author | Petr Viktorin <pviktori@redhat.com> | 2013-11-13 16:31:58 +0100 |
committer | Martin Kosek <mkosek@redhat.com> | 2013-12-13 15:08:52 +0100 |
commit | d7ee87cfa1e288fe18dc2dbeb2d691753048f4db (patch) | |
tree | 10f41a5a3a82011428f170fe725bafdce77845d7 /ipatests/test_xmlrpc | |
parent | 445634d6ac39669cc007871861e19e15ae22c12d (diff) | |
Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
Diffstat (limited to 'ipatests/test_xmlrpc')
-rw-r--r-- | ipatests/test_xmlrpc/objectclasses.py | 6 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_dns_plugin.py | 1 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_permission_plugin.py | 1020 | ||||
-rw-r--r-- | ipatests/test_xmlrpc/test_privilege_plugin.py | 26 |
4 files changed, 911 insertions, 142 deletions
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py index 089ee69a3..363e1c7c3 100644 --- a/ipatests/test_xmlrpc/objectclasses.py +++ b/ipatests/test_xmlrpc/objectclasses.py @@ -77,12 +77,16 @@ role = [ u'top', ] -permission = [ +system_permission = [ u'groupofnames', u'ipapermission', u'top' ] +permission = system_permission + [ + u'ipapermissionv2', +] + privilege = [ u'nestedgroup', u'groupofnames', diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py index 81e8e4ed2..8dbdec6ba 100644 --- a/ipatests/test_xmlrpc/test_dns_plugin.py +++ b/ipatests/test_xmlrpc/test_dns_plugin.py @@ -1361,6 +1361,7 @@ class test_dns(Declarative): result={ 'dn': dnszone1_permission_dn, 'cn': [dnszone1_permission], + 'objectclass': objectclasses.system_permission, 'ipapermissiontype': [u'SYSTEM'], }, ), diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py index a3913a858..3931c0a85 100644 --- a/ipatests/test_xmlrpc/test_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_permission_plugin.py @@ -24,7 +24,7 @@ Test the `ipalib/plugins/permission.py` module. from ipalib import api, errors from ipatests.test_xmlrpc import objectclasses -from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid +from xmlrpc_test import Declarative from ipapython.dn import DN permission1 = u'testperm' 
@@ -57,18 +57,22 @@ permission3_attributelevelrights = { 'objectclass': u'rscwo', 'memberof': u'rscwo', 'aci': u'rscwo', - 'subtree': u'rscwo', + 'ipapermlocation': u'rscwo', 'o': u'rscwo', - 'filter': u'rscwo', - 'attrs': u'rscwo', + 'ipapermallowedattr': u'rscwo', + 'ipapermdefaultattr': u'rscwo', + 'ipapermexcludedattr': u'rscwo', 'owner': u'rscwo', - 'group': u'rscwo', 'ou': u'rscwo', - 'targetgroup': u'rscwo', - 'type': u'rscwo', - 'permissions': u'rscwo', + 'ipapermright': u'rscwo', 'nsaccountlock': u'rscwo', 'description': u'rscwo', + 'ipapermtargetfilter': u'rscwo', + 'ipapermbindruletype': u'rscwo', + 'ipapermlocation': u'rscwo', + 'ipapermtarget': u'rscwo', + 'type': u'rscwo', + 'targetgroup': u'rscwo', } privilege1 = u'testpriv1' @@ -78,19 +82,18 @@ privilege1_dn = DN(('cn',privilege1), invalid_permission1 = u'bad;perm' -class test_permission(Declarative): +users_dn = DN(api.env.container_user, api.env.basedn) +groups_dn = DN(api.env.container_group, api.env.basedn) + + +class test_permission_negative(Declarative): + """Make sure invalid operations fail""" cleanup_commands = [ ('permission_del', [permission1], {'force': True}), - ('permission_del', [permission2], {'force': True}), - ('permission_del', [permission3], {'force': True}), - ('permission_del', [permission1_renamed], {'force': True}), - ('permission_del', [permission1_renamed_ucase], {'force': True}), - ('privilege_del', [privilege1], {}), ] tests = [ - dict( desc='Try to retrieve non-existent %r' % permission1, command=('permission_show', [permission1], {}), @@ -101,7 +104,7 @@ class test_permission(Declarative): dict( desc='Try to update non-existent %r' % permission1, - command=('permission_mod', [permission1], dict(permissions=u'all')), + command=('permission_mod', [permission1], dict(ipapermright=u'all')), expected=errors.NotFound( reason=u'%s: permission not found' % permission1), ), 
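Review bot: `permission3_attributelevelrights` now lists `'ipapermlocation': u'rscwo'` twice, once in place of the removed `'subtree'` entry and again in the block appended after `'ipapermbindruletype'`; a duplicate key in a dict literal is silently collapsed, so the test still passes, but linters flag it and the second copy should be dropped. The same duplicate appears in the expected result of the `@@ -677,10 +963,17 @@` hunk, where `'ipapermlocation': [users_dn]` is added both after `'member_privilege'` and at the end of the entry. Because these are assertion fixtures the duplicates hide nothing today, but a later edit that changes only one copy would be masked by the other.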
@@ -114,7 +117,6 @@ class test_permission(Declarative): reason=u'%s: permission not found' % permission1), ), - dict( desc='Search for non-existent %r' % permission1, command=('permission_find', [permission1], {}), @@ -126,13 +128,47 @@ class test_permission(Declarative): ), ), + dict( + desc='Try creating %r with no ipapermright' % permission1, + command=( + 'permission_add', [permission1], dict( + type=u'user', + ipapermallowedattr=[u'sn'], + ) + ), + expected=errors.RequirementError(name='ipapermright'), + ), dict( - desc='Create %r' % permission1, + desc='Try creating %r with no target option' % permission1, command=( 'permission_add', [permission1], dict( + ipapermright=u'write', + ) + ), + expected=errors.ValidationError( + name='target', + error='there must be at least one target entry specifier ' + '(e.g. target, targetfilter, attrs)'), + ), + + dict( + desc='Try to create invalid %r' % invalid_permission1, + command=('permission_add', [invalid_permission1], dict( type=u'user', - permissions=u'write', + ipapermright=u'write', + )), + expected=errors.ValidationError(name='name', + error='May only contain letters, numbers, -, _, ., and space'), + ), + + dict( + desc='Create %r so we can try breaking it' % permission1, + command=( + 'permission_add', [permission1], dict( + type=u'user', + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], ) ), expected=dict( 
@@ -142,8 +178,104 @@ class test_permission(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, + type=[u'user'], + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ), + ), + ), + + dict( + desc='Try remove ipapermright from %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + ipapermright=None, + ) + ), + expected=errors.RequirementError(name='ipapermright'), + ), + + dict( + desc='Try to remove type from %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + ipapermallowedattr=None, + type=None, + ) + ), + expected=errors.ValidationError( + name='target', + error='there must be at least one target entry specifier ' + '(e.g. target, targetfilter, attrs)'), + ), + + dict( + desc='Try to remove target and memberof from %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + ipapermallowedattr=None, + ipapermtarget=None, + ) + ), + expected=errors.ValidationError( + name='target', + error='there must be at least one target entry specifier ' + '(e.g. target, targetfilter, attrs)'), + ), + + dict( + desc='Try to rename %r to invalid invalid %r' % ( + permission1, invalid_permission1), + command=('permission_mod', [permission1], dict( + rename=invalid_permission1, + )), + expected=errors.ValidationError(name='rename', + error='May only contain letters, numbers, -, _, ., and space'), + ), + + ] + + +class test_permission(Declarative): + """Misc. 
tests for the permission plugin""" + cleanup_commands = [ + ('permission_del', [permission1], {'force': True}), + ('permission_del', [permission2], {'force': True}), + ('permission_del', [permission3], {'force': True}), + ('permission_del', [permission1_renamed], {'force': True}), + ('permission_del', [permission1_renamed_ucase], {'force': True}), + ('privilege_del', [privilege1], {}), + ] + + tests = [ + + dict( + desc='Create %r' % permission1, + command=( + 'permission_add', [permission1], dict( type=u'user', - permissions=[u'write'], + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], + ) + ), + expected=dict( + value=permission1, + summary=u'Added permission "%s"' % permission1, + result=dict( + dn=permission1_dn, + cn=[permission1], + objectclass=objectclasses.permission, + type=[u'user'], + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -154,10 +286,12 @@ class test_permission(Declarative): command=( 'permission_add', [permission1], dict( type=u'user', - permissions=u'write', + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], ), ), - expected=errors.DuplicateEntry(), + expected=errors.DuplicateEntry( + message='permission with name "%s" already exists' % permission1), ), @@ -211,9 +345,15 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), 
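Review bot: The description `'Try to remove target and memberof from %r'` does not match the command beneath it, which sends `ipapermallowedattr=None` and `ipapermtarget=None` and never touches memberof; either the desc should read `'Try to remove target and attrs from %r' % permission1` or a `memberof=None` was intended, which would exercise a different validation path and deserves its own entry. Two entries later the desc `'Try to rename %r to invalid invalid %r'` repeats the word "invalid". The hunk opens the new `test_permission` class but its body continues beyond the hunk, and the class docstring is split across a line break in this listing.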
@@ -221,17 +361,28 @@ class test_permission(Declarative): dict( desc='Retrieve %r with --raw' % permission1, - command=('permission_show', [permission1], {'raw' : True}), + command=('permission_show', [permission1], {'raw': True}), expected=dict( value=permission1, summary=None, result={ 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \ - (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn), - DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)) + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermright': [u'write'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'aci': ['(targetattr = "sn")' + '(target = "ldap:///%(tdn)s")' + '(version 3.0;acl "permission:%(name)s";' + 'allow (write) groupdn = "ldap:///%(pdn)s";)' % + {'tdn': DN(('uid', '*'), users_dn), + 'name': permission1, + 'pdn': permission1_dn}], }, ), ), @@ -248,9 +399,15 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), 
@@ -268,9 +425,15 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), @@ -278,7 +441,7 @@ class test_permission(Declarative): dict( - desc='Search for non-existence permission using --name', + desc='Search for non-existent permission using --name', command=('permission_find', [], {'cn': u'notfound'}), expected=dict( count=0, @@ -300,9 +463,15 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), @@ -311,7 +480,7 @@ class test_permission(Declarative): dict( desc='Search for %r with --raw' % permission1, - command=('permission_find', [permission1], {'raw' : True}), + command=('permission_find', [permission1], {'raw': True}), expected=dict( count=1, truncated=False, 
@@ -320,10 +489,21 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member': [privilege1_dn], - 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \ - (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn), - DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)), + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermright': [u'write'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'aci': ['(targetattr = "sn")' + '(target = "ldap:///%(tdn)s")' + '(version 3.0;acl "permission:%(name)s";' + 'allow (write) groupdn = "ldap:///%(pdn)s";)' % + {'tdn': DN(('uid', '*'), users_dn), + 'name': permission1, + 'pdn': permission1_dn}], }, ], ), @@ -335,9 +515,10 @@ class test_permission(Declarative): command=( 'permission_add', [permission2], dict( type=u'user', - permissions=u'write', + ipapermright=u'write', setattr=u'owner=cn=test', addattr=u'owner=cn=test2', + ipapermallowedattr=[u'cn'], ) ), expected=dict( @@ -347,9 +528,14 @@ class test_permission(Declarative): dn=permission2_dn, cn=[permission2], objectclass=objectclasses.permission, - type=u'user', - permissions=[u'write'], + type=[u'user'], + ipapermright=[u'write'], owner=[u'cn=test', u'cn=test2'], + ipapermallowedattr=[u'cn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), 
@@ -366,15 +552,27 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, { 'dn': permission2_dn, 'cn': [permission2], - 'type': u'user', - 'permissions': [u'write'], + 'objectclass': objectclasses.permission, + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'cn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), @@ -405,7 +603,7 @@ class test_permission(Declarative): dict( desc='Search by ACI attribute with --pkey-only', command=('permission_find', [], {'pkey_only': True, - 'attrs': [u'krbminpwdlife']}), + 'ipapermallowedattr': [u'krbminpwdlife']}), expected=dict( count=1, truncated=False, @@ -451,9 +649,15 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), 
@@ -471,15 +675,27 @@ class test_permission(Declarative): { 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'sn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], }, { 'dn': permission2_dn, 'cn': [permission2], - 'type': u'user', - 'permissions': [u'write'], + 'objectclass': objectclasses.permission, + 'type': [u'user'], + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'cn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ], ), @@ -492,7 +708,7 @@ class test_permission(Declarative): # to change. dict( desc='Search for permissions by attr with a limit of 1 (truncated)', - command=('permission_find', [], dict(attrs=u'ipaenabledflag', + command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag', sizelimit=1)), expected=dict( count=1, 
@@ -503,11 +719,14 @@ class test_permission(Declarative): 'dn': DN(('cn', 'Modify HBAC rule'), api.env.container_permission, api.env.basedn), 'cn': [u'Modify HBAC rule'], + 'objectclass': objectclasses.permission, 'member_privilege': [u'HBAC Administrator'], 'memberindirect_role': [u'IT Security Specialist'], - 'permissions' : [u'write'], - 'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'], - 'subtree' : u'ldap:///%s' % DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn), + 'ipapermright' : [u'write'], + 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'], + 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermlocation': [api.env.basedn], }, ], ), @@ -518,7 +737,7 @@ class test_permission(Declarative): desc='Update %r' % permission1, command=( 'permission_mod', [permission1], dict( - permissions=u'read', + ipapermright=u'read', memberof=u'ipausers', setattr=u'owner=cn=other-test', addattr=u'owner=cn=other-test2', @@ -530,11 +749,19 @@ class test_permission(Declarative): result=dict( dn=permission1_dn, cn=[permission1], + objectclass=objectclasses.permission, member_privilege=[privilege1], - type=u'user', - permissions=[u'read'], - memberof=u'ipausers', + type=[u'user'], + ipapermright=[u'read'], + memberof=[u'ipausers'], owner=[u'cn=other-test', u'cn=other-test2'], + ipapermallowedattr=[u'sn'], + ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), 
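Review bot: The update with `memberof=u'ipausers'` in the `@@ -530,11 +749,19 @@` hunk is verified only through the decoded attributes (`ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', groups_dn)]`); within the visible hunks no `--raw` retrieval follows it, so the generated ACI is never checked to contain a matching `(targetfilter = ...)` clause, which is what the directory server actually enforces. The raw checks in the `@@ -221,17 +361,28 @@` and `@@ -320,10 +489,21 @@` hunks pin the ACI string only for the plain type/attrs case. A `permission_show ... {'raw': True}` step after this update, expecting the `aci` value to include the targetfilter term, would catch drift between the stored V2 attributes and the enforced ACI. The `test_permission.tests` list continues outside the hunk.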
@@ -549,10 +776,18 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'read'], - 'memberof': u'ipausers', + 'type': [u'user'], + 'ipapermright': [u'read'], + 'memberof': [u'ipausers'], + 'ipapermallowedattr': [u'sn'], + 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), @@ -564,7 +799,7 @@ class test_permission(Declarative): permission2), command=( 'permission_mod', [permission1], dict(rename=permission2, - permissions=u'all',) + ipapermright=u'all',) ), expected=errors.DuplicateEntry(), ), @@ -574,7 +809,7 @@ class test_permission(Declarative): desc='Try to rename %r to empty name' % (permission1), command=( 'permission_mod', [permission1], dict(rename=u'', - permissions=u'all',) + ipapermright=u'all',) ), expected=errors.ValidationError(name='rename', error=u'New name can not be empty'), @@ -590,10 +825,18 @@ class test_permission(Declarative): result={ 'dn': permission1_dn, 'cn': [permission1], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'read'], - 'memberof': u'ipausers', + 'type': [u'user'], + 'ipapermright': [u'read'], + 'memberof': [u'ipausers'], + 'ipapermallowedattr': [u'sn'], + 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), 
@@ -604,7 +847,7 @@ class test_permission(Declarative): permission1_renamed), command=( 'permission_mod', [permission1], dict(rename=permission1_renamed, - permissions= u'all',) + ipapermright= u'all',) ), expected=dict( value=permission1, @@ -612,10 +855,18 @@ class test_permission(Declarative): result={ 'dn': permission1_renamed_dn, 'cn': [permission1_renamed], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'all'], - 'memberof': u'ipausers', + 'type': [u'user'], + 'ipapermright': [u'all'], + 'memberof': [u'ipausers'], + 'ipapermallowedattr': [u'sn'], + 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), @@ -626,7 +877,7 @@ class test_permission(Declarative): permission1_renamed_ucase), command=( 'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase, - permissions= u'write',) + ipapermright= u'write',) ), expected=dict( value=permission1_renamed, @@ -634,10 +885,18 @@ class test_permission(Declarative): result={ 'dn': permission1_renamed_ucase_dn, 'cn': [permission1_renamed_ucase], + 'objectclass': objectclasses.permission, 'member_privilege': [privilege1], - 'type': u'user', - 'permissions': [u'write'], - 'memberof': u'ipausers', + 'type': [u'user'], + 'ipapermright': [u'write'], + 'memberof': [u'ipausers'], + 'ipapermallowedattr': [u'sn'], + 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], }, ), ), 
@@ -647,8 +906,7 @@ class test_permission(Declarative): desc='Change %r to a subtree type' % permission1_renamed_ucase, command=( 'permission_mod', [permission1_renamed_ucase], - dict(subtree=u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn), - type=None) + dict(ipapermlocation=users_dn, type=None) ), expected=dict( value=permission1_renamed_ucase, @@ -656,19 +914,47 @@ class test_permission(Declarative): result=dict( dn=permission1_renamed_ucase_dn, cn=[permission1_renamed_ucase], + objectclass=objectclasses.permission, member_privilege=[privilege1], - subtree=u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn), - permissions=[u'write'], - memberof=u'ipausers', + ipapermlocation=[users_dn], + ipapermright=[u'write'], + memberof=[u'ipausers'], + ipapermallowedattr=[u'sn'], + ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers', + groups_dn)], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], ), ), ), + dict( + desc='Reset --subtree of %r' % permission2, + command=( + 'permission_mod', [permission2], + dict(ipapermlocation=api.env.basedn) + ), + expected=dict( + value=permission2, + summary=u'Modified permission "%s"' % permission2, + result={ + 'dn': permission2_dn, + 'cn': [permission2], + 'objectclass': objectclasses.permission, + 'ipapermright': [u'write'], + 'ipapermallowedattr': [u'cn'], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermtarget': [DN(('uid', '*'), users_dn)], + 'ipapermlocation': [api.env.basedn], + }, + ), + ), dict( desc='Search for %r using --subtree' % permission1, command=('permission_find', [], - {'subtree': u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn)}), + {'ipapermlocation': u'ldap:///%s' % users_dn}), expected=dict( count=1, truncated=False, 
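Review bot: In the `@@ -656,19 +914,47 @@` hunk `ipapermlocation` is passed as a bare DN in the mod (`dict(ipapermlocation=api.env.basedn)`) but as an LDAP URL string in the following find (`{'ipapermlocation': u'ldap:///%s' % users_dn}`), and nothing records that both forms are meant to be accepted; a comment such as `# ipapermlocation accepts both a DN and an ldap:/// URL` above the find, or using one form in both places, would make the intent explicit. The `ConversionError(name='subtree', ...)` expected in the next hunk suggests `subtree` is still the CLI name, so the `--subtree` wording in the descriptions is presumably fine. The `test_permission.tests` list continues beyond this hunk.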
@@ -677,10 +963,17 @@ class test_permission(Declarative): { 'dn':permission1_renamed_ucase_dn, 'cn':[permission1_renamed_ucase], + 'objectclass': objectclasses.permission, 'member_privilege':[privilege1], - 'subtree':u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn), - 'permissions':[u'write'], - 'memberof':u'ipausers', + 'ipapermlocation': [users_dn], + 'ipapermright':[u'write'], + 'memberof':[u'ipausers'], + 'ipapermallowedattr': [u'sn'], + 'ipapermtargetfilter': [u'(memberOf=%s)' % DN( + 'cn=ipausers', groups_dn)], + 'ipapermbindruletype': [u'permission'], + 'ipapermissiontype': [u'SYSTEM', u'V2'], + 'ipapermlocation': [users_dn], }, ], ), @@ -689,13 +982,9 @@ class test_permission(Declarative): dict( desc='Search using nonexistent --subtree', - command=('permission_find', [], {'subtree': u'foo'}), - expected=dict( - count=0, - truncated=False, - summary=u'0 permissions matched', - result=[], - ), + command=('permission_find', [], {'ipapermlocation': u'foo'}), + expected=errors.ConversionError( + name='subtree', error='malformed RDN string = "foo"'), ), @@ -711,11 +1000,17 @@ class test_permission(Declarative): 'dn': DN(('cn','Add user to default group'), api.env.container_permission, api.env.basedn), 'cn': [u'Add user to default group'], + 'objectclass': objectclasses.permission, 'member_privilege': [u'User Administrators'], - 'attrs': [u'member'], - 'targetgroup': u'ipausers', + 'ipapermallowedattr': [u'member'], + 'targetgroup': [u'ipausers'], 'memberindirect_role': [u'User Administrator'], - 'permissions': [u'write'] + 'ipapermright': [u'write'], + 'ipapermbindruletype': [u'permission'], + 'ipapermtarget': [DN( + 'cn=ipausers', api.env.container_group, + api.env.basedn)], + 'ipapermlocation': [api.env.basedn], } ], ), 
@@ -795,7 +1090,8 @@ class test_permission(Declarative): command=( 'permission_add', [permission1], dict( memberof=u'nonexisting', - permissions=u'write', + ipapermright=u'write', + ipapermallowedattr=[u'cn'], ) ), expected=errors.NotFound(reason=u'nonexisting: group not found'), @@ -806,8 +1102,9 @@ class test_permission(Declarative): command=( 'permission_add', [permission1], dict( memberof=u'editors', - permissions=u'write', + ipapermright=u'write', type=u'user', + ipapermallowedattr=[u'sn'], ) ), expected=dict( @@ -817,9 +1114,16 @@ class test_permission(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, - memberof=u'editors', - permissions=[u'write'], - type=u'user', + memberof=[u'editors'], + ipapermright=[u'write'], + type=[u'user'], + ipapermallowedattr=[u'sn'], + ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'), + groups_dn)], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -844,9 +1148,17 @@ class test_permission(Declarative): result=dict( dn=permission1_dn, cn=[permission1], - memberof=u'admins', - permissions=[u'write'], - type=u'user', + objectclass=objectclasses.permission, + memberof=[u'admins'], + ipapermright=[u'write'], + type=[u'user'], + ipapermallowedattr=[u'sn'], + ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'), + groups_dn)], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), 
@@ -864,8 +1176,14 @@ class test_permission(Declarative): result=dict( dn=permission1_dn, cn=[permission1], - permissions=[u'write'], - type=u'user', + objectclass=objectclasses.permission, + ipapermright=[u'write'], + type=[u'user'], + ipapermallowedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN(('uid', '*'), users_dn)], ), ), ), @@ -887,7 +1205,8 @@ class test_permission(Declarative): command=( 'permission_add', [permission1], dict( targetgroup=u'editors', - permissions=u'write', + ipapermright=u'write', + ipapermallowedattr=[u'sn'], ) ), expected=dict( @@ -897,29 +1216,24 @@ class test_permission(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, - targetgroup=u'editors', - permissions=[u'write'], + targetgroup=[u'editors'], + ipapermright=[u'write'], + ipapermallowedattr=[u'sn'], + ipapermbindruletype=[u'permission'], + ipapermtarget=[DN(('cn', 'editors'), groups_dn)], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[api.env.basedn], ), ), ), dict( - desc='Try to create invalid %r' % invalid_permission1, - command=('permission_add', [invalid_permission1], dict( - type=u'user', - permissions=u'write', - )), - expected=errors.ValidationError(name='name', - error='May only contain letters, numbers, -, _, and space'), - ), - - dict( desc='Create %r' % permission3, command=( 'permission_add', [permission3], dict( type=u'user', - permissions=u'write', - attrs=[u'cn'] + ipapermright=u'write', + ipapermallowedattr=[u'cn'] ) ), expected=dict( 
@@ -929,9 +1243,13 @@ class test_permission(Declarative): dn=permission3_dn, cn=[permission3], objectclass=objectclasses.permission, - type=u'user', - permissions=[u'write'], - attrs=(u'cn',), + type=[u'user'], + ipapermright=[u'write'], + ipapermallowedattr=(u'cn',), + ipapermbindruletype=[u'permission'], + ipapermtarget=[DN(('uid', '*'), users_dn)], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], ), ), ), @@ -946,17 +1264,23 @@ class test_permission(Declarative): dn=permission3_dn, cn=[permission3], objectclass=objectclasses.permission, - type=u'user', - attrs=(u'cn',), - permissions=[u'write'], - attributelevelrights=permission3_attributelevelrights + type=[u'user'], + ipapermallowedattr=(u'cn',), + ipapermright=[u'write'], + attributelevelrights=permission3_attributelevelrights, + ipapermbindruletype=[u'permission'], + ipapermtarget=[DN(('uid', '*'),users_dn)], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], ), ), ), dict( - desc='Modify %r with --all -rights' % permission3, - command=('permission_mod', [permission3], {'all' : True, 'rights': True, 'attrs':[u'cn',u'uid']}), + desc='Modify %r with --all --rights' % permission3, + command=('permission_mod', [permission3], { + 'all': True, 'rights': True, + 'ipapermallowedattr': [u'cn', u'uid']}), expected=dict( value=permission3, summary=u'Modified permission "%s"' % permission3, 
@@ -964,11 +1288,441 @@ class test_permission(Declarative):
 dn=permission3_dn,
 cn=[permission3],
 objectclass=objectclasses.permission,
- type=u'user',
- attrs=(u'cn',u'uid'),
- permissions=[u'write'],
+ type=[u'user'],
+ ipapermallowedattr=(u'cn',u'uid'),
+ ipapermright=[u'write'],
 attributelevelrights=permission3_attributelevelrights,
+ ipapermbindruletype=[u'permission'],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Try to modify %r with invalid targetfilter' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermtargetfilter': u"ceci n'est pas un filtre"}),
+ expected=errors.ValidationError(
+ name='ipapermtargetfilter',
+ error='Bad search filter'),
+ ),
+ ]
+
+
+class test_permission_sync_attributes(Declarative):
+ """Test the effects of setting permission attributes"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ ipapermlocation=users_dn,
+ ipapermright=u'write',
+ ipapermallowedattr=u'sn',
+ ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn),
+ ipapermtarget=DN(('uid', '*'), users_dn),
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset location on %r, verify type is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermlocation=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Reset location on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermlocation=users_dn,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset target on %r, verify type is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtarget=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
 ),
 ),
 ),
+
+ dict(
+ desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtargetfilter=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set type of %r to group' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=u'group',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'group'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[groups_dn],
+ ipapermtarget=[DN(('cn', '*'), groups_dn)],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set target on %r, verify targetgroup is set' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtarget=DN('cn=editors', groups_dn),
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN('cn=editors', groups_dn)],
+ ipapermlocation=[groups_dn],
+ targetgroup=[u'editors'],
+ ),
+ ),
+ ),
+ ]
+
+
+class test_permission_sync_nice(Declarative):
+ """Test the effects of setting convenience options on permissions"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ type=u'user',
+ ipapermright=u'write',
+ ipapermallowedattr=u'sn',
+ memberof=u'admins',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset type on %r, verify target & location are gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ memberof=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set type of %r to group' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=u'group',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'group'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[groups_dn],
+ ipapermtarget=[DN(('cn', '*'), groups_dn)],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set targetgroup on %r, verify target is set' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ targetgroup=u'editors',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN('cn=editors', groups_dn)],
+ ipapermlocation=[groups_dn],
+ targetgroup=[u'editors'],
+ ),
+ ),
+ ),
+ ]
+
+
+def _make_permission_flag_tests(flags, expected_message):
+ return [
+
+ dict(
+ desc='Create %r with flags %s' % (permission1, flags),
+ command=(
+ 'permission_add_noaci', [permission1], dict(
+ ipapermissiontype=flags,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.system_permission,
+ ipapermissiontype=flags,
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Try to modify %r' % permission1,
+ command=('permission_mod', [permission1], {'type': u'user'}),
+ expected=errors.ACIError(info=expected_message),
+ ),
+
+ dict(
+ desc='Try to delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=errors.ACIError(info=expected_message),
+ ),
+
+ dict(
+ desc='Delete %r with --force' % permission1,
+ command=('permission_del', [permission1], {'force': True}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ ),
+ ),
+ ]
+
+
+class test_permission_flags(Declarative):
+ 
"""Test that permission flags are handled correctly""" + cleanup_commands = [ + ('permission_del', [permission1], {'force': True}), + ] + + tests = ( + _make_permission_flag_tests( + [u'SYSTEM'], + 'A SYSTEM permission may not be modified or removed') + + _make_permission_flag_tests( + [u'??'], + 'Permission with unknown flag ?? may not be modified or removed') + + _make_permission_flag_tests( + [u'SYSTEM', u'??'], + 'Permission with unknown flag ?? may not be modified or removed')) + + +class test_permission_legacy(Declarative): + """Tests for non-upgraded permissions""" + + tests = [ + dict( + desc='Search for all permissions in $SUFFIX', + command=('permission_find', [], + {'ipapermlocation': api.env.basedn}), + expected=dict( + count=lambda n: n > 50, + truncated=False, + summary=lambda s: True, + result=lambda s: True, + ), + ), ] diff --git a/ipatests/test_xmlrpc/test_privilege_plugin.py b/ipatests/test_xmlrpc/test_privilege_plugin.py index 741590dd0..b76c87c71 100644 --- a/ipatests/test_xmlrpc/test_privilege_plugin.py +++ b/ipatests/test_xmlrpc/test_privilege_plugin.py @@ -38,6 +38,8 @@ privilege1 = u'testpriv1' privilege1_dn = DN(('cn',privilege1), api.env.container_privilege,api.env.basedn) +users_dn = DN(api.env.container_user, api.env.basedn) + class test_privilege(Declarative): @@ -89,8 +91,8 @@ class test_privilege(Declarative): desc='Create %r' % permission1, command=( 'permission_add', [permission1], dict( - type=u'user', - permissions=[u'add', u'delete'], + type=u'user', + ipapermright=[u'add', u'delete'], ) ), expected=dict( @@ -100,8 +102,12 @@ class test_privilege(Declarative): dn=permission1_dn, cn=[permission1], objectclass=objectclasses.permission, - type=u'user', - permissions=[u'add', u'delete'], + type=[u'user'], + ipapermright=[u'add', u'delete'], + ipapermbindruletype=[u'permission'], + ipapermissiontype=[u'SYSTEM', u'V2'], + ipapermlocation=[users_dn], + ipapermtarget=[DN('uid=*', users_dn)], ), ), ), 
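Review bot: `test_permission_legacy` at the end of the `@@ -964,11 +1288,441 @@` hunk asserts almost nothing: `summary=lambda s: True` and `result=lambda s: True` accept any response, and `count=lambda n: n > 50` pins a number that depends on how many permissions the deployed server happens to ship, so the test cannot show that non-upgraded permissions (presumably the point of the class, per its docstring) are actually returned. A check on the entries themselves would be stronger, e.g. `result=lambda r: any(u'V2' not in e.get('ipapermissiontype', []) for e in r)` (constructed; adjust to the real result shape) instead of the unconditional `True`. `_make_permission_flag_tests` would also benefit from a docstring such as `"""Return tests checking that a permission carrying *flags* rejects mod/del without --force, reporting *expected_message*."""`. The `test_permission.tests` list this hunk closes starts outside the hunk.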
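Review bot: In the `@@ -100,8 +102,12 @@` hunk of test_privilege_plugin.py, `ipapermtarget=[DN('uid=*', users_dn)]` builds the RDN from a string, whereas the same expected value in test_permission_plugin.py in this commit is spelled `DN(('uid', '*'), users_dn)`; the two presumably compare equal, but one spelling would keep the expectations greppable and consistent across the two test files. The `@@ -217,8 +223,12 @@` hunk below has the same. Suggest `ipapermtarget=[DN(('uid', '*'), users_dn)],` in both places.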
@@ -206,8 +212,8 @@ class test_privilege(Declarative):
 desc='Create %r' % permission2,
 command=(
 'permission_add', [permission2], dict(
- type=u'user',
- permissions=u'write',
+ type=u'user',
+ ipapermright=u'write',
 )
 ),
 expected=dict(
@@ -217,8 +223,12 @@ class test_privilege(Declarative):
 dn=permission2_dn,
 cn=[permission2],
 objectclass=objectclasses.permission,
- type=u'user',
- permissions=[u'write'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN('uid=*', users_dn)],
 ),
 ),
 ), |