Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy

We keep LDAP attributes lower-case elsewhere in the API, so we should do the same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This isn't allowed in general and we have decided separately to not clear out enrolledBy when a host is unenrolled so dropping it is the obvious thing to do.

ticket 597

rob
>From ed2c3d0aaa3bb2be9771f203bd7114f540123ce7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 17 Dec 2010 16:57:28 -0500
Subject: [PATCH] Don't use camel-case LDAP attributes in ACI and don't clear enrolledBy

We keep LDAP attributes lower-case elsewhere in the API we should do the
same with all access controls.

There were two ACIs pointing at the manage_host_keytab permission. This
isn't allowed in general and we have decided separately to not clear out
enrolledBy when a host is unenrolled so dropping it is the obvious thing
to do.

ticket 597
---
 install/share/default-aci.ldif               |    6 ++--
 install/share/delegation.ldif                |   35 ++++++++++---------------
 ipalib/plugins/delegation.py                 |    1 +
 ipalib/plugins/host.py                       |    1 -
 ipalib/plugins/permission.py                 |    1 +
 ipalib/plugins/selfservice.py                |    1 +
 tests/test_xmlrpc/test_delegation_plugin.py  |   12 +++++---
 tests/test_xmlrpc/test_selfservice_plugin.py |   12 +++++---
 8 files changed, 34 insertions(+), 35 deletions(-)

diff --git a/install/share/default-aci.ldif b/install/share/default-aci.ldif
index d725cd5..d0dfa23 100644
--- a/install/share/default-aci.ldif
+++ b/install/share/default-aci.ldif
@@ -5,7 +5,7 @@ changetype: modify
 add: aci
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";;)
 aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey || krbPrincipalName || krbCanonicalName || krbUPEnabled || krbTicketPolicyReference || krbPrincipalExpiration || krbPasswordExpiration || krbPwdPolicyReference || krbPrincipalType || krbPwdHistory || krbLastPwdChange || krbPrincipalAliases || krbExtraData || krbLastSuccessfulAuth || krbLastFailedAuth || krbLoginFailedCount || krbTicketFlags || ipaUniqueId || memberOf || serverHostName || enrolledBy")(version 3.0; acl "Admin can manage any entry"; allow (all) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
-aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)
+aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/chang...@$realm,cn=$REALM,cn=kerberos,$SUFFIX";;)
 aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "KDC System Account can access passwords"; allow (all) userdn="ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";;)
@@ -16,7 +16,7 @@ aci: (targetfilter = "(objectClass=krbPwdPolicy)")(targetattr = "krbMaxPwdLife |
 dn: cn=users,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType  || businessCategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeeType  || businesscategory || ou")(version 3.0;acl "Self service";allow (write) userdn = "ldap:///self";;)
 
 dn: cn=etc,$SUFFIX
 changetype: modify
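Review bot: The lower-casing is incomplete on the new "Self service" line, which still carries `employeeType` while every other name in its targetattr was converted. The same partial conversion shows up in delegation.ldif, where "Modify Users" now reads `mepmanagedEntry` and "Modify Groups" keeps `ipaUniqueId`. LDAP attribute names are case-insensitive, so the server will presumably evaluate these ACIs the same way, but any code that compares these names as plain strings against the lower-cased values the new `attrs` normalizer produces would see a mismatch. Use `employeetype`, `mepmanagedentry` and `ipauniqueid` so the files match the convention the commit message states.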
@@ -54,7 +54,7 @@ aci: (targetattr="userCertificate || krbPrincipalKey")(version 3.0; acl "Hosts c
 dn: cn=computers,cn=accounts,$SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr="userCertificate || krbLastPwdChange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";;)
+aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";;)
 
 # Define which hosts can edit other hosts
 # The managedby attribute stores the DN of hosts that are allowed to manage
diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index d87b6c2..235f59b 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -493,10 +493,10 @@ dn: $SUFFIX
 changetype: modify
 add: aci
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Add Users";allow (add) groupdn = "ldap:///cn=addusers,cn=permissions,cn=accounts,$SUFFIX";;)
-aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword || passwordhistory")(version 3.0;acl "Change a user password";allow (write) groupdn = "ldap:///cn=change_password,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (targetattr = "member")(target = "ldap:///cn=ipausers,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Add user to default group";allow (write) groupdn = "ldap:///cn=add_user_to_default_group,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Users";allow (delete) groupdn = "ldap:///cn=removeusers,cn=permissions,cn=accounts,$SUFFIX";;)
-aci: (targetattr = "givenName || sn || cn || displayName || title || initials || loginShell || gecos || homePhone || mobile || pager || facsimileTelephoneNumber || telephoneNumber || street || roomNumber || l || st || postalCode || manager || secretary || description || carLicense || labeledURI || inetUserHTTPURL || seeAlso || employeeType || businessCategory || ou || mepManagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou || mepmanagedEntry || objectclass")(target = "ldap:///uid=*,cn=users,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Users";allow (write) groupdn = "ldap:///cn=modifyusers,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Group administration
 
@@ -508,7 +508,7 @@ aci: (targetattr = "member")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFI
 aci: (target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Groups";allow (delete) groupdn = "ldap:///cn=removegroups,cn=permissions,cn=accounts,$SUFFIX";;)
 # We need objectclass and gidnumber in modify so a non-posix group can be
 # promoted. We need mqpManagedBy and ipaUniqueId so a group can be detached.
-aci: (targetattr = "cn || description || gidnumber || objectclass || mepManagedBy || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "cn || description || gidnumber || objectclass || mepmanagedby || ipaUniqueId")(target = "ldap:///cn=*,cn=groups,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Groups";allow (write) groupdn = "ldap:///cn=modifygroups,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Host administration
 
@@ -536,7 +536,7 @@ changetype: modify
 add: aci
 aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Add Services";allow (add) groupdn = "ldap:///cn=addservices,cn=permissions,cn=accounts,$SUFFIX";;)
 aci: (target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap:///cn=removeservices,cn=permissions,cn=accounts,$SUFFIX";;)
-aci: (targetattr = "userCertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "usercertificate")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Modify Services";allow (write) groupdn = "ldap:///cn=modifyservices,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Delegation administration
 
@@ -574,21 +574,14 @@ aci: (targetattr = "memberhost || externalhost || memberuser || member")(target
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage host keytab";allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Service keytab admin
 
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "krbPrincipalKey || krbLastPwdChange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";;)
-
-# Allow enrolledBy to be removed when a host is not enrolled
-
-dn: $SUFFIX
-changetype: modify
-add: aci
-aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(targetattr = "enrolledBy")(targetfilter="(!(krblastpwdchange=*))")(targattrfilters="del=enrolledby:(enrolledBy=*)")(version 3.0;acl "Allow enrolledBy to be removed when a host is not enrolled"; allow (write) groupdn = "ldap:///cn=manage_host_keytab,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "krblrincipalkey || krblastpwdchange")(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,$SUFFIX";)(version 3.0;acl "Manage service keytab";allow (write) groupdn = "ldap:///cn=manage_service_keytab,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Add the ACI needed to do host enrollment. When this occurs we
 # set the krbPrincipalName, add krbPrincipalAux to objectClass and
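Review bot: The rewritten "Manage service keytab" ACI misspells the key attribute as `krblrincipalkey`, so members of manage_service_keytab keep write access to krblastpwdchange but no longer get it on the service's principal key. The line should read `(targetattr = "krbprincipalkey || krblastpwdchange")`, matching the "Manage host keytab" ACI earlier in this hunk. The directory server may accept an unknown name in targetattr without complaint, in which case this would surface only as a permission failure when a delegated administrator tries to set a service keytab. A test that exercises that permission as a non-admin member would catch this class of typo.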
@@ -597,7 +590,7 @@ aci: (target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(targetattr = "
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "enrolledBy || objectClass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "Enroll a host";allow (write) groupdn = "ldap:///cn=enroll_host,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Replica administration
 
@@ -621,7 +614,7 @@ aci: (target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "userCertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "usercertificate")(target = "ldap:///ipauniqueid=*,cn=entitlements,cn=etc,$SUFFIX";)(version 3.0;acl "Modify Entitlements";allow (write) groupdn = "ldap:///cn=modifyentitlements,cn=permissions,cn=accounts,$SUFFIX";;)
 
 dn: $SUFFIX
 changetype: modify
@@ -654,7 +647,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=retrieve certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Retrieve Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=retrieve_certs,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Request Certificate virtual op
 dn: cn=request certificate,cn=virtual operations,$SUFFIX
@@ -674,7 +667,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from the CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Request Certificate from different host virtual op
 dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
@@ -694,7 +687,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate different host,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Request Certificates from a different host" ; allow (write) groupdn = "ldap:///cn=request_cert_different_host,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Certificate Status virtual op
 dn: cn=certificate status,cn=virtual operations,$SUFFIX
@@ -714,7 +707,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate status,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Get Certificates status from the CA" ; allow (write) groupdn = "ldap:///cn=certificate_status,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Revoke Certificate virtual op
 dn: cn=revoke certificate,cn=virtual operations,$SUFFIX
@@ -734,7 +727,7 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=revoke certificate,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Revoke Certificate"; allow (write) groupdn = "ldap:///cn=revoke_certificate,cn=permissions,cn=accounts,$SUFFIX";;)
 
 # Certificate Remove Hold virtual op
 dn: cn=certificate remove hold,cn=virtual operations,$SUFFIX
@@ -754,4 +747,4 @@ member: cn=certadmin,cn=privileges,cn=accounts,$SUFFIX
 dn: $SUFFIX
 changetype: modify
 add: aci
-aci: (targetattr = "objectClass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";;)
+aci: (targetattr = "objectclass")(target = "ldap:///cn=certificate remove hold,cn=virtual operations,$SUFFIX" )(version 3.0 ; acl "Certificate Remove Hold"; allow (write) groupdn = "ldap:///cn=certificate_remove_hold,cn=permissions,cn=accounts,$SUFFIX";;)
diff --git a/ipalib/plugins/delegation.py b/ipalib/plugins/delegation.py
index b9fc7f1..c233784 100644
--- a/ipalib/plugins/delegation.py
+++ b/ipalib/plugins/delegation.py
@@ -108,6 +108,7 @@ class delegation(Object):
             cli_name='attrs',
             label=_('Attributes'),
             doc=_('Comma-separated list of attributes'),
+            normalizer=lambda value: value.lower(),
         ),
         Str('memberof',
             cli_name='membergroup',
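Review bot: The `normalizer=lambda value: value.lower()` added here is repeated verbatim in permission.py and selfservice.py, and none of the three says why the value is lower-cased. One named helper shared by the three plugins, carrying a comment such as `# keep ACI attribute names lower-case, as elsewhere in the API`, would stop the copies drifting apart. The normalizer only touches values that pass through the API, so ACIs already stored with mixed-case names are presumably left as they are; if the find or mod paths compare attribute lists as strings, that case is worth checking. The parameter definition starts above this hunk.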
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index 22cd424..91aa651 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -686,7 +686,6 @@ class host_disable(LDAPQuery):
 
         if 'krblastpwdchange' in entry_attrs:
             ldap.remove_principal_key(dn)
-            api.Command['host_mod'](fqdn=keys[-1], setattr=u'enrolledby=')
             done_work = True
 
         if not done_work:
diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index 058a2cd..3734ae2 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -115,6 +115,7 @@ class permission(LDAPObject):
             cli_name='attrs',
             label=_('Attributes'),
             doc=_('Comma-separated list of attributes'),
+            normalizer=lambda value: value.lower(),
         ),
         StrEnum('type?',
             cli_name='type',
diff --git a/ipalib/plugins/selfservice.py b/ipalib/plugins/selfservice.py
index 63c40f6..cedcf9b 100644
--- a/ipalib/plugins/selfservice.py
+++ b/ipalib/plugins/selfservice.py
@@ -89,6 +89,7 @@ class selfservice(Object):
             cli_name='attrs',
             label=_('Attributes'),
             doc=_('Comma-separated list of attributes'),
+            normalizer=lambda value: value.lower(),
         ),
     )
 
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index ded6d4f..a4520f4 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
@@ -69,6 +69,8 @@ class test_delegation(Declarative):
         ),
 
 
+        # Note that we add postalCode but expect postalcode. This tests
+        # the attrs normalizer.
         dict(
             desc='Create %r' % delegation1,
             command=(
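Review bot: The normalizer looks to be covered only on the create path: the added comment says the create call passes postalCode, and the later hunks change expected values without showing any other mixed-case input. The command arguments are outside the hunks, so this is inferred from the visible lines. A delegation_mod case that passes a mixed-case `attrs` value and expects the lower-case form back would pin the behaviour on the modify path too. The same applies to test_selfservice_plugin.py.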
@@ -83,7 +85,7 @@ class test_delegation(Declarative):
                 value=delegation1,
                 summary=u'Added delegation "%s"' % delegation1,
                 result=dict(
-                    attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+                    attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
                     permissions=[u'write'],
                     aciname=delegation1,
                     group=u'editors',
@@ -115,7 +117,7 @@ class test_delegation(Declarative):
                 value=delegation1,
                 summary=None,
                 result={
-                    'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                    'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                     'permissions': [u'write'],
                     'aciname': delegation1,
                     'group': u'editors',
@@ -135,7 +137,7 @@ class test_delegation(Declarative):
                 summary=u'1 delegation matched',
                 result=[
                     {
-                    'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                    'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                     'permissions': [u'write'],
                     'aciname': delegation1,
                     'group': u'editors',
@@ -156,7 +158,7 @@ class test_delegation(Declarative):
                 value=delegation1,
                 summary=u'Modified delegation "%s"' % delegation1,
                 result=dict(
-                    attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+                    attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
                     permissions=[u'read'],
                     aciname=delegation1,
                     group=u'editors',
@@ -174,7 +176,7 @@ class test_delegation(Declarative):
                 value=delegation1,
                 summary=None,
                 result={
-                    'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                    'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                     'permissions': [u'read'],
                     'aciname': delegation1,
                     'group': u'editors',
diff --git a/tests/test_xmlrpc/test_selfservice_plugin.py b/tests/test_xmlrpc/test_selfservice_plugin.py
index 897bd0d..30b5d76 100644
--- a/tests/test_xmlrpc/test_selfservice_plugin.py
+++ b/tests/test_xmlrpc/test_selfservice_plugin.py
@@ -68,6 +68,8 @@ class test_selfservice(Declarative):
         ),
 
 
+        # Note that we add postalCode but expect postalcode. This tests
+        # the attrs normalizer.
         dict(
             desc='Create %r' % selfservice1,
             command=(
@@ -80,7 +82,7 @@ class test_selfservice(Declarative):
                 value=selfservice1,
                 summary=u'Added selfservice "%s"' % selfservice1,
                 result=dict(
-                    attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+                    attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
                     permissions=[u'write'],
                     selfaci=True,
                     aciname=selfservice1,
@@ -108,7 +110,7 @@ class test_selfservice(Declarative):
                 value=selfservice1,
                 summary=None,
                 result={
-                    'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                    'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                     'permissions': [u'write'],
                     'selfaci': True,
                     'aciname': selfservice1,
@@ -126,7 +128,7 @@ class test_selfservice(Declarative):
                 summary=u'1 selfservice matched',
                 result=[
                     {
-                        'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                        'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                         'permissions': [u'write'],
                         'selfaci': True,
                         'aciname': selfservice1,
@@ -145,7 +147,7 @@ class test_selfservice(Declarative):
                 value=selfservice1,
                 summary=u'Modified selfservice "%s"' % selfservice1,
                 result=dict(
-                    attrs=[u'street', u'c', u'l', u'st', u'postalCode'],
+                    attrs=[u'street', u'c', u'l', u'st', u'postalcode'],
                     permissions=[u'read'],
                     selfaci=True,
                     aciname=selfservice1,
@@ -161,7 +163,7 @@ class test_selfservice(Declarative):
                 value=selfservice1,
                 summary=None,
                 result={
-                        'attrs': [u'street', u'c', u'l', u'st', u'postalCode'],
+                        'attrs': [u'street', u'c', u'l', u'st', u'postalcode'],
                         'permissions': [u'read'],
                         'selfaci': True,
                         'aciname': selfservice1,
-- 
1.7.2.1
