authorPetr Viktorin <pviktori@redhat.com>2013-11-13 16:31:58 +0100
committerMartin Kosek <mkosek@redhat.com>2013-12-13 15:08:52 +0100
commitd7ee87cfa1e288fe18dc2dbeb2d691753048f4db (patch)
tree10f41a5a3a82011428f170fe725bafdce77845d7 /ipatests/test_xmlrpc
parent445634d6ac39669cc007871861e19e15ae22c12d (diff)
downloadfreeipa-d7ee87cfa1e288fe18dc2dbeb2d691753048f4db.tar.gz
freeipa-d7ee87cfa1e288fe18dc2dbeb2d691753048f4db.tar.xz
freeipa-d7ee87cfa1e288fe18dc2dbeb2d691753048f4db.zip
Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
Diffstat (limited to 'ipatests/test_xmlrpc')
-rw-r--r--ipatests/test_xmlrpc/objectclasses.py6
-rw-r--r--ipatests/test_xmlrpc/test_dns_plugin.py1
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py1020
-rw-r--r--ipatests/test_xmlrpc/test_privilege_plugin.py26
4 files changed, 911 insertions, 142 deletions
diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 089ee69a3..363e1c7c3 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -77,12 +77,16 @@ role = [
u'top',
]
-permission = [
+system_permission = [
u'groupofnames',
u'ipapermission',
u'top'
]
+permission = system_permission + [
+ u'ipapermissionv2',
+]
+
privilege = [
u'nestedgroup',
u'groupofnames',
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 81e8e4ed2..8dbdec6ba 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -1361,6 +1361,7 @@ class test_dns(Declarative):
result={
'dn': dnszone1_permission_dn,
'cn': [dnszone1_permission],
+ 'objectclass': objectclasses.system_permission,
'ipapermissiontype': [u'SYSTEM'],
},
),
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index a3913a858..3931c0a85 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -24,7 +24,7 @@ Test the `ipalib/plugins/permission.py` module.
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
-from xmlrpc_test import Declarative, fuzzy_digits, fuzzy_uuid
+from xmlrpc_test import Declarative
from ipapython.dn import DN
permission1 = u'testperm'
@@ -57,18 +57,22 @@ permission3_attributelevelrights = {
'objectclass': u'rscwo',
'memberof': u'rscwo',
'aci': u'rscwo',
- 'subtree': u'rscwo',
+ 'ipapermlocation': u'rscwo',
'o': u'rscwo',
- 'filter': u'rscwo',
- 'attrs': u'rscwo',
+ 'ipapermallowedattr': u'rscwo',
+ 'ipapermdefaultattr': u'rscwo',
+ 'ipapermexcludedattr': u'rscwo',
'owner': u'rscwo',
- 'group': u'rscwo',
'ou': u'rscwo',
- 'targetgroup': u'rscwo',
- 'type': u'rscwo',
- 'permissions': u'rscwo',
+ 'ipapermright': u'rscwo',
'nsaccountlock': u'rscwo',
'description': u'rscwo',
+ 'ipapermtargetfilter': u'rscwo',
+ 'ipapermbindruletype': u'rscwo',
+ 'ipapermlocation': u'rscwo',
+ 'ipapermtarget': u'rscwo',
+ 'type': u'rscwo',
+ 'targetgroup': u'rscwo',
}
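Review bot: `'ipapermlocation': u'rscwo'` is listed twice in `permission3_attributelevelrights` (the added line after `'aci'` and again near the end of the hunk); in a dict literal the second entry silently overwrites the first, so one of the two should be dropped. The same duplicate key appears in the hunk at `@@ -677,10 +963,17 @@`, where `'ipapermlocation': [users_dn]` is emitted both at the top and at the bottom of the expected result for the `--subtree` search. The dict itself opens before this hunk, so the full key set is not visible here; a quick scan of the whole literal for other repeats would be worthwhile.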
privilege1 = u'testpriv1'
@@ -78,19 +82,18 @@ privilege1_dn = DN(('cn',privilege1),
invalid_permission1 = u'bad;perm'
-class test_permission(Declarative):
+users_dn = DN(api.env.container_user, api.env.basedn)
+groups_dn = DN(api.env.container_group, api.env.basedn)
+
+
+class test_permission_negative(Declarative):
+ """Make sure invalid operations fail"""
cleanup_commands = [
('permission_del', [permission1], {'force': True}),
- ('permission_del', [permission2], {'force': True}),
- ('permission_del', [permission3], {'force': True}),
- ('permission_del', [permission1_renamed], {'force': True}),
- ('permission_del', [permission1_renamed_ucase], {'force': True}),
- ('privilege_del', [privilege1], {}),
]
tests = [
-
dict(
desc='Try to retrieve non-existent %r' % permission1,
command=('permission_show', [permission1], {}),
@@ -101,7 +104,7 @@ class test_permission(Declarative):
dict(
desc='Try to update non-existent %r' % permission1,
- command=('permission_mod', [permission1], dict(permissions=u'all')),
+ command=('permission_mod', [permission1], dict(ipapermright=u'all')),
expected=errors.NotFound(
reason=u'%s: permission not found' % permission1),
),
@@ -114,7 +117,6 @@ class test_permission(Declarative):
reason=u'%s: permission not found' % permission1),
),
-
dict(
desc='Search for non-existent %r' % permission1,
command=('permission_find', [permission1], {}),
@@ -126,13 +128,47 @@ class test_permission(Declarative):
),
),
+ dict(
+ desc='Try creating %r with no ipapermright' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ type=u'user',
+ ipapermallowedattr=[u'sn'],
+ )
+ ),
+ expected=errors.RequirementError(name='ipapermright'),
+ ),
dict(
- desc='Create %r' % permission1,
+ desc='Try creating %r with no target option' % permission1,
command=(
'permission_add', [permission1], dict(
+ ipapermright=u'write',
+ )
+ ),
+ expected=errors.ValidationError(
+ name='target',
+ error='there must be at least one target entry specifier '
+ '(e.g. target, targetfilter, attrs)'),
+ ),
+
+ dict(
+ desc='Try to create invalid %r' % invalid_permission1,
+ command=('permission_add', [invalid_permission1], dict(
type=u'user',
- permissions=u'write',
+ ipapermright=u'write',
+ )),
+ expected=errors.ValidationError(name='name',
+ error='May only contain letters, numbers, -, _, ., and space'),
+ ),
+
+ dict(
+ desc='Create %r so we can try breaking it' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ type=u'user',
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
)
),
expected=dict(
@@ -142,8 +178,104 @@ class test_permission(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Try remove ipapermright from %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermright=None,
+ )
+ ),
+ expected=errors.RequirementError(name='ipapermright'),
+ ),
+
+ dict(
+ desc='Try to remove type from %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermallowedattr=None,
+ type=None,
+ )
+ ),
+ expected=errors.ValidationError(
+ name='target',
+ error='there must be at least one target entry specifier '
+ '(e.g. target, targetfilter, attrs)'),
+ ),
+
+ dict(
+ desc='Try to remove target and memberof from %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermallowedattr=None,
+ ipapermtarget=None,
+ )
+ ),
+ expected=errors.ValidationError(
+ name='target',
+ error='there must be at least one target entry specifier '
+ '(e.g. target, targetfilter, attrs)'),
+ ),
+
+ dict(
+ desc='Try to rename %r to invalid invalid %r' % (
+ permission1, invalid_permission1),
+ command=('permission_mod', [permission1], dict(
+ rename=invalid_permission1,
+ )),
+ expected=errors.ValidationError(name='rename',
+ error='May only contain letters, numbers, -, _, ., and space'),
+ ),
+
+ ]
+
+
+class test_permission(Declarative):
+ """Misc. tests for the permission plugin"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ('permission_del', [permission2], {'force': True}),
+ ('permission_del', [permission3], {'force': True}),
+ ('permission_del', [permission1_renamed], {'force': True}),
+ ('permission_del', [permission1_renamed_ucase], {'force': True}),
+ ('privilege_del', [privilege1], {}),
+ ]
+
+ tests = [
+
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
type=u'user',
- permissions=[u'write'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
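Review bot: Two of the new negative-test descriptions do not match the command they label. `desc='Try to remove target and memberof from %r'` sits above a `permission_mod` that unsets `ipapermallowedattr` and `ipapermtarget`, not `memberof`; it should read `desc='Try to remove target and allowed attrs from %r' % permission1,`. A few lines down, `'Try to rename %r to invalid invalid %r'` has a doubled word and should be `desc='Try to rename %r to invalid %r' % (`. Accurate descriptions matter here because they are the only thing the test runner prints when one of these authorization checks regresses.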
@@ -154,10 +286,12 @@ class test_permission(Declarative):
command=(
'permission_add', [permission1], dict(
type=u'user',
- permissions=u'write',
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
),
),
- expected=errors.DuplicateEntry(),
+ expected=errors.DuplicateEntry(
+ message='permission with name "%s" already exists' % permission1),
),
@@ -211,9 +345,15 @@ class test_permission(Declarative):
result={
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@@ -221,17 +361,28 @@ class test_permission(Declarative):
dict(
desc='Retrieve %r with --raw' % permission1,
- command=('permission_show', [permission1], {'raw' : True}),
+ command=('permission_show', [permission1], {'raw': True}),
expected=dict(
value=permission1,
summary=None,
result={
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
- (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
- DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn))
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermright': [u'write'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
+ 'aci': ['(targetattr = "sn")'
+ '(target = "ldap:///%(tdn)s")'
+ '(version 3.0;acl "permission:%(name)s";'
+ 'allow (write) groupdn = "ldap:///%(pdn)s";)' %
+ {'tdn': DN(('uid', '*'), users_dn),
+ 'name': permission1,
+ 'pdn': permission1_dn}],
},
),
),
@@ -248,9 +399,15 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -268,9 +425,15 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -278,7 +441,7 @@ class test_permission(Declarative):
dict(
- desc='Search for non-existence permission using --name',
+ desc='Search for non-existent permission using --name',
command=('permission_find', [], {'cn': u'notfound'}),
expected=dict(
count=0,
@@ -300,9 +463,15 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -311,7 +480,7 @@ class test_permission(Declarative):
dict(
desc='Search for %r with --raw' % permission1,
- command=('permission_find', [permission1], {'raw' : True}),
+ command=('permission_find', [permission1], {'raw': True}),
expected=dict(
count=1,
truncated=False,
@@ -320,10 +489,21 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member': [privilege1_dn],
- 'aci': u'(target = "ldap:///%s")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///%s";)' % \
- (DN(('uid', '*'), ('cn', 'users'), ('cn', 'accounts'), api.env.basedn),
- DN(('cn', 'testperm'), ('cn', 'permissions'), ('cn', 'pbac'), api.env.basedn)),
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermright': [u'write'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
+ 'aci': ['(targetattr = "sn")'
+ '(target = "ldap:///%(tdn)s")'
+ '(version 3.0;acl "permission:%(name)s";'
+ 'allow (write) groupdn = "ldap:///%(pdn)s";)' %
+ {'tdn': DN(('uid', '*'), users_dn),
+ 'name': permission1,
+ 'pdn': permission1_dn}],
},
],
),
@@ -335,9 +515,10 @@ class test_permission(Declarative):
command=(
'permission_add', [permission2], dict(
type=u'user',
- permissions=u'write',
+ ipapermright=u'write',
setattr=u'owner=cn=test',
addattr=u'owner=cn=test2',
+ ipapermallowedattr=[u'cn'],
)
),
expected=dict(
@@ -347,9 +528,14 @@ class test_permission(Declarative):
dn=permission2_dn,
cn=[permission2],
objectclass=objectclasses.permission,
- type=u'user',
- permissions=[u'write'],
+ type=[u'user'],
+ ipapermright=[u'write'],
owner=[u'cn=test', u'cn=test2'],
+ ipapermallowedattr=[u'cn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@@ -366,15 +552,27 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
{
'dn': permission2_dn,
'cn': [permission2],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'objectclass': objectclasses.permission,
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'cn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -405,7 +603,7 @@ class test_permission(Declarative):
dict(
desc='Search by ACI attribute with --pkey-only',
command=('permission_find', [], {'pkey_only': True,
- 'attrs': [u'krbminpwdlife']}),
+ 'ipapermallowedattr': [u'krbminpwdlife']}),
expected=dict(
count=1,
truncated=False,
@@ -451,9 +649,15 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -471,15 +675,27 @@ class test_permission(Declarative):
{
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
},
{
'dn': permission2_dn,
'cn': [permission2],
- 'type': u'user',
- 'permissions': [u'write'],
+ 'objectclass': objectclasses.permission,
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'cn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
],
),
@@ -492,7 +708,7 @@ class test_permission(Declarative):
# to change.
dict(
desc='Search for permissions by attr with a limit of 1 (truncated)',
- command=('permission_find', [], dict(attrs=u'ipaenabledflag',
+ command=('permission_find', [], dict(ipapermallowedattr=u'ipaenabledflag',
sizelimit=1)),
expected=dict(
count=1,
@@ -503,11 +719,14 @@ class test_permission(Declarative):
'dn': DN(('cn', 'Modify HBAC rule'),
api.env.container_permission, api.env.basedn),
'cn': [u'Modify HBAC rule'],
+ 'objectclass': objectclasses.permission,
'member_privilege': [u'HBAC Administrator'],
'memberindirect_role': [u'IT Security Specialist'],
- 'permissions' : [u'write'],
- 'attrs': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
- 'subtree' : u'ldap:///%s' % DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn),
+ 'ipapermright' : [u'write'],
+ 'ipapermallowedattr': [u'servicecategory', u'sourcehostcategory', u'cn', u'description', u'ipaenabledflag', u'accesstime', u'usercategory', u'hostcategory', u'accessruletype', u'sourcehost'],
+ 'ipapermtarget': [DN(('ipauniqueid', '*'), ('cn', 'hbac'), api.env.basedn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermlocation': [api.env.basedn],
},
],
),
@@ -518,7 +737,7 @@ class test_permission(Declarative):
desc='Update %r' % permission1,
command=(
'permission_mod', [permission1], dict(
- permissions=u'read',
+ ipapermright=u'read',
memberof=u'ipausers',
setattr=u'owner=cn=other-test',
addattr=u'owner=cn=other-test2',
@@ -530,11 +749,19 @@ class test_permission(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
+ objectclass=objectclasses.permission,
member_privilege=[privilege1],
- type=u'user',
- permissions=[u'read'],
- memberof=u'ipausers',
+ type=[u'user'],
+ ipapermright=[u'read'],
+ memberof=[u'ipausers'],
owner=[u'cn=other-test', u'cn=other-test2'],
+ ipapermallowedattr=[u'sn'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@@ -549,10 +776,18 @@ class test_permission(Declarative):
result={
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'read'],
- 'memberof': u'ipausers',
+ 'type': [u'user'],
+ 'ipapermright': [u'read'],
+ 'memberof': [u'ipausers'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@@ -564,7 +799,7 @@ class test_permission(Declarative):
permission2),
command=(
'permission_mod', [permission1], dict(rename=permission2,
- permissions=u'all',)
+ ipapermright=u'all',)
),
expected=errors.DuplicateEntry(),
),
@@ -574,7 +809,7 @@ class test_permission(Declarative):
desc='Try to rename %r to empty name' % (permission1),
command=(
'permission_mod', [permission1], dict(rename=u'',
- permissions=u'all',)
+ ipapermright=u'all',)
),
expected=errors.ValidationError(name='rename',
error=u'New name can not be empty'),
@@ -590,10 +825,18 @@ class test_permission(Declarative):
result={
'dn': permission1_dn,
'cn': [permission1],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'read'],
- 'memberof': u'ipausers',
+ 'type': [u'user'],
+ 'ipapermright': [u'read'],
+ 'memberof': [u'ipausers'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@@ -604,7 +847,7 @@ class test_permission(Declarative):
permission1_renamed),
command=(
'permission_mod', [permission1], dict(rename=permission1_renamed,
- permissions= u'all',)
+ ipapermright= u'all',)
),
expected=dict(
value=permission1,
@@ -612,10 +855,18 @@ class test_permission(Declarative):
result={
'dn': permission1_renamed_dn,
'cn': [permission1_renamed],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'all'],
- 'memberof': u'ipausers',
+ 'type': [u'user'],
+ 'ipapermright': [u'all'],
+ 'memberof': [u'ipausers'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@@ -626,7 +877,7 @@ class test_permission(Declarative):
permission1_renamed_ucase),
command=(
'permission_mod', [permission1_renamed], dict(rename=permission1_renamed_ucase,
- permissions= u'write',)
+ ipapermright= u'write',)
),
expected=dict(
value=permission1_renamed,
@@ -634,10 +885,18 @@ class test_permission(Declarative):
result={
'dn': permission1_renamed_ucase_dn,
'cn': [permission1_renamed_ucase],
+ 'objectclass': objectclasses.permission,
'member_privilege': [privilege1],
- 'type': u'user',
- 'permissions': [u'write'],
- 'memberof': u'ipausers',
+ 'type': [u'user'],
+ 'ipapermright': [u'write'],
+ 'memberof': [u'ipausers'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermtargetfilter': [u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
},
),
),
@@ -647,8 +906,7 @@ class test_permission(Declarative):
desc='Change %r to a subtree type' % permission1_renamed_ucase,
command=(
'permission_mod', [permission1_renamed_ucase],
- dict(subtree=u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn),
- type=None)
+ dict(ipapermlocation=users_dn, type=None)
),
expected=dict(
value=permission1_renamed_ucase,
@@ -656,19 +914,47 @@ class test_permission(Declarative):
result=dict(
dn=permission1_renamed_ucase_dn,
cn=[permission1_renamed_ucase],
+ objectclass=objectclasses.permission,
member_privilege=[privilege1],
- subtree=u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn),
- permissions=[u'write'],
- memberof=u'ipausers',
+ ipapermlocation=[users_dn],
+ ipapermright=[u'write'],
+ memberof=[u'ipausers'],
+ ipapermallowedattr=[u'sn'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN('cn=ipausers',
+ groups_dn)],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
),
),
),
+ dict(
+ desc='Reset --subtree of %r' % permission2,
+ command=(
+ 'permission_mod', [permission2],
+ dict(ipapermlocation=api.env.basedn)
+ ),
+ expected=dict(
+ value=permission2,
+ summary=u'Modified permission "%s"' % permission2,
+ result={
+ 'dn': permission2_dn,
+ 'cn': [permission2],
+ 'objectclass': objectclasses.permission,
+ 'ipapermright': [u'write'],
+ 'ipapermallowedattr': [u'cn'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermtarget': [DN(('uid', '*'), users_dn)],
+ 'ipapermlocation': [api.env.basedn],
+ },
+ ),
+ ),
dict(
desc='Search for %r using --subtree' % permission1,
command=('permission_find', [],
- {'subtree': u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn)}),
+ {'ipapermlocation': u'ldap:///%s' % users_dn}),
expected=dict(
count=1,
truncated=False,
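Review bot: The `--subtree` search passes `{'ipapermlocation': u'ldap:///%s' % users_dn}` while the `Reset --subtree` case a few lines above passes the bare DN `ipapermlocation=api.env.basedn`; the two forms are used for the same parameter without explanation. If the plugin deliberately accepts the `ldap:///` prefix for compatibility, that is worth stating in the desc (e.g. `desc='Search for %r using --subtree with ldap:/// prefix'`), otherwise use `{'ipapermlocation': users_dn}` so the test does not depend on prefix stripping. The expected result of this search continues in the next hunk.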
@@ -677,10 +963,17 @@ class test_permission(Declarative):
{
'dn':permission1_renamed_ucase_dn,
'cn':[permission1_renamed_ucase],
+ 'objectclass': objectclasses.permission,
'member_privilege':[privilege1],
- 'subtree':u'ldap:///%s' % DN(('cn', '*'), ('cn', 'test'), ('cn', 'accounts'), api.env.basedn),
- 'permissions':[u'write'],
- 'memberof':u'ipausers',
+ 'ipapermlocation': [users_dn],
+ 'ipapermright':[u'write'],
+ 'memberof':[u'ipausers'],
+ 'ipapermallowedattr': [u'sn'],
+ 'ipapermtargetfilter': [u'(memberOf=%s)' % DN(
+ 'cn=ipausers', groups_dn)],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermissiontype': [u'SYSTEM', u'V2'],
+ 'ipapermlocation': [users_dn],
},
],
),
@@ -689,13 +982,9 @@ class test_permission(Declarative):
dict(
desc='Search using nonexistent --subtree',
- command=('permission_find', [], {'subtree': u'foo'}),
- expected=dict(
- count=0,
- truncated=False,
- summary=u'0 permissions matched',
- result=[],
- ),
+ command=('permission_find', [], {'ipapermlocation': u'foo'}),
+ expected=errors.ConversionError(
+ name='subtree', error='malformed RDN string = "foo"'),
),
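Review bot: The desc `'Search using nonexistent --subtree'` no longer describes the case: the old version expected an empty result set, while the new version expects a `ConversionError` because `u'foo'` is not a parseable DN, so `desc='Search using malformed --subtree'` would be accurate. The error is expected with `name='subtree'` although the option passed is `ipapermlocation`; presumably `subtree` is the option's cli_name, but if the server reports the attribute name instead this expectation will fail, so it is worth confirming against the plugin. A separate "valid DN with no matching permissions" case would restore the coverage the old empty-result assertion provided.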
@@ -711,11 +1000,17 @@ class test_permission(Declarative):
'dn': DN(('cn','Add user to default group'),
api.env.container_permission, api.env.basedn),
'cn': [u'Add user to default group'],
+ 'objectclass': objectclasses.permission,
'member_privilege': [u'User Administrators'],
- 'attrs': [u'member'],
- 'targetgroup': u'ipausers',
+ 'ipapermallowedattr': [u'member'],
+ 'targetgroup': [u'ipausers'],
'memberindirect_role': [u'User Administrator'],
- 'permissions': [u'write']
+ 'ipapermright': [u'write'],
+ 'ipapermbindruletype': [u'permission'],
+ 'ipapermtarget': [DN(
+ 'cn=ipausers', api.env.container_group,
+ api.env.basedn)],
+ 'ipapermlocation': [api.env.basedn],
}
],
),
@@ -795,7 +1090,8 @@ class test_permission(Declarative):
command=(
'permission_add', [permission1], dict(
memberof=u'nonexisting',
- permissions=u'write',
+ ipapermright=u'write',
+ ipapermallowedattr=[u'cn'],
)
),
expected=errors.NotFound(reason=u'nonexisting: group not found'),
@@ -806,8 +1102,9 @@ class test_permission(Declarative):
command=(
'permission_add', [permission1], dict(
memberof=u'editors',
- permissions=u'write',
+ ipapermright=u'write',
type=u'user',
+ ipapermallowedattr=[u'sn'],
)
),
expected=dict(
@@ -817,9 +1114,16 @@ class test_permission(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
- memberof=u'editors',
- permissions=[u'write'],
- type=u'user',
+ memberof=[u'editors'],
+ ipapermright=[u'write'],
+ type=[u'user'],
+ ipapermallowedattr=[u'sn'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'editors'),
+ groups_dn)],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@@ -844,9 +1148,17 @@ class test_permission(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
- memberof=u'admins',
- permissions=[u'write'],
- type=u'user',
+ objectclass=objectclasses.permission,
+ memberof=[u'admins'],
+ ipapermright=[u'write'],
+ type=[u'user'],
+ ipapermallowedattr=[u'sn'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@@ -864,8 +1176,14 @@ class test_permission(Declarative):
result=dict(
dn=permission1_dn,
cn=[permission1],
- permissions=[u'write'],
- type=u'user',
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ type=[u'user'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
),
),
),
@@ -887,7 +1205,8 @@ class test_permission(Declarative):
command=(
'permission_add', [permission1], dict(
targetgroup=u'editors',
- permissions=u'write',
+ ipapermright=u'write',
+ ipapermallowedattr=[u'sn'],
)
),
expected=dict(
@@ -897,29 +1216,24 @@ class test_permission(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
- targetgroup=u'editors',
- permissions=[u'write'],
+ targetgroup=[u'editors'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermtarget=[DN(('cn', 'editors'), groups_dn)],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
),
),
),
dict(
- desc='Try to create invalid %r' % invalid_permission1,
- command=('permission_add', [invalid_permission1], dict(
- type=u'user',
- permissions=u'write',
- )),
- expected=errors.ValidationError(name='name',
- error='May only contain letters, numbers, -, _, and space'),
- ),
-
- dict(
desc='Create %r' % permission3,
command=(
'permission_add', [permission3], dict(
type=u'user',
- permissions=u'write',
- attrs=[u'cn']
+ ipapermright=u'write',
+ ipapermallowedattr=[u'cn']
)
),
expected=dict(
@@ -929,9 +1243,13 @@ class test_permission(Declarative):
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
- type=u'user',
- permissions=[u'write'],
- attrs=(u'cn',),
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=(u'cn',),
+ ipapermbindruletype=[u'permission'],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
),
),
),
@@ -946,17 +1264,23 @@ class test_permission(Declarative):
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
- type=u'user',
- attrs=(u'cn',),
- permissions=[u'write'],
- attributelevelrights=permission3_attributelevelrights
+ type=[u'user'],
+ ipapermallowedattr=(u'cn',),
+ ipapermright=[u'write'],
+ attributelevelrights=permission3_attributelevelrights,
+ ipapermbindruletype=[u'permission'],
+ ipapermtarget=[DN(('uid', '*'),users_dn)],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
),
),
),
dict(
- desc='Modify %r with --all -rights' % permission3,
- command=('permission_mod', [permission3], {'all' : True, 'rights': True, 'attrs':[u'cn',u'uid']}),
+ desc='Modify %r with --all --rights' % permission3,
+ command=('permission_mod', [permission3], {
+ 'all': True, 'rights': True,
+ 'ipapermallowedattr': [u'cn', u'uid']}),
expected=dict(
value=permission3,
summary=u'Modified permission "%s"' % permission3,
@@ -964,11 +1288,441 @@ class test_permission(Declarative):
dn=permission3_dn,
cn=[permission3],
objectclass=objectclasses.permission,
- type=u'user',
- attrs=(u'cn',u'uid'),
- permissions=[u'write'],
+ type=[u'user'],
+ ipapermallowedattr=(u'cn',u'uid'),
+ ipapermright=[u'write'],
attributelevelrights=permission3_attributelevelrights,
+ ipapermbindruletype=[u'permission'],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Try to modify %r with invalid targetfilter' % permission1,
+ command=('permission_mod', [permission1],
+ {'ipapermtargetfilter': u"ceci n'est pas un filtre"}),
+ expected=errors.ValidationError(
+ name='ipapermtargetfilter',
+ error='Bad search filter'),
+ ),
+ ]
+
+
+class test_permission_sync_attributes(Declarative):
+ """Test the effects of setting permission attributes"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ ipapermlocation=users_dn,
+ ipapermright=u'write',
+ ipapermallowedattr=u'sn',
+ ipapermtargetfilter=u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn),
+ ipapermtarget=DN(('uid', '*'), users_dn),
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset location on %r, verify type is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermlocation=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Reset location on %r' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermlocation=users_dn,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset target on %r, verify type is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtarget=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
),
),
),
+
+ dict(
+ desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtargetfilter=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set type of %r to group' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=u'group',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'group'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[groups_dn],
+ ipapermtarget=[DN(('cn', '*'), groups_dn)],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set target on %r, verify targetgroup is set' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ ipapermtarget=DN('cn=editors', groups_dn),
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN('cn=editors', groups_dn)],
+ ipapermlocation=[groups_dn],
+ targetgroup=[u'editors'],
+ ),
+ ),
+ ),
+ ]
+
+
+class test_permission_sync_nice(Declarative):
+ """Test the effects of setting convenience options on permissions"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = [
+ dict(
+ desc='Create %r' % permission1,
+ command=(
+ 'permission_add', [permission1], dict(
+ type=u'user',
+ ipapermright=u'write',
+ ipapermallowedattr=u'sn',
+ memberof=u'admins',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN(('uid', '*'), users_dn)],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset type on %r, verify target & location are gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtargetfilter=[u'(memberOf=%s)' % DN(('cn', 'admins'),
+ groups_dn)],
+ memberof=[u'admins'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ memberof=None,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[api.env.basedn],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set type of %r to group' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ type=u'group',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ type=[u'group'],
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[groups_dn],
+ ipapermtarget=[DN(('cn', '*'), groups_dn)],
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Set targetgroup on %r, verify target is set' % permission1,
+ command=(
+ 'permission_mod', [permission1], dict(
+ targetgroup=u'editors',
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Modified permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.permission,
+ ipapermright=[u'write'],
+ ipapermallowedattr=[u'sn'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermtarget=[DN('cn=editors', groups_dn)],
+ ipapermlocation=[groups_dn],
+ targetgroup=[u'editors'],
+ ),
+ ),
+ ),
+ ]
+
+
+def _make_permission_flag_tests(flags, expected_message):
+ return [
+
+ dict(
+ desc='Create %r with flags %s' % (permission1, flags),
+ command=(
+ 'permission_add_noaci', [permission1], dict(
+ ipapermissiontype=flags,
+ )
+ ),
+ expected=dict(
+ value=permission1,
+ summary=u'Added permission "%s"' % permission1,
+ result=dict(
+ dn=permission1_dn,
+ cn=[permission1],
+ objectclass=objectclasses.system_permission,
+ ipapermissiontype=flags,
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Try to modify %r' % permission1,
+ command=('permission_mod', [permission1], {'type': u'user'}),
+ expected=errors.ACIError(info=expected_message),
+ ),
+
+ dict(
+ desc='Try to delete %r' % permission1,
+ command=('permission_del', [permission1], {}),
+ expected=errors.ACIError(info=expected_message),
+ ),
+
+ dict(
+ desc='Delete %r with --force' % permission1,
+ command=('permission_del', [permission1], {'force': True}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=permission1,
+ summary=u'Deleted permission "%s"' % permission1,
+ ),
+ ),
+ ]
+
+
+class test_permission_flags(Declarative):
+ """Test that permission flags are handled correctly"""
+ cleanup_commands = [
+ ('permission_del', [permission1], {'force': True}),
+ ]
+
+ tests = (
+ _make_permission_flag_tests(
+ [u'SYSTEM'],
+ 'A SYSTEM permission may not be modified or removed') +
+ _make_permission_flag_tests(
+ [u'??'],
+ 'Permission with unknown flag ?? may not be modified or removed') +
+ _make_permission_flag_tests(
+ [u'SYSTEM', u'??'],
+ 'Permission with unknown flag ?? may not be modified or removed'))
+
+
+class test_permission_legacy(Declarative):
+ """Tests for non-upgraded permissions"""
+
+ tests = [
+ dict(
+ desc='Search for all permissions in $SUFFIX',
+ command=('permission_find', [],
+ {'ipapermlocation': api.env.basedn}),
+ expected=dict(
+ count=lambda n: n > 50,
+ truncated=False,
+ summary=lambda s: True,
+ result=lambda s: True,
+ ),
+ ),
]
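Review bot: `_make_permission_flag_tests` has no docstring although it is where the guard against altering SYSTEM or unknown-flag permissions is exercised; add `"""Build tests checking that a permission carrying *flags* can be created with permission_add_noaci, that permission_mod and permission_del are refused with an ACIError whose info is *expected_message*, and that only permission_del --force removes it."""`. In `test_permission_legacy` the only effective assertion is `count=lambda n: n > 50`, because `summary=lambda s: True` and `result=lambda s: True` accept any value; a comment such as `# loose lower bound on the default permissions shipped with the server; result content is deliberately not inspected` would record why that threshold was chosen and what the test does and does not cover. The negative test for a permission name with invalid characters that this commit removes near the top of the file (`'May only contain letters, numbers, -, _, and space'`) has no replacement among the added classes; if name validation is still part of the rewritten plugin, that case is worth carrying over into the new expected format.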
diff --git a/ipatests/test_xmlrpc/test_privilege_plugin.py b/ipatests/test_xmlrpc/test_privilege_plugin.py
index 741590dd0..b76c87c71 100644
--- a/ipatests/test_xmlrpc/test_privilege_plugin.py
+++ b/ipatests/test_xmlrpc/test_privilege_plugin.py
@@ -38,6 +38,8 @@ privilege1 = u'testpriv1'
privilege1_dn = DN(('cn',privilege1),
api.env.container_privilege,api.env.basedn)
+users_dn = DN(api.env.container_user, api.env.basedn)
+
class test_privilege(Declarative):
@@ -89,8 +91,8 @@ class test_privilege(Declarative):
desc='Create %r' % permission1,
command=(
'permission_add', [permission1], dict(
- type=u'user',
- permissions=[u'add', u'delete'],
+ type=u'user',
+ ipapermright=[u'add', u'delete'],
)
),
expected=dict(
@@ -100,8 +102,12 @@ class test_privilege(Declarative):
dn=permission1_dn,
cn=[permission1],
objectclass=objectclasses.permission,
- type=u'user',
- permissions=[u'add', u'delete'],
+ type=[u'user'],
+ ipapermright=[u'add', u'delete'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN('uid=*', users_dn)],
),
),
),
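Review bot: The expected target here is spelled `DN('uid=*', users_dn)` while the permission plugin tests in the same commit write the same value as `DN(('uid', '*'), users_dn)`; the last hunk of this file (`ipapermtarget=[DN('uid=*', users_dn)],`) has the same difference. Both forms presumably produce an equal DN, but using the tuple form `ipapermtarget=[DN(('uid', '*'), users_dn)],` in both places keeps the fixtures consistent and greppable across files and avoids depending on RDN string parsing in test data. The enclosing `tests` list starts outside this hunk.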
@@ -206,8 +212,8 @@ class test_privilege(Declarative):
desc='Create %r' % permission2,
command=(
'permission_add', [permission2], dict(
- type=u'user',
- permissions=u'write',
+ type=u'user',
+ ipapermright=u'write',
)
),
expected=dict(
@@ -217,8 +223,12 @@ class test_privilege(Declarative):
dn=permission2_dn,
cn=[permission2],
objectclass=objectclasses.permission,
- type=u'user',
- permissions=[u'write'],
+ type=[u'user'],
+ ipapermright=[u'write'],
+ ipapermbindruletype=[u'permission'],
+ ipapermissiontype=[u'SYSTEM', u'V2'],
+ ipapermlocation=[users_dn],
+ ipapermtarget=[DN('uid=*', users_dn)],
),
),
),