author | Rob Crittenden <rcritten@redhat.com> | 2015-05-14 13:08:58 +0000 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-03 09:47:40 +0000 |
commit | a92328452dced34d6d6df7ad6fe585563bb909f6 (patch) | |
tree | 19d7455b17463f411e0f0ac7cbb94517cb6bc214 /ipatests | |
parent | 7f7c247bb5a4b0030d531f4f14c156162e808212 (diff) | |
Add plugin to manage service constraint delegations
Service Constraints are the delegation model used by
ipa-kdb to allow service A to obtain a TGT for a user
against service B.
https://fedorahosted.org/freeipa/ticket/3644
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipatests')
-rw-r--r-- | ipatests/test_xmlrpc/objectclasses.py | 11 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_servicedelegation_plugin.py | 591 |
2 files changed, 602 insertions, 0 deletions
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 9a69cf3fd..a5c1b4c50 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -201,3 +201,14 @@ idoverridegroup = [
 u'top',
 u'ipaGroupOverride',
 ]
+
+servicedelegationrule = [
+ u'top',
+ u'groupofprincipals',
+ u'ipakrb5delegationacl',
+]
+
+servicedelegationtarget = [
+ u'top',
+ u'groupofprincipals',
+]
diff --git a/ipatests/test_xmlrpc/test_servicedelegation_plugin.py b/ipatests/test_xmlrpc/test_servicedelegation_plugin.py
new file mode 100644
index 000000000..6ad441d16
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_servicedelegation_plugin.py
@@ -0,0 +1,591 @@
+#
+# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+#
+"""
+Test the `ipalib/plugins/serviceconstraint.py` module.
+"""
+
+from ipalib import api, errors
+from ipatests.test_xmlrpc import objectclasses
+from xmlrpc_test import Declarative
+from ipapython.dn import DN
+
+rule1 = u'test1'
+rule2 = u'test rule two'
+target1 = u'test1-targets'
+target2 = u'test2-targets'
+princ1 = u'HTTP/%s@%s' % (api.env.host, api.env.realm)
+princ2 = u'ldap/%s@%s' % (api.env.host, api.env.realm)
+
+
+def get_servicedelegation_dn(cn):
+ return DN(('cn', cn), api.env.container_s4u2proxy, api.env.basedn)
+
+
+class test_servicedelegation(Declarative):
+ cleanup_commands = [
+ ('servicedelegationrule_del', [rule1], {}),
+ ('servicedelegationrule_del', [rule2], {}),
+ ('servicedelegationtarget_del', [target1], {}),
+ ('servicedelegationtarget_del', [target2], {}),
+ ]
+
+ tests = [
+
+ ################
+ # create rule1:
+ dict(
+ desc='Try to retrieve non-existent %r' % rule1,
+ command=('servicedelegationrule_show', [rule1], {}),
+ expected=errors.NotFound(
+ reason=u'%s: service delegation rule not found' % rule1
+ ),
+ ),
+
+
+ dict(
+ desc='Try to delete non-existent %r' % rule1,
+ command=('servicedelegationrule_del', [rule1], {}),
+ expected=errors.NotFound(
+ reason=u'%s: service delegation rule not found' % rule1
+ ),
+ ),
+
+
+ dict(
+ desc='Create %r' % rule1,
+ command=(
+ 'servicedelegationrule_add', [rule1], {}
+ ),
+ expected=dict(
+ value=rule1,
+ summary=u'Added service delegation rule "%s"' % rule1,
+ result=dict(
+ cn=[rule1],
+ objectclass=objectclasses.servicedelegationrule,
+ dn=get_servicedelegation_dn(rule1),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Try to create duplicate %r' % rule1,
+ command=(
+ 'servicedelegationrule_add', [rule1], {}
+ ),
+ expected=errors.DuplicateEntry(
+ message=u'service delegation rule with name "%s" '
+ 'already exists' % rule1),
+ ),
+
+
+ dict(
+ desc='Retrieve %r' % rule1,
+ command=('servicedelegationrule_show', [rule1], {}),
+ expected=dict(
+ value=rule1,
+ summary=None,
+ result=dict(
+ cn=[rule1],
+ dn=get_servicedelegation_dn(rule1),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Search for %r' % rule1,
+ command=('servicedelegationrule_find', [], dict(cn=rule1)),
+ expected=dict(
+ count=1,
+ truncated=False,
+ result=[
+ dict(
+ dn=get_servicedelegation_dn(rule1),
+ cn=[rule1],
+ ),
+ ],
+ summary=u'1 service delegation rule matched',
+ ),
+ ),
+
+
+
+ ################
+ # create rule2:
+ dict(
+ desc='Create %r' % rule2,
+ command=(
+ 'servicedelegationrule_add', [rule2], {}
+ ),
+ expected=dict(
+ value=rule2,
+ summary=u'Added service delegation rule "%s"' % rule2,
+ result=dict(
+ cn=[rule2],
+ objectclass=objectclasses.servicedelegationrule,
+ dn=get_servicedelegation_dn(rule2),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Search for all rules',
+ command=('servicedelegationrule_find', [], {}),
+ expected=dict(
+ summary=u'3 service delegation rules matched',
+ count=3,
+ truncated=False,
+ result=[
+ {
+ 'dn': get_servicedelegation_dn(u'ipa-http-delegation'),
+ 'cn': [u'ipa-http-delegation'],
+ 'memberprincipal': [princ1],
+ 'ipaallowedtarget_servicedelegationtarget':
+ [u'ipa-ldap-delegation-targets',
+ u'ipa-cifs-delegation-targets']
+ },
+ dict(
+ dn=get_servicedelegation_dn(rule2),
+ cn=[rule2],
+ ),
+ dict(
+ dn=get_servicedelegation_dn(rule1),
+ cn=[rule1],
+ ),
+ ],
+ ),
+ ),
+
+
+ dict(
+ desc='Create target %r' % target1,
+ command=(
+ 'servicedelegationtarget_add', [target1], {}
+ ),
+ expected=dict(
+ value=target1,
+ summary=u'Added service delegation target "%s"' % target1,
+ result=dict(
+ cn=[target1],
+ objectclass=objectclasses.servicedelegationtarget,
+ dn=get_servicedelegation_dn(target1),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Create target %r' % target2,
+ command=(
+ 'servicedelegationtarget_add', [target2], {}
+ ),
+ expected=dict(
+ value=target2,
+ summary=u'Added service delegation target "%s"' % target2,
+ result=dict(
+ cn=[target2],
+ objectclass=objectclasses.servicedelegationtarget,
+ dn=get_servicedelegation_dn(target2),
+ ),
+ ),
+ ),
+
+
+ dict(
+ desc='Search for all targets',
+ command=('servicedelegationtarget_find', [], {}),
+ expected=dict(
+ summary=u'4 service delegation targets matched',
+ count=4,
+ truncated=False,
+ result=[
+ {
+ 'dn': get_servicedelegation_dn(
+ u'ipa-cifs-delegation-targets'),
+ 'cn': [u'ipa-cifs-delegation-targets'],
+ },
+ {
+ 'dn': get_servicedelegation_dn(
+ u'ipa-ldap-delegation-targets'
+ ),
+ 'cn': [u'ipa-ldap-delegation-targets'],
+ 'memberprincipal': [princ2],
+ },
+ dict(
+ dn=get_servicedelegation_dn(target1),
+ cn=[target1],
+ ),
+ dict(
+ dn=get_servicedelegation_dn(target2),
+ cn=[target2],
+ ),
+ ],
+ ),
+ ),
+
+
+ ###############
+ # member stuff:
+ dict(
+ desc='Add member %r to %r' % (target1, rule1),
+ command=(
+ 'servicedelegationrule_add_target', [rule1],
+ dict(servicedelegationtarget=target1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ ipaallowedtarget=dict(
+ servicedelegationtarget=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'ipaallowedtarget_servicedelegationtarget': (target1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add duplicate target %r to %r' % (target1, rule1),
+ command=(
+ 'servicedelegationrule_add_target', [rule1],
+ dict(servicedelegationtarget=target1)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ ipaallowedtarget=dict(
+ servicedelegationtarget=[
+ [target1, u'This entry is already a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'ipaallowedtarget_servicedelegationtarget': (target1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add non-existent target %r to %r' % (u'notfound', rule1),
+ command=(
+ 'servicedelegationrule_add_target', [rule1],
+ dict(servicedelegationtarget=u'notfound')
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ ipaallowedtarget=dict(
+ servicedelegationtarget=[
+ [u'notfound', u'no such entry']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'ipaallowedtarget_servicedelegationtarget': (target1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove a target %r from %r' % (target1, rule1),
+ command=(
+ 'servicedelegationrule_remove_target', [rule1],
+ dict(servicedelegationtarget=target1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ ipaallowedtarget=dict(
+ servicedelegationtarget=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove non-existent target %r from %r' % (
+ u'notfound', rule1
+ ),
+ command=(
+ 'servicedelegationrule_remove_target', [rule1],
+ dict(servicedelegationtarget=u'notfound')
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ ipaallowedtarget=dict(
+ servicedelegationtarget=[
+ [u'notfound', u'This entry is not a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ ###############
+ # memberprincipal member stuff:
+ dict(
+ desc='Add memberprinc %r to %r' % (princ1, rule1),
+ command=(
+ 'servicedelegationrule_add_member', [rule1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'memberprincipal': (princ1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add duplicate member %r to %r' % (princ1, rule1),
+ command=(
+ 'servicedelegationrule_add_member', [rule1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [princ1, u'This entry is already a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'memberprincipal': (princ1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add non-existent member %r to %r' % (
+ u'HTTP/notfound', rule1
+ ),
+ command=(
+ 'servicedelegationrule_add_member', [rule1],
+ dict(principal=u'HTTP/notfound@%s' % api.env.realm)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [u'HTTP/notfound@%s' % api.env.realm,
+ u'no such entry']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'memberprincipal': (princ1,),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove a member %r from %r' % (princ1, rule1),
+ command=(
+ 'servicedelegationrule_remove_member', [rule1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'memberprincipal': [],
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove non-existent member %r from %r' % (
+ u'HTTP/notfound', rule1
+ ),
+ command=(
+ 'servicedelegationrule_remove_member', [rule1],
+ dict(principal=u'HTTP/notfound@%s' % api.env.realm)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [u'HTTP/notfound@%s' % api.env.realm,
+ u'This entry is not a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(rule1),
+ 'cn': [rule1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add memberprinc %r to %r' % (princ1, target1),
+ command=(
+ 'servicedelegationtarget_add_member', [target1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(target1),
+ 'memberprincipal': (princ1,),
+ 'cn': [target1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add duplicate member %r to %r' % (princ1, target1),
+ command=(
+ 'servicedelegationtarget_add_member', [target1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [princ1, u'This entry is already a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(target1),
+ 'memberprincipal': (princ1,),
+ 'cn': [target1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Add non-existent member %r to %r' % (
+ u'HTTP/notfound', target1
+ ),
+ command=(
+ 'servicedelegationtarget_add_member', [target1],
+ dict(principal=u'HTTP/notfound@%s' % api.env.realm)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [u'HTTP/notfound@%s' % api.env.realm,
+ u'no such entry']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(target1),
+ 'memberprincipal': (princ1,),
+ 'cn': [target1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove a member %r from %r' % (princ1, target1),
+ command=(
+ 'servicedelegationtarget_remove_member', [target1],
+ dict(principal=princ1)
+ ),
+ expected=dict(
+ completed=1,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=tuple(),
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(target1),
+ 'memberprincipal': [],
+ 'cn': [target1],
+ },
+ ),
+ ),
+
+
+ dict(
+ desc='Remove non-existent member %r from %r' % (
+ u'HTTP/notfound', target1
+ ),
+ command=(
+ 'servicedelegationtarget_remove_member', [target1],
+ dict(principal=u'HTTP/notfound@%s' % api.env.realm)
+ ),
+ expected=dict(
+ completed=0,
+ failed=dict(
+ failed_memberprincipal=dict(
+ memberprincipal=[
+ [u'HTTP/notfound@%s' % api.env.realm,
+ u'This entry is not a member']
+ ],
+ ),
+ ),
+ result={
+ 'dn': get_servicedelegation_dn(target1),
+ 'cn': [target1],
+ },
+ ),
+ ),
+
+ ]
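Review bot: Nothing in the new suite exercises authorization on these commands, even though, per the commit message, the entries it creates decide which service may obtain tickets on a user's behalf against another service, so a non-admin being able to run `servicedelegationrule_add_member` or `servicedelegationrule_add_target` would be a direct privilege escalation; every case here runs under the harness's default identity. If the xmlrpc harness can issue a command as an unprivileged user, add a case for each of those two commands expecting `errors.ACIError`, and otherwise record the gap in the class docstring so it is picked up by an integration test. The module docstring also names `ipalib/plugins/serviceconstraint.py` while every command under test is `servicedelegation*`, which presumably reflects a rename of the plugin; once the path is confirmed change it to `Test the `ipalib/plugins/servicedelegation.py` module.`. Finally, the 'Search for all rules' and 'Search for all targets' cases pin `count=3`/`count=4` and the exact result order including the built-in `ipa-http-delegation` entries, so they will fail on any server with extra rules or a different LDAP return order; filtering by `cn` as the earlier 'Search for %r' case does would keep them stable while still checking the default delegation rule's membership.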