https://fedorahosted.org/freeipa/ticket/2255 https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305
Added checking of existence of groups that are specified in permission and delegation module. Also the permission plugin now allows to unset memberof value. Additional unit tests for checking new behaviour were created. -- Regards, Ondrej Hamada FreeIPA team jabber: [email protected] IRC: ohamada
From e26c980cffc5703845aeca4dba28dcca0364ab3a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <[email protected]>
Date: Mon, 6 Feb 2012 11:04:15 +0100
Subject: [PATCH] Memberof attribute control and update
Added checking of existence of groups that are specified in permission and delegation module. https://fedorahosted.org/freeipa/ticket/2286 https://fedorahosted.org/freeipa/ticket/2305 Permission plugin now allows to unset memberof value. https://fedorahosted.org/freeipa/ticket/2255
---
 ipalib/plugins/aci.py | 11 ++++-
 tests/test_xmlrpc/test_delegation_plugin.py | 12 ++++++
 tests/test_xmlrpc/test_permission_plugin.py | 57 +++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..83d43cab8c20ac04b4a546653a682b7860c7d1b4 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw):
 if 'attrs' in kw:
 a.set_target_attr(kw['attrs'])
 if 'memberof' in kw:
- groupdn = _group_from_memberof(kw['memberof'])
- a.set_target_filter('memberOf=%s' % groupdn)
+ if kw['memberof'] is not None:
+ try:
+ api.Command['group_show'](kw['memberof'])
+ except errors.NotFound:
+ api.Object['group'].handle_not_found(kw['memberof'])
+ groupdn = _group_from_memberof(kw['memberof'])
+ a.set_target_filter('memberOf=%s' % groupdn)
+ else:
+ del kw['memberof']
 if 'filter' in kw:
 # Test the filter by performing a simple search on it. The
 # filter is considered valid if either it returns some entries
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index 1a9c36743d305cc382350db8e866ace21331fc5c..db5f7186527d2e0c6567dd5a727e878144bd3020 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
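Review bot: In `_make_aci`, the new `else` branch handles `memberof=None` with `del kw['memberof']`, which mutates the dict the caller passed in and does nothing to the ACI object `a` itself, so whether an existing `memberOf=` target filter is really dropped depends on code outside this hunk. Removing that filter widens the set of entries the ACI applies to, so the intent should be explicit: add a comment such as `# memberof=None means "unset": no memberOf target filter is written for this ACI`, and if `a` can carry a filter inherited from `current`, clear it on `a` rather than relying on the key removal. The existence check goes through `api.Command['group_show']`, so it presumably runs with the caller's read rights; confirm that a group the caller cannot read is reported the same way as a missing one and does not surface a different error. The function body starts and ends outside the hunk.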
@@ -68,6 +68,18 @@ class test_delegation(Declarative): ), ), + dict( + desc='Try to create %r for non-existing member group' % delegation1, + command=( + 'delegation_add', [delegation1], dict( + attrs=u'street,c,l,st,postalCode', + permissions=u'write', + group=u'editors', + memberof=u'nonexisting', + ), + ), + expected=errors.NotFound(reason='group not found'), + ), # Note that we add postalCode but expect postalcode. This tests # the attrs normalizer. diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py index 50d368197cbc080f40fecf2038ae14337ed78b7c..e8e6bebcd387307f30e4a7bc4d266092b7e41424 100644 --- a/tests/test_xmlrpc/test_permission_plugin.py +++ b/tests/test_xmlrpc/test_permission_plugin.py @@ -500,6 +500,16 @@ class test_permission(Declarative): ) ), + dict( + desc='Try to create permission %r with non-existing memberof' % permission1, + command=( + 'permission_add', [permission1], dict( + memberof=u'nonexisting', + permissions=u'write', + ) + ), + expected=errors.NotFound(reason='group not found'), + ), dict( desc='Create memberof permission %r' % permission1, @@ -507,6 +517,7 @@ class test_permission(Declarative): 'permission_add', [permission1], dict( memberof=u'editors', permissions=u'write', + type=u'user', ) ), expected=dict( 
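Review bot: The delegation test added in the `@@ -68,6 +68,18 @@` hunk covers only `delegation_add` with a non-existing `memberof` group, while the permission tests in this patch also exercise `permission_mod` with a non-existing group and with `memberof=None`; no `delegation_mod` counterpart is visible. According to the commit message the existence check applies to both modules, so a matching negative case such as `command=('delegation_mod', [delegation1], dict(memberof=u'nonexisting'))` with `expected=errors.NotFound(reason='group not found')` would pin the same check on the modify path. It would have to sit after the entry that creates `delegation1`, which is outside this hunk.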
@@ -518,6 +529,52 @@ class test_permission(Declarative): objectclass=objectclasses.permission, memberof=u'editors', permissions=[u'write'], + type=u'user', + ), + ), + ), + + dict( + desc='Try to update non-existent memberof of %r' % permission1, + command=('permission_mod', [permission1], dict(memberof=u'nonexisting')), + expected=errors.NotFound(reason='group not found'), + ), + + dict( + desc='Update memberof permission %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + memberof=u'admins', + ) + ), + expected=dict( + value=permission1, + summary=u'Modified permission "%s"' % permission1, + result=dict( + dn=lambda x: DN(x) == permission1_dn, + cn=[permission1], + memberof=u'admins', + permissions=[u'write'], + type=u'user', + ), + ), + ), + + dict( + desc='Unset memberof of permission %r' % permission1, + command=( + 'permission_mod', [permission1], dict( + memberof=None, + ) + ), + expected=dict( + summary=u'Modified permission "%s"' % permission1, + value=permission1, + result=dict( + dn=lambda x: DN(x) == permission1_dn, + cn=[permission1], + permissions=[u'write'], + type=u'user', ), ), ), -- 1.7.6.5
