Test permission
Implemented in
ipatests.test_xmlrpc.test_permission_plugin.test_permission
Misc. tests for the permission plugin
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: read
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2
Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present
Note: the permission entry will look like this:
dn: cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX
cn: testperm1_rn
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: all
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2
Note: the permission entry cn=testperm1_rn,cn=permissions,cn=pbac,$SUFFIX will not be present
Note: the permission entry will look like this:
dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2
Note: the permission entry will look like this:
dn: cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX
cn: Testperm_RN
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=ipausers,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
member: cn=testpriv1,cn=privileges,cn=pbac,$SUFFIX
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=other-test
owner: cn=other-test2
Note: the permission entry will look like this:
dn: cn=testperm2,cn=permissions,cn=pbac,$SUFFIX
cn: testperm2
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
owner: cn=test
owner: cn=test2
Note: the permission entry cn=Testperm_RN,cn=permissions,cn=pbac,$SUFFIX will not be present
Note: the permission entry cn=testperm2,cn=permissions,cn=pbac,$SUFFIX will not be present
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=editors,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry cn=testperm,cn=permissions,cn=pbac,$SUFFIX will not be present
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm3,cn=permissions,cn=pbac,$SUFFIX
cn: testperm3
ipaPermAllowedAttr: cn
ipaPermAllowedAttr: uid
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Cleanup
ipa permission_del testperm --force
ipa permission_del testperm2 --force
ipa permission_del testperm3 --force
ipa permission_del testperm1_rn --force
ipa permission_del Testperm_RN --force
ipa privilege_del testpriv1
Test permission rollback
Implemented in
ipatests.test_xmlrpc.test_permission_plugin.test_permission_rollback
Test rolling back changes after failed update
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=admin,cn=users,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Cleanup
ipa permission_del testperm --force
Test permission sync attributes
Implemented in
ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_attributes
Test the effects of setting permission attributes
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Cleanup
ipa permission_del testperm --force
Test permission sync nice
Implemented in
ipatests.test_xmlrpc.test_permission_plugin.test_permission_sync_nice
Test the effects of setting convenience options on permissions
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: uid=*,cn=users,cn=accounts,$SUFFIX
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermTargetFilter: (memberOf=cn=admins,cn=groups,cn=accounts,$SUFFIX)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermRight: write
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=*,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Note: the permission entry will look like this:
dn: cn=testperm,cn=permissions,cn=pbac,$SUFFIX
cn: testperm
ipaPermAllowedAttr: sn
ipaPermBindRuleType: permission
ipaPermLocation: cn=groups,cn=accounts,$SUFFIX
ipaPermRight: write
ipaPermTarget: cn=editors,cn=groups,cn=accounts,$SUFFIX
ipaPermissionType: SYSTEM
ipaPermissionType: V2
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
objectClass: top
Cleanup
ipa permission_del testperm --force
Test permission flags
Implemented in
ipatests.test_xmlrpc.test_permission_plugin.test_permission_flags
Test that permission flags are handled correctly
Like other tests in the test_xmlrpc suite, these tests should run on a clean IPA installation, or possibly after other similar tests.
Cleanup
ipa permission_del testperm --force