URL: https://github.com/freeipa/freeipa/pull/5935
Author: rcritten
Title: #5935: Don't assume that plugin attributes and objectclasses are lowercase
Action: opened

PR body:
"""
Don't assume that plugin attributes and objectclasses are lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>

**NOTE**: the new test file is not yet integrated into PR-CI. I think this is 
fine testing as part of the nightlies and not as gating but I'm open to 
suggestions.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5935/head:pr5935
git checkout pr5935
From cc77ce5741ff8ef048c3bd8e3677e5808c78cd75 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 29 Jul 2021 17:55:52 -0400
Subject: [PATCH 1/3] Don't assume that plugin attributes and objectclasses are
 lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/plugins/config.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 3526153ec11..ad3dd6a7fdd 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -534,14 +534,14 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
                     checked_attrs = checked_attrs + [self.api.Object[obj].uuid_attribute]
                 for obj_attr in checked_attrs:
                     obj_attr, _unused1, _unused2 = obj_attr.partition(';')
-                    if obj_attr in OPERATIONAL_ATTRIBUTES:
+                    if obj_attr.lower() in OPERATIONAL_ATTRIBUTES:
                         continue
-                    if obj_attr in self.api.Object[obj].params and \
+                    if obj_attr.lower() in self.api.Object[obj].params and \
                       'virtual_attribute' in \
-                      self.api.Object[obj].params[obj_attr].flags:
+                      self.api.Object[obj].params[obj_attr.lower()].flags:
                         # skip virtual attributes
                         continue
-                    if obj_attr not in new_allowed_attrs:
+                    if obj_attr.lower() not in new_allowed_attrs:
                         raise errors.ValidationError(name=attr,
                                 error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
                                 % dict(obj=obj, attr=obj_attr))
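Review bot: the `obj_attr.lower()` lookups in this loop only fix the problem if `OPERATIONAL_ATTRIBUTES`, the keys of `self.api.Object[obj].params` and `new_allowed_attrs` all hold lowercase names, and nothing in the visible lines shows `new_allowed_attrs` being normalized. Lowercase once, right after the `partition(';')` line, into a separate variable (for example `obj_attr_lc = obj_attr.lower()`), use it for all three membership tests and the `params[...]` index, and confirm that `new_allowed_attrs` is lowercased where it is built. Keeping the original `obj_attr` in the `ValidationError` message, as the hunk does, is correct so the administrator sees the name as configured.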

From 242bb877d92a3ba7044dd19c82339fdd8305ad89 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Thu, 29 Jul 2021 17:56:32 -0400
Subject: [PATCH 2/3] ipatests: add suite for testing custom plugins

Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 .../test_integration/test_custom_plugins.py   | 85 +++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 ipatests/test_integration/test_custom_plugins.py

diff --git a/ipatests/test_integration/test_custom_plugins.py b/ipatests/test_integration/test_custom_plugins.py
new file mode 100644
index 00000000000..6643d713d11
--- /dev/null
+++ b/ipatests/test_integration/test_custom_plugins.py
@@ -0,0 +1,85 @@
+#
+# Copyright (C) 2021  FreeIPA Contributors see COPYING for license
+#
+"""Tests for custom plugins
+"""
+from __future__ import absolute_import
+
+import logging
+import os
+import site
+
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+
+logger = logging.getLogger(__name__)
+
+
+class TestCustomPlugin(IntegrationTest):
+    """
+    Tests for user-generated custom plugins
+    """
+
+    def test_add_user_objectclass_with_custom_schema(self):
+        """Test adding a custom userclass to new users
+
+           Attributes should not be case-sensitive.
+
+           Based heavily on the custom plugin and schema at
+           https://github.com/Brandeis-CS-Systems/idm-unet-id-plugin
+        """
+        schema = (
+            "dn: cn=schema\n"
+            "attributeTypes: ( 2.16.840.1.113730.3.8.24.1.1 NAME 'customID' "
+            "EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX "
+            "1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Testing' )\n"
+            "objectClasses: ( 2.16.840.1.113730.3.8.24.2.1 NAME 'customUser' "
+            "DESC 'custom user ID objectClass' AUXILIARY MAY ( customID ) "
+            "X-ORIGIN 'Testing' )\n"
+        )
+        plugin = (
+            "from ipalib.parameters import Str\n\n"
+            "from ipaserver.plugins.user import user\n\n"
+            "if 'customUser' not in user.possible_objectclasses:\n"
+            "    user.possible_objectclasses.append('customUser')\n"
+            "customuser_attributes = ['customID']\n"
+            "user.default_attributes.extend(customuser_attributes)\n"
+            "takes_params = (\n"
+            "    Str('customid?',\n"
+            "        cli_name='customid',\n"
+            "        maxlength=64,\n"
+            "        label='User custom uid'),\n"
+            ")\n"
+            "user.takes_params += takes_params\n"
+        )
+
+        tasks.kinit_admin(self.master)
+        self.master.put_file_contents('/tmp/schema.ldif', schema)
+        self.master.run_command(['ipa-ldap-updater', '-S', '/tmp/schema.ldif'])
+        self.master.put_file_contents('/tmp/schema.ldif', schema)
+
+        site_packages = site.getsitepackages()[-1]
+        site_file = os.path.join(
+            site_packages, "ipaserver", "plugins", "test.py"
+        )
+
+        self.master.put_file_contents(site_file, plugin)
+
+        self.master.run_command(['ipactl', 'restart'])
+
+        self.master.run_command([
+            'ipa', 'config-mod',
+            '--userobjectclasses', 'top',
+            '--userobjectclasses', 'person',
+            '--userobjectclasses', 'organizationalperson',
+            '--userobjectclasses', 'inetorgperson',
+            '--userobjectclasses', 'inetuser',
+            '--userobjectclasses', 'posixaccount',
+            '--userobjectclasses', 'krbprincipalaux',
+            '--userobjectclasses', 'krbticketpolicyaux',
+            '--userobjectclasses', 'ipaobject',
+            '--userobjectclasses', 'ipasshuser',
+            '--userobjectclasses', 'customuser',
+        ])
+
+        self.master.run_command(['rm', '-f', site_file])
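Review bot: the final `rm -f site_file` only runs if every earlier command succeeds, so a failing `ipa config-mod` leaves `test.py` installed under `ipaserver/plugins` on the master. Wrap the body in try/finally (or a fixture) and restore the original `--userobjectclasses` and restart afterwards, since the server keeps the plugin loaded and the config keeps `customuser` once the file is gone. In the same method, `put_file_contents('/tmp/schema.ldif', schema)` is called both before and after `ipa-ldap-updater`, and the second call looks like a leftover. Also, `site.getsitepackages()` is evaluated on the host running pytest, which may not match the path on the master. Finally, the test stops at `config-mod` although the docstring says it covers adding the objectclass to new users. A `user-add` with `--customid` and a check of the result would exercise the `default_attributes` path that patch 1/3 changes.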

From af9586a3d522b830211d0c08438929d43162ab88 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 30 Jul 2021 11:36:21 -0400
Subject: [PATCH 3/3] Temp commit

Note that the new test file is not yet integrated into any PR-CI
runs.
---
 .freeipa-pr-ci.yaml                        | 2 +-
 ipatests/prci_definitions/temp_commit.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..80656690080 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
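Review bot: this symlink switch points PR-CI away from `gating.yaml`, so the commit has to be dropped before merge, and once it is dropped nothing in this series runs `test_custom_plugins.py`. Add the suite to a permanent definition (the PR body suggests the nightlies) in the same PR so the regression test does not go unexecuted.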
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 4b0398b9218..fee03889d5d 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -68,7 +68,7 @@ jobs:
       class: RunPytest
       args:
         build_url: '{fedora-latest/build_url}'
-        test_suite: test_integration/test_REPLACEME.py
+        test_suite: test_integration/test_custom_plugins.py
         template: *ci-master-latest
         timeout: 3600
-        topology: *master_1repl_1client
+        topology: *master_1repl
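Review bot: `topology: *master_1repl` still provisions a replica, but the test in patch 2/3 only drives `self.master`. If the PR-CI definitions offer a master-only topology, use that when the job moves into a permanent definition so the run does not pay for a host it never touches.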