapermtarget=[DN('cn=editors', groups_dn)],
@@ -2422,3 +2451,540 @@ class test_permission_bindtype(Declarative):
'assigned to a privilege')
),
]
+
+
+class test_managed_permissions(Declarative):
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ('permission_del', [permission2], {'force': True}),
+ ]
+
+ @classmethod
+ def setUpClass(cls):
+ super(test_managed_permissions, cls).setUpClass()
+
+ if not have_ldap2:
+ raise nose.SkipTest('server plugin not available')
+
+ def add_managed_permission(self):
+ """Add a managed permission and the corresponding ACI"""
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(ccache=krbV.default_context().default_ccache())
+
+ result = api.Command.permission_add(permission1, type=u'user',
+ ipapermright=u'write',
+ attrs=[u'cn'])
+
+ # TODO: This hack relies on the permission internals.
+ # Change as necessary.
+
+ # Add permission DN
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermdefaultattr'] = ['l', 'o', 'cn']
+ ldap.update_entry(entry)
+
+ # Update the ACI via the API
+ result = api.Command.permission_mod(permission1,
+ attrs=[u'l', u'o', u'cn'])
+
+ # Set the permission type to MANAGED
+ entry = ldap.get_entry(permission1_dn)
+ entry['ipapermissiontype'].append('MANAGED')
+ ldap.update_entry(entry)
+
+ tests = [
+ add_managed_permission,
+
+ dict(
+ desc='Show pre-created %r' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ ] + [
+ # Verify that most permission attributes can't be changed
+ dict(
+ desc='Try to modify %s in %r' % (attr_name, permission1),
+ command=('permission_mod', [permission1],
+ {attr_name: value}),
+ expected=errors.ValidationError(
+ name=err_attr or attr_name,
+ error='not modifiable on managed permissions'),
+ )
+ for attr_name, err_attr, value in (
+ ('ipapermlocation', None, users_dn),
+ ('ipapermright', None, u'compare'),
+ ('ipapermtarget', None, users_dn),
+ ('ipapermtargetfilter', None, u'(ou=engineering)'),
+
+ ('memberof', 'ipapermtargetfilter', u'admins'),
+ ('targetgroup', 'ipapermtarget', u'admins'),
+ ('type', 'ipapermlocation', u'group'),
+ )
+ ] + [
+
+ dict(
+ desc='Try to rename %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'rename': permission2}),
+ expected=errors.ValidationError(
+ name='rename',
+ error='cannot rename managed permissions'),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included and excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'dc'],
+ 'ipapermexcludedattr': [u'cn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'dc'],
+ ipapermincludedattr=[u'dc'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "dc || l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify included attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Add ineffective included attr to %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermincludedattr': [u'cn', u'sn', u'o'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify excluded attrs in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermexcludedattr': [u'cn', u'sn'],
+ 'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
+ dict(
+ desc='Modify bind rule in %r' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermbindruletype': u'all'}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Show %r with no options' % permission1,
+ command=('permission_show', [permission1], {}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --all' % permission1,
+ command=('permission_show', [permission1], {'all': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Show %r with --raw' % permission1,
+ command=('permission_show', [permission1], {'raw': True}),
+ expected=dict(
+ value=permission1,
+ summary=None,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ aci=['(targetattr = "l || o")'
+ '(target = "ldap:///%(tdn)s")'
+ '(version 3.0;acl "permission:%(name)s";'
+ 'allow (write) userdn = "ldap:///all";)' %
+ {'tdn': DN(('uid', '*'), users_dn),
+ 'name': permission1}],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ ipapermincludedattr=[u'cn', u'sn', u'o'],
+ ipapermexcludedattr=[u'cn', u'sn'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to normalize' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Modify attrs of %r to add sn' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Search for %r using all its --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'o', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using some --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'l', u'sn']}),
+ expected=dict(
+ count=1,
+ truncated=False,
+ summary=u'1 permission matched',
+ result=[dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn'],
+ ipapermincludedattr=[u'sn'],
+ ipapermexcludedattr=[u'cn'],
+ )],
+ ),
+ ),
+
+ dict(
+ desc='Search for %r using excluded --attrs' % permission1,
+ command=('permission_find', [permission1],
+ {'cn': permission1, 'attrs': [u'sn', u'cn']}),
+ expected=dict(
+ count=0,
+ truncated=False,
+ summary=u'0 permissions matched',
+ result=[],
+ ),
+ ),
+
+ dict(
+ desc='Modify attrs of %r to allow cn again' % permission1,
+ command=('permission_mod', [permission1],
+ {'attrs': [u'l', u'o', u'sn', u'cn']}),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "testperm"',
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermissiontype=[u'SYSTEM', u'V2', u'MANAGED'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'all'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermdefaultattr=[u'l', u'o', u'cn'],
+ attrs=[u'l', u'o', u'sn', u'cn'],
+ ipapermincludedattr=[u'sn'],
+ ),
+ ),
+ ),
+
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "cn || l || o || sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) userdn = "ldap:///all";)',
+ ),
+
+ dict(
+ desc='Try to delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=errors.ACIError(
+ info='cannot delete managed permissions'),
+ ),
+
+ dict(
+ desc='Delete %r with --force' % permission1,
+ command=('permission_del', [permission1], {'force': True}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ ),
+ ),
+ ]
generated by cgit (git 2.34.1) at 2024-05-05 15:52:16 +0000