Disallow setattr on no_update/no_create params

Make --{set,add,del}attr fail on parameters with the no_update/no_create
flag for the respective command.

For attributes that can be modified, but we just don't want to display
in the CLI, use the 'no_option' flag. These are "locking" attributes
(ipaenabledflag, nsaccountlock) and externalhost.

Document the 'no_option' flag. Add some tests.

https://fedorahosted.org/freeipa/ticket/2580

2 files changed, 69 insertions, 1 deletions

diff --git a/tests/test_xmlrpc/test_attr.py b/tests/test_xmlrpc/test_attr.py
index 5916ebd2d..248d21570 100644
--- a/tests/test_xmlrpc/test_attr.py
+++ b/tests/test_xmlrpc/test_attr.py
@@ -471,7 +471,8 @@ class test_attr(Declarative):
             command=(
                 'config_mod', [], dict(addattr=u'ipacertificatesubjectbase=0=DOMAIN.COM')
             ),
-            expected=errors.OnlyOneValueAllowed(attr='ipacertificatesubjectbase'),
+            expected=errors.ValidationError(name='ipacertificatesubjectbase',
+                error='attribute is not configurable'),
         ),
 
         dict(
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 537768107..4b2be5c32 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -344,6 +344,16 @@ class test_user(Declarative):
             ),
         ),
 
+        dict(
+            desc='Assert user is disabled',
+            command=('user_find', [user1], {}),
+            expected=dict(
+                result=[lambda d: d['nsaccountlock'] == True],
+                summary=u'1 user matched',
+                count=1,
+                truncated=False,
+            ),
+        ),
 
         dict(
             desc='Enable %r'  % user1,
@@ -357,6 +367,63 @@ class test_user(Declarative):
             ),
         ),
 
+        dict(
+            desc='Assert user is enabled',
+            command=('user_find', [user1], {}),
+            expected=dict(
+                result=[lambda d: d['nsaccountlock'] == False],
+                summary=u'1 user matched',
+                count=1,
+                truncated=False,
+            ),
+        ),
+
+        dict(
+            desc='Disable %r using setattr' % user1,
+            command=('user_mod', [user1], dict(setattr=u'nsaccountlock=True')),
+            expected=dict(
+                result=lambda d: d['nsaccountlock'] == True,
+                value=user1,
+                summary=u'Modified user "tuser1"',
+            ),
+        ),
+
+        dict(
+            desc='Enable %r using setattr' % user1,
+            command=('user_mod', [user1], dict(setattr=u'nsaccountlock=False')),
+            expected=dict(
+                result=lambda d: d['nsaccountlock'] == False,
+                value=user1,
+                summary=u'Modified user "tuser1"',
+            ),
+        ),
+
+        dict(
+            desc='Disable %r using user_mod' % user1,
+            command=('user_mod', [user1], dict(nsaccountlock=True)),
+            expected=dict(
+                result=lambda d: d['nsaccountlock'] == True,
+                value=user1,
+                summary=u'Modified user "tuser1"',
+            ),
+        ),
+
+        dict(
+            desc='Enable %r using user_mod' % user1,
+            command=('user_mod', [user1], dict(nsaccountlock=False)),
+            expected=dict(
+                result=lambda d: d['nsaccountlock'] == False,
+                value=user1,
+                summary=u'Modified user "tuser1"',
+            ),
+        ),
+
+        dict(
+            desc='Try setting virtual attribute on %r using setattr' % user1,
+            command=('user_mod', [user1], dict(setattr=u'random=xyz123')),
+            expected=errors.ObjectclassViolation(
+                info='attribute "random" not allowed'),
+        ),
 
         dict(
             desc='Update %r' % user1,