
V3/Permissions V2/tests

Test permission

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission

Misc. tests for the permission plugin

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Try to retrieve non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command fails with this error:

testperm: permission not found


Test case: Try to update non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --permissions=all

Expected results

The command fails with this error:

testperm: permission not found


Test case: Try to delete non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command fails with this error:

testperm: permission not found


Test case: Search for non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm

Expected results

The command fails (return code 1) with this output:

---------------------
0 permissions matched
---------------------
----------------------------
Number of entries returned 0
----------------------------


Test case: Create u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=sn --type=user

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Try to create duplicate u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=sn --type=user

Expected results

The command fails with this error:

permission with name "testperm" already exists


Test case: Create u'testpriv1'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add testpriv1 --desc='privilege desc. 1'

Expected results

The command succeeds with this output:

---------------------------
Added privilege "testpriv1"
---------------------------
  Privilege name: testpriv1
  Description: privilege desc. 1


Test case: Add permission u'testperm' to privilege u'testpriv1'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_add_permission testpriv1 --permissions=testperm

Expected results

The command succeeds with this output:

  Privilege name: testpriv1
  Description: privilege desc. 1
  Permissions: testperm
-----------------------------
Number of permissions added 1
-----------------------------


Test case: Retrieve u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1


Test case: Retrieve u'testperm' with --raw

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm --raw

Expected results

The command succeeds with this output:

  cn: testperm
  ipapermright: write
  ipapermallowedattr: sn
  ipapermbindruletype: permission
  ipapermlocation: cn=users,cn=accounts,$SUFFIX
  ipapermtarget: uid=*,cn=users,cn=accounts,$SUFFIX
  member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
  aci: (targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Test case: Search for u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for u'testperm' using --name

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --name=testperm

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for non-existent permission using --name

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --name=notfound

Expected results

The command fails (return code 1) with this output:

---------------------
0 permissions matched
---------------------
----------------------------
Number of entries returned 0
----------------------------


Test case: Search for u'testpriv1'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testpriv1

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for u'testperm' with --raw

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm --raw

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  cn: testperm
  ipapermright: write
  ipapermallowedattr: sn
  ipapermbindruletype: permission
  ipapermlocation: cn=users,cn=accounts,$SUFFIX
  ipapermtarget: uid=*,cn=users,cn=accounts,$SUFFIX
  member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
  aci: (targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)
----------------------------
Number of entries returned 1
----------------------------


Test case: Create u'testperm2'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm2 --permissions=write --attrs=cn --addattr='owner=cn=test2' --type=user --setattr='owner=cn=test'

Expected results

The command succeeds with this output:

----------------------------
Added permission "testperm2"
----------------------------
  Permission name: testperm2
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm2

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm2 in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "cn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm2";allow (write) groupdn = "ldap:///cn=testperm2,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2


Test case: Search for u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm

Expected results

The command succeeds with this output:

---------------------
2 permissions matched
---------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1

  Permission name: testperm2
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
----------------------------
Number of entries returned 2
----------------------------


Test case: Search for u'testperm' with --pkey-only

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm --pkey-only

Expected results

The command succeeds with this output:

---------------------
2 permissions matched
---------------------
  Permission name: testperm

  Permission name: testperm2
----------------------------
Number of entries returned 2
----------------------------


Test case: Search by ACI attribute with --pkey-only

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --attrs=krbminpwdlife --pkey-only

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: Modify Group Password Policy
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for u'testpriv1'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_find testpriv1

Expected results

The command succeeds with this output:

-------------------
1 privilege matched
-------------------
  Privilege name: testpriv1
  Description: privilege desc. 1
  Permissions: testperm
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for u'testperm' with a limit of 1 (truncated)

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm --sizelimit=1

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1
----------------------------
Number of entries returned 1
----------------------------


Test case: Search for u'testperm' with a limit of 2

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm --sizelimit=2

Expected results

The command succeeds with this output:

---------------------
2 permissions matched
---------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  Granted to Privilege: testpriv1

  Permission name: testperm2
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
----------------------------
Number of entries returned 2
----------------------------


Test case: Search for permissions by attr with a limit of 1 (truncated)

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --sizelimit=1 --attrs=ipaenabledflag

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: Modify HBAC rule
  Permissions: write
  Attributes: servicecategory, sourcehostcategory, cn, description, ipaenabledflag, accesstime, usercategory, hostcategory, accessruletype, sourcehost
  Bind rule type: permission
  ACI target DN: ipauniqueid=*,cn=hbac,$SUFFIX
  Granted to Privilege: HBAC Administrator
  Indirect Member of roles: IT Security Specialist
----------------------------
Number of entries returned 1
----------------------------


Test case: Update u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --permissions=read --memberof=ipausers --addattr='owner=cn=other-test2' --setattr='owner=cn=other-test'

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: read
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: ipausers
  Type: user
  Granted to Privilege: testpriv1


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (read) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: read
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2


Test case: Retrieve u'testperm' to verify update

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: read
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: ipausers
  Type: user
  Granted to Privilege: testpriv1


Test case: Try to rename u'testperm' to existing permission u'testperm2'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --permissions=all --rename=testperm2

Expected results

The command fails with this error:

This entry already exists


Test case: Try to rename u'testperm' to empty name

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --permissions=all --rename=

Expected results

The command fails with this error:

invalid 'rename': New name can not be empty


Test case: Check integrity of original permission u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: read
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: ipausers
  Type: user
  Granted to Privilege: testpriv1


Test case: Rename u'testperm' to permission u'testperm1_rn'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --permissions=all --rename=testperm1_rn

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm1_rn
  Permissions: all
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: ipausers
  Type: user
  Granted to Privilege: testpriv1


Test case: Verify ACI of testperm is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present.
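The "Verify ACI of ... is missing" steps above, and the "Verify ACI of ..." steps before them, all come down to reading the aci attribute of the ipaPermLocation entry and looking for the value whose acl name is permission:&lt;name&gt;. The following added example (not FreeIPA's own code, written for this page) does that lookup over a constructed aci attribute, and adds the consistency check a defender wants after renames and deletes: an ACI named after a permission whose cn=...,cn=permissions,cn=pbac entry no longer exists. SUFFIX is a constructed stand-in for $SUFFIX, and the third sample value ("permission:oldperm") is a constructed leftover that does not appear on this page.

```python
# Added example, not FreeIPA code: look up and sanity-check permission ACIs
# in the aci attribute of a subtree entry such as cn=users,cn=accounts,$SUFFIX.
import re

SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX on this page

# Constructed aci values after testperm was renamed to testperm1_rn.
# The third value is a constructed leftover whose permission entry is gone.
SAMPLE_ACIS = [
    '(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,%s")'
    '(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,%s)")'
    '(version 3.0;acl "permission:testperm1_rn";allow (all) '
    'groupdn = "ldap:///cn=testperm1_rn,cn=permissions,cn=pbac,%s";)'
    % (SUFFIX, SUFFIX, SUFFIX),
    '(targetattr = "cn")(target = "ldap:///uid=*,cn=users,cn=accounts,%s")'
    '(version 3.0;acl "permission:testperm2";allow (write) '
    'groupdn = "ldap:///cn=testperm2,cn=permissions,cn=pbac,%s";)'
    % (SUFFIX, SUFFIX),
    '(targetattr = "sn")(version 3.0;acl "permission:oldperm";allow (write) '
    'groupdn = "ldap:///cn=oldperm,cn=permissions,cn=pbac,%s";)' % SUFFIX,
]

ACL_NAME_RE = re.compile(r'acl "([^"]*)"')
GROUPDN_RE = re.compile(r'groupdn = "ldap:///([^"]*)"')


def aci_name(aci):
    """The acl name inside an ACI string, e.g. 'permission:testperm', or None."""
    m = ACL_NAME_RE.search(aci)
    return m.group(1) if m else None


def find_permission_aci(acis, permission_name):
    """The ACI owned by the permission, or None (what the 'is missing' checks expect)."""
    wanted = "permission:%s" % permission_name
    return next((a for a in acis if aci_name(a) == wanted), None)


def dangling_permission_acis(acis, existing_permissions):
    """Names of permission ACIs whose cn=<name>,cn=permissions,cn=pbac entry is gone.

    permission-del and --rename must remove the old ACI together with the entry;
    an ACI that outlives its entry would apply again to any future permission
    created under the same name.
    """
    known = {p.lower() for p in existing_permissions}  # cn is case-insensitive
    stale = []
    for aci in acis:
        name = aci_name(aci)
        if not name or not name.startswith("permission:"):
            continue
        if name[len("permission:"):].lower() not in known:
            stale.append(name)
    return stale


def groupdn_matches_name(aci):
    """True when a permission ACI grants to the permission's own group entry."""
    name = aci_name(aci)
    m = GROUPDN_RE.search(aci)
    if not name or not name.startswith("permission:") or not m:
        return False
    expected = "cn=%s,cn=permissions,cn=pbac,%s" % (name[len("permission:"):], SUFFIX)
    return m.group(1).lower() == expected.lower()


if __name__ == "__main__":
    print("testperm present:", find_permission_aci(SAMPLE_ACIS, "testperm") is not None)
    print("dangling:", dangling_permission_acis(SAMPLE_ACIS, ["testperm1_rn", "testperm2"]))
```

The existing-permission list would normally come from a search under cn=permissions,cn=pbac,$SUFFIX; here it is passed in so the check runs offline.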


Test case: Verify ACI of testperm1_rn

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm1_rn";allow (all) groupdn = "ldap:///cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX
cn: testperm1_rn
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: all
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2


Test case: Rename u'testperm1_rn' to permission u'Testperm_RN'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm1_rn --permissions=write --rename=Testperm_RN

Expected results

The command succeeds with this output:

----------------------------------
Modified permission "testperm1_rn"
----------------------------------
  Permission name: Testperm_RN
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: ipausers
  Type: user
  Granted to Privilege: testpriv1


Test case: Verify ACI of testperm1_rn is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm1_rn in cn=users,cn=accounts,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX will not be present.


Test case: Verify ACI of Testperm_RN

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:Testperm_RN in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:Testperm_RN";allow (write) groupdn = "ldap:///cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2


Test case: Change u'Testperm_RN' to a subtree type

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod Testperm_RN --subtree='cn=users,cn=accounts,$SUFFIX' --type=None

Expected results

The command succeeds with this output:

---------------------------------
Modified permission "Testperm_RN"
---------------------------------
  Permission name: Testperm_RN
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  Member of group: ipausers
  Granted to Privilege: testpriv1


Test case: Verify ACI of Testperm_RN

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:Testperm_RN in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(targetfilter = "(memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:Testperm_RN";allow (write) groupdn = "ldap:///cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2
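The permission entries and ACIs shown in the "Verify ACI" steps follow one mapping: --type fills ipaPermLocation and ipaPermTarget, --subtree overrides the location, --memberof becomes a memberOf target filter, --targetgroup becomes the target, and the ACI is rendered from those attributes with the permission's own group as the bind rule. The following added example (written for this page, not FreeIPA's own code) carries that mapping through for the three shapes on this page: the plain type=user permission, the same permission after --memberof was set (targetfilter added), and the subtree-only Testperm_RN above (no target clause). SUFFIX is a constructed stand-in for $SUFFIX; only the 'user' type mapping appears on the page, and the " || " join for several attributes and the "," join for several rights are assumptions, since the page only shows single-valued examples.

```python
# Added example, not FreeIPA code: the permission-add options -> permission
# entry -> ACI mapping that this test plan checks.
SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX on this page

# --type=<name> -> (ipaPermLocation, ipaPermTarget); only 'user' is on the page
TYPE_MAP = {
    "user": ("cn=users,cn=accounts,%s" % SUFFIX,
             "uid=*,cn=users,cn=accounts,%s" % SUFFIX),
}


def permission_entry(name, permissions, attrs, type=None, subtree=None,
                     memberof=None, targetgroup=None):
    """Build the entry permission-add creates under cn=permissions,cn=pbac."""
    entry = {
        "dn": "cn=%s,cn=permissions,cn=pbac,%s" % (name, SUFFIX),
        "cn": name,
        "ipaPermAllowedAttr": list(attrs),
        "ipaPermBindRuleType": "permission",
        "ipaPermRight": list(permissions),
        "ipaPermissionType": ["SYSTEM", "V2"],  # as shown in the entries on this page
        "objectClass": ["groupofnames", "ipapermission", "ipapermissionv2", "top"],
    }
    if type is not None:
        entry["ipaPermLocation"], entry["ipaPermTarget"] = TYPE_MAP[type]
    if subtree is not None:      # an explicit --subtree overrides the type's location
        entry["ipaPermLocation"] = subtree
    if memberof is not None:     # --memberof=<group> becomes a memberOf target filter
        entry["ipaPermTargetFilter"] = (
            "(memberOf=cn=%s,cn=groups,cn=accounts,%s)" % (memberof, SUFFIX))
    if targetgroup is not None:  # --targetgroup=<group> targets that group entry
        entry["ipaPermTarget"] = "cn=%s,cn=groups,cn=accounts,%s" % (targetgroup, SUFFIX)
    return entry


def aci_from_entry(entry):
    """Render the ACI stored on the ipaPermLocation entry for a permission.

    Element order follows the page: targetattr, target, targetfilter, then the
    version/acl/allow clause binding the rights to the permission's own group.
    Absent attributes simply produce no clause (the subtree-only case).
    """
    parts = []
    if entry.get("ipaPermAllowedAttr"):
        parts.append('(targetattr = "%s")' % " || ".join(entry["ipaPermAllowedAttr"]))
    if entry.get("ipaPermTarget"):
        parts.append('(target = "ldap:///%s")' % entry["ipaPermTarget"])
    if entry.get("ipaPermTargetFilter"):
        parts.append('(targetfilter = "%s")' % entry["ipaPermTargetFilter"])
    parts.append('(version 3.0;acl "permission:%s";allow (%s) groupdn = "ldap:///%s";)'
                 % (entry["cn"], ",".join(entry["ipaPermRight"]), entry["dn"]))
    return "".join(parts)


def aci_location(entry):
    """The entry whose aci attribute holds the ACI: ipaPermLocation, else $SUFFIX."""
    return entry.get("ipaPermLocation", SUFFIX)


if __name__ == "__main__":
    for e in (
        permission_entry("testperm", ["write"], ["sn"], type="user"),
        permission_entry("testperm", ["read"], ["sn"], type="user", memberof="ipausers"),
        permission_entry("Testperm_RN", ["write"], ["sn"],
                         subtree="cn=users,cn=accounts,%s" % SUFFIX, memberof="ipausers"),
    ):
        print(aci_location(e), "->", aci_from_entry(e))
```

Comparing aci_from_entry() against the value actually stored on the location entry is the check the "Verify ACI" steps perform; a mismatch means the permission entry and the ACI it is supposed to control have drifted apart.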


Test case: Unset --subtree from u'testperm2'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm2 --subtree=None

Expected results

The command succeeds with this output:

-------------------------------
Modified permission "testperm2"
-------------------------------
  Permission name: testperm2
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX


Test case: Verify ACI of testperm2

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm2 in $SUFFIX

Expected results

The following ACI is found:

(targetattr = "cn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm2";allow (write) groupdn = "ldap:///cn=testperm2,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2


Test case: Search for u'testperm' using --subtree

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --subtree='ldap:///cn=users,cn=accounts,$SUFFIX'

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: Testperm_RN
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
  Member of group: ipausers
  Granted to Privilege: testpriv1
----------------------------
Number of entries returned 1
----------------------------


Test case: Search using nonexistent --subtree

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --subtree=foo

Expected results

The command fails with this error:

invalid 'subtree': malformed RDN string = "foo"


Test case: Search using --targetgroup

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find --targetgroup=ipausers

Expected results

The command succeeds with this output:

--------------------
1 permission matched
--------------------
  Permission name: Add user to default group
  Permissions: write
  Attributes: member
  Bind rule type: permission
  ACI target DN: cn=ipausers,cn=groups,cn=accounts,$SUFFIX
  Target group: ipausers
  Granted to Privilege: User Administrators
  Indirect Member of roles: User Administrator
----------------------------
Number of entries returned 1
----------------------------


Test case: Delete u'Testperm_RN'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del Testperm_RN

Expected results

The command succeeds with this output:

--------------------------------
Deleted permission "Testperm_RN"
--------------------------------


Test case: Verify ACI of Testperm_RN is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:Testperm_RN in cn=users,cn=accounts,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX will not be present.


Test case: Try to delete non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command fails with this error:

testperm: permission not found


Test case: Try to retrieve non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command fails with this error:

testperm: permission not found


Test case: Try to update non-existent u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --rename=Foo

Expected results

The command fails with this error:

testperm: permission not found


Test case: Delete u'testperm2'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm2

Expected results

The command succeeds with this output:

------------------------------
Deleted permission "testperm2"
------------------------------


Test case: Verify ACI of testperm2 is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm2 in cn=users,cn=accounts,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry cn=testperm2,cn=permissions,cn=pbac,$SUFFIX will not be present.


Test case: Search for u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_find testperm

Expected results

The command fails (return code 1) with this output:

---------------------
0 permissions matched
---------------------
----------------------------
Number of entries returned 0
----------------------------


Test case: Delete u'testpriv1'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa privilege_del testpriv1

Expected results

The command succeeds with this output:

-----------------------------
Deleted privilege "testpriv1"
-----------------------------


Test case: Try to create permission u'testperm' with non-existing memberof

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=cn --memberof=nonexisting

Expected results

The command fails with this error:

nonexisting: group not found


Test case: Create memberof permission u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=sn --type=user --memberof=editors

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=editors,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: editors
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=editors,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=editors,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Try to update non-existent memberof of u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --memberof=nonexisting

Expected results

The command fails with this error:

nonexisting: group not found


Test case: Update memberof permission u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --memberof=admins

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: admins
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset memberof of permission u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --memberof=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Delete u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command succeeds with this output:

-----------------------------
Deleted permission "testperm"
-----------------------------


Test case: Verify ACI of testperm is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present


Test case: Create targetgroup permission u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=sn --targetgroup=editors

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  ACI target DN: cn=editors,cn=groups,cn=accounts,$SUFFIX
  Target group: editors


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in $SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///cn=editors,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Try to create invalid u'bad;perm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add 'bad;perm' --permissions=write --type=user

Expected results

The command fails with this error:

invalid 'name': May only contain letters, numbers, -, _, ., and space


Test case: Create u'testperm3'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm3 --permissions=write --attrs=cn --type=user

Expected results

The command succeeds with this output:

----------------------------
Added permission "testperm3"
----------------------------
  Permission name: testperm3
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user


Test case: Verify ACI of testperm3

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm3 in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "cn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm3";allow (write) groupdn = "ldap:///cn=testperm3,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Retrieve u'testperm3' with --all --rights

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm3 --all --rights

Expected results

The command succeeds with this output:

  dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm3
  Permissions: write
  Attributes: cn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  attributelevelrights: {'ipapermright': u'rscwo', 'cn': u'rscwo', 'ipapermtarget': u'rscwo', 'ipapermlocation': u'rscwo', 'owner': u'rscwo', 'nsaccountlock': u'rscwo', 'ipapermbindruletype': u'rscwo', 'member': u'rscwo', 'memberof': u'rscwo', 'type': u'rscwo', 'ipapermtargetfilter': u'rscwo', 'description': u'rscwo', 'businesscategory': u'rscwo', 'ipapermallowedattr': u'rscwo', 'seealso': u'rscwo', 'ipapermissiontype': u'rscwo', 'objectclass': u'rscwo', 'aci': u'rscwo', 'o': u'rscwo', 'ipapermdefaultattr': u'rscwo', 'ou': u'rscwo', 'targetgroup': u'rscwo', 'ipapermexcludedattr': u'rscwo'}
  ipapermissiontype: SYSTEM, V2
  objectclass: groupofnames, ipapermission, ipapermissionv2, top


Test case: Modify u'testperm3' with --all --rights

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm3 --attrs={cn,uid} --all --rights

Expected results

The command succeeds with this output:

-------------------------------
Modified permission "testperm3"
-------------------------------
  dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
  Permission name: testperm3
  Permissions: write
  Attributes: cn, uid
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Type: user
  attributelevelrights: {'ipapermright': u'rscwo', 'cn': u'rscwo', 'ipapermtarget': u'rscwo', 'ipapermlocation': u'rscwo', 'owner': u'rscwo', 'nsaccountlock': u'rscwo', 'ipapermbindruletype': u'rscwo', 'member': u'rscwo', 'memberof': u'rscwo', 'type': u'rscwo', 'ipapermtargetfilter': u'rscwo', 'description': u'rscwo', 'businesscategory': u'rscwo', 'ipapermallowedattr': u'rscwo', 'seealso': u'rscwo', 'ipapermissiontype': u'rscwo', 'objectclass': u'rscwo', 'aci': u'rscwo', 'o': u'rscwo', 'ipapermdefaultattr': u'rscwo', 'ou': u'rscwo', 'targetgroup': u'rscwo', 'ipapermexcludedattr': u'rscwo'}
  ipapermissiontype: SYSTEM, V2
  objectclass: groupofnames, ipapermission, ipapermissionv2, top


Test case: Verify ACI of testperm3

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm3 in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "cn || uid")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm3";allow (write) groupdn = "ldap:///cn=testperm3,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermAllowedAttr: uid
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Try to modify u'testperm' with invalid targetfilter

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --filter="ceci n'est pas un filtre"

Expected results

The command fails with this error:

invalid 'ipapermtargetfilter': Bad search filter


Test case: Try setting nonexisting location on u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --subtree='cn=does not exist,$SUFFIX'

Expected results

The command fails with this error:

invalid 'ipapermlocation': Entry cn=does not exist,$SUFFIX does not exist

Cleanup

ipa permission_del testperm --force
ipa permission_del testperm2 --force
ipa permission_del testperm3 --force
ipa permission_del testperm1_rn --force
ipa permission_del Testperm_RN --force
ipa privilege_del testpriv1


Test permission rollback

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_rollback

Test rolling back changes after failed update

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Create u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --attrs=sn --target='uid=admin,cn=users,cn=accounts,$SUFFIX' --subtree='cn=users,cn=accounts,$SUFFIX'

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=admin,cn=users,cn=accounts,$SUFFIX


Test case: Retrieve u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=admin,cn=users,cn=accounts,$SUFFIX


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Verify ACI of testperm is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=etc,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Move u'testperm' to non-existent DN

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --subtree='foo=bar'

Expected results

The command fails with this error:

invalid 'ipapermlocation': Entry foo=bar does not exist


Test case: Retrieve u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=admin,cn=users,cn=accounts,$SUFFIX


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Verify ACI of testperm is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=etc,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Move u'testperm' to another DN

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --subtree='cn=etc,$SUFFIX'

Expected results

The command fails with this error:

ACL Invalid Target Error(-8): Target is beyond the scope of the ACL(SCOPE:cn=etc,$SUFFIX) (targetattr = \22sn\22)(target = \22ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX\22)(version 3.0;acl \22permission:testperm\22;allow (write) groupdn = \22ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX\22;): Invalid syntax.


Test case: Retrieve u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_show testperm

Expected results

The command succeeds with this output:

  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target DN: uid=admin,cn=users,cn=accounts,$SUFFIX


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Verify ACI of testperm is missing

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=etc,$SUFFIX

Expected results

No such ACI is found.


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Cleanup

ipa permission_del testperm --force


Test permission sync attributes

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_attributes

Test the effects of setting permission attributes

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Create u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --target='uid=*,cn=users,cn=accounts,$SUFFIX' --filter='(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)' --subtree='cn=users,cn=accounts,$SUFFIX' --permissions=write --attrs=sn

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: admins
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset location on u'testperm', verify type is gone

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --subtree=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: admins


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in $SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Reset location on u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --subtree='cn=users,cn=accounts,$SUFFIX'

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: admins
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset target on u'testperm', verify type is gone

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --target=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  Member of group: admins


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset targetfilter on u'testperm', verify memberof is gone

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --filter=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Set type of u'testperm' to group

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=group

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=groups,cn=accounts,$SUFFIX
  ACI target DN: cn=*,cn=groups,cn=accounts,$SUFFIX
  Type: group


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=groups,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Set target on u'testperm', verify targetgroup is set

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --target='cn=editors,cn=groups,cn=accounts,$SUFFIX'

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=groups,cn=accounts,$SUFFIX
  ACI target DN: cn=editors,cn=groups,cn=accounts,$SUFFIX
  Target group: editors


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=groups,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///cn=editors,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Cleanup

ipa permission_del testperm --force

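As an added example (not FreeIPA's own code) serving both the rollback cases and the sync attributes cases above: a small Python model of how the raw ipaPerm* attributes determine the convenience attributes (Type, Member of group, Target group), where the ACI is written and what it looks like, and how a failed modification leaves the entry and its ACI untouched. SUFFIX, EXISTING_DNS, the sample entry and all function names are constructed assumptions for this example.

```python
"""Mapping of a FreeIPA V2 permission entry to its 389-ds ACI, plus the
update-with-rollback behaviour of the rollback test cases (added example)."""
import re

SUFFIX = "dc=example,dc=test"  # constructed stand-in for $SUFFIX
# DNs assumed to exist in the constructed directory (location checks use these)
EXISTING_DNS = {SUFFIX, "cn=etc," + SUFFIX, "cn=users,cn=accounts," + SUFFIX,
                "cn=groups,cn=accounts," + SUFFIX}
# --type is a (location, target) pair; Type is only shown when BOTH still match
TYPE_MAP = {
    "user": ("cn=users,cn=accounts,{s}", "uid=*,cn=users,cn=accounts,{s}"),
    "group": ("cn=groups,cn=accounts,{s}", "cn=*,cn=groups,cn=accounts,{s}"),
}


def derive_nice(entry, suffix=SUFFIX):
    """Convenience attributes permission-show derives from the raw entry."""
    nice = {}
    loc, tgt = entry.get("ipaPermLocation"), entry.get("ipaPermTarget")
    for name, (l_tmpl, t_tmpl) in TYPE_MAP.items():
        if loc == l_tmpl.format(s=suffix) and tgt == t_tmpl.format(s=suffix):
            nice["type"] = name
    tf = entry.get("ipaPermTargetFilter")
    if tf:  # (memberOf=cn=GROUP,cn=groups,cn=accounts,SUFFIX) -> Member of group
        m = re.fullmatch(r"\(memberOf=cn=([^,]+),cn=groups,cn=accounts,%s\)"
                         % re.escape(suffix), tf)
        if m:
            nice["memberof"] = m.group(1)
    if tgt:  # a concrete group DN (no wildcard) as target -> Target group
        m = re.fullmatch(r"cn=([^,*]+),cn=groups,cn=accounts,%s"
                         % re.escape(suffix), tgt)
        if m:
            nice["targetgroup"] = m.group(1)
    return nice


def aci_location(entry, suffix=SUFFIX):
    """The ACI lives at the permission's location, or at the suffix when unset."""
    return entry.get("ipaPermLocation") or suffix


def build_aci(entry, suffix=SUFFIX):
    """Render the ACI exactly as the 'Verify ACI' cases expect it.  Several
    attributes would be joined with ' || ' (389-ds targetattr syntax)."""
    name = entry["cn"]
    parts = []
    if entry.get("ipaPermAllowedAttr"):
        parts.append('(targetattr = "%s")' % " || ".join(entry["ipaPermAllowedAttr"]))
    if entry.get("ipaPermTarget"):
        parts.append('(target = "ldap:///%s")' % entry["ipaPermTarget"])
    if entry.get("ipaPermTargetFilter"):
        parts.append('(targetfilter = "%s")' % entry["ipaPermTargetFilter"])
    parts.append('(version 3.0;acl "permission:%s";allow (%s) groupdn = '
                 '"ldap:///cn=%s,cn=permissions,cn=pbac,%s";)'
                 % (name, ",".join(entry["ipaPermRight"]), name, suffix))
    return "".join(parts)


def find_aci(acis, name):
    """Return the ACI named permission:NAME from a list, or None if absent."""
    tag = '(version 3.0;acl "permission:%s";' % name
    return next((a for a in acis if tag in a), None)


def modify_permission(entry, acis, suffix=SUFFIX, **changes):
    """Apply changes (None unsets) to a copy and regenerate the ACI.  A missing
    location or a target outside the new scope raises and leaves the caller's
    entry and ACI list untouched, which is the rollback the tests verify."""
    new = dict(entry)
    for key, value in changes.items():
        if value is None:
            new.pop(key, None)
        else:
            new[key] = value
    loc, scope = new.get("ipaPermLocation"), aci_location(new, suffix)
    if loc and loc not in EXISTING_DNS:
        raise ValueError("invalid 'ipapermlocation': Entry %s does not exist" % loc)
    tgt = new.get("ipaPermTarget")
    if tgt and tgt != scope and not tgt.endswith("," + scope):
        raise ValueError("ACL Invalid Target Error(-8): Target is beyond the "
                         "scope of the ACL(SCOPE:%s)" % scope)
    new_acis = [a for a in acis if a != build_aci(entry, suffix)] + [build_aci(new, suffix)]
    return new, new_acis


# Constructed entry, copied from the 'memberof permission' note above
SAMPLE = {
    "cn": "testperm",
    "ipaPermAllowedAttr": ["sn"],
    "ipaPermBindRuleType": "permission",
    "ipaPermLocation": "cn=users,cn=accounts," + SUFFIX,
    "ipaPermRight": ["write"],
    "ipaPermTarget": "uid=*,cn=users,cn=accounts," + SUFFIX,
    "ipaPermTargetFilter": "(memberOf=cn=editors,cn=groups,cn=accounts,%s)" % SUFFIX,
}
```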

Test permission sync nice

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_nice

Test the effects of setting convenience options on permissions

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Create u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_add testperm --permissions=write --memberof=admins --type=user --attrs=sn

Expected results

The command succeeds with this output:

---------------------------
Added permission "testperm"
---------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=users,cn=accounts,$SUFFIX
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  ACI target DN: uid=*,cn=users,cn=accounts,$SUFFIX
  Member of group: admins
  Type: user


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=users,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset type on u'testperm', verify target & location are gone

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  ACI target filter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
  Member of group: admins


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in $SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(targetfilter = "(memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Unset memberof on u'testperm', verify targetfilter is gone

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --memberof=None

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in $SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Set type of u'testperm' to group

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=group

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=groups,cn=accounts,$SUFFIX
  ACI target DN: cn=*,cn=groups,cn=accounts,$SUFFIX
  Type: group


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=groups,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top


Test case: Set targetgroup on u'testperm', verify target is set

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --targetgroup=editors

Expected results

The command succeeds with this output:

------------------------------
Modified permission "testperm"
------------------------------
  Permission name: testperm
  Permissions: write
  Attributes: sn
  Bind rule type: permission
  Subtree: cn=groups,cn=accounts,$SUFFIX
  ACI target DN: cn=editors,cn=groups,cn=accounts,$SUFFIX
  Target group: editors


Test case: Verify ACI of testperm

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Search for ACI named permission:testperm in cn=groups,cn=accounts,$SUFFIX

Expected results

The following ACI is found:

(targetattr = "sn")(target = "ldap:///cn=editors,cn=groups,cn=accounts,$SUFFIX")(version 3.0;acl "permission:testperm";allow (write) groupdn = "ldap:///cn=testperm,cn=permissions,cn=pbac,$SUFFIX";)


Note: the permission entry will look like this:

dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
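
The test cases above walk through one procedure: each convenience option (--type, --memberof, --targetgroup) adds or removes a specific attribute on the permission entry, and the ACI is regenerated from whatever attributes remain. The following Python is an added example, not code from the FreeIPA project or from this test plan; the SUFFIX value, the function names, and the single-valued dict representation of the entry are assumptions of the example.

```python
# Added example (not FreeIPA's own code): model how the convenience options
# exercised above map onto V2 permission attributes and rebuild the expected ACI.
SUFFIX = "dc=example,dc=com"  # constructed stand-in for $SUFFIX
ACCOUNTS = "cn=accounts," + SUFFIX
# --type: (ipaPermLocation, ipaPermTarget) pairs, as shown in the test output.
TYPES = {
    "user": ("cn=users," + ACCOUNTS, "uid=*,cn=users," + ACCOUNTS),
    "group": ("cn=groups," + ACCOUNTS, "cn=*,cn=groups," + ACCOUNTS),
}

def new_permission(name, right, attr):
    """Entry as permission_add creates it, before any convenience option."""
    return {"cn": name, "ipapermright": right, "ipapermallowedattr": attr,
            "ipapermbindruletype": "permission"}

def set_type(entry, type_):
    """--type=<name> sets location and target; --type=None removes both."""
    if type_ is None:
        entry.pop("ipapermlocation", None)
        entry.pop("ipapermtarget", None)
    else:
        entry["ipapermlocation"], entry["ipapermtarget"] = TYPES[type_]

def set_memberof(entry, group):
    """--memberof=<group> sets the target filter; --memberof=None removes it."""
    if group is None:
        entry.pop("ipapermtargetfilter", None)
    else:
        entry["ipapermtargetfilter"] = "(memberOf=cn=%s,cn=groups,%s)" % (group, ACCOUNTS)

def set_targetgroup(entry, group):
    """--targetgroup=<group> narrows the target to that single group entry."""
    entry["ipapermtarget"] = "cn=%s,cn=groups,%s" % (group, ACCOUNTS)

def aci_location(entry):
    """Entry the ACI is written to: ipaPermLocation, or the suffix when unset."""
    return entry.get("ipapermlocation", SUFFIX)

def build_aci(entry):
    """Compose the 389-ds ACI from the entry (single-valued attributes, keys
    lower-cased as in the JSON API); an absent attribute yields no clause."""
    parts = ['(targetattr = "%s")' % entry["ipapermallowedattr"]]
    if "ipapermtarget" in entry:
        parts.append('(target = "ldap:///%s")' % entry["ipapermtarget"])
    if "ipapermtargetfilter" in entry:
        parts.append('(targetfilter = "%s")' % entry["ipapermtargetfilter"])
    parts.append('(version 3.0;acl "permission:%(cn)s";allow (%(ipapermright)s) '
                 'groupdn = "ldap:///cn=%(cn)s,cn=permissions,cn=pbac,%(suffix)s";)'
                 % dict(entry, suffix=SUFFIX))
    return "".join(parts)
```

Replaying the five steps of this section through these functions reproduces each "Verify ACI" string above with $SUFFIX substituted, including the move of the ACI from cn=users,cn=accounts,$SUFFIX to $SUFFIX once --type is unset.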


Cleanup

ipa permission_del testperm --force


Test permission flags

Implemented in ipatests.test_xmlrpc.test_permission_plugin.test_permission_flags

Test that permission flags are handled correctly

Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.

Test case: Create u'testperm' with flags [u'SYSTEM']

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Issue the following through the JSON API:

{
  "id": 0, 
  "method": "permission_add_noaci", 
  "params": [
    [
      "testperm"
    ], 
    {
      "ipapermissiontype": [
        "SYSTEM"
      ]
    }
  ]
}

Expected results

The response is:

{
  "result": {
    "cn": [
      "testperm"
    ], 
    "dn": "cn=testperm,cn=permissions,cn=pbac,$SUFFIX", 
    "ipapermbindruletype": [
      "permission"
    ], 
    "ipapermissiontype": [
      "SYSTEM"
    ], 
    "objectclass": [
      "groupofnames", 
      "ipapermission", 
      "ipapermissionv2", 
      "top"
    ]
  }, 
  "summary": "Added permission \"testperm\"", 
  "value": "testperm"
}


Test case: Try to modify u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=user

Expected results

The command fails with this error:

Insufficient access: A SYSTEM permission may not be modified or removed


Test case: Try to delete u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command fails with this error:

Insufficient access: A SYSTEM permission may not be modified or removed


Test case: Delete u'testperm' with --force

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm --force

Expected results

The command succeeds with this output:

-----------------------------
Deleted permission "testperm"
-----------------------------


Test case: Create u'testperm' with flags [u'??']

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Issue the following through the JSON API:

{
  "id": 0, 
  "method": "permission_add_noaci", 
  "params": [
    [
      "testperm"
    ], 
    {
      "ipapermissiontype": [
        "??"
      ]
    }
  ]
}

Expected results

The response is:

{
  "result": {
    "cn": [
      "testperm"
    ], 
    "dn": "cn=testperm,cn=permissions,cn=pbac,$SUFFIX", 
    "ipapermbindruletype": [
      "permission"
    ], 
    "ipapermissiontype": [
      "??"
    ], 
    "objectclass": [
      "groupofnames", 
      "ipapermission", 
      "ipapermissionv2", 
      "top"
    ]
  }, 
  "summary": "Added permission \"testperm\"", 
  "value": "testperm"
}


Test case: Try to modify u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=user

Expected results

The command fails with this error:

Insufficient access: Permission with unknown flag ?? may not be modified or removed


Test case: Try to delete u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command fails with this error:

Insufficient access: Permission with unknown flag ?? may not be modified or removed


Test case: Delete u'testperm' with --force

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm --force

Expected results

The command succeeds with this output:

-----------------------------
Deleted permission "testperm"
-----------------------------


Test case: Create u'testperm' with flags [u'SYSTEM', u'??']

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Issue the following through the JSON API:

{
  "id": 0, 
  "method": "permission_add_noaci", 
  "params": [
    [
      "testperm"
    ], 
    {
      "ipapermissiontype": [
        "SYSTEM", 
        "??"
      ]
    }
  ]
}

Expected results

The response is:

{
  "result": {
    "cn": [
      "testperm"
    ], 
    "dn": "cn=testperm,cn=permissions,cn=pbac,$SUFFIX", 
    "ipapermbindruletype": [
      "permission"
    ], 
    "ipapermissiontype": [
      "SYSTEM", 
      "??"
    ], 
    "objectclass": [
      "groupofnames", 
      "ipapermission", 
      "ipapermissionv2", 
      "top"
    ]
  }, 
  "summary": "Added permission \"testperm\"", 
  "value": "testperm"
}


Test case: Try to modify u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_mod testperm --type=user

Expected results

The command fails with this error:

Insufficient access: Permission with unknown flag ?? may not be modified or removed


Test case: Try to delete u'testperm'

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm

Expected results

The command fails with this error:

Insufficient access: Permission with unknown flag ?? may not be modified or removed


Test case: Delete u'testperm' with --force

Autotest

{{{autotest}}}

Setup

See beginning of the Tests section

Actions

Run the following command:

ipa permission_del testperm --force

Expected results

The command succeeds with this output:

-----------------------------
Deleted permission "testperm"
-----------------------------

Cleanup

ipa permission_del testperm --force