diff options
author | Martin Kosek <mkosek@redhat.com> | 2012-09-12 10:00:35 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-09-16 17:59:27 -0400 |
commit | c0630950a170cc9c0fa68256ff606589641bc812 (patch) | |
tree | 734019961cacc670b5ebed080b9624a5e6299641 /tests/test_xmlrpc/test_hbac_plugin.py | |
parent | 2ecfe571faf9291eab7ffacea2a1e94d5be0d689 (diff) | |
download | freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.gz freeipa-c0630950a170cc9c0fa68256ff606589641bc812.tar.xz freeipa-c0630950a170cc9c0fa68256ff606589641bc812.zip |
Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.
Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.
As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup
Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.
Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.
https://fedorahosted.org/freeipa/ticket/2866
Diffstat (limited to 'tests/test_xmlrpc/test_hbac_plugin.py')
-rw-r--r-- | tests/test_xmlrpc/test_hbac_plugin.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/tests/test_xmlrpc/test_hbac_plugin.py b/tests/test_xmlrpc/test_hbac_plugin.py index 5ecb9014d..22c9b74e9 100644 --- a/tests/test_xmlrpc/test_hbac_plugin.py +++ b/tests/test_xmlrpc/test_hbac_plugin.py @@ -547,6 +547,23 @@ class test_hbac(XMLRPC_test): accessruletype=u'deny', ) + def test_n_hbacrule_links(self): + """ + Test adding various links to HBAC rule + """ + api.Command['hbacrule_add_sourcehost']( + self.rule_name, host=self.test_host, hostgroup=self.test_hostgroup + ) + api.Command['hbacrule_add_service']( + self.rule_name, hbacsvc=self.test_service + ) + + entry = api.Command['hbacrule_show'](self.rule_name)['result'] + assert_attr_equal(entry, 'cn', self.rule_name) + assert_attr_equal(entry, 'sourcehost_host', self.test_host) + assert_attr_equal(entry, 'sourcehost_hostgroup', self.test_hostgroup) + assert_attr_equal(entry, 'memberservice_hbacsvc', self.test_service) + def test_y_hbacrule_zap_testing_data(self): """ Clear data for HBAC plugin testing. @@ -561,6 +578,16 @@ class test_hbac(XMLRPC_test): api.Command['hostgroup_del'](self.test_sourcehostgroup) api.Command['hbacsvc_del'](self.test_service) + def test_k_2_sudorule_referential_integrity(self): + """ + Test that links in HBAC rule were removed by referential integrity plugin + """ + entry = api.Command['hbacrule_show'](self.rule_name)['result'] + assert_attr_equal(entry, 'cn', self.rule_name) + assert 'sourcehost_host' not in entry + assert 'sourcehost_hostgroup' not in entry + assert 'memberservice_hbacsvc' not in entry + def test_z_hbacrule_del(self): """ Test deleting a HBAC rule using `xmlrpc.hbacrule_del`. |