summaryrefslogtreecommitdiffstats
path: root/ipatests/test_xmlrpc
diff options
context:
space:
mode:
authorPetr Viktorin <pviktori@redhat.com>2013-11-29 12:57:30 +0100
committerMartin Kosek <mkosek@redhat.com>2013-12-13 15:08:52 +0100
commitf47669a5b969a512756a39f451f04ed9c95ce3ab (patch)
treeecdaf467d67ecfd1c3dbd1d7c423e8243235db95 /ipatests/test_xmlrpc
parentd7ee87cfa1e288fe18dc2dbeb2d691753048f4db (diff)
downloadfreeipa-f47669a5b969a512756a39f451f04ed9c95ce3ab.tar.gz
freeipa-f47669a5b969a512756a39f451f04ed9c95ce3ab.tar.xz
freeipa-f47669a5b969a512756a39f451f04ed9c95ce3ab.zip
Verify ACIs are added correctly in tests
To double-check the ACIs are correct, this uses different code than the new permission plugin: the aci_show command. A new option, location, is added to the command to support these checks.
Diffstat (limited to 'ipatests/test_xmlrpc')
-rw-r--r--ipatests/test_xmlrpc/test_permission_plugin.py259
1 files changed, 258 insertions, 1 deletions
diff --git a/ipatests/test_xmlrpc/test_permission_plugin.py b/ipatests/test_xmlrpc/test_permission_plugin.py
index 3931c0a85..82436b3bb 100644
--- a/ipatests/test_xmlrpc/test_permission_plugin.py
+++ b/ipatests/test_xmlrpc/test_permission_plugin.py
@@ -22,10 +22,13 @@
Test the `ipalib/plugins/permission.py` module.
"""
+import os
+
from ipalib import api, errors
from ipatests.test_xmlrpc import objectclasses
from xmlrpc_test import Declarative
from ipapython.dn import DN
+import inspect
permission1 = u'testperm'
permission1_dn = DN(('cn',permission1),
@@ -86,6 +89,44 @@ users_dn = DN(api.env.container_user, api.env.basedn)
groups_dn = DN(api.env.container_group, api.env.basedn)
+def verify_permission_aci(name, dn, acistring):
+ """Return test dict that verifies the ACI at the given location"""
+ return dict(
+ desc="Verify ACI of %s #(%s)" % (name, lineinfo(2)),
+ command=('aci_show', [name], dict(
+ aciprefix=u'permission', location=dn, raw=True)),
+ expected=dict(
+ result=dict(aci=acistring),
+ summary=None,
+ value=name,
+ ),
+ )
+
+
+def verify_permission_aci_missing(name, dn):
+ """Return test dict that checks the ACI at the given location is missing"""
+ return dict(
+ desc="Verify ACI of %s is missing #(%s)" % (name, lineinfo(2)),
+ command=('aci_show', [name], dict(
+ aciprefix=u'permission', location=dn, raw=True)),
+ expected=errors.NotFound(
+ reason='ACI with name "%s" not found' % name),
+ )
+
+
+def lineinfo(level):
+ """Return "filename:lineno" for `level`-th caller"""
+ # Declarative tests hide tracebacks.
+ # Including this info in the test name makes it possible
+ # to locate failing tests.
+ frame = inspect.currentframe()
+ for i in range(level):
+ frame = frame.f_back
+ lineno = frame.f_lineno
+ filename = os.path.basename(frame.f_code.co_filename)
+ return '%s:%s' % (filename, lineno)
+
+
class test_permission_negative(Declarative):
"""Make sure invalid operations fail"""
@@ -101,7 +142,6 @@ class test_permission_negative(Declarative):
reason=u'%s: permission not found' % permission1),
),
-
dict(
desc='Try to update non-existent %r' % permission1,
command=('permission_mod', [permission1], dict(ipapermright=u'all')),
@@ -152,6 +192,8 @@ class test_permission_negative(Declarative):
'(e.g. target, targetfilter, attrs)'),
),
+ verify_permission_aci_missing(permission1, api.env.basedn),
+
dict(
desc='Try to create invalid %r' % invalid_permission1,
command=('permission_add', [invalid_permission1], dict(
@@ -162,6 +204,8 @@ class test_permission_negative(Declarative):
error='May only contain letters, numbers, -, _, ., and space'),
),
+ verify_permission_aci_missing(permission1, users_dn),
+
dict(
desc='Create %r so we can try breaking it' % permission1,
command=(
@@ -280,6 +324,13 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
dict(
desc='Try to create duplicate %r' % permission1,
@@ -540,6 +591,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission2, users_dn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission2 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
+ ),
+
dict(
desc='Search for %r' % permission1,
@@ -766,6 +825,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (read) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Retrieve %r to verify update' % permission1,
@@ -871,6 +939,17 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci_missing(permission1, users_dn),
+
+ verify_permission_aci(
+ permission1_renamed, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed +
+ 'allow (all) groupdn = "ldap:///%s";)' % permission1_renamed_dn,
+ ),
+
dict(
desc='Rename %r to permission %r' % (permission1_renamed,
@@ -901,6 +980,17 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci_missing(permission1_renamed, users_dn),
+
+ verify_permission_aci(
+ permission1_renamed_ucase, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
dict(
desc='Change %r to a subtree type' % permission1_renamed_ucase,
@@ -928,6 +1018,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1_renamed_ucase, users_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=ipausers', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1_renamed_ucase +
+ 'allow (write) groupdn = "ldap:///%s";)' %
+ permission1_renamed_ucase_dn,
+ ),
+
dict(
desc='Reset --subtree of %r' % permission2,
command=(
@@ -951,6 +1050,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission2, api.env.basedn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission2 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission2_dn,
+ ),
+
dict(
desc='Search for %r using --subtree' % permission1,
command=('permission_find', [],
@@ -1027,6 +1134,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission1_renamed_ucase, users_dn),
dict(
desc='Try to delete non-existent %r' % permission1,
@@ -1062,6 +1170,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission2, users_dn),
dict(
desc='Search for %r' % permission1,
@@ -1128,6 +1237,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=editors', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Try to update non-existent memberof of %r' % permission1,
command=('permission_mod', [permission1], dict(
@@ -1163,6 +1281,15 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset memberof of permission %r' % permission1,
command=(
@@ -1188,6 +1315,13 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
dict(
desc='Delete %r' % permission1,
@@ -1199,6 +1333,7 @@ class test_permission(Declarative):
)
),
+ verify_permission_aci_missing(permission1, users_dn),
dict(
desc='Create targetgroup permission %r' % permission1,
@@ -1227,6 +1362,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN('cn=editors', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Create %r' % permission3,
command=(
@@ -1254,6 +1397,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission3, users_dn,
+ '(targetattr = "cn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission3 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
+ ),
+
dict(
desc='Retrieve %r with --all --rights' % permission3,
command=('permission_show', [permission3], {'all' : True, 'rights' : True}),
@@ -1300,6 +1451,14 @@ class test_permission(Declarative):
),
),
+ verify_permission_aci(
+ permission3, users_dn,
+ '(targetattr = "cn || uid")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(version 3.0;acl "permission:%s";' % permission3 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission3_dn,
+ ),
+
dict(
desc='Try to modify %r with invalid targetfilter' % permission1,
command=('permission_mod', [permission1],
@@ -1351,6 +1510,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset location on %r, verify type is gone' % permission1,
command=(
@@ -1378,6 +1546,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Reset location on %r' % permission1,
command=(
@@ -1406,6 +1583,15 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset target on %r, verify type is gone' % permission1,
command=(
@@ -1432,6 +1618,14 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset targetfilter on %r, verify memberof is gone' % permission1,
command=(
@@ -1455,6 +1649,13 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set type of %r to group' % permission1,
command=(
@@ -1480,6 +1681,14 @@ class test_permission_sync_attributes(Declarative):
),
),
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set target on %r, verify targetgroup is set' % permission1,
command=(
@@ -1504,6 +1713,14 @@ class test_permission_sync_attributes(Declarative):
),
),
),
+
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
]
@@ -1545,6 +1762,15 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, users_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('uid', '*'), users_dn) +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset type on %r, verify target & location are gone' % permission1,
command=(
@@ -1571,6 +1797,14 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(targetfilter = "(memberOf=%s)")' % DN('cn=admins', groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Unset memberof on %r, verify targetfilter is gone' % permission1,
command=(
@@ -1594,6 +1828,13 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, api.env.basedn,
+ '(targetattr = "sn")' +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set type of %r to group' % permission1,
command=(
@@ -1619,6 +1860,14 @@ class test_permission_sync_nice(Declarative):
),
),
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', '*'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
+
dict(
desc='Set targetgroup on %r, verify target is set' % permission1,
command=(
@@ -1643,6 +1892,14 @@ class test_permission_sync_nice(Declarative):
),
),
),
+
+ verify_permission_aci(
+ permission1, groups_dn,
+ '(targetattr = "sn")' +
+ '(target = "ldap:///%s")' % DN(('cn', 'editors'), groups_dn) +
+ '(version 3.0;acl "permission:%s";' % permission1 +
+ 'allow (write) groupdn = "ldap:///%s";)' % permission1_dn,
+ ),
]