class test_selinuxusermap(Declarative):
cleanup_commands = [
('selinuxusermap_del', [rule1], {}),
('group_del', [group1], {}),
('user_del', [user1], {}),
('host_del', [host1], {}),
('hbacrule_del', [hbacrule1], {}),
('hbacrule_del', [hbacrule2], {}),
]
tests = [
dict(
desc='Try to retrieve non-existent %r' % rule1,
command=('selinuxusermap_show', [rule1], {}),
expected=errors.NotFound(
reason=u'%s: SELinux User Map rule not found' % rule1),
),
dict(
desc='Try to update non-existent %r' % rule1,
command=('selinuxusermap_mod', [rule1], dict(description=u'Foo')),
expected=errors.NotFound(
reason=u'%s: SELinux User Map rule not found' % rule1),
),
dict(
desc='Try to delete non-existent %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=errors.NotFound(
reason=u'%s: SELinux User Map rule not found' % rule1),
),
dict(
desc='Create rule %r' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1)
),
expected=dict(
value=rule1,
summary=u'Added SELinux User Map "%s"' % rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
objectclass=objectclasses.selinuxusermap,
ipauniqueid=[fuzzy_uuid],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
),
),
dict(
desc='Try to create duplicate %r' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1)
),
expected=errors.DuplicateEntry(message=u'SELinux User Map rule ' +
u'with name "%s" already exists' % rule1),
),
dict(
desc='Retrieve rule %r' % rule1,
command=('selinuxusermap_show', [rule1], {}),
expected=dict(
value=rule1,
summary=None,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
),
),
dict(
desc='Update rule %r' % rule1,
command=(
'selinuxusermap_mod', [rule1],
dict(ipaselinuxuser=selinuxuser2)
),
expected=dict(
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
),
summary=u'Modified SELinux User Map "%s"' % rule1,
value=rule1,
),
),
dict(
desc='Retrieve %r to verify update' % rule1,
command=('selinuxusermap_show', [rule1], {}),
expected=dict(
value=rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
summary=None,
),
),
dict(
desc='Search for rule %r' % rule1,
command=('selinuxusermap_find', [], dict(cn=rule1)),
expected=dict(
count=1,
truncated=False,
result=[
dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
],
summary=u'1 SELinux User Map matched',
),
),
###############
# Create additional entries needed for testing
dict(
desc='Create %r' % user1,
command=(
'user_add', [], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Create group %r' % group1,
command=(
'group_add', [group1], dict(description=u'Test desc 1')
),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
),
),
),
dict(
desc='Add member %r to %r' % (user1, group1),
command=(
'group_add_member', [group1], dict(user=user1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
),
),
result={
'dn': DN(('cn', group1), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
'member_user': (user1,),
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'Test desc 1'],
},
),
),
dict(
desc='Create host %r' % host1,
command=('host_add', [host1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
force=True,
),
),
expected=dict(
value=host1,
summary=u'Added host "%s"' % host1,
result=dict(
dn=hostdn1,
fqdn=[host1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (host1, api.env.realm)],
krbcanonicalname=[u'host/%s@%s' % (host1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[host1],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create HBAC rule %r' % hbacrule1,
command=(
'hbacrule_add', [hbacrule1], {}
),
expected=dict(
value=hbacrule1,
summary=u'Added HBAC rule "%s"' % hbacrule1,
result=dict(
cn=[hbacrule1],
objectclass=objectclasses.hbacrule,
ipauniqueid=[fuzzy_uuid],
accessruletype=[u'allow'],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_hbacruledn,
),
),
),
dict(
desc='Create HBAC rule %r' % hbacrule2,
command=(
'hbacrule_add', [hbacrule2], {}
),
expected=dict(
value=hbacrule2,
summary=u'Added HBAC rule "%s"' % hbacrule2,
result=dict(
cn=[hbacrule2],
objectclass=objectclasses.hbacrule,
ipauniqueid=[fuzzy_uuid],
accessruletype=[u'allow'],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_hbacruledn,
),
),
),
###############
# Fill out rule with members and/or pointers to HBAC rules
dict(
desc='Add user to %r' % rule1,
command=('selinuxusermap_add_user', [rule1], dict(user=user1)),
expected=dict(
failed=dict(memberuser=dict(group=[], user=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
memberuser_user=[user1],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Add non-existent user to %r' % rule1,
command=('selinuxusermap_add_user', [rule1],
dict(user=u'notfound')),
expected=dict(
failed=dict(
memberuser=dict(group=[],
user=[(u'notfound', u'no such entry')])
),
completed=0,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
memberuser_user=[user1],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Remove user from %r' % rule1,
command=('selinuxusermap_remove_user', [rule1], dict(user=user1)),
expected=dict(
failed=dict(memberuser=dict(group=[], user=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Remove non-existent user to %r' % rule1,
command=('selinuxusermap_remove_user', [rule1],
dict(user=u'notfound')),
expected=dict(
failed=dict(
memberuser=dict(group=[],
user=[(u'notfound', u'This entry is not a member')]
)
),
completed=0,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Add group to %r' % rule1,
command=('selinuxusermap_add_user', [rule1], dict(group=group1)),
expected=dict(
failed=dict(memberuser=dict(group=[], user=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
memberuser_group=[group1],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Add host to %r' % rule1,
command=('selinuxusermap_add_host', [rule1], dict(host=host1)),
expected=dict(
failed=dict(memberhost=dict(hostgroup=[], host=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
memberhost_host=[host1],
memberuser_group=[group1],
dn=fuzzy_selinuxusermapdn,
),
)
),
###############
# Test enabling and disabling
dict(
desc='Disable %r' % rule1,
command=('selinuxusermap_disable', [rule1], {}),
expected=dict(
result=True,
value=rule1,
summary=u'Disabled SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Disable %r again' % rule1,
command=('selinuxusermap_disable', [rule1], {}),
expected=errors.AlreadyInactive(),
),
dict(
desc='Enable %r' % rule1,
command=('selinuxusermap_enable', [rule1], {}),
expected=dict(
result=True,
value=rule1,
summary=u'Enabled SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Re-enable %r again' % rule1,
command=('selinuxusermap_enable', [rule1], {}),
expected=errors.AlreadyActive(),
),
# Point to an HBAC Rule
dict(
desc='Add an HBAC rule to %r that has other members' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1)
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Remove host from %r' % rule1,
command=('selinuxusermap_remove_host', [rule1], dict(host=host1)),
expected=dict(
failed=dict(memberhost=dict(hostgroup=[], host=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
memberuser_group=[group1],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Remove group from %r' % rule1,
command=('selinuxusermap_remove_user', [rule1],
dict(group=group1)),
expected=dict(
failed=dict(memberuser=dict(group=[], user=[])),
completed=1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
)
),
dict(
desc='Add non-existent HBAC rule to %r' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(seealso=u'notfound')
),
expected=errors.NotFound(
reason=u'HBAC rule notfound not found'),
),
dict(
desc='Add an HBAC rule to %r' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1)
),
expected=dict(
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser2],
ipaenabledflag=[u'TRUE'],
seealso=hbacrule1,
),
summary=u'Modified SELinux User Map "%s"' % rule1,
value=rule1,
),
),
dict(
desc='Add user to %r that has HBAC' % rule1,
command=('selinuxusermap_add_user', [rule1], dict(user=user1)),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Add host to %r that has HBAC' % rule1,
command=('selinuxusermap_add_host', [rule1], dict(host=host1)),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Try to delete HBAC rule pointed to by %r' % rule1,
command=('hbacrule_del', [hbacrule1], {}),
expected=errors.DependentEntry(key=hbacrule1,
label=u'SELinux User Map', dependent=rule1)
),
# This tests selinuxusermap-find --hbacrule=<foo> returns an
# exact match
dict(
desc='Try to delete similarly named HBAC rule %r' % hbacrule2,
command=('hbacrule_del', [hbacrule2], {}),
expected=dict(
result=dict(failed=[]),
value=[hbacrule2],
summary=u'Deleted HBAC rule "%s"' % hbacrule2,
)
),
# Test clean up
dict(
desc='Delete %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=dict(
result=dict(failed=[]),
value=[rule1],
summary=u'Deleted SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Try to delete non-existent %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=errors.NotFound(
reason=u'%s: SELinux User Map rule not found' % rule1),
),
# Some negative tests
dict(
desc='Create rule with unknown user %r' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'notfound:s0:c0')
),
expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 ' +
u'not found in ordering list (in config)'),
),
dict(
desc='Create rule with invalid user bad+user',
command=(
'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'bad+user')
),
expected=errors.ValidationError(
name='selinuxuser',
error=u'Invalid SELinux user name, only a-Z, _ '
'and . are allowed'
),
),
dict(
desc='Create rule with invalid MCS xguest_u:s999',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s999')
),
expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
),
dict(
desc='Create rule with invalid MLS xguest_u:s0:p88',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s0:p88')
),
expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
u'and/or c[0-1023]-c[0-c0123]'),
),
dict(
desc='Create rule with invalid MLS xguest_u:s0:c0.c1028',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
),
expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
u'and/or c[0-1023]-c[0-c0123]'),
),
dict(
desc='Create rule with invalid user via setattr',
command=(
'selinuxusermap_mod', [rule1],
dict(setattr=u'ipaselinuxuser=deny')
),
expected=errors.ValidationError(name='ipaselinuxuser',
error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
),
dict(
desc='Create rule with both --hbacrule and --usercat set',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1,
seealso=hbacrule1,
usercategory=u'all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Create rule with both --hbacrule and --hostcat set',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1,
seealso=hbacrule1,
hostcategory=u'all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Create rule with both --hbacrule '
'and --usercat set via setattr',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1,
seealso=hbacrule1,
setattr=u'usercategory=all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Create rule with both --hbacrule '
'and --hostcat set via setattr',
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1,
seealso=hbacrule1,
setattr=u'hostcategory=all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Create rule %r with --hbacrule' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1, seealso=hbacrule1)
),
expected=dict(
value=rule1,
summary=u'Added SELinux User Map "%s"' % rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
objectclass=objectclasses.selinuxusermap,
ipauniqueid=[fuzzy_uuid],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
seealso=hbacrule1
),
),
),
dict(
desc='Add an --usercat to %r that has HBAC set' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(usercategory=u'all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Add an --hostcat to %r that has HBAC set' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(hostcategory=u'all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Add an usercat via setattr to %r that has HBAC set' % rule1,
command=(
'selinuxusermap_mod', [rule1],
dict(setattr=u'usercategory=all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Add an hostcat via setattr to %r that has HBAC set' % rule1,
command=(
'selinuxusermap_mod', [rule1],
dict(setattr=u'hostcategory=all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Delete %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=dict(
result=dict(failed=[]),
value=[rule1],
summary=u'Deleted SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Create rule %r with usercat and hostcat set' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1,
usercategory=u'all',
hostcategory=u'all')
),
expected=dict(
value=rule1,
summary=u'Added SELinux User Map "%s"' % rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
objectclass=objectclasses.selinuxusermap,
ipauniqueid=[fuzzy_uuid],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
usercategory=[u'all'],
hostcategory=[u'all']
),
),
),
dict(
desc='Add HBAC rule to %r that has usercat and hostcat' % rule1,
command=(
'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1)
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Delete %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=dict(
result=dict(failed=[]),
value=[rule1],
summary=u'Deleted SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Create rule %r' % rule1,
command=(
'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=selinuxuser1)
),
expected=dict(
value=rule1,
summary=u'Added SELinux User Map "%s"' % rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
objectclass=objectclasses.selinuxusermap,
ipauniqueid=[fuzzy_uuid],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
),
),
),
dict(
desc='Add HBAC rule, hostcat and usercat to %r' % rule1,
command=(
'selinuxusermap_mod', [rule1],
dict(seealso=hbacrule1,
usercategory=u'all',
hostcategory=u'all')
),
expected=errors.MutuallyExclusiveError(
reason=u'HBAC rule and local members cannot both be set'),
),
dict(
desc='Delete %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=dict(
result=dict(failed=[]),
value=[rule1],
summary=u'Deleted SELinux User Map "%s"' % rule1,
)
),
dict(
desc='Create rule %r with '
'--setattr=seealso=<allow_all rule DN>' % rule1,
command=(
'selinuxusermap_add',
[rule1],
dict(ipaselinuxuser=selinuxuser1,
setattr=u'seealso=%s' % allow_all_rule_dn)
),
expected=dict(
value=rule1,
summary=u'Added SELinux User Map "%s"' % rule1,
result=dict(
cn=[rule1],
ipaselinuxuser=[selinuxuser1],
objectclass=objectclasses.selinuxusermap,
ipauniqueid=[fuzzy_uuid],
ipaenabledflag=[u'TRUE'],
dn=fuzzy_selinuxusermapdn,
seealso=u'allow_all',
),
),
),
dict(
desc='Delete %r' % rule1,
command=('selinuxusermap_del', [rule1], {}),
expected=dict(
result=dict(failed=[]),
value=[rule1],
summary=u'Deleted SELinux User Map "%s"' % rule1,
)
),
]
class test_krbtpolicy(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
('krbtpolicy_reset', [], {}),
]
tests = [
dict(
desc='Reset global policy',
command=('krbtpolicy_reset', [], {}),
expected=dict(
value=None,
summary=None,
result=dict(
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Show global policy',
command=('krbtpolicy_show', [], {}),
expected=dict(
value=None,
summary=None,
result=dict(
dn=DN(('cn', api.env.domain), ('cn', 'kerberos'),
api.env.basedn),
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Update global policy',
command=('krbtpolicy_mod', [], dict(krbmaxticketlife=3600)),
expected=dict(
value=None,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Create %r' % user1,
command=('user_add', [user1], dict(givenname=u'Test',
sn=u'User1')),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Update user ticket policy',
command=('krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)),
expected=dict(
value=user1,
summary=None,
result=dict(krbmaxticketlife=[u'3600'], ),
),
),
dict(
desc='Update user ticket policy for auth indicator pkinit',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxticketlife_pkinit=3800)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_pkinit=[u'3800'],
),
),
),
dict(
desc='Update user ticket policy for auth indicator otp',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxticketlife_otp=3700)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_otp=[u'3700'],
),
),
),
dict(
desc='Update user ticket policy for auth indicator radius',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxticketlife_radius=1)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
),
),
),
dict(
desc='Update user ticket policy for auth indicator hardened',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxticketlife_hardened=2147483647)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
krbauthindmaxticketlife_hardened=[u'2147483647'],
),
),
),
dict(
desc='Update maxrenew user ticket policy for '
'auth indicator hardened',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxrenewableage_hardened=2147483647)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
krbauthindmaxticketlife_hardened=[u'2147483647'],
krbauthindmaxrenewableage_hardened=[u'2147483647'],
),
),
),
dict(
desc='Update maxrenew user ticket policy for '
'auth indicator otp',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxrenewableage_otp=3700)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
krbauthindmaxticketlife_hardened=[u'2147483647'],
krbauthindmaxrenewableage_hardened=[u'2147483647'],
krbauthindmaxrenewableage_otp=[u'3700'],
),
),
),
dict(
desc='Update maxrenew user ticket policy for '
'auth indicator radius',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxrenewableage_radius=1)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
krbauthindmaxticketlife_hardened=[u'2147483647'],
krbauthindmaxrenewableage_hardened=[u'2147483647'],
krbauthindmaxrenewableage_otp=[u'3700'],
krbauthindmaxrenewableage_radius=[u'1'],
),
),
),
dict(
desc='Update maxrenew user ticket policy for '
'auth indicator pkinit',
command=('krbtpolicy_mod', [user1],
dict(krbauthindmaxrenewableage_pkinit=3800)),
expected=dict(
value=user1,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbauthindmaxticketlife_otp=[u'3700'],
krbauthindmaxticketlife_pkinit=[u'3800'],
krbauthindmaxticketlife_radius=[u'1'],
krbauthindmaxticketlife_hardened=[u'2147483647'],
krbauthindmaxrenewableage_hardened=[u'2147483647'],
krbauthindmaxrenewableage_otp=[u'3700'],
krbauthindmaxrenewableage_radius=[u'1'],
krbauthindmaxrenewableage_pkinit=[u'3800'],
),
),
),
dict(
desc='Try updating other user attribute',
command=('krbtpolicy_mod', [user1],
dict(setattr=u'givenname=Pete')),
expected=errors.ObjectclassViolation(
info='attribute "givenname" not allowed'),
),
]
for (value, error) in invalid_values:
for (param, param_name) in parameters:
tests.append(
create_dict(desc='Try updating invalid {0} with {1}'.format(
param_name, value),
param=param,
param_name=param_name,
value=value,
error=error))
class test_raduisproxy(Declarative):
cleanup_commands = [
('radiusproxy_del', [radius1], {}),
('user_del', [user1], {}),
]
tests = [
dict(
desc='Try to retrieve non-existent %r' % radius1,
command=('radiusproxy_show', [radius1], {}),
expected=errors.NotFound(
reason=u'%s: RADIUS proxy server not found' % radius1),
),
dict(
desc='Try to update non-existent %r' % radius1,
command=('radiusproxy_mod', [radius1], {}),
expected=errors.NotFound(
reason=_('%s: RADIUS proxy server not found') % radius1),
),
dict(
desc='Try to delete non-existent %r' % radius1,
command=('radiusproxy_del', [radius1], {}),
expected=errors.NotFound(
reason=_('%s: RADIUS proxy server not found') % radius1),
),
dict(
desc='Try to add multiple radius proxy server %r' % radius1,
command=('radiusproxy_add', [radius1],
dict(
ipatokenradiusserver=radius1_fqdn,
addattr=u'ipatokenradiusserver=radius1_fqdn',
ipatokenradiussecret=password1,
),
),
expected=errors.OnlyOneValueAllowed(attr='ipatokenradiusserver')
),
dict(
desc='Create %r' % radius1,
command=('radiusproxy_add', [radius1],
dict(
ipatokenradiusserver=radius1_fqdn,
ipatokenradiussecret=password1,
),
),
expected=dict(
value=radius1,
summary=u'Added RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
dn=radius1_dn,
ipatokenradiussecret=[password1_bytes],
ipatokenradiusserver=[radius1_fqdn],
objectclass=objectclasses.radiusproxy,
),
),
),
dict(
desc='Try to create duplicate %r' % radius1,
command=('radiusproxy_add', [radius1],
dict(
ipatokenradiusserver=radius1_fqdn,
ipatokenradiussecret=password1,
),
),
expected=errors.DuplicateEntry(message=_('RADIUS proxy server '
'with name "%s" already exists') % radius1),
),
dict(
desc='Retrieve %r' % radius1,
command=('radiusproxy_show', [radius1], {}),
expected=dict(
value=radius1,
summary=None,
result=dict(
cn=[radius1],
dn=radius1_dn,
ipatokenradiusserver=[radius1_fqdn],
),
),
),
dict(
desc='Retrieve %r with all=True' % radius1,
command=('radiusproxy_show', [radius1], dict(all=True)),
expected=dict(
value=radius1,
summary=None,
result=dict(
cn=[radius1],
dn=radius1_dn,
ipatokenradiussecret=[password1_bytes],
ipatokenradiusserver=[radius1_fqdn],
objectclass=objectclasses.radiusproxy,
),
),
),
] + [
dict(
desc='Set timeout of %s to %s (valid)' % (radius1, num),
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiustimeout=num)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
ipatokenradiustimeout=[unicode(num)],
),
),
)
for num in (1, 100)
] + [
dict(
desc='Set timeout of %s to 0 (invalid)' % radius1,
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiustimeout=0)),
expected=errors.ValidationError(
name='timeout', error=_('must be at least 1')),
),
dict(
desc='Unset timeout of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiustimeout=None)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
),
),
),
] + [
dict(
desc='Set retries of %s to %s (valid)' % (radius1, num),
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusretries=num)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
ipatokenradiusretries=[unicode(num)],
),
),
)
for num in (0, 4, 10)
] + [
dict(
desc='Set retries of %s to %s (invalid)' % (radius1, num),
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusretries=num)),
expected=errors.ValidationError(
name='retries', error=reason),
)
for num, reason in ((-1, 'must be at least 0'),
(11, 'can be at most 10'),
(100, 'can be at most 10'))
] + [
dict(
desc='Unset retries of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusretries=None)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
),
),
),
] + [
dict(
desc='Set server string of %s to %s (valid)' % (radius1, fqdn),
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusserver=fqdn)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[fqdn],
),
),
)
for fqdn in (radius1_fqdn + u':12345', radius1_fqdn)
] + [
dict(
desc='Set server string of %s to %s (invalid)' % (radius1, fqdn),
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusserver=fqdn)),
expected=errors.ValidationError(name='ipatokenradiusserver',
error=error),
)
for fqdn, error in (
(radius1_fqdn + u':0x5a', 'invalid port number'),
(radius1_fqdn + u':1:2:3',
"only letters, numbers, '_', '-' are allowed. DNS label may not "
"start or end with '-'"),
(u'bogus', 'not fully qualified'),
)
] + [
dict(
desc='Try to unset server string of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(ipatokenradiusserver=None)),
expected=errors.RequirementError(name='server'),
),
dict(
desc='Set userattr of %s to %s (valid)' % (radius1, u'cn'),
command=('radiusproxy_mod', [radius1],
dict(ipatokenusermapattribute=u'cn')),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
ipatokenusermapattribute=[u'cn'],
),
),
),
dict(
desc='Set userattr of %s to %s (invalid)' % (radius1, u'$%^&*'),
command=('radiusproxy_mod', [radius1],
dict(ipatokenusermapattribute=u'$%^&*')),
expected=errors.ValidationError(name='ipatokenusermapattribute',
error=u'invalid attribute name'),
),
dict(
desc='Unset userattr of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(ipatokenusermapattribute=None)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
),
),
),
dict(
desc='Set desc of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(description=u'a virtual radius server')),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
description=[u'a virtual radius server'],
),
),
),
dict(
desc='Unset desc of %s' % radius1,
command=('radiusproxy_mod', [radius1],
dict(description=None)),
expected=dict(
value=radius1,
summary=u'Modified RADIUS proxy server "%s"' % radius1,
result=dict(
cn=[radius1],
ipatokenradiusserver=[radius1_fqdn],
),
),
),
dict(
desc='Create "%s"' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Set radiusconfiglink of %r' % user1,
command=('user_mod', [user1],
dict(ipatokenradiusconfiglink=radius1,)),
expected=dict(
result=get_user_result(user1, u'Test', u'User1', 'mod',
ipatokenradiusconfiglink=[radius1]),
value=user1,
summary='Modified user "%s"' % user1,
),
),
dict(
desc='Retrieve %r to verify %s is output' % (radius1, user1),
command=('radiusproxy_show', [radius1], {}),
expected=dict(
value=radius1,
summary=None,
result=dict(
cn=[radius1],
dn=radius1_dn,
ipatokenradiusserver=[radius1_fqdn],
),
),
),
dict(
desc='Retrieve %r to verify %s is output' % (user1, radius1),
command=('user_show', [user1], {}),
expected=dict(
value=user1,
summary=None,
result=get_user_result(user1, u'Test', u'User1', 'show',
ipatokenradiusconfiglink=[radius1]),
),
),
dict(
desc='Delete %r' % radius1,
command=('radiusproxy_del', [radius1], {}),
expected=dict(
value=[radius1],
summary=u'Deleted RADIUS proxy server "%s"' % radius1,
result=dict(failed=[]),
),
),
dict(
desc='Retrieve %s to verify link is deleted' % user1,
command=('user_show', [user1], {}),
expected=dict(
value=user1,
summary=None,
result=get_user_result(user1, u'Test', u'User1', 'show'),
),
),
]
class test_netgroup(Declarative):
"""
Test the `netgroup` plugin.
"""
cleanup_commands = [
('netgroup_del', [netgroup1], {}),
('netgroup_del', [netgroup2], {}),
('host_del', [host1], {}),
('hostgroup_del', [hostgroup1], {}),
('user_del', [user1], {}),
('user_del', [user2], {}),
('group_del', [group1], {}),
]
tests=[
dict(
desc='Try to retrieve non-existent %r' % netgroup1,
command=('netgroup_show', [netgroup1], {}),
expected=errors.NotFound(
reason=u'%s: netgroup not found' % netgroup1),
),
dict(
desc='Try to update non-existent %r' % netgroup1,
command=('netgroup_mod', [netgroup1],
dict(description=u'Updated hostgroup 1')
),
expected=errors.NotFound(
reason=u'%s: netgroup not found' % netgroup1),
),
dict(
desc='Try to delete non-existent %r' % netgroup1,
command=('netgroup_del', [netgroup1], {}),
expected=errors.NotFound(
reason=u'%s: netgroup not found' % netgroup1),
),
dict(
desc='Test an invalid netgroup name %r' % invalidnetgroup1,
command=('netgroup_add', [invalidnetgroup1], dict(description=u'Test')),
expected=errors.ValidationError(name='name',
error=u'may only include letters, numbers, _, -, and .'),
),
dict(
desc='Test an invalid nisdomain1 name %r' % invalidnisdomain1,
command=('netgroup_add', [netgroup1],
dict(description=u'Test',nisdomainname=invalidnisdomain1)),
expected=errors.ValidationError(name='nisdomain',
error='may only include letters, numbers, _, -, and .'),
),
dict(
desc='Test an invalid nisdomain2 name %r' % invalidnisdomain2,
command=('netgroup_add', [netgroup1],
dict(description=u'Test',nisdomainname=invalidnisdomain2)),
expected=errors.ValidationError(name='nisdomain',
error='may only include letters, numbers, _, -, and .'),
),
dict(
desc='Create %r' % netgroup1,
command=('netgroup_add', [netgroup1],
dict(description=u'Test netgroup 1')
),
expected=dict(
value=netgroup1,
summary=u'Added netgroup "%s"' % netgroup1,
result=dict(
dn=fuzzy_netgroupdn,
cn=[netgroup1],
objectclass=objectclasses.netgroup,
description=[u'Test netgroup 1'],
nisdomainname=['%s' % api.env.domain],
ipauniqueid=[fuzzy_uuid],
),
),
),
dict(
desc='Create %r' % netgroup2,
command=('netgroup_add', [netgroup2],
dict(description=u'Test netgroup 2')
),
expected=dict(
value=netgroup2,
summary=u'Added netgroup "%s"' % netgroup2,
result=dict(
dn=fuzzy_netgroupdn,
cn=[netgroup2],
objectclass=objectclasses.netgroup,
description=[u'Test netgroup 2'],
nisdomainname=['%s' % api.env.domain],
ipauniqueid=[fuzzy_uuid],
),
),
),
dict(
desc='Create netgroup with name containing only one letter: %r' % netgroup_single,
command=('netgroup_add', [netgroup_single],
dict(description=u'Test netgroup_single')
),
expected=dict(
value=netgroup_single,
summary=u'Added netgroup "%s"' % netgroup_single,
result=dict(
dn=fuzzy_netgroupdn,
cn=[netgroup_single],
objectclass=objectclasses.netgroup,
description=[u'Test netgroup_single'],
nisdomainname=['%s' % api.env.domain],
ipauniqueid=[fuzzy_uuid],
),
),
),
dict(
desc='Delete %r' % netgroup_single,
command=('netgroup_del', [netgroup_single], {}),
expected=dict(
value=[netgroup_single],
summary=u'Deleted netgroup "%s"' % netgroup_single,
result=dict(failed=[]),
),
),
dict(
desc='Try to create duplicate %r' % netgroup1,
command=('netgroup_add', [netgroup1],
dict(description=u'Test netgroup 1')
),
expected=errors.DuplicateEntry(
message=u'netgroup with name "%s" already exists' % netgroup1),
),
dict(
desc='Create host %r' % host1,
command=('host_add', [host1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
force=True,
),
),
expected=dict(
value=host1,
summary=u'Added host "%s"' % host1,
result=dict(
dn=host_dn1,
fqdn=[host1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (host1, api.env.realm)],
krbcanonicalname=[u'host/%s@%s' % (host1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[host1],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % hostgroup1,
command=('hostgroup_add', [hostgroup1],
dict(description=u'Test hostgroup 1')
),
expected=dict(
value=hostgroup1,
summary=u'Added hostgroup "%s"' % hostgroup1,
result=dict(
dn=hostgroup_dn1,
cn=[hostgroup1],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 1'],
mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'),
api.env.basedn)],
ipauniqueid=[fuzzy_uuid],
),
),
),
dict(
desc='Create %r' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Create %r' % user2,
command=(
'user_add', [user2], dict(givenname=u'Test', sn=u'User2')
),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
),
dict(
desc='Create %r' % group1,
command=(
'group_add', [group1], dict(description=u'Test desc 1')
),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn',group1),('cn','groups'),('cn','accounts'),
api.env.basedn),
),
),
),
dict(
desc='Add user %r to group %r' % (user2, group1),
command=(
'group_add_member', [group1], dict(user=user2)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
service=tuple(),
),
),
result={
'dn': DN(('cn',group1),('cn','groups'),('cn','accounts'),
api.env.basedn),
'member_user': (user2,),
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'Test desc 1'],
},
),
),
dict(
desc='Add invalid host %r to netgroup %r' % (invalidhost, netgroup1),
command=('netgroup_add_member', [netgroup1], dict(host=invalidhost)),
expected=errors.ValidationError(name='host',
error=u"only letters, numbers, '_', '-' are allowed. " +
u"DNS label may not start or end with '-'"),
),
dict(
desc='Add host %r to netgroup %r' % (host1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(host=host1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add hostgroup %r to netgroup %r' % (hostgroup1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(hostgroup=hostgroup1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Search for netgroups using no_user with members',
command=('netgroup_find', [], dict(
no_user=user1, no_members=False)),
expected=dict(
count=2,
truncated=False,
summary=u'2 netgroups matched',
result=[
{
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup2],
'description': [u'Test netgroup 2'],
'nisdomainname': [u'%s' % api.env.domain],
},
],
),
),
dict(
desc='Search for netgroups using no_user',
command=('netgroup_find', [], dict(no_user=user1)),
expected=dict(
count=2,
truncated=False,
summary=u'2 netgroups matched',
result=[
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup2],
'description': [u'Test netgroup 2'],
'nisdomainname': [u'%s' % api.env.domain],
},
],
),
),
dict(
desc="Check %r doesn't match when searching for %s" % (netgroup1, user1),
command=('netgroup_find', [], dict(user=user1)),
expected=dict(
count=0,
truncated=False,
summary=u'0 netgroups matched',
result=[],
),
),
dict(
desc='Add user %r to netgroup %r' % (user1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(user=user1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc="Check %r doesn't match when searching for no %s" % (netgroup1, user1),
command=('netgroup_find', [], dict(no_user=user1)),
expected=dict(
count=1,
truncated=False,
summary=u'1 netgroup matched',
result=[
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup2],
'description': [u'Test netgroup 2'],
'nisdomainname': [u'%s' % api.env.domain],
},
],
),
),
dict(
desc='Add group %r to netgroup %r' % (group1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(group=group1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add netgroup %r to netgroup %r' % (netgroup2, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(netgroup=netgroup2)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add non-existent netgroup to netgroup %r' % (netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(netgroup=u'notfound')
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=[(u'notfound', u'no such entry')],
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add duplicate user %r to netgroup %r' % (user1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(user=user1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=[('%s' % user1, u'This entry is already a member')],
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add duplicate group %r to netgroup %r' % (group1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(group=group1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=[('%s' % group1, u'This entry is already a member')],
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add duplicate host %r to netgroup %r' % (host1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(host=host1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=[('%s' % host1, u'This entry is already a member')],
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add duplicate hostgroup %r to netgroup %r' % (hostgroup1, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(hostgroup=hostgroup1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=[('%s' % hostgroup1, u'This entry is already a member')],
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
},
),
),
dict(
desc='Add unknown host %r to netgroup %r' % (unknown_host, netgroup1),
command=(
'netgroup_add_member', [netgroup1], dict(host=unknown_host)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Add invalid host %r to netgroup %r using setattr' %
(invalidhost, netgroup1),
command=(
'netgroup_mod', [netgroup1],
dict(setattr='externalhost=%s' % invalidhost)
),
expected=errors.ValidationError(name='externalhost',
error=u"only letters, numbers, '_', '-' are allowed. " +
u"DNS label may not start or end with '-'"),
),
dict(
desc='Add unknown host %r to netgroup %r using addattr' %
(unknown_host2, netgroup1),
command=(
'netgroup_mod', [netgroup1],
dict(addattr='externalhost=%s' % unknown_host2)
),
expected=dict(
value=u'netgroup1',
summary=u'Modified netgroup "netgroup1"',
result={
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host, unknown_host2],
},
)
),
dict(
desc='Remove unknown host %r from netgroup %r using delattr' %
(unknown_host2, netgroup1),
command=(
'netgroup_mod', [netgroup1],
dict(delattr='externalhost=%s' % unknown_host2)
),
expected=dict(
value=u'netgroup1',
summary=u'Modified netgroup "netgroup1"',
result={
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
)
),
dict(
desc='Retrieve %r' % netgroup1,
command=('netgroup_show', [netgroup1], {}),
expected=dict(
value=netgroup1,
summary=None,
result={
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Search for %r with members' % netgroup1,
command=('netgroup_find', [], dict(
cn=netgroup1, no_members=False)),
expected=dict(
count=1,
truncated=False,
summary=u'1 netgroup matched',
result=[
{
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
],
),
),
dict(
desc='Search for %r' % netgroup1,
command=('netgroup_find', [], dict(cn=netgroup1)),
expected=dict(
count=1,
truncated=False,
summary=u'1 netgroup matched',
result=[
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
],
),
),
dict(
desc='Search for %r using user with members' % netgroup1,
command=('netgroup_find', [], dict(
user=user1, no_members=False)),
expected=dict(
count=1,
truncated=False,
summary=u'1 netgroup matched',
result=[
{
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
],
),
),
dict(
desc='Search for %r using user' % netgroup1,
command=('netgroup_find', [], dict(user=user1)),
expected=dict(
count=1,
truncated=False,
summary=u'1 netgroup matched',
result=[
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
],
),
),
dict(
desc=('Search for all netgroups using empty member user with '
'members'),
command=('netgroup_find', [], dict(user=None, no_members=False)),
expected=dict(
count=2,
truncated=False,
summary=u'2 netgroups matched',
result=[
{
'dn': fuzzy_netgroupdn,
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
{
'dn': fuzzy_netgroupdn,
'memberof_netgroup': (netgroup1,),
'cn': [netgroup2],
'description': [u'Test netgroup 2'],
'nisdomainname': [u'%s' % api.env.domain],
},
],
),
),
dict(
desc='Search for all netgroups using empty member user',
command=('netgroup_find', [], dict(user=None)),
expected=dict(
count=2,
truncated=False,
summary=u'2 netgroups matched',
result=[
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Test netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
{
'dn': fuzzy_netgroupdn,
'cn': [netgroup2],
'description': [u'Test netgroup 2'],
'nisdomainname': [u'%s' % api.env.domain],
},
],
),
),
dict(
desc='Update %r' % netgroup1,
command=('netgroup_mod', [netgroup1],
dict(description=u'Updated netgroup 1')
),
expected=dict(
value=netgroup1,
summary=u'Modified netgroup "%s"' % netgroup1,
result={
'memberhost_host': (host1,),
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove host %r from netgroup %r' % (host1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(host=host1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberhost_hostgroup': (hostgroup1,),
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove hostgroup %r from netgroup %r' % (hostgroup1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(hostgroup=hostgroup1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberuser_user': (user1,),
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove user %r from netgroup %r' % (user1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(user=user1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'memberuser_group': (group1,),
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove group %r from netgroup %r' % (group1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(group=group1)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'member_netgroup': (netgroup2,),
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove netgroup %r from netgroup %r' % (netgroup2, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(netgroup=netgroup2)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove host %r from netgroup %r again' % (host1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(host=host1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=[('%s' % host1, u'This entry is not a member')]
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove hostgroup %r from netgroup %r again' % (hostgroup1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(hostgroup=hostgroup1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=[('%s' % hostgroup1, u'This entry is not a member')],
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove user %r from netgroup %r again' % (user1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(user=user1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group=tuple(),
user=[('%s' % user1, u'This entry is not a member')],
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove group %r from netgroup %r again' % (group1, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(group=group1)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=tuple(),
),
memberuser=dict(
group= [('%s' % group1, u'This entry is not a member')],
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Remove netgroup %r from netgroup %r again' % (netgroup2, netgroup1),
command=(
'netgroup_remove_member', [netgroup1], dict(netgroup=netgroup2)
),
expected=dict(
completed=0,
failed=dict(
member=dict(
netgroup=[('%s' % netgroup2, u'This entry is not a member')],
),
memberuser=dict(
group=tuple(),
user=tuple(),
),
memberhost=dict(
hostgroup=tuple(),
host=tuple(),
),
),
result={
'dn': fuzzy_netgroupdn,
'cn': [netgroup1],
'description': [u'Updated netgroup 1'],
'nisdomainname': [u'%s' % api.env.domain],
'externalhost': [unknown_host],
},
),
),
dict(
desc='Delete %r' % netgroup1,
command=('netgroup_del', [netgroup1], {}),
expected=dict(
value=[netgroup1],
summary=u'Deleted netgroup "%s"' % netgroup1,
result=dict(failed=[]),
),
),
]
class test_range(Declarative):
mockldap = None
@pytest.fixture(autouse=True, scope="class")
def range_setup(self, request, declarative_setup):
cls = request.cls
def fin():
cls.mockldap = MockLDAP()
cls.mockldap.del_entry(domain2_dn)
cls.mockldap.del_entry(domain3_dn)
cls.mockldap.del_entry(domain4_dn)
cls.mockldap.del_entry(domain5_dn)
cls.mockldap.del_entry(domain6_dn)
cls.mockldap.del_entry(domain7_dn)
cls.mockldap.del_entry(domain1range1_dn)
cls.mockldap.del_entry(domain2range1_dn)
cls.mockldap.del_entry(domain2range2_dn)
cls.mockldap.del_entry(domain3range1_dn)
cls.mockldap.del_entry(domain3range2_dn)
cls.mockldap.del_entry(domain4range1_dn)
cls.mockldap.del_entry(domain5range1_dn)
cls.mockldap.del_entry(domain5range2_dn)
cls.mockldap.del_entry(domain6range1_dn)
cls.mockldap.del_entry(domain7range1_dn)
cls.mockldap.del_entry(trust_container_dn)
cls.mockldap.del_entry(trust_local_dn)
cls.mockldap.del_entry(smb_cont_dn)
cls.mockldap.unbind()
fin()
cls.mockldap = MockLDAP()
cls.mockldap.add_entry(trust_container_dn, trust_container_add)
cls.mockldap.add_entry(smb_cont_dn, smb_cont_add)
cls.mockldap.add_entry(trust_local_dn, trust_local_add)
cls.mockldap.add_entry(domain2_dn, domain2_add)
cls.mockldap.add_entry(domain3_dn, domain3_add)
cls.mockldap.add_entry(domain4_dn, domain4_add)
cls.mockldap.add_entry(domain5_dn, domain5_add)
cls.mockldap.add_entry(domain6_dn, domain6_add)
cls.mockldap.add_entry(domain7_dn, domain7_add)
cls.mockldap.add_entry(domain1range1_dn, domain1range1_add)
cls.mockldap.add_entry(domain2range1_dn, domain2range1_add)
cls.mockldap.add_entry(domain2range2_dn, domain2range2_add)
cls.mockldap.add_entry(domain3range1_dn, domain3range1_add)
cls.mockldap.add_entry(domain3range2_dn, domain3range2_add)
cls.mockldap.add_entry(domain4range1_dn, domain4range1_add)
cls.mockldap.add_entry(domain5range1_dn, domain5range1_add)
cls.mockldap.add_entry(domain5range2_dn, domain5range2_add)
cls.mockldap.add_entry(domain6range1_dn, domain6range1_add)
cls.mockldap.unbind()
request.addfinalizer(fin)
cleanup_commands = [
('idrange_del', [
testrange1, testrange2, testrange3, testrange4, testrange5,
testrange6, testrange7, testrange8, testrange9
], {
'continue': True
}),
('user_del', [user1], {}),
('group_del', [group1], {}),
]
# Basic tests.
tests = [
dict(
desc='Create ID range %r' % (testrange1),
command=('idrange_add', [testrange1],
dict(ipabaseid=testrange1_base_id,
ipaidrangesize=testrange1_size,
ipabaserid=testrange1_base_rid,
ipasecondarybaserid=testrange1_secondary_base_rid)),
expected=dict(
result=dict(
dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange1],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[
unicode(testrange1_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange1_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
summary=u'Added ID range "%s"' % (testrange1),
),
),
dict(
desc='Retrieve ID range %r' % (testrange1),
command=('idrange_show', [testrange1], dict()),
expected=dict(
result=dict(
dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange1],
ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[
unicode(testrange1_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange1_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
summary=None,
),
),
# Checks for modifications leaving objects outside of the range.
dict(
desc='Create user %r in ID range %r' % (user1, testrange1),
command=('user_add', [user1],
dict(givenname=u'Test', sn=u'User1',
uidnumber=user1_uid)),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1,
u'Test',
u'User1',
'add',
uidnumber=[unicode(user1_uid)],
gidnumber=[unicode(user1_uid)],
),
),
),
dict(
desc='Create group %r in ID range %r' % (group1, testrange1),
command=('group_add', [group1],
dict(description=u'Test desc 1', gidnumber=group1_gid)),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
gidnumber=[unicode(group1_gid)],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
),
),
),
dict(
desc='Try to modify ID range %r to get out bounds object #1' %
(testrange1),
command=('idrange_mod', [testrange1],
dict(ipabaseid=user1_uid + 1)),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR),
),
dict(
desc='Try to modify ID range %r to get out bounds object #2' %
(testrange1),
command=('idrange_mod', [testrange1], dict(ipaidrangesize=100)),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR),
),
dict(
desc='Try to modify ID range %r to get out bounds object #3' %
(testrange1),
command=('idrange_mod', [testrange1],
dict(ipabaseid=100, ipaidrangesize=100)),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR),
),
dict(desc='Modify ID range %r' % (testrange1),
command=('idrange_mod', [testrange1], dict(ipaidrangesize=90000)),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR)),
dict(
desc='Try to delete ID range %r with active IDs inside it' %
testrange1,
command=('idrange_del', [testrange1], {}),
expected=errors.ValidationError(
name='ipabaseid,ipaidrangesize',
error=u'range modification leaving objects with ID out of the'
u' defined range is not allowed'),
),
dict(
desc='Delete user %r' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
value=[user1],
summary=u'Deleted user "%s"' % user1,
),
),
dict(
desc='Delete group %r' % group1,
command=('group_del', [group1], {}),
expected=dict(
result=dict(failed=[]),
value=[group1],
summary=u'Deleted group "%s"' % group1,
),
),
# Framework validation: mod local idrange with auto-private-groups
# is prohibited
dict(desc=('Try to modify local range %r with --auto-private-groups' %
(testrange1)),
command=('idrange_mod', [testrange1],
dict(ipaautoprivategroups='true')),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR)),
dict(
desc='Delete ID range %r' % testrange1,
command=('idrange_del', [testrange1], {}),
expected=dict(
result=dict(failed=[]),
value=[testrange1],
summary=u'Deleted ID range "%s"' % testrange1,
),
),
# Tests for overlapping local ranges.
dict(
desc='Create ID range %r' % (testrange2),
command=('idrange_add', [testrange2],
dict(ipabaseid=testrange2_base_id,
ipaidrangesize=testrange2_size,
ipabaserid=testrange2_base_rid,
ipasecondarybaserid=testrange2_secondary_base_rid)),
expected=dict(
result=dict(
dn=DN(('cn', testrange2), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange2],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange2_base_id)],
ipabaserid=[unicode(testrange2_base_rid)],
ipasecondarybaserid=[
unicode(testrange2_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange2_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange2,
summary=u'Added ID range "%s"' % (testrange2),
),
),
dict(
desc=
'Try to modify ID range %r so that its rid ranges are overlapping themselves'
% (testrange2),
command=('idrange_mod', [testrange2],
dict(ipabaserid=(testrange2_secondary_base_rid))),
expected=errors.ExecutionError(message=IPA_LOCAL_RANGE_MOD_ERR),
),
dict(
desc='Try to create ID range %r with overlapping rid range' %
(testrange3),
command=('idrange_add', [testrange3],
dict(ipabaseid=testrange3_base_id,
ipaidrangesize=testrange3_size,
ipabaserid=testrange3_base_rid,
ipasecondarybaserid=testrange3_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New primary rid range overlaps with existing primary rid range.'
),
),
dict(
desc=
'Try to create ID range %r with overlapping secondary rid range' %
(testrange4),
command=('idrange_add', [testrange4],
dict(ipabaseid=testrange4_base_id,
ipaidrangesize=testrange4_size,
ipabaserid=testrange4_base_rid,
ipasecondarybaserid=testrange4_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New secondary rid range overlaps with existing secondary rid range.'
),
),
dict(
desc=
'Try to create ID range %r with primary range overlapping secondary rid range'
% (testrange5),
command=('idrange_add', [testrange5],
dict(ipabaseid=testrange5_base_id,
ipaidrangesize=testrange5_size,
ipabaserid=testrange5_base_rid,
ipasecondarybaserid=testrange5_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New primary rid range overlaps with existing secondary rid range.'
),
),
dict(
desc='Try to create ID range %r with overlapping id range' %
(testrange6),
command=('idrange_add', [testrange6],
dict(ipabaseid=testrange6_base_id,
ipaidrangesize=testrange6_size,
ipabaserid=testrange6_base_rid,
ipasecondarybaserid=testrange6_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
dict(
desc=
'Try to create ID range %r with rid ranges overlapping themselves'
% (testrange7),
command=('idrange_add', [testrange7],
dict(ipabaseid=testrange7_base_id,
ipaidrangesize=testrange7_size,
ipabaserid=testrange7_base_rid,
ipasecondarybaserid=testrange7_secondary_base_rid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Primary RID range and secondary RID range cannot overlap'
),
),
dict(
desc='Delete ID range %r' % testrange2,
command=('idrange_del', [testrange2], {}),
expected=dict(
result=dict(failed=[]),
value=[testrange2],
summary=u'Deleted ID range "%s"' % testrange2,
),
),
# Testing framework validation: --dom-sid/--dom-name and secondary RID
# base cannot be used together
dict(
desc='Create ID range %r' % (testrange8),
command=('idrange_add', [testrange8],
dict(ipabaseid=testrange8_base_id,
ipaidrangesize=testrange8_size,
ipabaserid=testrange8_base_rid,
ipasecondarybaserid=testrange8_secondary_base_rid,
ipanttrusteddomainsid=domain1_sid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Options dom-sid/dom-name and '
'secondary-rid-base cannot be used together'),
),
# Testing framework validation: --auto-private-groups is prohibited
# with ipa-local range
dict(
desc='Local ID range %r with auto-private-groups' % (testrange8),
command=('idrange_add', [testrange8],
dict(ipabaseid=testrange8_base_id,
ipaidrangesize=testrange8_size,
ipaautoprivategroups='true')),
expected=errors.ValidationError(
name='ID Range setup',
error='IPA Range type must be one of ipa-ad-trust '
'or ipa-ad-trust-posix when '
'auto-private-groups is specified'),
),
# Testing framework validation: --rid-base is prohibited with ipa-ad-posix
dict(
desc='Try to create ipa-ad-trust-posix ID range %r with base RID' %
(domain7range1),
command=('idrange_add', [domain7range1],
dict(ipabaseid=domain7range1_base_id,
ipaidrangesize=domain7range1_size,
ipabaserid=domain7range1_base_rid,
iparangetype=domain7range1_type,
ipanttrusteddomainsid=domain7_sid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Option rid-base must not be used when IPA range '
'type is ipa-ad-trust-posix'),
),
# Testing framework validation: --auto-private-groups can only be
# one of true, false, hybrid
dict(
desc=('Create ID range %r with bogus --auto-private-groups' %
(domain7range1)),
command=('idrange_add', [domain7range1],
dict(ipabaseid=domain7range1_base_id,
ipaidrangesize=domain7range1_size,
iparangetype=domain7range1_type,
ipanttrusteddomainsid=domain7_sid,
ipaautoprivategroups='bogus')),
expected=errors.ValidationError(
name='auto_private_groups',
error="must be one of 'true', 'false', 'hybrid'"),
),
dict(
desc='Create ID range %r' % (domain7range1),
command=('idrange_add', [domain7range1],
dict(ipabaseid=domain7range1_base_id,
ipaidrangesize=domain7range1_size,
iparangetype=domain7range1_type,
ipanttrusteddomainsid=domain7_sid)),
expected=dict(
result=dict(
dn=unicode(domain7range1_dn),
cn=[domain7range1],
objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'],
ipabaseid=[unicode(domain7range1_base_id)],
ipaidrangesize=[unicode(domain7range1_size)],
ipanttrusteddomainsid=[unicode(domain7_sid)],
iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[
u'Active Directory trust range with POSIX attributes'
],
),
value=unicode(domain7range1),
summary=u'Added ID range "%s"' % (domain7range1),
),
),
dict(
desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' %
(domain7range1),
command=('idrange_mod', [domain7range1],
dict(ipabaserid=domain7range1_base_rid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Option rid-base must not be used when IPA range '
'type is ipa-ad-trust-posix'),
),
# Testing prohibition of deletion of ranges belonging to active
# trusted domains.
dict(
desc='Delete non-active AD trusted range %r' % domain1range1,
command=('idrange_del', [domain1range1], {}),
expected=dict(
result=dict(failed=[]),
value=[domain1range1],
summary=u'Deleted ID range "%s"' % domain1range1,
),
),
dict(
desc='Try to delete active AD trusted range %r' % domain2range1,
command=('idrange_del', [domain2range1], {}),
expected=errors.DependentEntry(label='Active Trust domain',
key=domain2range1,
dependent=domain2),
),
# Testing base range overlaps for ranges of different types and
# different domains
# - Base range overlaps
# 1. ipa-ad-trust-posix type ranges from the same forest can overlap
# on base ranges, use domain3range1 and domain3range2
dict(
desc=('Modify ipa-ad-trust-posix range %r to overlap on base range'
' with posix range from the same domain' % (domain3range2)),
command=('idrange_mod', [domain3range2],
dict(ipabaseid=domain3range1_base_id)),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain3range2).to_dict(), ),
result=dict(
cn=[domain3range2],
ipabaseid=[unicode(domain3range1_base_id)],
ipaidrangesize=[unicode(domain3range2_size)],
ipanttrusteddomainsid=[unicode(domain3_sid)],
iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[
u'Active Directory trust range with POSIX '
'attributes'
],
),
value=domain3range2,
summary=u'Modified ID range "%s"' % (domain3range2),
),
),
# 2. ipa-ad-trust-posix type ranges from different forests cannot
# overlap on base ranges, use domain3range1 and domain4range1
dict(
desc=('Modify ipa-ad-trust-posix range %r to overlap on base range'
' with posix range from different domain' % (domain3range1)),
command=('idrange_mod', [domain3range1],
dict(ipabaseid=domain4range1_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# 3. ipa-ad-trust ranges from same forest cannot overlap on base ranges,
# use domain5range1 and domain5range2
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base range'
' with posix range from the same domain' % (domain5range1)),
command=('idrange_mod', [domain5range1],
dict(ipabaseid=domain5range2_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# 4. ipa-ad-trust ranges from different forests cannot overlap on base
# ranges, use domain5range1 and domain6range1
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base range'
' with posix range from different domain' % (domain5range1)),
command=('idrange_mod', [domain5range1],
dict(ipabaseid=domain6range1_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# - RID range overlaps
# 1. Overlaps on base RID ranges are allowed for ranges from different
# domains, use domain2range1 and domain5range1
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base RID'
' range with nonposix range from different domain' %
(domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain5range1_base_rid)),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain2range1).to_dict(), ),
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
# 2. ipa-ad-trust ranges from the same forest cannot overlap on base
# RID ranges, use domain5range1 and domain5range2
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base RID range'
' with range from the same domain' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain2range2_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New primary rid range overlaps with existing primary rid '
'range.'),
),
dict(
desc=('Modify ipa-ad-trust range %r with --auto-private-groups='
'true' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='true')),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain2range1).to_dict(), ),
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
ipaautoprivategroups=[u'true'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
dict(
desc=('Modify ipa-ad-trust range %r with --auto-private-groups='
'false' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='false')),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain2range1).to_dict(), ),
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
ipaautoprivategroups=[u'false'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
dict(
desc=('Modify ipa-ad-trust range %r with --auto-private-groups='
'hybrid' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='hybrid')),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain2range1).to_dict(), ),
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
ipaautoprivategroups=[u'hybrid'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
dict(
desc=('Modify ipa-ad-trust range %r with --auto-private-groups='
'<empty>' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipaautoprivategroups='')),
expected=dict(
messages=(messages.ServiceRestartRequired(
service=services.knownservices['sssd'].systemd_name,
server=domain2range1).to_dict(), ),
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
# Test for bug 6404
# if dom-name is empty, add should not fail
dict(
desc='Create ID range %r' % (testrange9),
command=('idrange_add', [testrange9],
dict(ipanttrusteddomainname=None,
ipabaseid=testrange9_base_id,
ipaidrangesize=testrange9_size,
ipabaserid=testrange9_base_rid,
ipasecondarybaserid=testrange9_secondary_base_rid)),
expected=dict(
result=dict(
dn=DN(('cn', testrange9), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange9],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange9_base_id)],
ipabaserid=[unicode(testrange9_base_rid)],
ipasecondarybaserid=[
unicode(testrange9_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange9_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange9,
summary=u'Added ID range "%s"' % (testrange9),
),
),
dict(
desc='Delete ID range %r' % testrange9,
command=('idrange_del', [testrange9], {}),
expected=dict(
result=dict(failed=[]),
value=[testrange9],
summary=u'Deleted ID range "%s"' % testrange9,
),
),
]
class test_service_allowed_to(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
('user_del', [user2], {}),
('group_del', [group1], {}),
('group_del', [group2], {}),
('host_del', [fqdn1], {}),
('service_del', [service1], {}),
('hostgroup_del', [hostgroup1], {}),
]
tests = [
# prepare entries
dict(
desc='Create %r' % user1,
command=('user_add', [], dict(givenname=u'Test', sn=u'User1')),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Create %r' % user2,
command=('user_add', [], dict(givenname=u'Test', sn=u'User2')),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
),
dict(
desc='Create group: %r' % group1,
command=('group_add', [group1], dict()),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(cn=[group1],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
gidnumber=[fuzzy_digits],
dn=group1_dn),
),
),
dict(
desc='Create group: %r' % group2,
command=('group_add', [group2], dict()),
expected=dict(
value=group2,
summary=u'Added group "%s"' % group2,
result=dict(cn=[group2],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
gidnumber=[fuzzy_digits],
dn=group2_dn),
),
),
dict(
desc='Create %r' % fqdn1,
command=(
'host_add',
[fqdn1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
force=True,
),
),
expected=dict(
value=fqdn1,
summary=u'Added host "%s"' % fqdn1,
result=dict(
dn=host1dn,
fqdn=[fqdn1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[u'%s' % fqdn1],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % hostgroup1,
command=('hostgroup_add', [hostgroup1],
dict(description=u'Test hostgroup 1')),
expected=dict(
value=hostgroup1,
summary=u'Added hostgroup "testhostgroup1"',
result=dict(
dn=hostgroup1_dn,
cn=[hostgroup1],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 1'],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[
DN(('cn', hostgroup1), ('cn', 'ng'), ('cn', 'alt'),
api.env.basedn)
],
),
),
),
dict(
desc='Create %r' % service1,
command=('service_add', [service1_no_realm], dict(force=True)),
expected=dict(
value=service1,
summary=u'Added service "%s"' % service1,
result=dict(
dn=service1dn,
krbprincipalname=[service1],
objectclass=objectclasses.service,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1],
),
),
),
# verify
dict(
desc='Allow %r to a retrieve keytab of %r' % (user1, service1),
command=('service_allow_retrieve_keytab', [service1],
dict(user=user1)),
expected=dict(
failed=dict(ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
), ),
completed=1,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Duplicate add: user %r' % (user1),
command=('service_allow_retrieve_keytab', [service1],
dict(user=user1)),
expected=dict(
failed=dict(ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user1, u'This entry is already a member']],
), ),
completed=0,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Allow %r, %r, %r to a retrieve keytab of %r' %
(group1, group2, fqdn1, service1),
command=('service_allow_retrieve_keytab', [service1],
dict(group=[group1, group2],
host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
), ),
completed=4,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Invalid removal of retrieve keytab %r' % (user2),
command=('service_disallow_retrieve_keytab', [service1],
dict(user=[user2])),
expected=dict(
failed=dict(ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
), ),
completed=0,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1, group2],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Removal of retrieve keytab %r' % (group2),
command=('service_disallow_retrieve_keytab', [service1],
dict(group=[group2])),
expected=dict(
failed=dict(ipaallowedtoperform_read_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
), ),
completed=1,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Allow %r, %r, %r to a create keytab of %r' %
(group1, user1, fqdn1, service1),
command=('service_allow_create_keytab', [service1],
dict(group=[group1, group2],
user=[user1],
host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
), ),
completed=5,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Duplicate add: %r, %r' % (user1, group1),
command=('service_allow_create_keytab', [service1],
dict(group=[group1],
user=[user1],
host=[fqdn1],
hostgroup=[hostgroup1])),
expected=dict(
failed=dict(ipaallowedtoperform_write_keys=dict(
group=[[group1, u'This entry is already a member']],
host=[[fqdn1, u'This entry is already a member']],
user=[[user1, u'This entry is already a member']],
hostgroup=[[hostgroup1,
u'This entry is already a member']],
), ),
completed=0,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Invalid removal of create keytab %r' % (user2),
command=('service_disallow_create_keytab', [service1],
dict(user=[user2])),
expected=dict(
failed=dict(ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[[user2, u'This entry is not a member']],
), ),
completed=0,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1, group2],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Removal of create keytab %r' % (group2),
command=('service_disallow_create_keytab', [service1],
dict(group=[group2])),
expected=dict(
failed=dict(ipaallowedtoperform_write_keys=dict(
group=[],
host=[],
hostgroup=[],
user=[],
), ),
completed=1,
result=dict(
dn=service1dn,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Presence of ipaallowedtoperform in show output',
command=('service_show', [service1_no_realm], {}),
expected=dict(
value=service1,
summary=None,
result=dict(
dn=service1dn,
has_keytab=False,
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
krbprincipalname=[service1],
managedby_host=[fqdn1],
),
),
),
dict(
desc='Presence of ipaallowedtoperform in mod output',
command=('service_mod', [service1_no_realm],
dict(ipakrbokasdelegate=True)),
expected=dict(
value=service1,
summary=u'Modified service "%s"' % service1,
result=dict(
ipaallowedtoperform_read_keys_user=[user1],
ipaallowedtoperform_read_keys_group=[group1],
ipaallowedtoperform_read_keys_host=[fqdn1],
ipaallowedtoperform_read_keys_hostgroup=[hostgroup1],
ipaallowedtoperform_write_keys_user=[user1],
ipaallowedtoperform_write_keys_group=[group1],
ipaallowedtoperform_write_keys_host=[fqdn1],
ipaallowedtoperform_write_keys_hostgroup=[hostgroup1],
ipakrbokasdelegate=True,
krbprincipalname=[service1],
krbticketflags=[u'1048704'],
managedby_host=[fqdn1],
),
),
),
]
class test_krbtpolicy(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
('krbtpolicy_reset', [], {}),
]
tests = [
dict(
desc='Reset global policy',
command=('krbtpolicy_reset', [], {}),
expected=dict(
value=None,
summary=None,
result=dict(
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Show global policy',
command=('krbtpolicy_show', [], {}),
expected=dict(
value=None,
summary=None,
result=dict(
dn=DN(('cn', api.env.domain), ('cn', 'kerberos'),
api.env.basedn),
krbmaxticketlife=[u'86400'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Update global policy',
command=('krbtpolicy_mod', [], dict(krbmaxticketlife=3600)),
expected=dict(
value=None,
summary=None,
result=dict(
krbmaxticketlife=[u'3600'],
krbmaxrenewableage=[u'604800'],
),
),
),
dict(
desc='Create %r' % user1,
command=('user_add', [user1], dict(givenname=u'Test',
sn=u'User1')),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Update user ticket policy',
command=('krbtpolicy_mod', [user1], dict(krbmaxticketlife=3600)),
expected=dict(
value=user1,
summary=None,
result=dict(krbmaxticketlife=[u'3600'], ),
),
),
dict(
desc='Try updating other user attribute',
command=('krbtpolicy_mod', [user1],
dict(setattr=u'givenname=Pete')),
expected=errors.ObjectclassViolation(
info='attribute "givenname" not allowed'),
),
]
class test_nesting(Declarative):
cleanup_commands = [
('group_del', [group1], {}),
('group_del', [group2], {}),
('group_del', [group3], {}),
('group_del', [group4], {}),
('user_del', [user1], {}),
('user_del', [user2], {}),
('user_del', [user3], {}),
('user_del', [user4], {}),
('host_del', [fqdn1], {}),
('hostgroup_del', [hostgroup1], {}),
('hostgroup_del', [hostgroup2], {}),
]
tests = [
################
# create group1:
dict(
desc='Create %r' % group1,
command=('group_add', [group1], dict(description=u'Test desc 1')),
expected=dict(
value=group1,
summary=u'Added group "testgroup1"',
result=dict(
cn=[group1],
description=[u'Test desc 1'],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
gidnumber=[fuzzy_digits],
dn=DN(('cn', 'testgroup1'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
################
# create group2:
dict(
desc='Create %r' % group2,
command=('group_add', [group2], dict(description=u'Test desc 2')),
expected=dict(
value=group2,
summary=u'Added group "testgroup2"',
result=dict(
cn=[group2],
description=[u'Test desc 2'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', 'testgroup2'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Create %r' % group3,
command=('group_add', [group3], dict(description=u'Test desc 3')),
expected=dict(
value=group3,
summary=u'Added group "testgroup3"',
result=dict(
cn=[group3],
description=[u'Test desc 3'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', 'testgroup3'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Create %r' % group4,
command=('group_add', [group4], dict(description=u'Test desc 4')),
expected=dict(
value=group4,
summary=u'Added group "testgroup4"',
result=dict(
cn=[group4],
description=[u'Test desc 4'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', 'testgroup4'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Create %r' % user1,
command=('user_add', [user1], dict(givenname=u'Test',
sn=u'User1')),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Create %r' % user2,
command=('user_add', [user2], dict(givenname=u'Test',
sn=u'User2')),
expected=dict(
value=user2,
summary=u'Added user "%s"' % user2,
result=get_user_result(user2, u'Test', u'User2', 'add'),
),
),
dict(
desc='Create %r' % user3,
command=('user_add', [user3], dict(givenname=u'Test',
sn=u'User3')),
expected=dict(
value=user3,
summary=u'Added user "%s"' % user3,
result=get_user_result(user3, u'Test', u'User3', 'add'),
),
),
dict(
desc='Create %r' % user4,
command=('user_add', [user4], dict(givenname=u'Test',
sn=u'User4')),
expected=dict(
value=user4,
summary=u'Added user "%s"' % user4,
result=get_user_result(user4, u'Test', u'User4', 'add'),
),
),
###############
# member stuff
#
# Create 4 groups and 4 users and set the following membership:
#
# g1:
# no direct memberships
#
# g2:
# memberof: g1
# member: user1, user2
#
# g3:
# memberof: g1
# member: user3, g4
#
# g4:
# memberof: g3
# member: user1, user4
#
# So when we do a show it looks like:
#
# g1:
# member groups: g2, g3
# indirect member group: g4
# indirect member users: user1, user2, tuser3, tuser4
#
# g2:
# member of group: g1
# member users: tuser1, tuser2
#
# g3:
# member users: tuser3
# member groups: g4
# member of groups: g1
# indirect member users: tuser4
#
# g4:
# member users: tuser1, tuser4
# member of groups: g3
# indirect member of groups: g1
#
# Note that tuser1 is an indirect member of g1 both through
# g2 and g4. It should appear just once in the list.
dict(
desc='Add a group member %r to %r' % (group2, group1),
command=('group_add_member', [group1], dict(group=group2)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_group': (group2, ),
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'Test desc 1'],
},
),
),
dict(
desc='Add a group member %r to %r' % (group3, group1),
command=('group_add_member', [group1], dict(group=group3)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_group': [
group2,
group3,
],
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'Test desc 1'],
},
),
),
dict(
desc='Add a user member %r to %r' % (user1, group2),
command=('group_add_member', [group2], dict(user=user1)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group2), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': (u'tuser1', ),
'memberof_group': (u'testgroup1', ),
'gidnumber': [fuzzy_digits],
'cn': [group2],
'description': [u'Test desc 2'],
},
),
),
dict(
desc='Add a user member %r to %r' % (user2, group2),
command=('group_add_member', [group2], dict(user=user2)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group2), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': [user1, user2],
'memberof_group': [group1],
'gidnumber': [fuzzy_digits],
'cn': [group2],
'description': [u'Test desc 2'],
},
),
),
dict(
desc='Add a user member %r to %r' % (user3, group3),
command=('group_add_member', [group3], dict(user=user3)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group3), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': [user3],
'memberof_group': [group1],
'gidnumber': [fuzzy_digits],
'cn': [group3],
'description': [u'Test desc 3'],
},
),
),
dict(
desc='Add a group member %r to %r' % (group4, group3),
command=('group_add_member', [group3], dict(group=group4)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group3), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': [user3],
'memberof_group': [group1],
'member_group': [group4],
'gidnumber': [fuzzy_digits],
'cn': [group3],
'description': [u'Test desc 3'],
},
),
),
dict(
desc='Add a user member %r to %r' % (user1, group4),
command=('group_add_member', [group4], dict(user=user1)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group4), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': [user1],
'memberof_group': [group3],
'memberofindirect_group': [group1],
'gidnumber': [fuzzy_digits],
'cn': [group4],
'description': [u'Test desc 4'],
},
),
),
dict(
desc='Add a user member %r to %r' % (user4, group4),
command=('group_add_member', [group4], dict(user=user4)),
expected=dict(
completed=1,
failed=dict(member=dict(
group=tuple(),
user=tuple(),
), ),
result={
'dn':
DN(('cn', group4), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
'member_user': [user1, user4],
'memberof_group': [group3],
'memberofindirect_group': [group1],
'gidnumber': [fuzzy_digits],
'cn': [group4],
'description': [u'Test desc 4'],
},
),
),
dict(
desc='Retrieve group %r' % group1,
command=('group_show', [group1], {}),
expected=dict(
value=group1,
summary=None,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
gidnumber=[fuzzy_digits],
memberindirect_group=[group4],
member_group=[group2, group3],
memberindirect_user=[user1, user2, user3, user4],
dn=DN(('cn', 'testgroup1'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Retrieve group %r' % group2,
command=('group_show', [group2], {}),
expected=dict(
value=group2,
summary=None,
result=dict(
cn=[group2],
description=[u'Test desc 2'],
gidnumber=[fuzzy_digits],
memberof_group=[group1],
member_user=[user1, user2],
dn=DN(('cn', 'testgroup2'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Retrieve group %r' % group3,
command=('group_show', [group3], {}),
expected=dict(
value=group3,
summary=None,
result=dict(
cn=[group3],
description=[u'Test desc 3'],
gidnumber=[fuzzy_digits],
memberof_group=[group1],
member_user=[user3],
member_group=[group4],
memberindirect_user=[user1, user4],
dn=DN(('cn', 'testgroup3'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
dict(
desc='Retrieve group %r' % group4,
command=('group_show', [group4], {}),
expected=dict(
value=group4,
summary=None,
result=dict(
cn=[group4],
description=[u'Test desc 4'],
gidnumber=[fuzzy_digits],
memberof_group=[group3],
member_user=[user1, user4],
memberofindirect_group=[group1],
dn=DN(('cn', 'testgroup4'), ('cn', 'groups'),
('cn', 'accounts'), api.env.basedn),
),
),
),
# Now do something similar with hosts and hostgroups
dict(
desc='Create host %r' % fqdn1,
command=(
'host_add',
[fqdn1],
dict(
description=u'Test host 1',
l=u'Undisclosed location 1',
force=True,
),
),
expected=dict(
value=fqdn1,
summary=u'Added host "%s"' % fqdn1,
result=dict(
dn=host_dn1,
fqdn=[fqdn1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
objectclass=objectclasses.host,
ipauniqueid=[fuzzy_uuid],
managedby_host=[fqdn1],
has_keytab=False,
has_password=False,
),
),
),
dict(
desc='Create %r' % hostgroup1,
command=('hostgroup_add', [hostgroup1],
dict(description=u'Test hostgroup 1')),
expected=dict(
value=hostgroup1,
summary=u'Added hostgroup "testhostgroup1"',
result=dict(
dn=hgdn1,
cn=[hostgroup1],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 1'],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[
DN(('cn', hostgroup1), ('cn', 'ng'), ('cn', 'alt'),
api.env.basedn)
],
),
),
),
dict(
desc='Create %r' % hostgroup2,
command=('hostgroup_add', [hostgroup2],
dict(description=u'Test hostgroup 2')),
expected=dict(
value=hostgroup2,
summary=u'Added hostgroup "testhostgroup2"',
result=dict(
dn=hgdn2,
cn=[hostgroup2],
objectclass=objectclasses.hostgroup,
description=[u'Test hostgroup 2'],
ipauniqueid=[fuzzy_uuid],
mepmanagedentry=[
DN(('cn', hostgroup2), ('cn', 'ng'), ('cn', 'alt'),
api.env.basedn)
],
),
),
),
dict(
desc=u'Add host %r to %r' % (fqdn1, hostgroup2),
command=('hostgroup_add_member', [hostgroup2], dict(host=fqdn1)),
expected=dict(
completed=1,
failed=dict(member=dict(
host=tuple(),
hostgroup=tuple(),
), ),
result={
'dn': hgdn2,
'cn': [hostgroup2],
'description': [u'Test hostgroup 2'],
'member_host': [fqdn1],
},
),
),
dict(
desc=u'Add hostgroup %r to %r' % (hostgroup2, hostgroup1),
command=('hostgroup_add_member', [hostgroup1],
dict(hostgroup=hostgroup2)),
expected=dict(
completed=1,
failed=dict(member=dict(
host=tuple(),
hostgroup=tuple(),
), ),
result={
'dn': hgdn1,
'cn': [hostgroup1],
'description': [u'Test hostgroup 1'],
'member_hostgroup': [hostgroup2],
'memberindirect_host': [fqdn1],
},
),
),
dict(
desc='Retrieve %r' % hostgroup1,
command=('hostgroup_show', [hostgroup1], {}),
expected=dict(
value=hostgroup1,
summary=None,
result={
'dn': hgdn1,
'memberindirect_host': [u'testhost1.%s' % api.env.domain],
'member_hostgroup': [hostgroup2],
'cn': [hostgroup1],
'description': [u'Test hostgroup 1'],
},
),
),
dict(
desc='Retrieve %r' % fqdn1,
command=('host_show', [fqdn1], {}),
expected=dict(
value=fqdn1,
summary=None,
result=dict(
dn=host_dn1,
fqdn=[fqdn1],
description=[u'Test host 1'],
l=[u'Undisclosed location 1'],
krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)],
has_keytab=False,
has_password=False,
managedby_host=[fqdn1],
memberof_hostgroup=[u'testhostgroup2'],
memberofindirect_hostgroup=[u'testhostgroup1'],
),
),
),
]
class test_attr(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
]
tests = [
dict(
desc='Try to add user %r with single-value attribute set via '
'option and --addattr' % user1,
command=('user_add', [user1],
dict(givenname=u'Test', sn=u'User1',
addattr=u'sn=User2')),
expected=errors.OnlyOneValueAllowed(attr='sn'),
),
dict(
desc='Create %r' % user1,
command=('user_add', [user1],
dict(givenname=u'Test', sn=u'User1', setattr=None)),
expected=dict(
value=user1,
summary=u'Added user "tuser1"',
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Change givenname, add mail %r' % user1,
command=('user_mod', [user1],
dict(setattr=(u'givenname=Finkle',
u'[email protected]'))),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Add another mail %r' % user1,
command=('user_mod', [user1],
dict(addattr=u'[email protected]')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Add two phone numbers at once %r' % user1,
command=('user_mod', [user1],
dict(setattr=u'telephoneNumber=410-555-1212',
addattr=u'telephoneNumber=301-555-1212')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'410-555-1212', u'301-555-1212'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Go from two phone numbers to one %r' % user1,
command=('user_mod', [user1],
dict(setattr=u'telephoneNumber=301-555-1212')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'301-555-1212'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Add two more phone numbers %r' % user1,
command=('user_mod', [user1],
dict(addattr=(u'telephoneNumber=703-555-1212',
u'telephoneNumber=202-888-9833'))),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[
u'301-555-1212', u'703-555-1212', u'202-888-9833'
],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Delete one phone number for %r' % user1,
command=('user_mod', [user1],
dict(delattr=u'telephoneNumber=301-555-1212')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'703-555-1212', u'202-888-9833'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(desc='Try deleting the number again for %r' % user1,
command=('user_mod', [user1],
dict(delattr=u'telephoneNumber=301-555-1212')),
expected=errors.AttrValueNotFound(attr=u'telephonenumber',
value=u'301-555-1212')),
dict(
desc='Add and delete one phone number for %r' % user1,
command=('user_mod', [user1],
dict(addattr=u'telephoneNumber=301-555-1212',
delattr=u'telephoneNumber=202-888-9833')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'703-555-1212', u'301-555-1212'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Add and delete the same phone number for %r' % user1,
command=('user_mod', [user1],
dict(addattr=(u'telephoneNumber=301-555-1212',
u'telephoneNumber=202-888-9833'),
delattr=u'telephoneNumber=301-555-1212')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[
u'703-555-1212', u'301-555-1212', u'202-888-9833'
],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Set and delete a phone number for %r' % user1,
command=('user_mod', [user1],
dict(setattr=(u'telephoneNumber=301-555-1212',
u'telephoneNumber=202-888-9833'),
delattr=u'telephoneNumber=301-555-1212')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'202-888-9833'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Try setting givenname to None with setattr in %r' % user1,
command=('user_mod', [user1], dict(setattr=(u'givenname='))),
expected=errors.RequirementError(name='givenname'),
),
dict(
desc='Try setting givenname to None with option in %r' % user1,
command=('user_mod', [user1], dict(givenname=None)),
expected=errors.RequirementError(name='first'),
),
dict(
desc='Make sure setting givenname works with option in %r' % user1,
command=('user_mod', [user1], dict(givenname=u'Fred')),
expected=dict(
result=get_user_result(
user1,
u'Fred',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'202-888-9833'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Make sure setting givenname works with setattr in %r' %
user1,
command=('user_mod', [user1], dict(setattr=u'givenname=Finkle')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'202-888-9833'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Try to "remove" empty location from %r' % user1,
command=('user_mod', [user1], dict(l=None)),
expected=errors.EmptyModlist(),
),
dict(
desc='Lock %r using setattr' % user1,
command=('user_mod', [user1], dict(setattr=u'nsaccountlock=TrUe')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'202-888-9833'],
nsaccountlock=True,
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Unlock %r using addattr&delattr' % user1,
command=('user_mod', [user1],
dict(addattr=u'nsaccountlock=FaLsE',
delattr=u'nsaccountlock=TRUE')),
expected=dict(
result=get_user_result(
user1,
u'Finkle',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
telephonenumber=[u'202-888-9833'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Try adding a new group search fields config entry',
command=('config_mod', [],
dict(addattr=u'ipagroupsearchfields=newattr')),
expected=errors.OnlyOneValueAllowed(attr='ipagroupsearchfields'),
),
dict(
desc='Try adding a new cert subject base config entry',
command=('config_mod', [],
dict(addattr=u'ipacertificatesubjectbase=0=DOMAIN.COM')),
expected=errors.ValidationError(
name='ipacertificatesubjectbase',
error='attribute is not configurable'),
),
dict(
desc='Try deleting a required config entry',
command=('config_mod', [],
dict(delattr=u'ipasearchrecordslimit=100')),
expected=errors.RequirementError(name='ipasearchrecordslimit'),
),
dict(
desc='Try setting nonexistent attribute',
command=('config_mod', [], dict(setattr=u'invalid_attr=false')),
expected=errors.ObjectclassViolation(
info='attribute "invalid_attr" not allowed'),
),
dict(
desc='Try setting out-of-range krbpwdmaxfailure',
command=('pwpolicy_mod', [], dict(setattr=u'krbpwdmaxfailure=-1')),
expected=errors.ValidationError(name='krbpwdmaxfailure',
error='must be at least 0'),
),
dict(
desc='Try setting out-of-range maxfail',
command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'-1')),
expected=errors.ValidationError(name='maxfail',
error='must be at least 0'),
),
dict(
desc='Try setting non-numeric krbpwdmaxfailure',
command=('pwpolicy_mod', [],
dict(setattr=u'krbpwdmaxfailure=abc')),
expected=errors.ConversionError(name='krbpwdmaxfailure',
error='must be an integer'),
),
dict(
desc='Try setting non-numeric maxfail',
command=('pwpolicy_mod', [], dict(krbpwdmaxfailure=u'abc')),
expected=errors.ConversionError(name='maxfail',
error='must be an integer'),
),
dict(
desc='Try deleting bogus attribute',
command=('config_mod', [], dict(delattr=u'bogusattribute=xyz')),
expected=errors.ValidationError(
name='bogusattribute',
error='No such attribute on this entry'),
),
dict(
desc='Try deleting empty attribute',
command=('config_mod', [],
dict(delattr=u'ipaCustomFields=See Also,seealso,false')),
expected=errors.ValidationError(
name='ipacustomfields',
error='No such attribute on this entry'),
),
dict(
desc='Set and delete one value, plus try deleting a missing one',
command=('config_mod', [],
dict(delattr=[
u'ipaCustomFields=See Also,seealso,false',
u'ipaCustomFields=Country,c,false'
],
addattr=u'ipaCustomFields=See Also,seealso,false')),
expected=errors.AttrValueNotFound(attr='ipacustomfields',
value='Country,c,false'),
),
dict(
desc='Try to delete an operational attribute with --delattr',
command=('config_mod', [],
dict(delattr=u'creatorsName=cn=directory manager')),
expected=errors.DatabaseError(
desc='Server is unwilling to perform', info=''),
),
]
class test_replace(Declarative):
cleanup_commands = [
('user_del', [user1], {}),
]
tests = [
dict(
desc='Create %r with 2 e-mail accounts' % user1,
command=('user_add', [user1],
dict(givenname=u'Test',
sn=u'User1',
mail=[u'*****@*****.**', u'*****@*****.**'])),
expected=dict(
value=user1,
summary=u'Added user "tuser1"',
result=get_user_result(
user1,
u'Test',
u'User1',
'add',
mail=[u'*****@*****.**', u'*****@*****.**'],
),
),
),
dict(
desc='Drop one e-mail account, add another to %r' % user1,
command=('user_mod', [user1],
dict(mail=[u'*****@*****.**', u'*****@*****.**'])),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
mail=[u'*****@*****.**', u'*****@*****.**'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Set mail to a new single value %r' % user1,
command=('user_mod', [user1], dict(mail=u'*****@*****.**')),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
mail=[u'*****@*****.**'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Set mail to three new values %r' % user1,
command=('user_mod', [user1],
dict(mail=[
u'*****@*****.**', u'*****@*****.**',
u'*****@*****.**'
])),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
mail=[
u'*****@*****.**', u'*****@*****.**',
u'*****@*****.**'
],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Remove all mail values %r' % user1,
command=('user_mod', [user1], dict(mail=u'')),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
omit=['mail'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Ensure single-value mods work too, replace initials %r' %
user1,
command=('user_mod', [user1], dict(initials=u'ABC')),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
initials=[u'ABC'],
omit=['mail'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
dict(
desc='Drop a single-value attribute %r' % user1,
command=('user_mod', [user1], dict(initials=u'')),
expected=dict(
result=get_user_result(
user1,
u'Test',
u'User1',
'mod',
omit=['mail'],
),
summary=u'Modified user "tuser1"',
value=user1,
),
),
]
class test_range(Declarative):
@classmethod
def setup_class(cls):
super(test_range, cls).setup_class()
cls.teardown_class()
cls.mockldap = MockLDAP()
cls.mockldap.add_entry(trust_container_dn, trust_container_add)
cls.mockldap.add_entry(smb_cont_dn, smb_cont_add)
cls.mockldap.add_entry(trust_local_dn, trust_local_add)
cls.mockldap.add_entry(domain2_dn, domain2_add)
cls.mockldap.add_entry(domain3_dn, domain3_add)
cls.mockldap.add_entry(domain4_dn, domain4_add)
cls.mockldap.add_entry(domain5_dn, domain5_add)
cls.mockldap.add_entry(domain6_dn, domain6_add)
cls.mockldap.add_entry(domain7_dn, domain7_add)
cls.mockldap.add_entry(domain1range1_dn, domain1range1_add)
cls.mockldap.add_entry(domain2range1_dn, domain2range1_add)
cls.mockldap.add_entry(domain2range2_dn, domain2range2_add)
cls.mockldap.add_entry(domain3range1_dn, domain3range1_add)
cls.mockldap.add_entry(domain3range2_dn, domain3range2_add)
cls.mockldap.add_entry(domain4range1_dn, domain4range1_add)
cls.mockldap.add_entry(domain5range1_dn, domain5range1_add)
cls.mockldap.add_entry(domain5range2_dn, domain5range2_add)
cls.mockldap.add_entry(domain6range1_dn, domain6range1_add)
cls.mockldap.unbind()
@classmethod
def teardown_class(cls):
cls.mockldap = MockLDAP()
cls.mockldap.del_entry(domain2_dn)
cls.mockldap.del_entry(domain3_dn)
cls.mockldap.del_entry(domain4_dn)
cls.mockldap.del_entry(domain5_dn)
cls.mockldap.del_entry(domain6_dn)
cls.mockldap.del_entry(domain7_dn)
cls.mockldap.del_entry(domain1range1_dn)
cls.mockldap.del_entry(domain2range1_dn)
cls.mockldap.del_entry(domain2range2_dn)
cls.mockldap.del_entry(domain3range1_dn)
cls.mockldap.del_entry(domain3range2_dn)
cls.mockldap.del_entry(domain4range1_dn)
cls.mockldap.del_entry(domain5range1_dn)
cls.mockldap.del_entry(domain5range2_dn)
cls.mockldap.del_entry(domain6range1_dn)
cls.mockldap.del_entry(domain7range1_dn)
cls.mockldap.del_entry(trust_container_dn)
cls.mockldap.del_entry(trust_local_dn)
cls.mockldap.del_entry(smb_cont_dn)
cls.mockldap.unbind()
cleanup_commands = [
('idrange_del', [
testrange1, testrange2, testrange3, testrange4, testrange5,
testrange6, testrange7, testrange8
], {
'continue': True
}),
('user_del', [user1], {}),
('group_del', [group1], {}),
]
# Basic tests.
tests = [
dict(
desc='Create ID range %r' % (testrange1),
command=('idrange_add', [testrange1],
dict(ipabaseid=testrange1_base_id,
ipaidrangesize=testrange1_size,
ipabaserid=testrange1_base_rid,
ipasecondarybaserid=testrange1_secondary_base_rid)),
expected=dict(
result=dict(
dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange1],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[
unicode(testrange1_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange1_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
summary=u'Added ID range "%s"' % (testrange1),
),
),
dict(
desc='Retrieve ID range %r' % (testrange1),
command=('idrange_show', [testrange1], dict()),
expected=dict(
result=dict(
dn=DN(('cn', testrange1), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange1],
ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[
unicode(testrange1_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange1_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
summary=None,
),
),
# Checks for modifications leaving objects outside of the range.
dict(
desc='Create user %r in ID range %r' % (user1, testrange1),
command=('user_add', [user1],
dict(givenname=u'Test', sn=u'User1',
uidnumber=user1_uid)),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(
user1,
u'Test',
u'User1',
'add',
uidnumber=[unicode(user1_uid)],
gidnumber=[unicode(user1_uid)],
),
),
),
dict(
desc='Create group %r in ID range %r' % (group1, testrange1),
command=('group_add', [group1],
dict(description=u'Test desc 1', gidnumber=group1_gid)),
expected=dict(
value=group1,
summary=u'Added group "%s"' % group1,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
gidnumber=[unicode(group1_gid)],
objectclass=objectclasses.group + [u'posixgroup'],
ipauniqueid=[fuzzy_uuid],
dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
api.env.basedn),
),
),
),
dict(
desc='Try to modify ID range %r to get out bounds object #1' %
(testrange1),
command=('idrange_mod', [testrange1],
dict(ipabaseid=user1_uid + 1)),
expected=errors.ValidationError(
name='ipabaseid,ipaidrangesize',
error=u'range modification leaving objects with ID out of the'
u' defined range is not allowed'),
),
dict(
desc='Try to modify ID range %r to get out bounds object #2' %
(testrange1),
command=('idrange_mod', [testrange1], dict(ipaidrangesize=100)),
expected=errors.ValidationError(
name='ipabaseid,ipaidrangesize',
error=u'range modification leaving objects with ID out of the'
u' defined range is not allowed'),
),
dict(
desc='Try to modify ID range %r to get out bounds object #3' %
(testrange1),
command=('idrange_mod', [testrange1],
dict(ipabaseid=100, ipaidrangesize=100)),
expected=errors.ValidationError(
name='ipabaseid,ipaidrangesize',
error=u'range modification leaving objects with ID out of the'
u' defined range is not allowed'),
),
dict(
desc='Modify ID range %r' % (testrange1),
command=('idrange_mod', [testrange1], dict(ipaidrangesize=90000)),
expected=dict(
result=dict(
cn=[testrange1],
ipabaseid=[unicode(testrange1_base_id)],
ipabaserid=[unicode(testrange1_base_rid)],
ipasecondarybaserid=[
unicode(testrange1_secondary_base_rid)
],
ipaidrangesize=[u'90000'],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange1,
summary=u'Modified ID range "%s"' % (testrange1),
),
),
dict(
desc='Try to delete ID range %r with active IDs inside it' %
testrange1,
command=('idrange_del', [testrange1], {}),
expected=errors.ValidationError(
name='ipabaseid,ipaidrangesize',
error=u'range modification leaving objects with ID out of the'
u' defined range is not allowed'),
),
dict(
desc='Delete user %r' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
value=[user1],
summary=u'Deleted user "%s"' % user1,
),
),
dict(
desc='Delete group %r' % group1,
command=('group_del', [group1], {}),
expected=dict(
result=dict(failed=[]),
value=[group1],
summary=u'Deleted group "%s"' % group1,
),
),
dict(
desc='Delete ID range %r' % testrange1,
command=('idrange_del', [testrange1], {}),
expected=dict(
result=dict(failed=[]),
value=[testrange1],
summary=u'Deleted ID range "%s"' % testrange1,
),
),
# Tests for overlapping local ranges.
dict(
desc='Create ID range %r' % (testrange2),
command=('idrange_add', [testrange2],
dict(ipabaseid=testrange2_base_id,
ipaidrangesize=testrange2_size,
ipabaserid=testrange2_base_rid,
ipasecondarybaserid=testrange2_secondary_base_rid)),
expected=dict(
result=dict(
dn=DN(('cn', testrange2), ('cn', 'ranges'), ('cn', 'etc'),
api.env.basedn),
cn=[testrange2],
objectclass=[u'ipaIDrange', u'ipadomainidrange'],
ipabaseid=[unicode(testrange2_base_id)],
ipabaserid=[unicode(testrange2_base_rid)],
ipasecondarybaserid=[
unicode(testrange2_secondary_base_rid)
],
ipaidrangesize=[unicode(testrange2_size)],
iparangetyperaw=[u'ipa-local'],
iparangetype=[u'local domain range'],
),
value=testrange2,
summary=u'Added ID range "%s"' % (testrange2),
),
),
dict(
desc=
'Try to modify ID range %r so that its rid ranges are overlapping themselves'
% (testrange2),
command=('idrange_mod', [testrange2],
dict(ipabaserid=(testrange2_secondary_base_rid))),
expected=errors.ValidationError(
name='ID Range setup',
error='Primary RID range and secondary RID range cannot overlap'
),
),
dict(
desc='Try to create ID range %r with overlapping rid range' %
(testrange3),
command=('idrange_add', [testrange3],
dict(ipabaseid=testrange3_base_id,
ipaidrangesize=testrange3_size,
ipabaserid=testrange3_base_rid,
ipasecondarybaserid=testrange3_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New primary rid range overlaps with existing primary rid range.'
),
),
dict(
desc=
'Try to create ID range %r with overlapping secondary rid range' %
(testrange4),
command=('idrange_add', [testrange4],
dict(ipabaseid=testrange4_base_id,
ipaidrangesize=testrange4_size,
ipabaserid=testrange4_base_rid,
ipasecondarybaserid=testrange4_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New secondary rid range overlaps with existing secondary rid range.'
),
),
dict(
desc=
'Try to create ID range %r with primary range overlapping secondary rid range'
% (testrange5),
command=('idrange_add', [testrange5],
dict(ipabaseid=testrange5_base_id,
ipaidrangesize=testrange5_size,
ipabaserid=testrange5_base_rid,
ipasecondarybaserid=testrange5_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info=
'New primary rid range overlaps with existing secondary rid range.'
),
),
dict(
desc='Try to create ID range %r with overlapping id range' %
(testrange6),
command=('idrange_add', [testrange6],
dict(ipabaseid=testrange6_base_id,
ipaidrangesize=testrange6_size,
ipabaserid=testrange6_base_rid,
ipasecondarybaserid=testrange6_secondary_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
dict(
desc=
'Try to create ID range %r with rid ranges overlapping themselves'
% (testrange7),
command=('idrange_add', [testrange7],
dict(ipabaseid=testrange7_base_id,
ipaidrangesize=testrange7_size,
ipabaserid=testrange7_base_rid,
ipasecondarybaserid=testrange7_secondary_base_rid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Primary RID range and secondary RID range cannot overlap'
),
),
dict(
desc='Delete ID range %r' % testrange2,
command=('idrange_del', [testrange2], {}),
expected=dict(
result=dict(failed=[]),
value=[testrange2],
summary=u'Deleted ID range "%s"' % testrange2,
),
),
# Testing framework validation: --dom-sid/--dom-name and secondary RID
# base cannot be used together
dict(
desc='Create ID range %r' % (testrange8),
command=('idrange_add', [testrange8],
dict(ipabaseid=testrange8_base_id,
ipaidrangesize=testrange8_size,
ipabaserid=testrange8_base_rid,
ipasecondarybaserid=testrange8_secondary_base_rid,
ipanttrusteddomainsid=domain1_sid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Options dom-sid/dom-name and '
'secondary-rid-base cannot be used together'),
),
# Testing framework validation: --rid-base is prohibited with ipa-ad-posix
dict(
desc='Try to create ipa-ad-trust-posix ID range %r with base RID' %
(domain7range1),
command=('idrange_add', [domain7range1],
dict(ipabaseid=domain7range1_base_id,
ipaidrangesize=domain7range1_size,
ipabaserid=domain7range1_base_rid,
iparangetype=domain7range1_type,
ipanttrusteddomainsid=domain7_sid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Option rid-base must not be used when IPA range '
'type is ipa-ad-trust-posix'),
),
dict(
desc='Create ID range %r' % (domain7range1),
command=('idrange_add', [domain7range1],
dict(ipabaseid=domain7range1_base_id,
ipaidrangesize=domain7range1_size,
iparangetype=domain7range1_type,
ipanttrusteddomainsid=domain7_sid)),
expected=dict(
result=dict(
dn=unicode(domain7range1_dn),
cn=[domain7range1],
objectclass=[u'ipaIDrange', u'ipatrustedaddomainrange'],
ipabaseid=[unicode(domain7range1_base_id)],
ipaidrangesize=[unicode(domain7range1_size)],
ipanttrusteddomainsid=[unicode(domain7_sid)],
iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[
u'Active Directory trust range with POSIX attributes'
],
),
value=unicode(domain7range1),
summary=u'Added ID range "%s"' % (domain7range1),
),
),
dict(
desc='Try to modify ipa-ad-trust-posix ID range %r with base RID' %
(domain7range1),
command=('idrange_mod', [domain7range1],
dict(ipabaserid=domain7range1_base_rid)),
expected=errors.ValidationError(
name='ID Range setup',
error='Option rid-base must not be used when IPA range '
'type is ipa-ad-trust-posix'),
),
# Testing prohibition of deletion of ranges belonging to active
# trusted domains.
dict(
desc='Delete non-active AD trusted range %r' % domain1range1,
command=('idrange_del', [domain1range1], {}),
expected=dict(
result=dict(failed=[]),
value=[domain1range1],
summary=u'Deleted ID range "%s"' % domain1range1,
),
),
dict(
desc='Try to delete active AD trusted range %r' % domain2range1,
command=('idrange_del', [domain2range1], {}),
expected=errors.DependentEntry(label='Active Trust domain',
key=domain2range1,
dependent=domain2),
),
# Testing base range overlaps for ranges of different types and
# different domains
# - Base range overlaps
# 1. ipa-ad-trust-posix type ranges from the same forest can overlap
# on base ranges, use domain3range1 and domain3range2
dict(
desc=('Modify ipa-ad-trust-posix range %r to overlap on base range'
' with posix range from the same domain' % (domain3range2)),
command=('idrange_mod', [domain3range2],
dict(ipabaseid=domain3range1_base_id)),
expected=dict(
result=dict(
cn=[domain3range2],
ipabaseid=[unicode(domain3range1_base_id)],
ipaidrangesize=[unicode(domain3range2_size)],
ipanttrusteddomainsid=[unicode(domain3_sid)],
iparangetyperaw=[u'ipa-ad-trust-posix'],
iparangetype=[
u'Active Directory trust range with POSIX '
'attributes'
],
),
value=domain3range2,
summary=u'Modified ID range "%s"' % (domain3range2),
),
),
# 2. ipa-ad-trust-posix type ranges from different forests cannot
# overlap on base ranges, use domain3range1 and domain4range1
dict(
desc=('Modify ipa-ad-trust-posix range %r to overlap on base range'
' with posix range from different domain' % (domain3range1)),
command=('idrange_mod', [domain3range1],
dict(ipabaseid=domain4range1_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# 3. ipa-ad-trust ranges from same forest cannot overlap on base ranges,
# use domain5range1 and domain5range2
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base range'
' with posix range from the same domain' % (domain5range1)),
command=('idrange_mod', [domain5range1],
dict(ipabaseid=domain5range2_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# 4. ipa-ad-trust ranges from different forests cannot overlap on base
# ranges, use domain5range1 and domain6range1
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base range'
' with posix range from different domain' % (domain5range1)),
command=('idrange_mod', [domain5range1],
dict(ipabaseid=domain6range1_base_id)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New base range overlaps with existing base range.'),
),
# - RID range overlaps
# 1. Overlaps on base RID ranges are allowed for ranges from different
# domains, use domain2range1 and domain5range1
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base RID'
' range with nonposix range from different domain' %
(domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain5range1_base_rid)),
expected=dict(
result=dict(
cn=[domain2range1],
ipabaseid=[unicode(domain2range1_base_id)],
ipabaserid=[unicode(domain5range1_base_rid)],
ipaidrangesize=[unicode(domain2range1_size)],
ipanttrusteddomainsid=[unicode(domain2_sid)],
iparangetyperaw=[u'ipa-ad-trust'],
iparangetype=[u'Active Directory domain range'],
),
value=domain2range1,
summary=u'Modified ID range "%s"' % (domain2range1),
),
),
# 2. ipa-ad-trust ranges from the same forest cannot overlap on base
# RID ranges, use domain5range1 and domain5range2
dict(
desc=('Modify ipa-ad-trust range %r to overlap on base RID range'
' with range from the same domain' % (domain2range1)),
command=('idrange_mod', [domain2range1],
dict(ipabaserid=domain2range2_base_rid)),
expected=errors.DatabaseError(
desc='Constraint violation',
info='New primary rid range overlaps with existing primary rid '
'range.'),
),
]
class test_group(Declarative):
cleanup_commands = [
('group_del', [group1], {}),
('group_del', [group2], {}),
('group_del', [group3], {}),
('group_del', [renamedgroup1], {}),
('user_del', [user1], {}),
]
tests = [
################
# create group1:
dict(
desc='Try to retrieve non-existent %r' % group1,
command=('group_show', [group1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Try to update non-existent %r' % group1,
command=('group_mod', [group1], dict(description=u'Foo')),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Try to delete non-existent %r' % group1,
command=('group_del', [group1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Try to rename non-existent %r' % group1,
command=('group_mod', [group1], dict(setattr=u'cn=%s' % renamedgroup1)),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Create non-POSIX %r' % group1,
command=(
'group_add', [group1], dict(description=u'Test desc 1',nonposix=True)
),
expected=dict(
value=group1,
summary=u'Added group "testgroup1"',
result=dict(
cn=[group1],
description=[u'Test desc 1'],
objectclass=objectclasses.group,
ipauniqueid=[fuzzy_uuid],
dn=get_group_dn('testgroup1'),
),
),
),
dict(
desc='Try to create duplicate %r' % group1,
command=(
'group_add', [group1], dict(description=u'Test desc 1')
),
expected=errors.DuplicateEntry(
message=u'group with name "%s" already exists' % group1),
),
dict(
desc='Retrieve non-POSIX %r' % group1,
command=('group_show', [group1], {}),
expected=dict(
value=group1,
summary=None,
result=dict(
cn=[group1],
description=[u'Test desc 1'],
dn=get_group_dn('testgroup1'),
),
),
),
dict(
desc='Updated non-POSIX %r' % group1,
command=(
'group_mod', [group1], dict(description=u'New desc 1')
),
expected=dict(
result=dict(
cn=[group1],
description=[u'New desc 1'],
),
summary=u'Modified group "testgroup1"',
value=group1,
),
),
dict(
desc='Retrieve %r to verify update' % group1,
command=('group_show', [group1], {}),
expected=dict(
value=group1,
result=dict(
cn=[group1],
description=[u'New desc 1'],
dn=get_group_dn('testgroup1'),
),
summary=None,
),
),
# FIXME: The return value is totally different here than from the above
# group_mod() test. I think that for all *_mod() commands we should
# just return the entry exactly as *_show() does.
dict(
desc='Updated %r to promote it to a POSIX group' % group1,
command=('group_mod', [group1], dict(posix=True)),
expected=dict(
result=dict(
cn=[group1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
),
value=group1,
summary=u'Modified group "testgroup1"',
),
),
dict(
desc="Retrieve %r to verify it's a POSIX group" % group1,
command=('group_show', [group1], {}),
expected=dict(
value=group1,
result=dict(
cn=[group1],
description=(u'New desc 1',),
dn=get_group_dn('testgroup1'),
gidnumber=[fuzzy_digits],
),
summary=None,
),
),
dict(
desc='Search for %r' % group1,
command=('group_find', [], dict(cn=group1)),
expected=dict(
count=1,
truncated=False,
result=[
dict(
dn=get_group_dn(group1),
cn=[group1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
),
],
summary=u'1 group matched',
),
),
################
# create group2:
dict(
desc='Try to retrieve non-existent %r' % group2,
command=('group_show', [group2], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Try to update non-existent %r' % group2,
command=('group_mod', [group2], dict(description=u'Foo')),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Try to delete non-existent %r' % group2,
command=('group_del', [group2], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Create %r' % group2,
command=(
'group_add', [group2], dict(description=u'Test desc 2')
),
expected=dict(
value=group2,
summary=u'Added group "testgroup2"',
result=dict(
cn=[group2],
description=[u'Test desc 2'],
gidnumber=[fuzzy_digits],
objectclass=objectclasses.posixgroup,
ipauniqueid=[fuzzy_uuid],
dn=get_group_dn('testgroup2'),
),
),
),
dict(
desc='Try to create duplicate %r' % group2,
command=(
'group_add', [group2], dict(description=u'Test desc 2')
),
expected=errors.DuplicateEntry(
message=u'group with name "%s" already exists' % group2),
),
dict(
desc='Retrieve %r' % group2,
command=('group_show', [group2], {}),
expected=dict(
value=group2,
summary=None,
result=dict(
cn=[group2],
description=[u'Test desc 2'],
gidnumber=[fuzzy_digits],
dn=get_group_dn('testgroup2'),
),
),
),
dict(
desc='Updated %r' % group2,
command=(
'group_mod', [group2], dict(description=u'New desc 2')
),
expected=dict(
result=dict(
cn=[group2],
gidnumber=[fuzzy_digits],
description=[u'New desc 2'],
),
summary=u'Modified group "testgroup2"',
value=group2,
),
),
dict(
desc='Retrieve %r to verify update' % group2,
command=('group_show', [group2], {}),
expected=dict(
value=group2,
result=dict(
cn=[group2],
description=[u'New desc 2'],
gidnumber=[fuzzy_digits],
dn=get_group_dn('testgroup2'),
),
summary=None,
),
),
dict(
desc='Search for %r' % group2,
command=('group_find', [], dict(cn=group2)),
expected=dict(
count=1,
truncated=False,
result=[
dict(
dn=get_group_dn('testgroup2'),
cn=[group2],
description=[u'New desc 2'],
gidnumber=[fuzzy_digits],
),
],
summary=u'1 group matched',
),
),
dict(
desc='Search for all groups',
command=('group_find', [], {}),
expected=dict(
summary=u'6 groups matched',
count=6,
truncated=False,
result=[
{
'dn': get_group_dn('admins'),
'member_user': [u'admin'],
'gidnumber': [fuzzy_digits],
'cn': [u'admins'],
'description': [u'Account administrators group'],
},
{
'dn': get_group_dn('editors'),
'gidnumber': [fuzzy_digits],
'cn': [u'editors'],
'description': [u'Limited admins who can edit other users'],
},
{
'dn': get_group_dn('ipausers'),
'cn': [u'ipausers'],
'description': [u'Default group for all users'],
},
dict(
dn=get_group_dn(group1),
cn=[group1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
),
dict(
dn=get_group_dn(group2),
cn=[group2],
description=[u'New desc 2'],
gidnumber=[fuzzy_digits],
),
{
'dn': get_group_dn('trust admins'),
'member_user': [u'admin'],
'cn': [u'trust admins'],
'description': [u'Trusts administrators group'],
},
],
),
),
dict(
desc='Search for non-POSIX groups',
command=('group_find', [], dict(nonposix=True, all=True)),
expected=dict(
summary=u'2 groups matched',
count=2,
truncated=False,
result=[
{
'dn': get_group_dn('ipausers'),
'cn': [u'ipausers'],
'description': [u'Default group for all users'],
'objectclass': fuzzy_set_ci(objectclasses.group),
'ipauniqueid': [fuzzy_uuid],
},
{
'dn': get_group_dn('trust admins'),
'member_user': [u'admin'],
'cn': [u'trust admins'],
'description': [u'Trusts administrators group'],
'objectclass': fuzzy_set_ci(objectclasses.group),
'ipauniqueid': [fuzzy_uuid],
},
],
),
),
dict(
desc='Search for non-POSIX groups with criteria filter',
command=('group_find', [u'users'], dict(nonposix=True, all=True)),
expected=dict(
summary=u'1 group matched',
count=1,
truncated=False,
result=[
{
'dn': get_group_dn('ipausers'),
'cn': [u'ipausers'],
'description': [u'Default group for all users'],
'objectclass': fuzzy_set_ci(objectclasses.group),
'ipauniqueid': [fuzzy_uuid],
},
],
),
),
dict(
desc='Search for POSIX groups',
command=('group_find', [], dict(posix=True, all=True)),
expected=dict(
summary=u'4 groups matched',
count=4,
truncated=False,
result=[
add_sid({
'dn': get_group_dn('admins'),
'member_user': [u'admin'],
'gidnumber': [fuzzy_digits],
'cn': [u'admins'],
'description': [u'Account administrators group'],
'objectclass': fuzzy_set_ci(add_oc(
objectclasses.posixgroup, u'ipantgroupattrs')),
'ipauniqueid': [fuzzy_uuid],
}),
add_sid({
'dn': get_group_dn('editors'),
'gidnumber': [fuzzy_digits],
'cn': [u'editors'],
'description': [u'Limited admins who can edit other users'],
'objectclass': fuzzy_set_ci(add_oc(
objectclasses.posixgroup,
u'ipantgroupattrs',
check_sidgen=True)),
'ipauniqueid': [fuzzy_uuid],
}, check_sidgen=True),
dict(
dn=get_group_dn(group1),
cn=[group1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
objectclass=fuzzy_set_ci(objectclasses.posixgroup),
ipauniqueid=[fuzzy_uuid],
),
add_sid(dict(
dn=get_group_dn(group2),
cn=[group2],
description=[u'New desc 2'],
gidnumber=[fuzzy_digits],
objectclass=fuzzy_set_ci(add_oc(
objectclasses.posixgroup, u'ipantgroupattrs')),
ipauniqueid=[fuzzy_uuid],
)),
],
),
),
###############
# test external SID members for group3:
dict(
desc='Create external %r' % group3,
command=(
'group_add', [group3], dict(description=u'Test desc 3',external=True)
),
expected=dict(
value=group3,
summary=u'Added group "testgroup3"',
result=dict(
cn=[group3],
description=[u'Test desc 3'],
objectclass=objectclasses.externalgroup,
ipauniqueid=[fuzzy_uuid],
dn=get_group_dn(group3),
),
),
),
dict(
desc='Search for external groups',
command=('group_find', [], dict(external=True, all=True)),
expected=dict(
summary=u'1 group matched',
count=1,
truncated=False,
result=[
dict(
cn=[group3],
description=[u'Test desc 3'],
objectclass=fuzzy_set_ci(objectclasses.externalgroup),
ipauniqueid=[fuzzy_uuid],
dn=get_group_dn(group3),
),
],
),
),
dict(
desc='Convert posix group %r to support external membership' % (group2),
command=(
'group_mod', [group2], dict(external=True)
),
expected=errors.PosixGroupViolation(),
),
dict(
desc='Convert external members group %r to posix' % (group3),
command=(
'group_mod', [group3], dict(posix=True)
),
expected=errors.ExternalGroupViolation(),
),
dict(
desc='Add external member %r to %r' % (external_sid1, group3),
command=(
'group_add_member', [group3], dict(ipaexternalmember=external_sid1)
),
expected=lambda x, output: (type(x) == errors.ValidationError
or type(x) == errors.NotFound
or 'failed' in output),
),
dict(
desc='Remove group %r with external membership' % (group3),
command=('group_del', [group3], {}),
expected=dict(
result=dict(failed=[]),
value=[group3],
summary=u'Deleted group "testgroup3"',
),
),
###############
# member stuff:
dict(
desc='Add member %r to %r' % (group2, group1),
command=(
'group_add_member', [group1], dict(group=group2)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
),
),
result={
'dn': get_group_dn(group1),
'member_group': (group2,),
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'New desc 1'],
},
),
),
dict(
# FIXME: Shouldn't this raise a NotFound instead?
desc='Try to add non-existent member to %r' % group1,
command=(
'group_add_member', [group1], dict(group=u'notfound')
),
expected=dict(
completed=0,
failed=dict(
member=dict(
group=[(u'notfound', u'no such entry')],
user=tuple(),
),
),
result={
'dn': get_group_dn(group1),
'member_group': (group2,),
'gidnumber': [fuzzy_digits],
'cn': [group1],
'description': [u'New desc 1'],
},
),
),
dict(
desc='Remove member %r from %r' % (group2, group1),
command=('group_remove_member',
[group1], dict(group=group2)
),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
),
),
result={
'dn': get_group_dn(group1),
'cn': [group1],
'gidnumber': [fuzzy_digits],
'description': [u'New desc 1'],
},
),
),
dict(
# FIXME: Shouldn't this raise a NotFound instead?
desc='Try to remove non-existent member from %r' % group1,
command=('group_remove_member',
[group1], dict(group=u'notfound')
),
expected=dict(
completed=0,
failed=dict(
member=dict(
group=[(u'notfound', u'This entry is not a member')],
user=tuple(),
),
),
result={
'dn': get_group_dn(group1),
'cn': [group1],
'gidnumber': [fuzzy_digits],
'description': [u'New desc 1'],
},
),
),
dict(
desc='Rename %r' % group1,
command=('group_mod', [group1], dict(setattr=u'cn=%s' % renamedgroup1)),
expected=dict(
value=group1,
result=dict(
cn=[renamedgroup1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
),
summary=u'Modified group "%s"' % group1
)
),
dict(
desc='Rename %r back' % renamedgroup1,
command=('group_mod', [renamedgroup1], dict(setattr=u'cn=%s' % group1)),
expected=dict(
value=renamedgroup1,
result=dict(
cn=[group1],
description=[u'New desc 1'],
gidnumber=[fuzzy_digits],
),
summary=u'Modified group "%s"' % renamedgroup1
)
),
################
# delete group1:
dict(
desc='Delete %r' % group1,
command=('group_del', [group1], {}),
expected=dict(
result=dict(failed=[]),
value=[group1],
summary=u'Deleted group "testgroup1"',
)
),
dict(
desc='Try to delete non-existent %r' % group1,
command=('group_del', [group1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Try to retrieve non-existent %r' % group1,
command=('group_show', [group1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
dict(
desc='Try to update non-existent %r' % group1,
command=('group_mod', [group1], dict(description=u'Foo')),
expected=errors.NotFound(reason=u'%s: group not found' % group1),
),
################
# delete group2:
dict(
desc='Delete %r' % group2,
command=('group_del', [group2], {}),
expected=dict(
result=dict(failed=[]),
value=[group2],
summary=u'Deleted group "testgroup2"',
)
),
dict(
desc='Try to delete non-existent %r' % group2,
command=('group_del', [group2], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Try to retrieve non-existent %r' % group2,
command=('group_show', [group2], {}),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Try to update non-existent %r' % group2,
command=('group_mod', [group2], dict(description=u'Foo')),
expected=errors.NotFound(reason=u'%s: group not found' % group2),
),
dict(
desc='Test an invalid group name %r' % invalidgroup1,
command=('group_add', [invalidgroup1], dict(description=u'Test')),
expected=errors.ValidationError(name='group_name',
error=u'may only include letters, numbers, _, -, . and $'),
),
# The assumption on these next 4 tests is that if we don't get a
# validation error then the request was processed normally.
dict(
desc='Test that validation is disabled on mods',
command=('group_mod', [invalidgroup1], {}),
expected=errors.NotFound(
reason=u'%s: group not found' % invalidgroup1),
),
dict(
desc='Test that validation is disabled on deletes',
command=('group_del', [invalidgroup1], {}),
expected=errors.NotFound(
reason=u'%s: group not found' % invalidgroup1),
),
dict(
desc='Test that validation is disabled on show',
command=('group_show', [invalidgroup1], {}),
expected=errors.NotFound(
reason=u'%s: group not found' % invalidgroup1),
),
##### managed entry tests
dict(
desc='Create %r' % user1,
command=(
'user_add', [], dict(givenname=u'Test', sn=u'User1')
),
expected=dict(
value=user1,
summary=u'Added user "%s"' % user1,
result=get_user_result(user1, u'Test', u'User1', 'add'),
),
),
dict(
desc='Verify the managed group %r was created' % user1,
command=('group_show', [user1], {}),
expected=dict(
value=user1,
summary=None,
result=dict(
cn=[user1],
description=[u'User private group for %s' % user1],
gidnumber=[fuzzy_digits],
dn=get_group_dn(user1),
),
),
),
dict(
desc='Verify that managed group %r can be found' % user1,
command=('group_find', [], {'cn': user1, 'private': True}),
expected=dict(
count=1,
truncated=False,
result=[
dict(
dn=get_group_dn(user1),
cn=[user1],
description=[u'User private group for %s' % user1],
gidnumber=[fuzzy_digits],
),
],
summary=u'1 group matched',
),
),
dict(
desc='Try to delete a managed group %r' % user1,
command=('group_del', [user1], {}),
expected=errors.ManagedGroupError(),
),
dict(
desc='Detach managed group %r' % user1,
command=('group_detach', [user1], {}),
expected=dict(
result=True,
value=user1,
summary=u'Detached group "%s" from user "%s"' % (user1, user1),
),
),
dict(
desc='Now delete the unmanaged group %r' % user1,
command=('group_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
value=[user1],
summary=u'Deleted group "%s"' % user1,
)
),
dict(
desc='Verify that %r is really gone' % user1,
command=('group_show', [user1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % user1),
),
dict(
desc='Delete %r' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "tuser1"',
value=[user1],
),
),
dict(
desc='Create %r without User Private Group' % user1,
command=(
'user_add', [user1], dict(givenname=u'Test', sn=u'User1', noprivate=True, gidnumber=1000)
),
expected=dict(
value=user1,
summary=u'Added user "tuser1"',
result=get_user_result(
user1, u'Test', u'User1', 'add',
description=[],
objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
gidnumber=[u'1000'],
omit=['mepmanagedentry'],
),
),
),
dict(
desc='Verify the managed group %r was not created' % user1,
command=('group_show', [user1], {}),
expected=errors.NotFound(reason=u'%s: group not found' % user1),
),
dict(
desc='Try to remove the admin user from the admins group',
command=('group_remove_member', [u'admins'], dict(user=[u'admin'])),
expected=errors.LastMemberError(key=u'admin', label=u'group',
container='admins'),
),
dict(
desc='Add %r to the admins group' % user1,
command=('group_add_member', [u'admins'], dict(user=user1)),
expected=dict(
completed=1,
failed=dict(
member=dict(
group=tuple(),
user=tuple(),
),
),
result={
'dn': get_group_dn('admins'),
'member_user': [u'admin', user1],
'gidnumber': [fuzzy_digits],
'cn': [u'admins'],
'description': [u'Account administrators group'],
},
),
),
dict(
desc='Try to remove admin and %r from the admins group' % user1,
command=('group_remove_member', [u'admins'],
dict(user=[u'admin', user1])),
expected=errors.LastMemberError(key=u'admin', label=u'group',
container='admins'),
),
dict(
desc='Try to delete the admins group',
command=('group_del', [u'admins'], {}),
expected=errors.ProtectedEntryError(label=u'group',
key='admins', reason='privileged group'),
),
dict(
desc='Try to rename the admins group',
command=('group_mod', [u'admins'], dict(rename=u'loosers')),
expected=errors.ProtectedEntryError(label=u'group',
key='admins', reason='Cannot be renamed'),
),
dict(
desc='Try to rename the admins group via setattr',
command=('group_mod', [u'admins'], {'setattr': u'cn=loosers'}),
expected=errors.ProtectedEntryError(label=u'group',
key='admins', reason='Cannot be renamed'),
),
dict(
desc='Try to modify the admins group to support external membership',
command=('group_mod', [u'admins'], dict(external=True)),
expected=errors.ProtectedEntryError(label=u'group',
key='admins', reason='Cannot support external non-IPA members'),
),
dict(
desc='Try to delete the trust admins group',
command=('group_del', [u'trust admins'], {}),
expected=errors.ProtectedEntryError(label=u'group',
key='trust admins', reason='privileged group'),
),
dict(
desc='Try to rename the trust admins group',
command=('group_mod', [u'trust admins'], dict(rename=u'loosers')),
expected=errors.ProtectedEntryError(label=u'group',
key='trust admins', reason='Cannot be renamed'),
),
dict(
desc='Try to rename the trust admins group via setattr',
command=('group_mod', [u'trust admins'], {'setattr': u'cn=loosers'}),
expected=errors.ProtectedEntryError(label=u'group',
key='trust admins', reason='Cannot be renamed'),
),
dict(
desc='Try to modify the trust admins group to support external membership',
command=('group_mod', [u'trust admins'], dict(external=True)),
expected=errors.ProtectedEntryError(label=u'group',
key='trust admins', reason='Cannot support external non-IPA members'),
),
dict(
desc='Delete %r' % user1,
command=('user_del', [user1], {}),
expected=dict(
result=dict(failed=[]),
summary=u'Deleted user "%s"' % user1,
value=[user1],
),
),
]
