Ctrl+K

tests

tests#

__NOTOC__

Test permission

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission

Misc. tests for the permission plugin

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: read
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2

Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present

Note: the permission entry will look like this:

dn: cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX
cn: testperm1_rn
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: all
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2

Note: the permission entry cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX will not be present

Note: the permission entry will look like this:

dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2

Note: the permission entry will look like this:

dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2

Note: the permission entry will look like this:

dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2

Note: the permission entry cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX will not be present

Note: the permission entry cn=testperm2,cn=permissions,cn=pbac,$SUFFIX will not be present

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=editors,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermAllowedAttr: uid
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Cleanup

ipa permission_del testperm --force
ipa permission_del testperm2 --force
ipa permission_del testperm3 --force
ipa permission_del testperm1_rn --force
ipa permission_del Testperm_RN --force
ipa privilege_del testpriv1

Test permission rollback

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_rollback

Test rolling back changes after failed update

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Cleanup

ipa permission_del testperm --force

Test permission sync attributes

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_attributes

Test the effects of setting permission attributes

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Cleanup

ipa permission_del testperm --force

Test permission sync nice

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_nice

Test the effects of setting convenience options on permissions

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top

Cleanup

ipa permission_del testperm --force

Test permission flags

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_flags

Test that permission flags are handled correctly

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Cleanup

ipa permission_del testperm --force