sudorule: Allow unsetting sudoorder

After setting sudoorder, you are unable to unset it, since the
check for uniqueness of order of sudorules is applied incorrectly.

Fix the behaviour and cover it in the test suite.

https://fedorahosted.org/freeipa/ticket/4360

Reviewed-By: Martin Kosek <mkosek@redhat.com>

2 files changed, 6 insertions, 1 deletions

diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
index 9c2e7c51e..04ca97eff 100644
--- a/ipalib/plugins/sudorule.py
+++ b/ipalib/plugins/sudorule.py
@@ -310,10 +310,11 @@ class sudorule(LDAPObject):
     )
 
     def check_order_uniqueness(self, *keys, **options):
-        if 'sudoorder' in options:
+        if options.get('sudoorder') is not None:
             entries = self.methods.find(
                 sudoorder=options['sudoorder']
             )['result']
+
             if len(entries) > 0:
                 rule_name = entries[0]['cn'][0]
                 raise errors.ValidationError(
diff --git a/ipatests/test_xmlrpc/test_sudorule_plugin.py b/ipatests/test_xmlrpc/test_sudorule_plugin.py
index 7dc3cb1e4..052578666 100644
--- a/ipatests/test_xmlrpc/test_sudorule_plugin.py
+++ b/ipatests/test_xmlrpc/test_sudorule_plugin.py
@@ -769,6 +769,10 @@ class test_sudorule(XMLRPC_test):
         with assert_raises(errors.ValidationError):
             api.Command['sudorule_mod'](self.rule_name, sudoorder=0)
 
+        # Try unsetting sudoorder from both rules
+        api.Command['sudorule_mod'](self.rule_name, sudoorder=None)
+        api.Command['sudorule_mod'](self.rule_name2, sudoorder=None)
+
 
     def test_m_sudorule_del(self):
         """