class test_selinuxusermap(Declarative): cleanup_commands = [ ('selinuxusermap_del', [rule1], {}), ('group_del', [group1], {}), ('user_del', [user1], {}), ('host_del', [host1], {}), ('hbacrule_del', [hbacrule1], {}), ('hbacrule_del', [hbacrule2], {}), ] tests = [ dict( desc='Try to retrieve non-existent %r' % rule1, command=('selinuxusermap_show', [rule1], {}), expected=errors.NotFound( reason=u'%s: SELinux User Map rule not found' % rule1), ), dict( desc='Try to update non-existent %r' % rule1, command=('selinuxusermap_mod', [rule1], dict(description=u'Foo')), expected=errors.NotFound( reason=u'%s: SELinux User Map rule not found' % rule1), ), dict( desc='Try to delete non-existent %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=errors.NotFound( reason=u'%s: SELinux User Map rule not found' % rule1), ), dict( desc='Create rule %r' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1) ), expected=dict( value=rule1, summary=u'Added SELinux User Map "%s"' % rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], objectclass=objectclasses.selinuxusermap, ipauniqueid=[fuzzy_uuid], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ), ), dict( desc='Try to create duplicate %r' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1) ), expected=errors.DuplicateEntry(message=u'SELinux User Map rule ' + u'with name "%s" already exists' % rule1), ), dict( desc='Retrieve rule %r' % rule1, command=('selinuxusermap_show', [rule1], {}), expected=dict( value=rule1, summary=None, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ), ), dict( desc='Update rule %r' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(ipaselinuxuser=selinuxuser2) ), expected=dict( result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], ), summary=u'Modified SELinux User Map "%s"' % rule1, value=rule1, ), ), dict( desc='Retrieve %r to verify update' % rule1, command=('selinuxusermap_show', [rule1], {}), expected=dict( value=rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), summary=None, ), ), dict( desc='Search for rule %r' % rule1, command=('selinuxusermap_find', [], dict(cn=rule1)), expected=dict( count=1, truncated=False, result=[ dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ], summary=u'1 SELinux User Map matched', ), ), ############### # Create additional entries needed for testing dict( desc='Create %r' % user1, command=( 'user_add', [], dict(givenname=u'Test', sn=u'User1') ), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Create group %r' % group1, command=( 'group_add', [group1], dict(description=u'Test desc 1') ), expected=dict( value=group1, summary=u'Added group "%s"' % group1, result=dict( cn=[group1], description=[u'Test desc 1'], gidnumber=[fuzzy_digits], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Add member %r to %r' % (user1, group1), command=( 'group_add_member', [group1], dict(user=user1) ), expected=dict( completed=1, failed=dict( member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': (user1,), 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'Test desc 1'], }, ), ), dict( desc='Create host %r' % host1, command=('host_add', [host1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=host1, summary=u'Added host "%s"' % host1, result=dict( dn=hostdn1, fqdn=[host1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (host1, api.env.realm)], krbcanonicalname=[u'host/%s@%s' % (host1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[host1], has_keytab=False, has_password=False, ), ), ), dict( desc='Create HBAC rule %r' % hbacrule1, command=( 'hbacrule_add', [hbacrule1], {} ), expected=dict( value=hbacrule1, summary=u'Added HBAC rule "%s"' % hbacrule1, result=dict( cn=[hbacrule1], objectclass=objectclasses.hbacrule, ipauniqueid=[fuzzy_uuid], accessruletype=[u'allow'], ipaenabledflag=[u'TRUE'], dn=fuzzy_hbacruledn, ), ), ), dict( desc='Create HBAC rule %r' % hbacrule2, command=( 'hbacrule_add', [hbacrule2], {} ), expected=dict( value=hbacrule2, summary=u'Added HBAC rule "%s"' % hbacrule2, result=dict( cn=[hbacrule2], objectclass=objectclasses.hbacrule, ipauniqueid=[fuzzy_uuid], accessruletype=[u'allow'], ipaenabledflag=[u'TRUE'], dn=fuzzy_hbacruledn, ), ), ), ############### # Fill out rule with members and/or pointers to HBAC rules dict( desc='Add user to %r' % rule1, command=('selinuxusermap_add_user', [rule1], dict(user=user1)), expected=dict( failed=dict(memberuser=dict(group=[], user=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], memberuser_user=[user1], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Add non-existent user to %r' % rule1, command=('selinuxusermap_add_user', [rule1], dict(user=u'notfound')), expected=dict( failed=dict( memberuser=dict(group=[], user=[(u'notfound', u'no such entry')]) ), completed=0, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], memberuser_user=[user1], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Remove user from %r' % rule1, command=('selinuxusermap_remove_user', [rule1], dict(user=user1)), expected=dict( failed=dict(memberuser=dict(group=[], user=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Remove non-existent user to %r' % rule1, command=('selinuxusermap_remove_user', [rule1], dict(user=u'notfound')), expected=dict( failed=dict( memberuser=dict(group=[], user=[(u'notfound', u'This entry is not a member')] ) ), completed=0, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Add group to %r' % rule1, command=('selinuxusermap_add_user', [rule1], dict(group=group1)), expected=dict( failed=dict(memberuser=dict(group=[], user=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], memberuser_group=[group1], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Add host to %r' % rule1, command=('selinuxusermap_add_host', [rule1], dict(host=host1)), expected=dict( failed=dict(memberhost=dict(hostgroup=[], host=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], memberhost_host=[host1], memberuser_group=[group1], dn=fuzzy_selinuxusermapdn, ), ) ), ############### # Test enabling and disabling dict( desc='Disable %r' % rule1, command=('selinuxusermap_disable', [rule1], {}), expected=dict( result=True, value=rule1, summary=u'Disabled SELinux User Map "%s"' % rule1, ) ), dict( desc='Disable %r again' % rule1, command=('selinuxusermap_disable', [rule1], {}), expected=errors.AlreadyInactive(), ), dict( desc='Enable %r' % rule1, command=('selinuxusermap_enable', [rule1], {}), expected=dict( result=True, value=rule1, summary=u'Enabled SELinux User Map "%s"' % rule1, ) ), dict( desc='Re-enable %r again' % rule1, command=('selinuxusermap_enable', [rule1], {}), expected=errors.AlreadyActive(), ), # Point to an HBAC Rule dict( desc='Add an HBAC rule to %r that has other members' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Remove host from %r' % rule1, command=('selinuxusermap_remove_host', [rule1], dict(host=host1)), expected=dict( failed=dict(memberhost=dict(hostgroup=[], host=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], memberuser_group=[group1], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Remove group from %r' % rule1, command=('selinuxusermap_remove_user', [rule1], dict(group=group1)), expected=dict( failed=dict(memberuser=dict(group=[], user=[])), completed=1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ) ), dict( desc='Add non-existent HBAC rule to %r' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(seealso=u'notfound') ), expected=errors.NotFound( reason=u'HBAC rule notfound not found'), ), dict( desc='Add an HBAC rule to %r' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) ), expected=dict( result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser2], ipaenabledflag=[u'TRUE'], seealso=hbacrule1, ), summary=u'Modified SELinux User Map "%s"' % rule1, value=rule1, ), ), dict( desc='Add user to %r that has HBAC' % rule1, command=('selinuxusermap_add_user', [rule1], dict(user=user1)), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Add host to %r that has HBAC' % rule1, command=('selinuxusermap_add_host', [rule1], dict(host=host1)), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Try to delete HBAC rule pointed to by %r' % rule1, command=('hbacrule_del', [hbacrule1], {}), expected=errors.DependentEntry(key=hbacrule1, label=u'SELinux User Map', dependent=rule1) ), # This tests selinuxusermap-find --hbacrule=<foo> returns an # exact match dict( desc='Try to delete similarly named HBAC rule %r' % hbacrule2, command=('hbacrule_del', [hbacrule2], {}), expected=dict( result=dict(failed=[]), value=[hbacrule2], summary=u'Deleted HBAC rule "%s"' % hbacrule2, ) ), # Test clean up dict( desc='Delete %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=dict( result=dict(failed=[]), value=[rule1], summary=u'Deleted SELinux User Map "%s"' % rule1, ) ), dict( desc='Try to delete non-existent %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=errors.NotFound( reason=u'%s: SELinux User Map rule not found' % rule1), ), # Some negative tests dict( desc='Create rule with unknown user %r' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound:s0:c0') ), expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 ' + u'not found in ordering list (in config)'), ), dict( desc='Create rule with invalid user bad+user', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'bad+user') ), expected=errors.ValidationError( name='selinuxuser', error=u'Invalid SELinux user name, only a-Z, _ ' 'and . are allowed' ), ), dict( desc='Create rule with invalid MCS xguest_u:s999', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s999') ), expected=errors.ValidationError(name='selinuxuser', error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), ), dict( desc='Create rule with invalid MLS xguest_u:s0:p88', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0:p88') ), expected=errors.ValidationError(name='selinuxuser', error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + u'and/or c[0-1023]-c[0-c0123]'), ), dict( desc='Create rule with invalid MLS xguest_u:s0:c0.c1028', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028') ), expected=errors.ValidationError(name='selinuxuser', error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + u'and/or c[0-1023]-c[0-c0123]'), ), dict( desc='Create rule with invalid user via setattr', command=( 'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny') ), expected=errors.ValidationError(name='ipaselinuxuser', error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), ), dict( desc='Create rule with both --hbacrule and --usercat set', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1, usercategory=u'all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Create rule with both --hbacrule and --hostcat set', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1, hostcategory=u'all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Create rule with both --hbacrule ' 'and --usercat set via setattr', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1, setattr=u'usercategory=all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Create rule with both --hbacrule ' 'and --hostcat set via setattr', command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1, setattr=u'hostcategory=all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Create rule %r with --hbacrule' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1) ), expected=dict( value=rule1, summary=u'Added SELinux User Map "%s"' % rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], objectclass=objectclasses.selinuxusermap, ipauniqueid=[fuzzy_uuid], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, seealso=hbacrule1 ), ), ), dict( desc='Add an --usercat to %r that has HBAC set' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(usercategory=u'all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Add an --hostcat to %r that has HBAC set' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(hostcategory=u'all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Add an usercat via setattr to %r that has HBAC set' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(setattr=u'usercategory=all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Add an hostcat via setattr to %r that has HBAC set' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(setattr=u'hostcategory=all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Delete %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=dict( result=dict(failed=[]), value=[rule1], summary=u'Deleted SELinux User Map "%s"' % rule1, ) ), dict( desc='Create rule %r with usercat and hostcat set' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, usercategory=u'all', hostcategory=u'all') ), expected=dict( value=rule1, summary=u'Added SELinux User Map "%s"' % rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], objectclass=objectclasses.selinuxusermap, ipauniqueid=[fuzzy_uuid], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, usercategory=[u'all'], hostcategory=[u'all'] ), ), ), dict( desc='Add HBAC rule to %r that has usercat and hostcat' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Delete %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=dict( result=dict(failed=[]), value=[rule1], summary=u'Deleted SELinux User Map "%s"' % rule1, ) ), dict( desc='Create rule %r' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1) ), expected=dict( value=rule1, summary=u'Added SELinux User Map "%s"' % rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], objectclass=objectclasses.selinuxusermap, ipauniqueid=[fuzzy_uuid], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, ), ), ), dict( desc='Add HBAC rule, hostcat and usercat to %r' % rule1, command=( 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1, usercategory=u'all', hostcategory=u'all') ), expected=errors.MutuallyExclusiveError( reason=u'HBAC rule and local members cannot both be set'), ), dict( desc='Delete %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=dict( result=dict(failed=[]), value=[rule1], summary=u'Deleted SELinux User Map "%s"' % rule1, ) ), dict( desc='Create rule %r with ' '--setattr=seealso=<allow_all rule DN>' % rule1, command=( 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1, setattr=u'seealso=%s' % allow_all_rule_dn) ), expected=dict( value=rule1, summary=u'Added SELinux User Map "%s"' % rule1, result=dict( cn=[rule1], ipaselinuxuser=[selinuxuser1], objectclass=objectclasses.selinuxusermap, ipauniqueid=[fuzzy_uuid], ipaenabledflag=[u'TRUE'], dn=fuzzy_selinuxusermapdn, seealso=u'allow_all', ), ), ), dict( desc='Delete %r' % rule1, command=('selinuxusermap_del', [rule1], {}), expected=dict( result=dict(failed=[]), value=[rule1], summary=u'Deleted SELinux User Map "%s"' % rule1, ) ), ]
class test_krbtpolicy(Declarative): cleanup_commands = [ ('user_del', [user1], {}), ('krbtpolicy_reset', [], {}), ] tests = [ dict( desc='Reset global policy', command=('krbtpolicy_reset', [], {}), expected=dict( value=None, summary=None, result=dict( krbmaxticketlife=[u'86400'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Show global policy', command=('krbtpolicy_show', [], {}), expected=dict( value=None, summary=None, result=dict( dn=DN(('cn', api.env.domain), ('cn', 'kerberos'), api.env.basedn), krbmaxticketlife=[u'86400'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Update global policy', command=('krbtpolicy_mod', [], dict(krbmaxticketlife=3600)), expected=dict( value=None, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Create %r' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1')), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Update user ticket policy', command=('krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)), expected=dict( value=user1, summary=None, result=dict(krbmaxticketlife=[u'3600'], ), ), ), dict( desc='Update user ticket policy for auth indicator pkinit', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxticketlife_pkinit=3800)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_pkinit=[u'3800'], ), ), ), dict( desc='Update user ticket policy for auth indicator otp', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxticketlife_otp=3700)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_otp=[u'3700'], ), ), ), dict( desc='Update user ticket policy for auth indicator radius', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxticketlife_radius=1)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], ), ), ), dict( desc='Update user ticket policy for auth indicator hardened', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxticketlife_hardened=2147483647)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], krbauthindmaxticketlife_hardened=[u'2147483647'], ), ), ), dict( desc='Update maxrenew user ticket policy for ' 'auth indicator hardened', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxrenewableage_hardened=2147483647)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], krbauthindmaxticketlife_hardened=[u'2147483647'], krbauthindmaxrenewableage_hardened=[u'2147483647'], ), ), ), dict( desc='Update maxrenew user ticket policy for ' 'auth indicator otp', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxrenewableage_otp=3700)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], krbauthindmaxticketlife_hardened=[u'2147483647'], krbauthindmaxrenewableage_hardened=[u'2147483647'], krbauthindmaxrenewableage_otp=[u'3700'], ), ), ), dict( desc='Update maxrenew user ticket policy for ' 'auth indicator radius', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxrenewableage_radius=1)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], krbauthindmaxticketlife_hardened=[u'2147483647'], krbauthindmaxrenewableage_hardened=[u'2147483647'], krbauthindmaxrenewableage_otp=[u'3700'], krbauthindmaxrenewableage_radius=[u'1'], ), ), ), dict( desc='Update maxrenew user ticket policy for ' 'auth indicator pkinit', command=('krbtpolicy_mod', [user1], dict(krbauthindmaxrenewableage_pkinit=3800)), expected=dict( value=user1, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbauthindmaxticketlife_otp=[u'3700'], krbauthindmaxticketlife_pkinit=[u'3800'], krbauthindmaxticketlife_radius=[u'1'], krbauthindmaxticketlife_hardened=[u'2147483647'], krbauthindmaxrenewableage_hardened=[u'2147483647'], krbauthindmaxrenewableage_otp=[u'3700'], krbauthindmaxrenewableage_radius=[u'1'], krbauthindmaxrenewableage_pkinit=[u'3800'], ), ), ), dict( desc='Try updating other user attribute', command=('krbtpolicy_mod', [user1], dict(setattr=u'givenname=Pete')), expected=errors.ObjectclassViolation( info='attribute "givenname" not allowed'), ), ] for (value, error) in invalid_values: for (param, param_name) in parameters: tests.append( create_dict(desc='Try updating invalid {0} with {1}'.format( param_name, value), param=param, param_name=param_name, value=value, error=error))
class test_raduisproxy(Declarative): cleanup_commands = [ ('radiusproxy_del', [radius1], {}), ('user_del', [user1], {}), ] tests = [ dict( desc='Try to retrieve non-existent %r' % radius1, command=('radiusproxy_show', [radius1], {}), expected=errors.NotFound( reason=u'%s: RADIUS proxy server not found' % radius1), ), dict( desc='Try to update non-existent %r' % radius1, command=('radiusproxy_mod', [radius1], {}), expected=errors.NotFound( reason=_('%s: RADIUS proxy server not found') % radius1), ), dict( desc='Try to delete non-existent %r' % radius1, command=('radiusproxy_del', [radius1], {}), expected=errors.NotFound( reason=_('%s: RADIUS proxy server not found') % radius1), ), dict( desc='Try to add multiple radius proxy server %r' % radius1, command=('radiusproxy_add', [radius1], dict( ipatokenradiusserver=radius1_fqdn, addattr=u'ipatokenradiusserver=radius1_fqdn', ipatokenradiussecret=password1, ), ), expected=errors.OnlyOneValueAllowed(attr='ipatokenradiusserver') ), dict( desc='Create %r' % radius1, command=('radiusproxy_add', [radius1], dict( ipatokenradiusserver=radius1_fqdn, ipatokenradiussecret=password1, ), ), expected=dict( value=radius1, summary=u'Added RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], dn=radius1_dn, ipatokenradiussecret=[password1_bytes], ipatokenradiusserver=[radius1_fqdn], objectclass=objectclasses.radiusproxy, ), ), ), dict( desc='Try to create duplicate %r' % radius1, command=('radiusproxy_add', [radius1], dict( ipatokenradiusserver=radius1_fqdn, ipatokenradiussecret=password1, ), ), expected=errors.DuplicateEntry(message=_('RADIUS proxy server ' 'with name "%s" already exists') % radius1), ), dict( desc='Retrieve %r' % radius1, command=('radiusproxy_show', [radius1], {}), expected=dict( value=radius1, summary=None, result=dict( cn=[radius1], dn=radius1_dn, ipatokenradiusserver=[radius1_fqdn], ), ), ), dict( desc='Retrieve %r with all=True' % radius1, command=('radiusproxy_show', [radius1], dict(all=True)), expected=dict( value=radius1, summary=None, result=dict( cn=[radius1], dn=radius1_dn, ipatokenradiussecret=[password1_bytes], ipatokenradiusserver=[radius1_fqdn], objectclass=objectclasses.radiusproxy, ), ), ), ] + [ dict( desc='Set timeout of %s to %s (valid)' % (radius1, num), command=('radiusproxy_mod', [radius1], dict(ipatokenradiustimeout=num)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ipatokenradiustimeout=[unicode(num)], ), ), ) for num in (1, 100) ] + [ dict( desc='Set timeout of %s to 0 (invalid)' % radius1, command=('radiusproxy_mod', [radius1], dict(ipatokenradiustimeout=0)), expected=errors.ValidationError( name='timeout', error=_('must be at least 1')), ), dict( desc='Unset timeout of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(ipatokenradiustimeout=None)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ), ), ), ] + [ dict( desc='Set retries of %s to %s (valid)' % (radius1, num), command=('radiusproxy_mod', [radius1], dict(ipatokenradiusretries=num)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ipatokenradiusretries=[unicode(num)], ), ), ) for num in (0, 4, 10) ] + [ dict( desc='Set retries of %s to %s (invalid)' % (radius1, num), command=('radiusproxy_mod', [radius1], dict(ipatokenradiusretries=num)), expected=errors.ValidationError( name='retries', error=reason), ) for num, reason in ((-1, 'must be at least 0'), (11, 'can be at most 10'), (100, 'can be at most 10')) ] + [ dict( desc='Unset retries of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(ipatokenradiusretries=None)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ), ), ), ] + [ dict( desc='Set server string of %s to %s (valid)' % (radius1, fqdn), command=('radiusproxy_mod', [radius1], dict(ipatokenradiusserver=fqdn)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[fqdn], ), ), ) for fqdn in (radius1_fqdn + u':12345', radius1_fqdn) ] + [ dict( desc='Set server string of %s to %s (invalid)' % (radius1, fqdn), command=('radiusproxy_mod', [radius1], dict(ipatokenradiusserver=fqdn)), expected=errors.ValidationError(name='ipatokenradiusserver', error=error), ) for fqdn, error in ( (radius1_fqdn + u':0x5a', 'invalid port number'), (radius1_fqdn + u':1:2:3', "only letters, numbers, '_', '-' are allowed. DNS label may not " "start or end with '-'"), (u'bogus', 'not fully qualified'), ) ] + [ dict( desc='Try to unset server string of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(ipatokenradiusserver=None)), expected=errors.RequirementError(name='server'), ), dict( desc='Set userattr of %s to %s (valid)' % (radius1, u'cn'), command=('radiusproxy_mod', [radius1], dict(ipatokenusermapattribute=u'cn')), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ipatokenusermapattribute=[u'cn'], ), ), ), dict( desc='Set userattr of %s to %s (invalid)' % (radius1, u'$%^&*'), command=('radiusproxy_mod', [radius1], dict(ipatokenusermapattribute=u'$%^&*')), expected=errors.ValidationError(name='ipatokenusermapattribute', error=u'invalid attribute name'), ), dict( desc='Unset userattr of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(ipatokenusermapattribute=None)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ), ), ), dict( desc='Set desc of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(description=u'a virtual radius server')), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], description=[u'a virtual radius server'], ), ), ), dict( desc='Unset desc of %s' % radius1, command=('radiusproxy_mod', [radius1], dict(description=None)), expected=dict( value=radius1, summary=u'Modified RADIUS proxy server "%s"' % radius1, result=dict( cn=[radius1], ipatokenradiusserver=[radius1_fqdn], ), ), ), dict( desc='Create "%s"' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1') ), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Set radiusconfiglink of %r' % user1, command=('user_mod', [user1], dict(ipatokenradiusconfiglink=radius1,)), expected=dict( result=get_user_result(user1, u'Test', u'User1', 'mod', ipatokenradiusconfiglink=[radius1]), value=user1, summary='Modified user "%s"' % user1, ), ), dict( desc='Retrieve %r to verify %s is output' % (radius1, user1), command=('radiusproxy_show', [radius1], {}), expected=dict( value=radius1, summary=None, result=dict( cn=[radius1], dn=radius1_dn, ipatokenradiusserver=[radius1_fqdn], ), ), ), dict( desc='Retrieve %r to verify %s is output' % (user1, radius1), command=('user_show', [user1], {}), expected=dict( value=user1, summary=None, result=get_user_result(user1, u'Test', u'User1', 'show', ipatokenradiusconfiglink=[radius1]), ), ), dict( desc='Delete %r' % radius1, command=('radiusproxy_del', [radius1], {}), expected=dict( value=[radius1], summary=u'Deleted RADIUS proxy server "%s"' % radius1, result=dict(failed=[]), ), ), dict( desc='Retrieve %s to verify link is deleted' % user1, command=('user_show', [user1], {}), expected=dict( value=user1, summary=None, result=get_user_result(user1, u'Test', u'User1', 'show'), ), ), ]
class test_netgroup(Declarative): """ Test the `netgroup` plugin. """ cleanup_commands = [ ('netgroup_del', [netgroup1], {}), ('netgroup_del', [netgroup2], {}), ('host_del', [host1], {}), ('hostgroup_del', [hostgroup1], {}), ('user_del', [user1], {}), ('user_del', [user2], {}), ('group_del', [group1], {}), ] tests=[ dict( desc='Try to retrieve non-existent %r' % netgroup1, command=('netgroup_show', [netgroup1], {}), expected=errors.NotFound( reason=u'%s: netgroup not found' % netgroup1), ), dict( desc='Try to update non-existent %r' % netgroup1, command=('netgroup_mod', [netgroup1], dict(description=u'Updated hostgroup 1') ), expected=errors.NotFound( reason=u'%s: netgroup not found' % netgroup1), ), dict( desc='Try to delete non-existent %r' % netgroup1, command=('netgroup_del', [netgroup1], {}), expected=errors.NotFound( reason=u'%s: netgroup not found' % netgroup1), ), dict( desc='Test an invalid netgroup name %r' % invalidnetgroup1, command=('netgroup_add', [invalidnetgroup1], dict(description=u'Test')), expected=errors.ValidationError(name='name', error=u'may only include letters, numbers, _, -, and .'), ), dict( desc='Test an invalid nisdomain1 name %r' % invalidnisdomain1, command=('netgroup_add', [netgroup1], dict(description=u'Test',nisdomainname=invalidnisdomain1)), expected=errors.ValidationError(name='nisdomain', error='may only include letters, numbers, _, -, and .'), ), dict( desc='Test an invalid nisdomain2 name %r' % invalidnisdomain2, command=('netgroup_add', [netgroup1], dict(description=u'Test',nisdomainname=invalidnisdomain2)), expected=errors.ValidationError(name='nisdomain', error='may only include letters, numbers, _, -, and .'), ), dict( desc='Create %r' % netgroup1, command=('netgroup_add', [netgroup1], dict(description=u'Test netgroup 1') ), expected=dict( value=netgroup1, summary=u'Added netgroup "%s"' % netgroup1, result=dict( dn=fuzzy_netgroupdn, cn=[netgroup1], objectclass=objectclasses.netgroup, description=[u'Test netgroup 1'], nisdomainname=['%s' % api.env.domain], ipauniqueid=[fuzzy_uuid], ), ), ), dict( desc='Create %r' % netgroup2, command=('netgroup_add', [netgroup2], dict(description=u'Test netgroup 2') ), expected=dict( value=netgroup2, summary=u'Added netgroup "%s"' % netgroup2, result=dict( dn=fuzzy_netgroupdn, cn=[netgroup2], objectclass=objectclasses.netgroup, description=[u'Test netgroup 2'], nisdomainname=['%s' % api.env.domain], ipauniqueid=[fuzzy_uuid], ), ), ), dict( desc='Create netgroup with name containing only one letter: %r' % netgroup_single, command=('netgroup_add', [netgroup_single], dict(description=u'Test netgroup_single') ), expected=dict( value=netgroup_single, summary=u'Added netgroup "%s"' % netgroup_single, result=dict( dn=fuzzy_netgroupdn, cn=[netgroup_single], objectclass=objectclasses.netgroup, description=[u'Test netgroup_single'], nisdomainname=['%s' % api.env.domain], ipauniqueid=[fuzzy_uuid], ), ), ), dict( desc='Delete %r' % netgroup_single, command=('netgroup_del', [netgroup_single], {}), expected=dict( value=[netgroup_single], summary=u'Deleted netgroup "%s"' % netgroup_single, result=dict(failed=[]), ), ), dict( desc='Try to create duplicate %r' % netgroup1, command=('netgroup_add', [netgroup1], dict(description=u'Test netgroup 1') ), expected=errors.DuplicateEntry( message=u'netgroup with name "%s" already exists' % netgroup1), ), dict( desc='Create host %r' % host1, command=('host_add', [host1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=host1, summary=u'Added host "%s"' % host1, result=dict( dn=host_dn1, fqdn=[host1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (host1, api.env.realm)], krbcanonicalname=[u'host/%s@%s' % (host1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[host1], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % hostgroup1, command=('hostgroup_add', [hostgroup1], dict(description=u'Test hostgroup 1') ), expected=dict( value=hostgroup1, summary=u'Added hostgroup "%s"' % hostgroup1, result=dict( dn=hostgroup_dn1, cn=[hostgroup1], objectclass=objectclasses.hostgroup, description=[u'Test hostgroup 1'], mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'), api.env.basedn)], ipauniqueid=[fuzzy_uuid], ), ), ), dict( desc='Create %r' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1') ), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Create %r' % user2, command=( 'user_add', [user2], dict(givenname=u'Test', sn=u'User2') ), expected=dict( value=user2, summary=u'Added user "%s"' % user2, result=get_user_result(user2, u'Test', u'User2', 'add'), ), ), dict( desc='Create %r' % group1, command=( 'group_add', [group1], dict(description=u'Test desc 1') ), expected=dict( value=group1, summary=u'Added group "%s"' % group1, result=dict( cn=[group1], description=[u'Test desc 1'], gidnumber=[fuzzy_digits], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn',group1),('cn','groups'),('cn','accounts'), api.env.basedn), ), ), ), dict( desc='Add user %r to group %r' % (user2, group1), command=( 'group_add_member', [group1], dict(user=user2) ), expected=dict( completed=1, failed=dict( member=dict( group=tuple(), user=tuple(), service=tuple(), ), ), result={ 'dn': DN(('cn',group1),('cn','groups'),('cn','accounts'), api.env.basedn), 'member_user': (user2,), 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'Test desc 1'], }, ), ), dict( desc='Add invalid host %r to netgroup %r' % (invalidhost, netgroup1), command=('netgroup_add_member', [netgroup1], dict(host=invalidhost)), expected=errors.ValidationError(name='host', error=u"only letters, numbers, '_', '-' are allowed. " + u"DNS label may not start or end with '-'"), ), dict( desc='Add host %r to netgroup %r' % (host1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(host=host1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add hostgroup %r to netgroup %r' % (hostgroup1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(hostgroup=hostgroup1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Search for netgroups using no_user with members', command=('netgroup_find', [], dict( no_user=user1, no_members=False)), expected=dict( count=2, truncated=False, summary=u'2 netgroups matched', result=[ { 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, { 'dn': fuzzy_netgroupdn, 'cn': [netgroup2], 'description': [u'Test netgroup 2'], 'nisdomainname': [u'%s' % api.env.domain], }, ], ), ), dict( desc='Search for netgroups using no_user', command=('netgroup_find', [], dict(no_user=user1)), expected=dict( count=2, truncated=False, summary=u'2 netgroups matched', result=[ { 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, { 'dn': fuzzy_netgroupdn, 'cn': [netgroup2], 'description': [u'Test netgroup 2'], 'nisdomainname': [u'%s' % api.env.domain], }, ], ), ), dict( desc="Check %r doesn't match when searching for %s" % (netgroup1, user1), command=('netgroup_find', [], dict(user=user1)), expected=dict( count=0, truncated=False, summary=u'0 netgroups matched', result=[], ), ), dict( desc='Add user %r to netgroup %r' % (user1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(user=user1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc="Check %r doesn't match when searching for no %s" % (netgroup1, user1), command=('netgroup_find', [], dict(no_user=user1)), expected=dict( count=1, truncated=False, summary=u'1 netgroup matched', result=[ { 'dn': fuzzy_netgroupdn, 'cn': [netgroup2], 'description': [u'Test netgroup 2'], 'nisdomainname': [u'%s' % api.env.domain], }, ], ), ), dict( desc='Add group %r to netgroup %r' % (group1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(group=group1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add netgroup %r to netgroup %r' % (netgroup2, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(netgroup=netgroup2) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add non-existent netgroup to netgroup %r' % (netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(netgroup=u'notfound') ), expected=dict( completed=0, failed=dict( member=dict( netgroup=[(u'notfound', u'no such entry')], ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add duplicate user %r to netgroup %r' % (user1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(user=user1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=[('%s' % user1, u'This entry is already a member')], ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add duplicate group %r to netgroup %r' % (group1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(group=group1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=[('%s' % group1, u'This entry is already a member')], user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add duplicate host %r to netgroup %r' % (host1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(host=host1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=[('%s' % host1, u'This entry is already a member')], ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add duplicate hostgroup %r to netgroup %r' % (hostgroup1, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(hostgroup=hostgroup1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=[('%s' % hostgroup1, u'This entry is already a member')], host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], }, ), ), dict( desc='Add unknown host %r to netgroup %r' % (unknown_host, netgroup1), command=( 'netgroup_add_member', [netgroup1], dict(host=unknown_host) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Add invalid host %r to netgroup %r using setattr' % (invalidhost, netgroup1), command=( 'netgroup_mod', [netgroup1], dict(setattr='externalhost=%s' % invalidhost) ), expected=errors.ValidationError(name='externalhost', error=u"only letters, numbers, '_', '-' are allowed. " + u"DNS label may not start or end with '-'"), ), dict( desc='Add unknown host %r to netgroup %r using addattr' % (unknown_host2, netgroup1), command=( 'netgroup_mod', [netgroup1], dict(addattr='externalhost=%s' % unknown_host2) ), expected=dict( value=u'netgroup1', summary=u'Modified netgroup "netgroup1"', result={ 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host, unknown_host2], }, ) ), dict( desc='Remove unknown host %r from netgroup %r using delattr' % (unknown_host2, netgroup1), command=( 'netgroup_mod', [netgroup1], dict(delattr='externalhost=%s' % unknown_host2) ), expected=dict( value=u'netgroup1', summary=u'Modified netgroup "netgroup1"', result={ 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ) ), dict( desc='Retrieve %r' % netgroup1, command=('netgroup_show', [netgroup1], {}), expected=dict( value=netgroup1, summary=None, result={ 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Search for %r with members' % netgroup1, command=('netgroup_find', [], dict( cn=netgroup1, no_members=False)), expected=dict( count=1, truncated=False, summary=u'1 netgroup matched', result=[ { 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ], ), ), dict( desc='Search for %r' % netgroup1, command=('netgroup_find', [], dict(cn=netgroup1)), expected=dict( count=1, truncated=False, summary=u'1 netgroup matched', result=[ { 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ], ), ), dict( desc='Search for %r using user with members' % netgroup1, command=('netgroup_find', [], dict( user=user1, no_members=False)), expected=dict( count=1, truncated=False, summary=u'1 netgroup matched', result=[ { 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ], ), ), dict( desc='Search for %r using user' % netgroup1, command=('netgroup_find', [], dict(user=user1)), expected=dict( count=1, truncated=False, summary=u'1 netgroup matched', result=[ { 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ], ), ), dict( desc=('Search for all netgroups using empty member user with ' 'members'), command=('netgroup_find', [], dict(user=None, no_members=False)), expected=dict( count=2, truncated=False, summary=u'2 netgroups matched', result=[ { 'dn': fuzzy_netgroupdn, 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, { 'dn': fuzzy_netgroupdn, 'memberof_netgroup': (netgroup1,), 'cn': [netgroup2], 'description': [u'Test netgroup 2'], 'nisdomainname': [u'%s' % api.env.domain], }, ], ), ), dict( desc='Search for all netgroups using empty member user', command=('netgroup_find', [], dict(user=None)), expected=dict( count=2, truncated=False, summary=u'2 netgroups matched', result=[ { 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Test netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, { 'dn': fuzzy_netgroupdn, 'cn': [netgroup2], 'description': [u'Test netgroup 2'], 'nisdomainname': [u'%s' % api.env.domain], }, ], ), ), dict( desc='Update %r' % netgroup1, command=('netgroup_mod', [netgroup1], dict(description=u'Updated netgroup 1') ), expected=dict( value=netgroup1, summary=u'Modified netgroup "%s"' % netgroup1, result={ 'memberhost_host': (host1,), 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove host %r from netgroup %r' % (host1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(host=host1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberhost_hostgroup': (hostgroup1,), 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove hostgroup %r from netgroup %r' % (hostgroup1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(hostgroup=hostgroup1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberuser_user': (user1,), 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove user %r from netgroup %r' % (user1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(user=user1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'memberuser_group': (group1,), 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove group %r from netgroup %r' % (group1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(group=group1) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'member_netgroup': (netgroup2,), 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove netgroup %r from netgroup %r' % (netgroup2, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(netgroup=netgroup2) ), expected=dict( completed=1, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove host %r from netgroup %r again' % (host1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(host=host1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=[('%s' % host1, u'This entry is not a member')] ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove hostgroup %r from netgroup %r again' % (hostgroup1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(hostgroup=hostgroup1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=[('%s' % hostgroup1, u'This entry is not a member')], host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove user %r from netgroup %r again' % (user1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(user=user1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group=tuple(), user=[('%s' % user1, u'This entry is not a member')], ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove group %r from netgroup %r again' % (group1, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(group=group1) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=tuple(), ), memberuser=dict( group= [('%s' % group1, u'This entry is not a member')], user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Remove netgroup %r from netgroup %r again' % (netgroup2, netgroup1), command=( 'netgroup_remove_member', [netgroup1], dict(netgroup=netgroup2) ), expected=dict( completed=0, failed=dict( member=dict( netgroup=[('%s' % netgroup2, u'This entry is not a member')], ), memberuser=dict( group=tuple(), user=tuple(), ), memberhost=dict( hostgroup=tuple(), host=tuple(), ), ), result={ 'dn': fuzzy_netgroupdn, 'cn': [netgroup1], 'description': [u'Updated netgroup 1'], 'nisdomainname': [u'%s' % api.env.domain], 'externalhost': [unknown_host], }, ), ), dict( desc='Delete %r' % netgroup1, command=('netgroup_del', [netgroup1], {}), expected=dict( value=[netgroup1], summary=u'Deleted netgroup "%s"' % netgroup1, result=dict(failed=[]), ), ), ]
class test_range(Declarative): mockldap = None @pytest.fixture(autouse=True, scope="class") def range_setup(self, request, declarative_setup): cls = request.cls def fin(): cls.mockldap = MockLDAP() cls.mockldap.del_entry(domain2_dn) cls.mockldap.del_entry(domain3_dn) cls.mockldap.del_entry(domain4_dn) cls.mockldap.del_entry(domain5_dn) cls.mockldap.del_entry(domain6_dn) cls.mockldap.del_entry(domain7_dn) cls.mockldap.del_entry(domain1range1_dn) cls.mockldap.del_entry(domain2range1_dn) cls.mockldap.del_entry(domain2range2_dn) cls.mockldap.del_entry(domain3range1_dn) cls.mockldap.del_entry(domain3range2_dn) cls.mockldap.del_entry(domain4range1_dn) cls.mockldap.del_entry(domain5range1_dn) cls.mockldap.del_entry(domain5range2_dn) cls.mockldap.del_entry(domain6range1_dn) cls.mockldap.del_entry(domain7range1_dn) cls.mockldap.del_entry(trust_container_dn) cls.mockldap.del_entry(trust_local_dn) cls.mockldap.del_entry(smb_cont_dn) cls.mockldap.unbind() fin() cls.mockldap = MockLDAP() cls.mockldap.add_entry(trust_container_dn, trust_container_add) cls.mockldap.add_entry(smb_cont_dn, smb_cont_add) cls.mockldap.add_entry(trust_local_dn, trust_local_add) cls.mockldap.add_entry(domain2_dn, domain2_add) cls.mockldap.add_entry(domain3_dn, domain3_add) cls.mockldap.add_entry(domain4_dn, domain4_add) cls.mockldap.add_entry(domain5_dn, domain5_add) cls.mockldap.add_entry(domain6_dn, domain6_add) cls.mockldap.add_entry(domain7_dn, domain7_add) cls.mockldap.add_entry(domain1range1_dn, domain1range1_add) cls.mockldap.add_entry(domain2range1_dn, domain2range1_add) cls.mockldap.add_entry(domain2range2_dn, domain2range2_add) cls.mockldap.add_entry(domain3range1_dn, domain3range1_add) cls.mockldap.add_entry(domain3range2_dn, domain3range2_add) cls.mockldap.add_entry(domain4range1_dn, domain4range1_add) cls.mockldap.add_entry(domain5range1_dn, domain5range1_add) cls.mockldap.add_entry(domain5range2_dn, domain5range2_add) cls.mockldap.add_entry(domain6range1_dn, domain6range1_add) cls.mockldap.unbind() request.addfinalizer(fin) cleanup_commands = [ ('idrange_del', [ testrange1, testrange2, testrange3, testrange4, testrange5, testrange6, testrange7, testrange8, testrange9 ], { 'continue': True }), ('user_del', [user1], {}), ('group_del', [group1], {}), ] # Basic tests. tests = [ dict( desc='Create ID range %r' % (testrange1), command=('idrange_add', [testrange1], dict(ipabaseid=testrange1_base_id, ipaidrangesize=testrange1_size, ipabaserid=testrange1_base_rid, ipasecondarybaserid=testrange1_secondary_base_rid)), expected=dict( result=dict( dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange1], objectclass=[u'ipaIDrange', u'ipadomainidrange'], ipabaseid=[unicode(testrange1_base_id)], ipabaserid=[unicode(testrange1_base_rid)], ipasecondarybaserid=[ unicode(testrange1_secondary_base_rid) ], ipaidrangesize=[unicode(testrange1_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange1, summary=u'Added ID range "%s"' % (testrange1), ), ), dict( desc='Retrieve ID range %r' % (testrange1), command=('idrange_show', [testrange1], dict()), expected=dict( result=dict( dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange1], ipabaseid=[unicode(testrange1_base_id)], ipabaserid=[unicode(testrange1_base_rid)], ipasecondarybaserid=[ unicode(testrange1_secondary_base_rid) ], ipaidrangesize=[unicode(testrange1_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange1, summary=None, ), ), # Checks for modifications leaving objects outside of the range. dict( desc='Create user %r in ID range %r' % (user1, testrange1), command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1', uidnumber=user1_uid)), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result( user1, u'Test', u'User1', 'add', uidnumber=[unicode(user1_uid)], gidnumber=[unicode(user1_uid)], ), ), ), dict( desc='Create group %r in ID range %r' % (group1, testrange1), command=('group_add', [group1], dict(description=u'Test desc 1', gidnumber=group1_gid)), expected=dict( value=group1, summary=u'Added group "%s"' % group1, result=dict( cn=[group1], description=[u'Test desc 1'], gidnumber=[unicode(group1_gid)], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Try to modify ID range %r to get out bounds object #1' % (testrange1), command=('idrange_mod', [testrange1], dict(ipabaseid=user1_uid + 1)), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR), ), dict( desc='Try to modify ID range %r to get out bounds object #2' % (testrange1), command=('idrange_mod', [testrange1], dict(ipaidrangesize=100)), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR), ), dict( desc='Try to modify ID range %r to get out bounds object #3' % (testrange1), command=('idrange_mod', [testrange1], dict(ipabaseid=100, ipaidrangesize=100)), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR), ), dict(desc='Modify ID range %r' % (testrange1), command=('idrange_mod', [testrange1], dict(ipaidrangesize=90000)), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR)), dict( desc='Try to delete ID range %r with active IDs inside it' % testrange1, command=('idrange_del', [testrange1], {}), expected=errors.ValidationError( name='ipabaseid,ipaidrangesize', error=u'range modification leaving objects with ID out of the' u' defined range is not allowed'), ), dict( desc='Delete user %r' % user1, command=('user_del', [user1], {}), expected=dict( result=dict(failed=[]), value=[user1], summary=u'Deleted user "%s"' % user1, ), ), dict( desc='Delete group %r' % group1, command=('group_del', [group1], {}), expected=dict( result=dict(failed=[]), value=[group1], summary=u'Deleted group "%s"' % group1, ), ), # Framework validation: mod local idrange with auto-private-groups # is prohibited dict(desc=('Try to modify local range %r with --auto-private-groups' % (testrange1)), command=('idrange_mod', [testrange1], dict(ipaautoprivategroups='true')), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR)), dict( desc='Delete ID range %r' % testrange1, command=('idrange_del', [testrange1], {}), expected=dict( result=dict(failed=[]), value=[testrange1], summary=u'Deleted ID range "%s"' % testrange1, ), ), # Tests for overlapping local ranges. dict( desc='Create ID range %r' % (testrange2), command=('idrange_add', [testrange2], dict(ipabaseid=testrange2_base_id, ipaidrangesize=testrange2_size, ipabaserid=testrange2_base_rid, ipasecondarybaserid=testrange2_secondary_base_rid)), expected=dict( result=dict( dn=DN(('cn', testrange2), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange2], objectclass=[u'ipaIDrange', u'ipadomainidrange'], ipabaseid=[unicode(testrange2_base_id)], ipabaserid=[unicode(testrange2_base_rid)], ipasecondarybaserid=[ unicode(testrange2_secondary_base_rid) ], ipaidrangesize=[unicode(testrange2_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange2, summary=u'Added ID range "%s"' % (testrange2), ), ), dict( desc= 'Try to modify ID range %r so that its rid ranges are overlapping themselves' % (testrange2), command=('idrange_mod', [testrange2], dict(ipabaserid=(testrange2_secondary_base_rid))), expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR), ), dict( desc='Try to create ID range %r with overlapping rid range' % (testrange3), command=('idrange_add', [testrange3], dict(ipabaseid=testrange3_base_id, ipaidrangesize=testrange3_size, ipabaserid=testrange3_base_rid, ipasecondarybaserid=testrange3_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New primary rid range overlaps with existing primary rid range.' ), ), dict( desc= 'Try to create ID range %r with overlapping secondary rid range' % (testrange4), command=('idrange_add', [testrange4], dict(ipabaseid=testrange4_base_id, ipaidrangesize=testrange4_size, ipabaserid=testrange4_base_rid, ipasecondarybaserid=testrange4_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New secondary rid range overlaps with existing secondary rid range.' ), ), dict( desc= 'Try to create ID range %r with primary range overlapping secondary rid range' % (testrange5), command=('idrange_add', [testrange5], dict(ipabaseid=testrange5_base_id, ipaidrangesize=testrange5_size, ipabaserid=testrange5_base_rid, ipasecondarybaserid=testrange5_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New primary rid range overlaps with existing secondary rid range.' ), ), dict( desc='Try to create ID range %r with overlapping id range' % (testrange6), command=('idrange_add', [testrange6], dict(ipabaseid=testrange6_base_id, ipaidrangesize=testrange6_size, ipabaserid=testrange6_base_rid, ipasecondarybaserid=testrange6_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), dict( desc= 'Try to create ID range %r with rid ranges overlapping themselves' % (testrange7), command=('idrange_add', [testrange7], dict(ipabaseid=testrange7_base_id, ipaidrangesize=testrange7_size, ipabaserid=testrange7_base_rid, ipasecondarybaserid=testrange7_secondary_base_rid)), expected=errors.ValidationError( name='ID Range setup', error='Primary RID range and secondary RID range cannot overlap' ), ), dict( desc='Delete ID range %r' % testrange2, command=('idrange_del', [testrange2], {}), expected=dict( result=dict(failed=[]), value=[testrange2], summary=u'Deleted ID range "%s"' % testrange2, ), ), # Testing framework validation: --dom-sid/--dom-name and secondary RID # base cannot be used together dict( desc='Create ID range %r' % (testrange8), command=('idrange_add', [testrange8], dict(ipabaseid=testrange8_base_id, ipaidrangesize=testrange8_size, ipabaserid=testrange8_base_rid, ipasecondarybaserid=testrange8_secondary_base_rid, ipanttrusteddomainsid=domain1_sid)), expected=errors.ValidationError( name='ID Range setup', error='Options dom-sid/dom-name and ' 'secondary-rid-base cannot be used together'), ), # Testing framework validation: --auto-private-groups is prohibited # with ipa-local range dict( desc='Local ID range %r with auto-private-groups' % (testrange8), command=('idrange_add', [testrange8], dict(ipabaseid=testrange8_base_id, ipaidrangesize=testrange8_size, ipaautoprivategroups='true')), expected=errors.ValidationError( name='ID Range setup', error='IPA Range type must be one of ipa-ad-trust ' 'or ipa-ad-trust-posix when ' 'auto-private-groups is specified'), ), # Testing framework validation: --rid-base is prohibited with ipa-ad-posix dict( desc='Try to create ipa-ad-trust-posix ID range %r with base RID' % (domain7range1), command=('idrange_add', [domain7range1], dict(ipabaseid=domain7range1_base_id, ipaidrangesize=domain7range1_size, ipabaserid=domain7range1_base_rid, iparangetype=domain7range1_type, ipanttrusteddomainsid=domain7_sid)), expected=errors.ValidationError( name='ID Range setup', error='Option rid-base must not be used when IPA range ' 'type is ipa-ad-trust-posix'), ), # Testing framework validation: --auto-private-groups can only be # one of true, false, hybrid dict( desc=('Create ID range %r with bogus --auto-private-groups' % (domain7range1)), command=('idrange_add', [domain7range1], dict(ipabaseid=domain7range1_base_id, ipaidrangesize=domain7range1_size, iparangetype=domain7range1_type, ipanttrusteddomainsid=domain7_sid, ipaautoprivategroups='bogus')), expected=errors.ValidationError( name='auto_private_groups', error="must be one of 'true', 'false', 'hybrid'"), ), dict( desc='Create ID range %r' % (domain7range1), command=('idrange_add', [domain7range1], dict(ipabaseid=domain7range1_base_id, ipaidrangesize=domain7range1_size, iparangetype=domain7range1_type, ipanttrusteddomainsid=domain7_sid)), expected=dict( result=dict( dn=unicode(domain7range1_dn), cn=[domain7range1], objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'], ipabaseid=[unicode(domain7range1_base_id)], ipaidrangesize=[unicode(domain7range1_size)], ipanttrusteddomainsid=[unicode(domain7_sid)], iparangetyperaw=[u'ipa-ad-trust-posix'], iparangetype=[ u'Active Directory trust range with POSIX attributes' ], ), value=unicode(domain7range1), summary=u'Added ID range "%s"' % (domain7range1), ), ), dict( desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' % (domain7range1), command=('idrange_mod', [domain7range1], dict(ipabaserid=domain7range1_base_rid)), expected=errors.ValidationError( name='ID Range setup', error='Option rid-base must not be used when IPA range ' 'type is ipa-ad-trust-posix'), ), # Testing prohibition of deletion of ranges belonging to active # trusted domains. dict( desc='Delete non-active AD trusted range %r' % domain1range1, command=('idrange_del', [domain1range1], {}), expected=dict( result=dict(failed=[]), value=[domain1range1], summary=u'Deleted ID range "%s"' % domain1range1, ), ), dict( desc='Try to delete active AD trusted range %r' % domain2range1, command=('idrange_del', [domain2range1], {}), expected=errors.DependentEntry(label='Active Trust domain', key=domain2range1, dependent=domain2), ), # Testing base range overlaps for ranges of different types and # different domains # - Base range overlaps # 1. ipa-ad-trust-posix type ranges from the same forest can overlap # on base ranges, use domain3range1 and domain3range2 dict( desc=('Modify ipa-ad-trust-posix range %r to overlap on base range' ' with posix range from the same domain' % (domain3range2)), command=('idrange_mod', [domain3range2], dict(ipabaseid=domain3range1_base_id)), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain3range2).to_dict(), ), result=dict( cn=[domain3range2], ipabaseid=[unicode(domain3range1_base_id)], ipaidrangesize=[unicode(domain3range2_size)], ipanttrusteddomainsid=[unicode(domain3_sid)], iparangetyperaw=[u'ipa-ad-trust-posix'], iparangetype=[ u'Active Directory trust range with POSIX ' 'attributes' ], ), value=domain3range2, summary=u'Modified ID range "%s"' % (domain3range2), ), ), # 2. ipa-ad-trust-posix type ranges from different forests cannot # overlap on base ranges, use domain3range1 and domain4range1 dict( desc=('Modify ipa-ad-trust-posix range %r to overlap on base range' ' with posix range from different domain' % (domain3range1)), command=('idrange_mod', [domain3range1], dict(ipabaseid=domain4range1_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # 3. ipa-ad-trust ranges from same forest cannot overlap on base ranges, # use domain5range1 and domain5range2 dict( desc=('Modify ipa-ad-trust range %r to overlap on base range' ' with posix range from the same domain' % (domain5range1)), command=('idrange_mod', [domain5range1], dict(ipabaseid=domain5range2_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # 4. ipa-ad-trust ranges from different forests cannot overlap on base # ranges, use domain5range1 and domain6range1 dict( desc=('Modify ipa-ad-trust range %r to overlap on base range' ' with posix range from different domain' % (domain5range1)), command=('idrange_mod', [domain5range1], dict(ipabaseid=domain6range1_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # - RID range overlaps # 1. Overlaps on base RID ranges are allowed for ranges from different # domains, use domain2range1 and domain5range1 dict( desc=('Modify ipa-ad-trust range %r to overlap on base RID' ' range with nonposix range from different domain' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipabaserid=domain5range1_base_rid)), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain2range1).to_dict(), ), result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), # 2. ipa-ad-trust ranges from the same forest cannot overlap on base # RID ranges, use domain5range1 and domain5range2 dict( desc=('Modify ipa-ad-trust range %r to overlap on base RID range' ' with range from the same domain' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipabaserid=domain2range2_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info='New primary rid range overlaps with existing primary rid ' 'range.'), ), dict( desc=('Modify ipa-ad-trust range %r with --auto-private-groups=' 'true' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipaautoprivategroups='true')), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain2range1).to_dict(), ), result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], ipaautoprivategroups=[u'true'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), dict( desc=('Modify ipa-ad-trust range %r with --auto-private-groups=' 'false' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipaautoprivategroups='false')), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain2range1).to_dict(), ), result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], ipaautoprivategroups=[u'false'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), dict( desc=('Modify ipa-ad-trust range %r with --auto-private-groups=' 'hybrid' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipaautoprivategroups='hybrid')), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain2range1).to_dict(), ), result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], ipaautoprivategroups=[u'hybrid'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), dict( desc=('Modify ipa-ad-trust range %r with --auto-private-groups=' '<empty>' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipaautoprivategroups='')), expected=dict( messages=(messages.ServiceRestartRequired( service=services.knownservices['sssd'].systemd_name, server=domain2range1).to_dict(), ), result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), # Test for bug 6404 # if dom-name is empty, add should not fail dict( desc='Create ID range %r' % (testrange9), command=('idrange_add', [testrange9], dict(ipanttrusteddomainname=None, ipabaseid=testrange9_base_id, ipaidrangesize=testrange9_size, ipabaserid=testrange9_base_rid, ipasecondarybaserid=testrange9_secondary_base_rid)), expected=dict( result=dict( dn=DN(('cn', testrange9), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange9], objectclass=[u'ipaIDrange', u'ipadomainidrange'], ipabaseid=[unicode(testrange9_base_id)], ipabaserid=[unicode(testrange9_base_rid)], ipasecondarybaserid=[ unicode(testrange9_secondary_base_rid) ], ipaidrangesize=[unicode(testrange9_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange9, summary=u'Added ID range "%s"' % (testrange9), ), ), dict( desc='Delete ID range %r' % testrange9, command=('idrange_del', [testrange9], {}), expected=dict( result=dict(failed=[]), value=[testrange9], summary=u'Deleted ID range "%s"' % testrange9, ), ), ]
class test_service_allowed_to(Declarative): cleanup_commands = [ ('user_del', [user1], {}), ('user_del', [user2], {}), ('group_del', [group1], {}), ('group_del', [group2], {}), ('host_del', [fqdn1], {}), ('service_del', [service1], {}), ('hostgroup_del', [hostgroup1], {}), ] tests = [ # prepare entries dict( desc='Create %r' % user1, command=('user_add', [], dict(givenname=u'Test', sn=u'User1')), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Create %r' % user2, command=('user_add', [], dict(givenname=u'Test', sn=u'User2')), expected=dict( value=user2, summary=u'Added user "%s"' % user2, result=get_user_result(user2, u'Test', u'User2', 'add'), ), ), dict( desc='Create group: %r' % group1, command=('group_add', [group1], dict()), expected=dict( value=group1, summary=u'Added group "%s"' % group1, result=dict(cn=[group1], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], gidnumber=[fuzzy_digits], dn=group1_dn), ), ), dict( desc='Create group: %r' % group2, command=('group_add', [group2], dict()), expected=dict( value=group2, summary=u'Added group "%s"' % group2, result=dict(cn=[group2], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], gidnumber=[fuzzy_digits], dn=group2_dn), ), ), dict( desc='Create %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=fqdn1, summary=u'Added host "%s"' % fqdn1, result=dict( dn=host1dn, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[u'%s' % fqdn1], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % hostgroup1, command=('hostgroup_add', [hostgroup1], dict(description=u'Test hostgroup 1')), expected=dict( value=hostgroup1, summary=u'Added hostgroup "testhostgroup1"', result=dict( dn=hostgroup1_dn, cn=[hostgroup1], objectclass=objectclasses.hostgroup, description=[u'Test hostgroup 1'], ipauniqueid=[fuzzy_uuid], mepmanagedentry=[ DN(('cn', hostgroup1), ('cn', 'ng'), ('cn', 'alt'), api.env.basedn) ], ), ), ), dict( desc='Create %r' % service1, command=('service_add', [service1_no_realm], dict(force=True)), expected=dict( value=service1, summary=u'Added service "%s"' % service1, result=dict( dn=service1dn, krbprincipalname=[service1], objectclass=objectclasses.service, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], ), ), ), # verify dict( desc='Allow %r to a retrieve keytab of %r' % (user1, service1), command=('service_allow_retrieve_keytab', [service1], dict(user=user1)), expected=dict( failed=dict(ipaallowedtoperform_read_keys=dict( group=[], host=[], hostgroup=[], user=[], ), ), completed=1, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Duplicate add: user %r' % (user1), command=('service_allow_retrieve_keytab', [service1], dict(user=user1)), expected=dict( failed=dict(ipaallowedtoperform_read_keys=dict( group=[], host=[], hostgroup=[], user=[[user1, u'This entry is already a member']], ), ), completed=0, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Allow %r, %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn1, service1), command=('service_allow_retrieve_keytab', [service1], dict(group=[group1, group2], host=[fqdn1], hostgroup=[hostgroup1])), expected=dict( failed=dict(ipaallowedtoperform_read_keys=dict( group=[], host=[], hostgroup=[], user=[], ), ), completed=4, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Invalid removal of retrieve keytab %r' % (user2), command=('service_disallow_retrieve_keytab', [service1], dict(user=[user2])), expected=dict( failed=dict(ipaallowedtoperform_read_keys=dict( group=[], host=[], hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), completed=0, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Removal of retrieve keytab %r' % (group2), command=('service_disallow_retrieve_keytab', [service1], dict(group=[group2])), expected=dict( failed=dict(ipaallowedtoperform_read_keys=dict( group=[], host=[], hostgroup=[], user=[], ), ), completed=1, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Allow %r, %r, %r to a create keytab of %r' % (group1, user1, fqdn1, service1), command=('service_allow_create_keytab', [service1], dict(group=[group1, group2], user=[user1], host=[fqdn1], hostgroup=[hostgroup1])), expected=dict( failed=dict(ipaallowedtoperform_write_keys=dict( group=[], host=[], hostgroup=[], user=[], ), ), completed=5, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Duplicate add: %r, %r' % (user1, group1), command=('service_allow_create_keytab', [service1], dict(group=[group1], user=[user1], host=[fqdn1], hostgroup=[hostgroup1])), expected=dict( failed=dict(ipaallowedtoperform_write_keys=dict( group=[[group1, u'This entry is already a member']], host=[[fqdn1, u'This entry is already a member']], user=[[user1, u'This entry is already a member']], hostgroup=[[hostgroup1, u'This entry is already a member']], ), ), completed=0, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Invalid removal of create keytab %r' % (user2), command=('service_disallow_create_keytab', [service1], dict(user=[user2])), expected=dict( failed=dict(ipaallowedtoperform_write_keys=dict( group=[], host=[], hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), completed=0, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Removal of create keytab %r' % (group2), command=('service_disallow_create_keytab', [service1], dict(group=[group2])), expected=dict( failed=dict(ipaallowedtoperform_write_keys=dict( group=[], host=[], hostgroup=[], user=[], ), ), completed=1, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Presence of ipaallowedtoperform in show output', command=('service_show', [service1_no_realm], {}), expected=dict( value=service1, summary=None, result=dict( dn=service1dn, has_keytab=False, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), ), ), dict( desc='Presence of ipaallowedtoperform in mod output', command=('service_mod', [service1_no_realm], dict(ipakrbokasdelegate=True)), expected=dict( value=service1, summary=u'Modified service "%s"' % service1, result=dict( ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], ipaallowedtoperform_read_keys_host=[fqdn1], ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], ipaallowedtoperform_write_keys_host=[fqdn1], ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], ipakrbokasdelegate=True, krbprincipalname=[service1], krbticketflags=[u'1048704'], managedby_host=[fqdn1], ), ), ), ]
class test_krbtpolicy(Declarative): cleanup_commands = [ ('user_del', [user1], {}), ('krbtpolicy_reset', [], {}), ] tests = [ dict( desc='Reset global policy', command=('krbtpolicy_reset', [], {}), expected=dict( value=None, summary=None, result=dict( krbmaxticketlife=[u'86400'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Show global policy', command=('krbtpolicy_show', [], {}), expected=dict( value=None, summary=None, result=dict( dn=DN(('cn', api.env.domain), ('cn', 'kerberos'), api.env.basedn), krbmaxticketlife=[u'86400'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Update global policy', command=('krbtpolicy_mod', [], dict(krbmaxticketlife=3600)), expected=dict( value=None, summary=None, result=dict( krbmaxticketlife=[u'3600'], krbmaxrenewableage=[u'604800'], ), ), ), dict( desc='Create %r' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1')), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Update user ticket policy', command=('krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)), expected=dict( value=user1, summary=None, result=dict(krbmaxticketlife=[u'3600'], ), ), ), dict( desc='Try updating other user attribute', command=('krbtpolicy_mod', [user1], dict(setattr=u'givenname=Pete')), expected=errors.ObjectclassViolation( info='attribute "givenname" not allowed'), ), ]
class test_nesting(Declarative): cleanup_commands = [ ('group_del', [group1], {}), ('group_del', [group2], {}), ('group_del', [group3], {}), ('group_del', [group4], {}), ('user_del', [user1], {}), ('user_del', [user2], {}), ('user_del', [user3], {}), ('user_del', [user4], {}), ('host_del', [fqdn1], {}), ('hostgroup_del', [hostgroup1], {}), ('hostgroup_del', [hostgroup2], {}), ] tests = [ ################ # create group1: dict( desc='Create %r' % group1, command=('group_add', [group1], dict(description=u'Test desc 1')), expected=dict( value=group1, summary=u'Added group "testgroup1"', result=dict( cn=[group1], description=[u'Test desc 1'], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], gidnumber=[fuzzy_digits], dn=DN(('cn', 'testgroup1'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), ################ # create group2: dict( desc='Create %r' % group2, command=('group_add', [group2], dict(description=u'Test desc 2')), expected=dict( value=group2, summary=u'Added group "testgroup2"', result=dict( cn=[group2], description=[u'Test desc 2'], gidnumber=[fuzzy_digits], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', 'testgroup2'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Create %r' % group3, command=('group_add', [group3], dict(description=u'Test desc 3')), expected=dict( value=group3, summary=u'Added group "testgroup3"', result=dict( cn=[group3], description=[u'Test desc 3'], gidnumber=[fuzzy_digits], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', 'testgroup3'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Create %r' % group4, command=('group_add', [group4], dict(description=u'Test desc 4')), expected=dict( value=group4, summary=u'Added group "testgroup4"', result=dict( cn=[group4], description=[u'Test desc 4'], gidnumber=[fuzzy_digits], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', 'testgroup4'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Create %r' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1')), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Create %r' % user2, command=('user_add', [user2], dict(givenname=u'Test', sn=u'User2')), expected=dict( value=user2, summary=u'Added user "%s"' % user2, result=get_user_result(user2, u'Test', u'User2', 'add'), ), ), dict( desc='Create %r' % user3, command=('user_add', [user3], dict(givenname=u'Test', sn=u'User3')), expected=dict( value=user3, summary=u'Added user "%s"' % user3, result=get_user_result(user3, u'Test', u'User3', 'add'), ), ), dict( desc='Create %r' % user4, command=('user_add', [user4], dict(givenname=u'Test', sn=u'User4')), expected=dict( value=user4, summary=u'Added user "%s"' % user4, result=get_user_result(user4, u'Test', u'User4', 'add'), ), ), ############### # member stuff # # Create 4 groups and 4 users and set the following membership: # # g1: # no direct memberships # # g2: # memberof: g1 # member: user1, user2 # # g3: # memberof: g1 # member: user3, g4 # # g4: # memberof: g3 # member: user1, user4 # # So when we do a show it looks like: # # g1: # member groups: g2, g3 # indirect member group: g4 # indirect member users: user1, user2, tuser3, tuser4 # # g2: # member of group: g1 # member users: tuser1, tuser2 # # g3: # member users: tuser3 # member groups: g4 # member of groups: g1 # indirect member users: tuser4 # # g4: # member users: tuser1, tuser4 # member of groups: g3 # indirect member of groups: g1 # # Note that tuser1 is an indirect member of g1 both through # g2 and g4. It should appear just once in the list. dict( desc='Add a group member %r to %r' % (group2, group1), command=('group_add_member', [group1], dict(group=group2)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_group': (group2, ), 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'Test desc 1'], }, ), ), dict( desc='Add a group member %r to %r' % (group3, group1), command=('group_add_member', [group1], dict(group=group3)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_group': [ group2, group3, ], 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'Test desc 1'], }, ), ), dict( desc='Add a user member %r to %r' % (user1, group2), command=('group_add_member', [group2], dict(user=user1)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group2), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': (u'tuser1', ), 'memberof_group': (u'testgroup1', ), 'gidnumber': [fuzzy_digits], 'cn': [group2], 'description': [u'Test desc 2'], }, ), ), dict( desc='Add a user member %r to %r' % (user2, group2), command=('group_add_member', [group2], dict(user=user2)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group2), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': [user1, user2], 'memberof_group': [group1], 'gidnumber': [fuzzy_digits], 'cn': [group2], 'description': [u'Test desc 2'], }, ), ), dict( desc='Add a user member %r to %r' % (user3, group3), command=('group_add_member', [group3], dict(user=user3)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group3), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': [user3], 'memberof_group': [group1], 'gidnumber': [fuzzy_digits], 'cn': [group3], 'description': [u'Test desc 3'], }, ), ), dict( desc='Add a group member %r to %r' % (group4, group3), command=('group_add_member', [group3], dict(group=group4)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group3), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': [user3], 'memberof_group': [group1], 'member_group': [group4], 'gidnumber': [fuzzy_digits], 'cn': [group3], 'description': [u'Test desc 3'], }, ), ), dict( desc='Add a user member %r to %r' % (user1, group4), command=('group_add_member', [group4], dict(user=user1)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group4), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': [user1], 'memberof_group': [group3], 'memberofindirect_group': [group1], 'gidnumber': [fuzzy_digits], 'cn': [group4], 'description': [u'Test desc 4'], }, ), ), dict( desc='Add a user member %r to %r' % (user4, group4), command=('group_add_member', [group4], dict(user=user4)), expected=dict( completed=1, failed=dict(member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': DN(('cn', group4), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), 'member_user': [user1, user4], 'memberof_group': [group3], 'memberofindirect_group': [group1], 'gidnumber': [fuzzy_digits], 'cn': [group4], 'description': [u'Test desc 4'], }, ), ), dict( desc='Retrieve group %r' % group1, command=('group_show', [group1], {}), expected=dict( value=group1, summary=None, result=dict( cn=[group1], description=[u'Test desc 1'], gidnumber=[fuzzy_digits], memberindirect_group=[group4], member_group=[group2, group3], memberindirect_user=[user1, user2, user3, user4], dn=DN(('cn', 'testgroup1'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Retrieve group %r' % group2, command=('group_show', [group2], {}), expected=dict( value=group2, summary=None, result=dict( cn=[group2], description=[u'Test desc 2'], gidnumber=[fuzzy_digits], memberof_group=[group1], member_user=[user1, user2], dn=DN(('cn', 'testgroup2'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Retrieve group %r' % group3, command=('group_show', [group3], {}), expected=dict( value=group3, summary=None, result=dict( cn=[group3], description=[u'Test desc 3'], gidnumber=[fuzzy_digits], memberof_group=[group1], member_user=[user3], member_group=[group4], memberindirect_user=[user1, user4], dn=DN(('cn', 'testgroup3'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Retrieve group %r' % group4, command=('group_show', [group4], {}), expected=dict( value=group4, summary=None, result=dict( cn=[group4], description=[u'Test desc 4'], gidnumber=[fuzzy_digits], memberof_group=[group3], member_user=[user1, user4], memberofindirect_group=[group1], dn=DN(('cn', 'testgroup4'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), # Now do something similar with hosts and hostgroups dict( desc='Create host %r' % fqdn1, command=( 'host_add', [fqdn1], dict( description=u'Test host 1', l=u'Undisclosed location 1', force=True, ), ), expected=dict( value=fqdn1, summary=u'Added host "%s"' % fqdn1, result=dict( dn=host_dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], objectclass=objectclasses.host, ipauniqueid=[fuzzy_uuid], managedby_host=[fqdn1], has_keytab=False, has_password=False, ), ), ), dict( desc='Create %r' % hostgroup1, command=('hostgroup_add', [hostgroup1], dict(description=u'Test hostgroup 1')), expected=dict( value=hostgroup1, summary=u'Added hostgroup "testhostgroup1"', result=dict( dn=hgdn1, cn=[hostgroup1], objectclass=objectclasses.hostgroup, description=[u'Test hostgroup 1'], ipauniqueid=[fuzzy_uuid], mepmanagedentry=[ DN(('cn', hostgroup1), ('cn', 'ng'), ('cn', 'alt'), api.env.basedn) ], ), ), ), dict( desc='Create %r' % hostgroup2, command=('hostgroup_add', [hostgroup2], dict(description=u'Test hostgroup 2')), expected=dict( value=hostgroup2, summary=u'Added hostgroup "testhostgroup2"', result=dict( dn=hgdn2, cn=[hostgroup2], objectclass=objectclasses.hostgroup, description=[u'Test hostgroup 2'], ipauniqueid=[fuzzy_uuid], mepmanagedentry=[ DN(('cn', hostgroup2), ('cn', 'ng'), ('cn', 'alt'), api.env.basedn) ], ), ), ), dict( desc=u'Add host %r to %r' % (fqdn1, hostgroup2), command=('hostgroup_add_member', [hostgroup2], dict(host=fqdn1)), expected=dict( completed=1, failed=dict(member=dict( host=tuple(), hostgroup=tuple(), ), ), result={ 'dn': hgdn2, 'cn': [hostgroup2], 'description': [u'Test hostgroup 2'], 'member_host': [fqdn1], }, ), ), dict( desc=u'Add hostgroup %r to %r' % (hostgroup2, hostgroup1), command=('hostgroup_add_member', [hostgroup1], dict(hostgroup=hostgroup2)), expected=dict( completed=1, failed=dict(member=dict( host=tuple(), hostgroup=tuple(), ), ), result={ 'dn': hgdn1, 'cn': [hostgroup1], 'description': [u'Test hostgroup 1'], 'member_hostgroup': [hostgroup2], 'memberindirect_host': [fqdn1], }, ), ), dict( desc='Retrieve %r' % hostgroup1, command=('hostgroup_show', [hostgroup1], {}), expected=dict( value=hostgroup1, summary=None, result={ 'dn': hgdn1, 'memberindirect_host': [u'testhost1.%s' % api.env.domain], 'member_hostgroup': [hostgroup2], 'cn': [hostgroup1], 'description': [u'Test hostgroup 1'], }, ), ), dict( desc='Retrieve %r' % fqdn1, command=('host_show', [fqdn1], {}), expected=dict( value=fqdn1, summary=None, result=dict( dn=host_dn1, fqdn=[fqdn1], description=[u'Test host 1'], l=[u'Undisclosed location 1'], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], has_keytab=False, has_password=False, managedby_host=[fqdn1], memberof_hostgroup=[u'testhostgroup2'], memberofindirect_hostgroup=[u'testhostgroup1'], ), ), ), ]
class test_attr(Declarative): cleanup_commands = [ ('user_del', [user1], {}), ] tests = [ dict( desc='Try to add user %r with single-value attribute set via ' 'option and --addattr' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1', addattr=u'sn=User2')), expected=errors.OnlyOneValueAllowed(attr='sn'), ), dict( desc='Create %r' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1', setattr=None)), expected=dict( value=user1, summary=u'Added user "tuser1"', result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Change givenname, add mail %r' % user1, command=('user_mod', [user1], dict(setattr=(u'givenname=Finkle', u'[email protected]'))), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Add another mail %r' % user1, command=('user_mod', [user1], dict(addattr=u'[email protected]')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Add two phone numbers at once %r' % user1, command=('user_mod', [user1], dict(setattr=u'telephoneNumber=410-555-1212', addattr=u'telephoneNumber=301-555-1212')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'410-555-1212', u'301-555-1212'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Go from two phone numbers to one %r' % user1, command=('user_mod', [user1], dict(setattr=u'telephoneNumber=301-555-1212')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'301-555-1212'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Add two more phone numbers %r' % user1, command=('user_mod', [user1], dict(addattr=(u'telephoneNumber=703-555-1212', u'telephoneNumber=202-888-9833'))), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[ u'301-555-1212', u'703-555-1212', u'202-888-9833' ], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Delete one phone number for %r' % user1, command=('user_mod', [user1], dict(delattr=u'telephoneNumber=301-555-1212')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'703-555-1212', u'202-888-9833'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict(desc='Try deleting the number again for %r' % user1, command=('user_mod', [user1], dict(delattr=u'telephoneNumber=301-555-1212')), expected=errors.AttrValueNotFound(attr=u'telephonenumber', value=u'301-555-1212')), dict( desc='Add and delete one phone number for %r' % user1, command=('user_mod', [user1], dict(addattr=u'telephoneNumber=301-555-1212', delattr=u'telephoneNumber=202-888-9833')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'703-555-1212', u'301-555-1212'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Add and delete the same phone number for %r' % user1, command=('user_mod', [user1], dict(addattr=(u'telephoneNumber=301-555-1212', u'telephoneNumber=202-888-9833'), delattr=u'telephoneNumber=301-555-1212')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[ u'703-555-1212', u'301-555-1212', u'202-888-9833' ], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Set and delete a phone number for %r' % user1, command=('user_mod', [user1], dict(setattr=(u'telephoneNumber=301-555-1212', u'telephoneNumber=202-888-9833'), delattr=u'telephoneNumber=301-555-1212')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'202-888-9833'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Try setting givenname to None with setattr in %r' % user1, command=('user_mod', [user1], dict(setattr=(u'givenname='))), expected=errors.RequirementError(name='givenname'), ), dict( desc='Try setting givenname to None with option in %r' % user1, command=('user_mod', [user1], dict(givenname=None)), expected=errors.RequirementError(name='first'), ), dict( desc='Make sure setting givenname works with option in %r' % user1, command=('user_mod', [user1], dict(givenname=u'Fred')), expected=dict( result=get_user_result( user1, u'Fred', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'202-888-9833'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Make sure setting givenname works with setattr in %r' % user1, command=('user_mod', [user1], dict(setattr=u'givenname=Finkle')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'202-888-9833'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Try to "remove" empty location from %r' % user1, command=('user_mod', [user1], dict(l=None)), expected=errors.EmptyModlist(), ), dict( desc='Lock %r using setattr' % user1, command=('user_mod', [user1], dict(setattr=u'nsaccountlock=TrUe')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'202-888-9833'], nsaccountlock=True, ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Unlock %r using addattr&delattr' % user1, command=('user_mod', [user1], dict(addattr=u'nsaccountlock=FaLsE', delattr=u'nsaccountlock=TRUE')), expected=dict( result=get_user_result( user1, u'Finkle', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], telephonenumber=[u'202-888-9833'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Try adding a new group search fields config entry', command=('config_mod', [], dict(addattr=u'ipagroupsearchfields=newattr')), expected=errors.OnlyOneValueAllowed(attr='ipagroupsearchfields'), ), dict( desc='Try adding a new cert subject base config entry', command=('config_mod', [], dict(addattr=u'ipacertificatesubjectbase=0=DOMAIN.COM')), expected=errors.ValidationError( name='ipacertificatesubjectbase', error='attribute is not configurable'), ), dict( desc='Try deleting a required config entry', command=('config_mod', [], dict(delattr=u'ipasearchrecordslimit=100')), expected=errors.RequirementError(name='ipasearchrecordslimit'), ), dict( desc='Try setting nonexistent attribute', command=('config_mod', [], dict(setattr=u'invalid_attr=false')), expected=errors.ObjectclassViolation( info='attribute "invalid_attr" not allowed'), ), dict( desc='Try setting out-of-range krbpwdmaxfailure', command=('pwpolicy_mod', [], dict(setattr=u'krbpwdmaxfailure=-1')), expected=errors.ValidationError(name='krbpwdmaxfailure', error='must be at least 0'), ), dict( desc='Try setting out-of-range maxfail', command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'-1')), expected=errors.ValidationError(name='maxfail', error='must be at least 0'), ), dict( desc='Try setting non-numeric krbpwdmaxfailure', command=('pwpolicy_mod', [], dict(setattr=u'krbpwdmaxfailure=abc')), expected=errors.ConversionError(name='krbpwdmaxfailure', error='must be an integer'), ), dict( desc='Try setting non-numeric maxfail', command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'abc')), expected=errors.ConversionError(name='maxfail', error='must be an integer'), ), dict( desc='Try deleting bogus attribute', command=('config_mod', [], dict(delattr=u'bogusattribute=xyz')), expected=errors.ValidationError( name='bogusattribute', error='No such attribute on this entry'), ), dict( desc='Try deleting empty attribute', command=('config_mod', [], dict(delattr=u'ipaCustomFields=See Also,seealso,false')), expected=errors.ValidationError( name='ipacustomfields', error='No such attribute on this entry'), ), dict( desc='Set and delete one value, plus try deleting a missing one', command=('config_mod', [], dict(delattr=[ u'ipaCustomFields=See Also,seealso,false', u'ipaCustomFields=Country,c,false' ], addattr=u'ipaCustomFields=See Also,seealso,false')), expected=errors.AttrValueNotFound(attr='ipacustomfields', value='Country,c,false'), ), dict( desc='Try to delete an operational attribute with --delattr', command=('config_mod', [], dict(delattr=u'creatorsName=cn=directory manager')), expected=errors.DatabaseError( desc='Server is unwilling to perform', info=''), ), ]
class test_replace(Declarative): cleanup_commands = [ ('user_del', [user1], {}), ] tests = [ dict( desc='Create %r with 2 e-mail accounts' % user1, command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1', mail=[u'*****@*****.**', u'*****@*****.**'])), expected=dict( value=user1, summary=u'Added user "tuser1"', result=get_user_result( user1, u'Test', u'User1', 'add', mail=[u'*****@*****.**', u'*****@*****.**'], ), ), ), dict( desc='Drop one e-mail account, add another to %r' % user1, command=('user_mod', [user1], dict(mail=[u'*****@*****.**', u'*****@*****.**'])), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', mail=[u'*****@*****.**', u'*****@*****.**'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Set mail to a new single value %r' % user1, command=('user_mod', [user1], dict(mail=u'*****@*****.**')), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', mail=[u'*****@*****.**'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Set mail to three new values %r' % user1, command=('user_mod', [user1], dict(mail=[ u'*****@*****.**', u'*****@*****.**', u'*****@*****.**' ])), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', mail=[ u'*****@*****.**', u'*****@*****.**', u'*****@*****.**' ], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Remove all mail values %r' % user1, command=('user_mod', [user1], dict(mail=u'')), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', omit=['mail'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Ensure single-value mods work too, replace initials %r' % user1, command=('user_mod', [user1], dict(initials=u'ABC')), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', initials=[u'ABC'], omit=['mail'], ), summary=u'Modified user "tuser1"', value=user1, ), ), dict( desc='Drop a single-value attribute %r' % user1, command=('user_mod', [user1], dict(initials=u'')), expected=dict( result=get_user_result( user1, u'Test', u'User1', 'mod', omit=['mail'], ), summary=u'Modified user "tuser1"', value=user1, ), ), ]
class test_range(Declarative): @classmethod def setup_class(cls): super(test_range, cls).setup_class() cls.teardown_class() cls.mockldap = MockLDAP() cls.mockldap.add_entry(trust_container_dn, trust_container_add) cls.mockldap.add_entry(smb_cont_dn, smb_cont_add) cls.mockldap.add_entry(trust_local_dn, trust_local_add) cls.mockldap.add_entry(domain2_dn, domain2_add) cls.mockldap.add_entry(domain3_dn, domain3_add) cls.mockldap.add_entry(domain4_dn, domain4_add) cls.mockldap.add_entry(domain5_dn, domain5_add) cls.mockldap.add_entry(domain6_dn, domain6_add) cls.mockldap.add_entry(domain7_dn, domain7_add) cls.mockldap.add_entry(domain1range1_dn, domain1range1_add) cls.mockldap.add_entry(domain2range1_dn, domain2range1_add) cls.mockldap.add_entry(domain2range2_dn, domain2range2_add) cls.mockldap.add_entry(domain3range1_dn, domain3range1_add) cls.mockldap.add_entry(domain3range2_dn, domain3range2_add) cls.mockldap.add_entry(domain4range1_dn, domain4range1_add) cls.mockldap.add_entry(domain5range1_dn, domain5range1_add) cls.mockldap.add_entry(domain5range2_dn, domain5range2_add) cls.mockldap.add_entry(domain6range1_dn, domain6range1_add) cls.mockldap.unbind() @classmethod def teardown_class(cls): cls.mockldap = MockLDAP() cls.mockldap.del_entry(domain2_dn) cls.mockldap.del_entry(domain3_dn) cls.mockldap.del_entry(domain4_dn) cls.mockldap.del_entry(domain5_dn) cls.mockldap.del_entry(domain6_dn) cls.mockldap.del_entry(domain7_dn) cls.mockldap.del_entry(domain1range1_dn) cls.mockldap.del_entry(domain2range1_dn) cls.mockldap.del_entry(domain2range2_dn) cls.mockldap.del_entry(domain3range1_dn) cls.mockldap.del_entry(domain3range2_dn) cls.mockldap.del_entry(domain4range1_dn) cls.mockldap.del_entry(domain5range1_dn) cls.mockldap.del_entry(domain5range2_dn) cls.mockldap.del_entry(domain6range1_dn) cls.mockldap.del_entry(domain7range1_dn) cls.mockldap.del_entry(trust_container_dn) cls.mockldap.del_entry(trust_local_dn) cls.mockldap.del_entry(smb_cont_dn) cls.mockldap.unbind() cleanup_commands = [ ('idrange_del', [ testrange1, testrange2, testrange3, testrange4, testrange5, testrange6, testrange7, testrange8 ], { 'continue': True }), ('user_del', [user1], {}), ('group_del', [group1], {}), ] # Basic tests. tests = [ dict( desc='Create ID range %r' % (testrange1), command=('idrange_add', [testrange1], dict(ipabaseid=testrange1_base_id, ipaidrangesize=testrange1_size, ipabaserid=testrange1_base_rid, ipasecondarybaserid=testrange1_secondary_base_rid)), expected=dict( result=dict( dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange1], objectclass=[u'ipaIDrange', u'ipadomainidrange'], ipabaseid=[unicode(testrange1_base_id)], ipabaserid=[unicode(testrange1_base_rid)], ipasecondarybaserid=[ unicode(testrange1_secondary_base_rid) ], ipaidrangesize=[unicode(testrange1_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange1, summary=u'Added ID range "%s"' % (testrange1), ), ), dict( desc='Retrieve ID range %r' % (testrange1), command=('idrange_show', [testrange1], dict()), expected=dict( result=dict( dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange1], ipabaseid=[unicode(testrange1_base_id)], ipabaserid=[unicode(testrange1_base_rid)], ipasecondarybaserid=[ unicode(testrange1_secondary_base_rid) ], ipaidrangesize=[unicode(testrange1_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange1, summary=None, ), ), # Checks for modifications leaving objects outside of the range. dict( desc='Create user %r in ID range %r' % (user1, testrange1), command=('user_add', [user1], dict(givenname=u'Test', sn=u'User1', uidnumber=user1_uid)), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result( user1, u'Test', u'User1', 'add', uidnumber=[unicode(user1_uid)], gidnumber=[unicode(user1_uid)], ), ), ), dict( desc='Create group %r in ID range %r' % (group1, testrange1), command=('group_add', [group1], dict(description=u'Test desc 1', gidnumber=group1_gid)), expected=dict( value=group1, summary=u'Added group "%s"' % group1, result=dict( cn=[group1], description=[u'Test desc 1'], gidnumber=[unicode(group1_gid)], objectclass=objectclasses.group + [u'posixgroup'], ipauniqueid=[fuzzy_uuid], dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn), ), ), ), dict( desc='Try to modify ID range %r to get out bounds object #1' % (testrange1), command=('idrange_mod', [testrange1], dict(ipabaseid=user1_uid + 1)), expected=errors.ValidationError( name='ipabaseid,ipaidrangesize', error=u'range modification leaving objects with ID out of the' u' defined range is not allowed'), ), dict( desc='Try to modify ID range %r to get out bounds object #2' % (testrange1), command=('idrange_mod', [testrange1], dict(ipaidrangesize=100)), expected=errors.ValidationError( name='ipabaseid,ipaidrangesize', error=u'range modification leaving objects with ID out of the' u' defined range is not allowed'), ), dict( desc='Try to modify ID range %r to get out bounds object #3' % (testrange1), command=('idrange_mod', [testrange1], dict(ipabaseid=100, ipaidrangesize=100)), expected=errors.ValidationError( name='ipabaseid,ipaidrangesize', error=u'range modification leaving objects with ID out of the' u' defined range is not allowed'), ), dict( desc='Modify ID range %r' % (testrange1), command=('idrange_mod', [testrange1], dict(ipaidrangesize=90000)), expected=dict( result=dict( cn=[testrange1], ipabaseid=[unicode(testrange1_base_id)], ipabaserid=[unicode(testrange1_base_rid)], ipasecondarybaserid=[ unicode(testrange1_secondary_base_rid) ], ipaidrangesize=[u'90000'], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange1, summary=u'Modified ID range "%s"' % (testrange1), ), ), dict( desc='Try to delete ID range %r with active IDs inside it' % testrange1, command=('idrange_del', [testrange1], {}), expected=errors.ValidationError( name='ipabaseid,ipaidrangesize', error=u'range modification leaving objects with ID out of the' u' defined range is not allowed'), ), dict( desc='Delete user %r' % user1, command=('user_del', [user1], {}), expected=dict( result=dict(failed=[]), value=[user1], summary=u'Deleted user "%s"' % user1, ), ), dict( desc='Delete group %r' % group1, command=('group_del', [group1], {}), expected=dict( result=dict(failed=[]), value=[group1], summary=u'Deleted group "%s"' % group1, ), ), dict( desc='Delete ID range %r' % testrange1, command=('idrange_del', [testrange1], {}), expected=dict( result=dict(failed=[]), value=[testrange1], summary=u'Deleted ID range "%s"' % testrange1, ), ), # Tests for overlapping local ranges. dict( desc='Create ID range %r' % (testrange2), command=('idrange_add', [testrange2], dict(ipabaseid=testrange2_base_id, ipaidrangesize=testrange2_size, ipabaserid=testrange2_base_rid, ipasecondarybaserid=testrange2_secondary_base_rid)), expected=dict( result=dict( dn=DN(('cn', testrange2), ('cn', 'ranges'), ('cn', 'etc'), api.env.basedn), cn=[testrange2], objectclass=[u'ipaIDrange', u'ipadomainidrange'], ipabaseid=[unicode(testrange2_base_id)], ipabaserid=[unicode(testrange2_base_rid)], ipasecondarybaserid=[ unicode(testrange2_secondary_base_rid) ], ipaidrangesize=[unicode(testrange2_size)], iparangetyperaw=[u'ipa-local'], iparangetype=[u'local domain range'], ), value=testrange2, summary=u'Added ID range "%s"' % (testrange2), ), ), dict( desc= 'Try to modify ID range %r so that its rid ranges are overlapping themselves' % (testrange2), command=('idrange_mod', [testrange2], dict(ipabaserid=(testrange2_secondary_base_rid))), expected=errors.ValidationError( name='ID Range setup', error='Primary RID range and secondary RID range cannot overlap' ), ), dict( desc='Try to create ID range %r with overlapping rid range' % (testrange3), command=('idrange_add', [testrange3], dict(ipabaseid=testrange3_base_id, ipaidrangesize=testrange3_size, ipabaserid=testrange3_base_rid, ipasecondarybaserid=testrange3_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New primary rid range overlaps with existing primary rid range.' ), ), dict( desc= 'Try to create ID range %r with overlapping secondary rid range' % (testrange4), command=('idrange_add', [testrange4], dict(ipabaseid=testrange4_base_id, ipaidrangesize=testrange4_size, ipabaserid=testrange4_base_rid, ipasecondarybaserid=testrange4_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New secondary rid range overlaps with existing secondary rid range.' ), ), dict( desc= 'Try to create ID range %r with primary range overlapping secondary rid range' % (testrange5), command=('idrange_add', [testrange5], dict(ipabaseid=testrange5_base_id, ipaidrangesize=testrange5_size, ipabaserid=testrange5_base_rid, ipasecondarybaserid=testrange5_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info= 'New primary rid range overlaps with existing secondary rid range.' ), ), dict( desc='Try to create ID range %r with overlapping id range' % (testrange6), command=('idrange_add', [testrange6], dict(ipabaseid=testrange6_base_id, ipaidrangesize=testrange6_size, ipabaserid=testrange6_base_rid, ipasecondarybaserid=testrange6_secondary_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), dict( desc= 'Try to create ID range %r with rid ranges overlapping themselves' % (testrange7), command=('idrange_add', [testrange7], dict(ipabaseid=testrange7_base_id, ipaidrangesize=testrange7_size, ipabaserid=testrange7_base_rid, ipasecondarybaserid=testrange7_secondary_base_rid)), expected=errors.ValidationError( name='ID Range setup', error='Primary RID range and secondary RID range cannot overlap' ), ), dict( desc='Delete ID range %r' % testrange2, command=('idrange_del', [testrange2], {}), expected=dict( result=dict(failed=[]), value=[testrange2], summary=u'Deleted ID range "%s"' % testrange2, ), ), # Testing framework validation: --dom-sid/--dom-name and secondary RID # base cannot be used together dict( desc='Create ID range %r' % (testrange8), command=('idrange_add', [testrange8], dict(ipabaseid=testrange8_base_id, ipaidrangesize=testrange8_size, ipabaserid=testrange8_base_rid, ipasecondarybaserid=testrange8_secondary_base_rid, ipanttrusteddomainsid=domain1_sid)), expected=errors.ValidationError( name='ID Range setup', error='Options dom-sid/dom-name and ' 'secondary-rid-base cannot be used together'), ), # Testing framework validation: --rid-base is prohibited with ipa-ad-posix dict( desc='Try to create ipa-ad-trust-posix ID range %r with base RID' % (domain7range1), command=('idrange_add', [domain7range1], dict(ipabaseid=domain7range1_base_id, ipaidrangesize=domain7range1_size, ipabaserid=domain7range1_base_rid, iparangetype=domain7range1_type, ipanttrusteddomainsid=domain7_sid)), expected=errors.ValidationError( name='ID Range setup', error='Option rid-base must not be used when IPA range ' 'type is ipa-ad-trust-posix'), ), dict( desc='Create ID range %r' % (domain7range1), command=('idrange_add', [domain7range1], dict(ipabaseid=domain7range1_base_id, ipaidrangesize=domain7range1_size, iparangetype=domain7range1_type, ipanttrusteddomainsid=domain7_sid)), expected=dict( result=dict( dn=unicode(domain7range1_dn), cn=[domain7range1], objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'], ipabaseid=[unicode(domain7range1_base_id)], ipaidrangesize=[unicode(domain7range1_size)], ipanttrusteddomainsid=[unicode(domain7_sid)], iparangetyperaw=[u'ipa-ad-trust-posix'], iparangetype=[ u'Active Directory trust range with POSIX attributes' ], ), value=unicode(domain7range1), summary=u'Added ID range "%s"' % (domain7range1), ), ), dict( desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' % (domain7range1), command=('idrange_mod', [domain7range1], dict(ipabaserid=domain7range1_base_rid)), expected=errors.ValidationError( name='ID Range setup', error='Option rid-base must not be used when IPA range ' 'type is ipa-ad-trust-posix'), ), # Testing prohibition of deletion of ranges belonging to active # trusted domains. dict( desc='Delete non-active AD trusted range %r' % domain1range1, command=('idrange_del', [domain1range1], {}), expected=dict( result=dict(failed=[]), value=[domain1range1], summary=u'Deleted ID range "%s"' % domain1range1, ), ), dict( desc='Try to delete active AD trusted range %r' % domain2range1, command=('idrange_del', [domain2range1], {}), expected=errors.DependentEntry(label='Active Trust domain', key=domain2range1, dependent=domain2), ), # Testing base range overlaps for ranges of different types and # different domains # - Base range overlaps # 1. ipa-ad-trust-posix type ranges from the same forest can overlap # on base ranges, use domain3range1 and domain3range2 dict( desc=('Modify ipa-ad-trust-posix range %r to overlap on base range' ' with posix range from the same domain' % (domain3range2)), command=('idrange_mod', [domain3range2], dict(ipabaseid=domain3range1_base_id)), expected=dict( result=dict( cn=[domain3range2], ipabaseid=[unicode(domain3range1_base_id)], ipaidrangesize=[unicode(domain3range2_size)], ipanttrusteddomainsid=[unicode(domain3_sid)], iparangetyperaw=[u'ipa-ad-trust-posix'], iparangetype=[ u'Active Directory trust range with POSIX ' 'attributes' ], ), value=domain3range2, summary=u'Modified ID range "%s"' % (domain3range2), ), ), # 2. ipa-ad-trust-posix type ranges from different forests cannot # overlap on base ranges, use domain3range1 and domain4range1 dict( desc=('Modify ipa-ad-trust-posix range %r to overlap on base range' ' with posix range from different domain' % (domain3range1)), command=('idrange_mod', [domain3range1], dict(ipabaseid=domain4range1_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # 3. ipa-ad-trust ranges from same forest cannot overlap on base ranges, # use domain5range1 and domain5range2 dict( desc=('Modify ipa-ad-trust range %r to overlap on base range' ' with posix range from the same domain' % (domain5range1)), command=('idrange_mod', [domain5range1], dict(ipabaseid=domain5range2_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # 4. ipa-ad-trust ranges from different forests cannot overlap on base # ranges, use domain5range1 and domain6range1 dict( desc=('Modify ipa-ad-trust range %r to overlap on base range' ' with posix range from different domain' % (domain5range1)), command=('idrange_mod', [domain5range1], dict(ipabaseid=domain6range1_base_id)), expected=errors.DatabaseError( desc='Constraint violation', info='New base range overlaps with existing base range.'), ), # - RID range overlaps # 1. Overlaps on base RID ranges are allowed for ranges from different # domains, use domain2range1 and domain5range1 dict( desc=('Modify ipa-ad-trust range %r to overlap on base RID' ' range with nonposix range from different domain' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipabaserid=domain5range1_base_rid)), expected=dict( result=dict( cn=[domain2range1], ipabaseid=[unicode(domain2range1_base_id)], ipabaserid=[unicode(domain5range1_base_rid)], ipaidrangesize=[unicode(domain2range1_size)], ipanttrusteddomainsid=[unicode(domain2_sid)], iparangetyperaw=[u'ipa-ad-trust'], iparangetype=[u'Active Directory domain range'], ), value=domain2range1, summary=u'Modified ID range "%s"' % (domain2range1), ), ), # 2. ipa-ad-trust ranges from the same forest cannot overlap on base # RID ranges, use domain5range1 and domain5range2 dict( desc=('Modify ipa-ad-trust range %r to overlap on base RID range' ' with range from the same domain' % (domain2range1)), command=('idrange_mod', [domain2range1], dict(ipabaserid=domain2range2_base_rid)), expected=errors.DatabaseError( desc='Constraint violation', info='New primary rid range overlaps with existing primary rid ' 'range.'), ), ]
class test_group(Declarative): cleanup_commands = [ ('group_del', [group1], {}), ('group_del', [group2], {}), ('group_del', [group3], {}), ('group_del', [renamedgroup1], {}), ('user_del', [user1], {}), ] tests = [ ################ # create group1: dict( desc='Try to retrieve non-existent %r' % group1, command=('group_show', [group1], {}), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Try to update non-existent %r' % group1, command=('group_mod', [group1], dict(description=u'Foo')), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Try to delete non-existent %r' % group1, command=('group_del', [group1], {}), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Try to rename non-existent %r' % group1, command=('group_mod', [group1], dict(setattr=u'cn=%s' % renamedgroup1)), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Create non-POSIX %r' % group1, command=( 'group_add', [group1], dict(description=u'Test desc 1',nonposix=True) ), expected=dict( value=group1, summary=u'Added group "testgroup1"', result=dict( cn=[group1], description=[u'Test desc 1'], objectclass=objectclasses.group, ipauniqueid=[fuzzy_uuid], dn=get_group_dn('testgroup1'), ), ), ), dict( desc='Try to create duplicate %r' % group1, command=( 'group_add', [group1], dict(description=u'Test desc 1') ), expected=errors.DuplicateEntry( message=u'group with name "%s" already exists' % group1), ), dict( desc='Retrieve non-POSIX %r' % group1, command=('group_show', [group1], {}), expected=dict( value=group1, summary=None, result=dict( cn=[group1], description=[u'Test desc 1'], dn=get_group_dn('testgroup1'), ), ), ), dict( desc='Updated non-POSIX %r' % group1, command=( 'group_mod', [group1], dict(description=u'New desc 1') ), expected=dict( result=dict( cn=[group1], description=[u'New desc 1'], ), summary=u'Modified group "testgroup1"', value=group1, ), ), dict( desc='Retrieve %r to verify update' % group1, command=('group_show', [group1], {}), expected=dict( value=group1, result=dict( cn=[group1], description=[u'New desc 1'], dn=get_group_dn('testgroup1'), ), summary=None, ), ), # FIXME: The return value is totally different here than from the above # group_mod() test. I think that for all *_mod() commands we should # just return the entry exactly as *_show() does. dict( desc='Updated %r to promote it to a POSIX group' % group1, command=('group_mod', [group1], dict(posix=True)), expected=dict( result=dict( cn=[group1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], ), value=group1, summary=u'Modified group "testgroup1"', ), ), dict( desc="Retrieve %r to verify it's a POSIX group" % group1, command=('group_show', [group1], {}), expected=dict( value=group1, result=dict( cn=[group1], description=(u'New desc 1',), dn=get_group_dn('testgroup1'), gidnumber=[fuzzy_digits], ), summary=None, ), ), dict( desc='Search for %r' % group1, command=('group_find', [], dict(cn=group1)), expected=dict( count=1, truncated=False, result=[ dict( dn=get_group_dn(group1), cn=[group1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], ), ], summary=u'1 group matched', ), ), ################ # create group2: dict( desc='Try to retrieve non-existent %r' % group2, command=('group_show', [group2], {}), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Try to update non-existent %r' % group2, command=('group_mod', [group2], dict(description=u'Foo')), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Try to delete non-existent %r' % group2, command=('group_del', [group2], {}), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Create %r' % group2, command=( 'group_add', [group2], dict(description=u'Test desc 2') ), expected=dict( value=group2, summary=u'Added group "testgroup2"', result=dict( cn=[group2], description=[u'Test desc 2'], gidnumber=[fuzzy_digits], objectclass=objectclasses.posixgroup, ipauniqueid=[fuzzy_uuid], dn=get_group_dn('testgroup2'), ), ), ), dict( desc='Try to create duplicate %r' % group2, command=( 'group_add', [group2], dict(description=u'Test desc 2') ), expected=errors.DuplicateEntry( message=u'group with name "%s" already exists' % group2), ), dict( desc='Retrieve %r' % group2, command=('group_show', [group2], {}), expected=dict( value=group2, summary=None, result=dict( cn=[group2], description=[u'Test desc 2'], gidnumber=[fuzzy_digits], dn=get_group_dn('testgroup2'), ), ), ), dict( desc='Updated %r' % group2, command=( 'group_mod', [group2], dict(description=u'New desc 2') ), expected=dict( result=dict( cn=[group2], gidnumber=[fuzzy_digits], description=[u'New desc 2'], ), summary=u'Modified group "testgroup2"', value=group2, ), ), dict( desc='Retrieve %r to verify update' % group2, command=('group_show', [group2], {}), expected=dict( value=group2, result=dict( cn=[group2], description=[u'New desc 2'], gidnumber=[fuzzy_digits], dn=get_group_dn('testgroup2'), ), summary=None, ), ), dict( desc='Search for %r' % group2, command=('group_find', [], dict(cn=group2)), expected=dict( count=1, truncated=False, result=[ dict( dn=get_group_dn('testgroup2'), cn=[group2], description=[u'New desc 2'], gidnumber=[fuzzy_digits], ), ], summary=u'1 group matched', ), ), dict( desc='Search for all groups', command=('group_find', [], {}), expected=dict( summary=u'6 groups matched', count=6, truncated=False, result=[ { 'dn': get_group_dn('admins'), 'member_user': [u'admin'], 'gidnumber': [fuzzy_digits], 'cn': [u'admins'], 'description': [u'Account administrators group'], }, { 'dn': get_group_dn('editors'), 'gidnumber': [fuzzy_digits], 'cn': [u'editors'], 'description': [u'Limited admins who can edit other users'], }, { 'dn': get_group_dn('ipausers'), 'cn': [u'ipausers'], 'description': [u'Default group for all users'], }, dict( dn=get_group_dn(group1), cn=[group1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], ), dict( dn=get_group_dn(group2), cn=[group2], description=[u'New desc 2'], gidnumber=[fuzzy_digits], ), { 'dn': get_group_dn('trust admins'), 'member_user': [u'admin'], 'cn': [u'trust admins'], 'description': [u'Trusts administrators group'], }, ], ), ), dict( desc='Search for non-POSIX groups', command=('group_find', [], dict(nonposix=True, all=True)), expected=dict( summary=u'2 groups matched', count=2, truncated=False, result=[ { 'dn': get_group_dn('ipausers'), 'cn': [u'ipausers'], 'description': [u'Default group for all users'], 'objectclass': fuzzy_set_ci(objectclasses.group), 'ipauniqueid': [fuzzy_uuid], }, { 'dn': get_group_dn('trust admins'), 'member_user': [u'admin'], 'cn': [u'trust admins'], 'description': [u'Trusts administrators group'], 'objectclass': fuzzy_set_ci(objectclasses.group), 'ipauniqueid': [fuzzy_uuid], }, ], ), ), dict( desc='Search for non-POSIX groups with criteria filter', command=('group_find', [u'users'], dict(nonposix=True, all=True)), expected=dict( summary=u'1 group matched', count=1, truncated=False, result=[ { 'dn': get_group_dn('ipausers'), 'cn': [u'ipausers'], 'description': [u'Default group for all users'], 'objectclass': fuzzy_set_ci(objectclasses.group), 'ipauniqueid': [fuzzy_uuid], }, ], ), ), dict( desc='Search for POSIX groups', command=('group_find', [], dict(posix=True, all=True)), expected=dict( summary=u'4 groups matched', count=4, truncated=False, result=[ add_sid({ 'dn': get_group_dn('admins'), 'member_user': [u'admin'], 'gidnumber': [fuzzy_digits], 'cn': [u'admins'], 'description': [u'Account administrators group'], 'objectclass': fuzzy_set_ci(add_oc( objectclasses.posixgroup, u'ipantgroupattrs')), 'ipauniqueid': [fuzzy_uuid], }), add_sid({ 'dn': get_group_dn('editors'), 'gidnumber': [fuzzy_digits], 'cn': [u'editors'], 'description': [u'Limited admins who can edit other users'], 'objectclass': fuzzy_set_ci(add_oc( objectclasses.posixgroup, u'ipantgroupattrs', check_sidgen=True)), 'ipauniqueid': [fuzzy_uuid], }, check_sidgen=True), dict( dn=get_group_dn(group1), cn=[group1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], objectclass=fuzzy_set_ci(objectclasses.posixgroup), ipauniqueid=[fuzzy_uuid], ), add_sid(dict( dn=get_group_dn(group2), cn=[group2], description=[u'New desc 2'], gidnumber=[fuzzy_digits], objectclass=fuzzy_set_ci(add_oc( objectclasses.posixgroup, u'ipantgroupattrs')), ipauniqueid=[fuzzy_uuid], )), ], ), ), ############### # test external SID members for group3: dict( desc='Create external %r' % group3, command=( 'group_add', [group3], dict(description=u'Test desc 3',external=True) ), expected=dict( value=group3, summary=u'Added group "testgroup3"', result=dict( cn=[group3], description=[u'Test desc 3'], objectclass=objectclasses.externalgroup, ipauniqueid=[fuzzy_uuid], dn=get_group_dn(group3), ), ), ), dict( desc='Search for external groups', command=('group_find', [], dict(external=True, all=True)), expected=dict( summary=u'1 group matched', count=1, truncated=False, result=[ dict( cn=[group3], description=[u'Test desc 3'], objectclass=fuzzy_set_ci(objectclasses.externalgroup), ipauniqueid=[fuzzy_uuid], dn=get_group_dn(group3), ), ], ), ), dict( desc='Convert posix group %r to support external membership' % (group2), command=( 'group_mod', [group2], dict(external=True) ), expected=errors.PosixGroupViolation(), ), dict( desc='Convert external members group %r to posix' % (group3), command=( 'group_mod', [group3], dict(posix=True) ), expected=errors.ExternalGroupViolation(), ), dict( desc='Add external member %r to %r' % (external_sid1, group3), command=( 'group_add_member', [group3], dict(ipaexternalmember=external_sid1) ), expected=lambda x, output: (type(x) == errors.ValidationError or type(x) == errors.NotFound or 'failed' in output), ), dict( desc='Remove group %r with external membership' % (group3), command=('group_del', [group3], {}), expected=dict( result=dict(failed=[]), value=[group3], summary=u'Deleted group "testgroup3"', ), ), ############### # member stuff: dict( desc='Add member %r to %r' % (group2, group1), command=( 'group_add_member', [group1], dict(group=group2) ), expected=dict( completed=1, failed=dict( member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': get_group_dn(group1), 'member_group': (group2,), 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'New desc 1'], }, ), ), dict( # FIXME: Shouldn't this raise a NotFound instead? desc='Try to add non-existent member to %r' % group1, command=( 'group_add_member', [group1], dict(group=u'notfound') ), expected=dict( completed=0, failed=dict( member=dict( group=[(u'notfound', u'no such entry')], user=tuple(), ), ), result={ 'dn': get_group_dn(group1), 'member_group': (group2,), 'gidnumber': [fuzzy_digits], 'cn': [group1], 'description': [u'New desc 1'], }, ), ), dict( desc='Remove member %r from %r' % (group2, group1), command=('group_remove_member', [group1], dict(group=group2) ), expected=dict( completed=1, failed=dict( member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': get_group_dn(group1), 'cn': [group1], 'gidnumber': [fuzzy_digits], 'description': [u'New desc 1'], }, ), ), dict( # FIXME: Shouldn't this raise a NotFound instead? desc='Try to remove non-existent member from %r' % group1, command=('group_remove_member', [group1], dict(group=u'notfound') ), expected=dict( completed=0, failed=dict( member=dict( group=[(u'notfound', u'This entry is not a member')], user=tuple(), ), ), result={ 'dn': get_group_dn(group1), 'cn': [group1], 'gidnumber': [fuzzy_digits], 'description': [u'New desc 1'], }, ), ), dict( desc='Rename %r' % group1, command=('group_mod', [group1], dict(setattr=u'cn=%s' % renamedgroup1)), expected=dict( value=group1, result=dict( cn=[renamedgroup1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], ), summary=u'Modified group "%s"' % group1 ) ), dict( desc='Rename %r back' % renamedgroup1, command=('group_mod', [renamedgroup1], dict(setattr=u'cn=%s' % group1)), expected=dict( value=renamedgroup1, result=dict( cn=[group1], description=[u'New desc 1'], gidnumber=[fuzzy_digits], ), summary=u'Modified group "%s"' % renamedgroup1 ) ), ################ # delete group1: dict( desc='Delete %r' % group1, command=('group_del', [group1], {}), expected=dict( result=dict(failed=[]), value=[group1], summary=u'Deleted group "testgroup1"', ) ), dict( desc='Try to delete non-existent %r' % group1, command=('group_del', [group1], {}), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Try to retrieve non-existent %r' % group1, command=('group_show', [group1], {}), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), dict( desc='Try to update non-existent %r' % group1, command=('group_mod', [group1], dict(description=u'Foo')), expected=errors.NotFound(reason=u'%s: group not found' % group1), ), ################ # delete group2: dict( desc='Delete %r' % group2, command=('group_del', [group2], {}), expected=dict( result=dict(failed=[]), value=[group2], summary=u'Deleted group "testgroup2"', ) ), dict( desc='Try to delete non-existent %r' % group2, command=('group_del', [group2], {}), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Try to retrieve non-existent %r' % group2, command=('group_show', [group2], {}), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Try to update non-existent %r' % group2, command=('group_mod', [group2], dict(description=u'Foo')), expected=errors.NotFound(reason=u'%s: group not found' % group2), ), dict( desc='Test an invalid group name %r' % invalidgroup1, command=('group_add', [invalidgroup1], dict(description=u'Test')), expected=errors.ValidationError(name='group_name', error=u'may only include letters, numbers, _, -, . and $'), ), # The assumption on these next 4 tests is that if we don't get a # validation error then the request was processed normally. dict( desc='Test that validation is disabled on mods', command=('group_mod', [invalidgroup1], {}), expected=errors.NotFound( reason=u'%s: group not found' % invalidgroup1), ), dict( desc='Test that validation is disabled on deletes', command=('group_del', [invalidgroup1], {}), expected=errors.NotFound( reason=u'%s: group not found' % invalidgroup1), ), dict( desc='Test that validation is disabled on show', command=('group_show', [invalidgroup1], {}), expected=errors.NotFound( reason=u'%s: group not found' % invalidgroup1), ), ##### managed entry tests dict( desc='Create %r' % user1, command=( 'user_add', [], dict(givenname=u'Test', sn=u'User1') ), expected=dict( value=user1, summary=u'Added user "%s"' % user1, result=get_user_result(user1, u'Test', u'User1', 'add'), ), ), dict( desc='Verify the managed group %r was created' % user1, command=('group_show', [user1], {}), expected=dict( value=user1, summary=None, result=dict( cn=[user1], description=[u'User private group for %s' % user1], gidnumber=[fuzzy_digits], dn=get_group_dn(user1), ), ), ), dict( desc='Verify that managed group %r can be found' % user1, command=('group_find', [], {'cn': user1, 'private': True}), expected=dict( count=1, truncated=False, result=[ dict( dn=get_group_dn(user1), cn=[user1], description=[u'User private group for %s' % user1], gidnumber=[fuzzy_digits], ), ], summary=u'1 group matched', ), ), dict( desc='Try to delete a managed group %r' % user1, command=('group_del', [user1], {}), expected=errors.ManagedGroupError(), ), dict( desc='Detach managed group %r' % user1, command=('group_detach', [user1], {}), expected=dict( result=True, value=user1, summary=u'Detached group "%s" from user "%s"' % (user1, user1), ), ), dict( desc='Now delete the unmanaged group %r' % user1, command=('group_del', [user1], {}), expected=dict( result=dict(failed=[]), value=[user1], summary=u'Deleted group "%s"' % user1, ) ), dict( desc='Verify that %r is really gone' % user1, command=('group_show', [user1], {}), expected=errors.NotFound(reason=u'%s: group not found' % user1), ), dict( desc='Delete %r' % user1, command=('user_del', [user1], {}), expected=dict( result=dict(failed=[]), summary=u'Deleted user "tuser1"', value=[user1], ), ), dict( desc='Create %r without User Private Group' % user1, command=( 'user_add', [user1], dict(givenname=u'Test', sn=u'User1', noprivate=True, gidnumber=1000) ), expected=dict( value=user1, summary=u'Added user "tuser1"', result=get_user_result( user1, u'Test', u'User1', 'add', description=[], objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs'), gidnumber=[u'1000'], omit=['mepmanagedentry'], ), ), ), dict( desc='Verify the managed group %r was not created' % user1, command=('group_show', [user1], {}), expected=errors.NotFound(reason=u'%s: group not found' % user1), ), dict( desc='Try to remove the admin user from the admins group', command=('group_remove_member', [u'admins'], dict(user=[u'admin'])), expected=errors.LastMemberError(key=u'admin', label=u'group', container='admins'), ), dict( desc='Add %r to the admins group' % user1, command=('group_add_member', [u'admins'], dict(user=user1)), expected=dict( completed=1, failed=dict( member=dict( group=tuple(), user=tuple(), ), ), result={ 'dn': get_group_dn('admins'), 'member_user': [u'admin', user1], 'gidnumber': [fuzzy_digits], 'cn': [u'admins'], 'description': [u'Account administrators group'], }, ), ), dict( desc='Try to remove admin and %r from the admins group' % user1, command=('group_remove_member', [u'admins'], dict(user=[u'admin', user1])), expected=errors.LastMemberError(key=u'admin', label=u'group', container='admins'), ), dict( desc='Try to delete the admins group', command=('group_del', [u'admins'], {}), expected=errors.ProtectedEntryError(label=u'group', key='admins', reason='privileged group'), ), dict( desc='Try to rename the admins group', command=('group_mod', [u'admins'], dict(rename=u'loosers')), expected=errors.ProtectedEntryError(label=u'group', key='admins', reason='Cannot be renamed'), ), dict( desc='Try to rename the admins group via setattr', command=('group_mod', [u'admins'], {'setattr': u'cn=loosers'}), expected=errors.ProtectedEntryError(label=u'group', key='admins', reason='Cannot be renamed'), ), dict( desc='Try to modify the admins group to support external membership', command=('group_mod', [u'admins'], dict(external=True)), expected=errors.ProtectedEntryError(label=u'group', key='admins', reason='Cannot support external non-IPA members'), ), dict( desc='Try to delete the trust admins group', command=('group_del', [u'trust admins'], {}), expected=errors.ProtectedEntryError(label=u'group', key='trust admins', reason='privileged group'), ), dict( desc='Try to rename the trust admins group', command=('group_mod', [u'trust admins'], dict(rename=u'loosers')), expected=errors.ProtectedEntryError(label=u'group', key='trust admins', reason='Cannot be renamed'), ), dict( desc='Try to rename the trust admins group via setattr', command=('group_mod', [u'trust admins'], {'setattr': u'cn=loosers'}), expected=errors.ProtectedEntryError(label=u'group', key='trust admins', reason='Cannot be renamed'), ), dict( desc='Try to modify the trust admins group to support external membership', command=('group_mod', [u'trust admins'], dict(external=True)), expected=errors.ProtectedEntryError(label=u'group', key='trust admins', reason='Cannot support external non-IPA members'), ), dict( desc='Delete %r' % user1, command=('user_del', [user1], {}), expected=dict( result=dict(failed=[]), summary=u'Deleted user "%s"' % user1, value=[user1], ), ), ]