https://fedorahosted.org/freeipa/ticket/2255
https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305

Added a check that the groups specified in the permission and delegation
modules exist. The permission plugin now also allows the memberof value
to be unset. Additional unit tests covering the new behaviour were
created.

--
Regards,

Ondrej Hamada
FreeIPA team
jabber: oh...@jabbim.cz
IRC: ohamada

From e26c980cffc5703845aeca4dba28dcca0364ab3a Mon Sep 17 00:00:00 2001
From: Ondrej Hamada <oham...@redhat.com>
Date: Mon, 6 Feb 2012 11:04:15 +0100
Subject: [PATCH] Memberof attribute control and update

Added checking of existence of groups that are specified in permission
and delegation module.

https://fedorahosted.org/freeipa/ticket/2286
https://fedorahosted.org/freeipa/ticket/2305

Permission plugin now allows to unset memberof value.
https://fedorahosted.org/freeipa/ticket/2255
---
 ipalib/plugins/aci.py                       |   11 ++++-
 tests/test_xmlrpc/test_delegation_plugin.py |   12 ++++++
 tests/test_xmlrpc/test_permission_plugin.py |   57 +++++++++++++++++++++++++++
 3 files changed, 78 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/aci.py b/ipalib/plugins/aci.py
index e87ac9bff09fc87fec6987ae40b0cf1dd353dd3b..83d43cab8c20ac04b4a546653a682b7860c7d1b4 100644
--- a/ipalib/plugins/aci.py
+++ b/ipalib/plugins/aci.py
@@ -265,8 +265,15 @@ def _make_aci(ldap, current, aciname, kw):
         if 'attrs' in kw:
             a.set_target_attr(kw['attrs'])
         if 'memberof' in kw:
-            groupdn = _group_from_memberof(kw['memberof'])
-            a.set_target_filter('memberOf=%s' % groupdn)
+            if kw['memberof'] is not None:
+                try:
+                    api.Command['group_show'](kw['memberof'])
+                except errors.NotFound:
+                    api.Object['group'].handle_not_found(kw['memberof'])
+                groupdn = _group_from_memberof(kw['memberof'])
+                a.set_target_filter('memberOf=%s' % groupdn)
+            else:
+                del kw['memberof']
         if 'filter' in kw:
             # Test the filter by performing a simple search on it. The
             # filter is considered valid if either it returns some entries
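Review bot: The `else: del kw['memberof']` branch drops the memberOf target filter without a comment. That widens the ACI from members of one group to whatever the remaining targets match, and it mutates the caller's `kw` as a side effect. I would add a comment above it such as `# memberof=None means "unset": no memberOf target filter is set, and the key is removed from the caller's kw`. The comment should also say whether a remaining target (type, filter, subtree) is required, since the hunk does not show that being checked. The `group_show` lookup is a point-in-time check under the caller's credentials, so it catches typos but does not stop the group being removed later, and the comment should say that too. `_make_aci` starts before and continues past this hunk.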
diff --git a/tests/test_xmlrpc/test_delegation_plugin.py b/tests/test_xmlrpc/test_delegation_plugin.py
index 1a9c36743d305cc382350db8e866ace21331fc5c..db5f7186527d2e0c6567dd5a727e878144bd3020 100644
--- a/tests/test_xmlrpc/test_delegation_plugin.py
+++ b/tests/test_xmlrpc/test_delegation_plugin.py
@@ -68,6 +68,18 @@ class test_delegation(Declarative):
             ),
         ),
 
+        dict(
+            desc='Try to create %r for non-existing member group' % delegation1,
+            command=(
+                'delegation_add', [delegation1], dict(
+                     attrs=u'street,c,l,st,postalCode',
+                     permissions=u'write',
+                     group=u'editors',
+                     memberof=u'nonexisting',
+                ),
+            ),
+            expected=errors.NotFound(reason='group not found'),
+        ),
 
         # Note that we add postalCode but expect postalcode. This tests
         # the attrs normalizer.
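Review bot: Only `delegation_add` is exercised with a non-existing `memberof` here, whereas the permission tests in this patch cover both `permission_add` and `permission_mod`. Assuming `delegation_mod` reaches the same `_make_aci` check, a parallel case such as `command=('delegation_mod', [delegation1], dict(memberof=u'nonexisting'))` expecting `errors.NotFound`, placed after the delegation is created, would pin the modify path as well. The `test_delegation` class body starts and continues outside this hunk.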
diff --git a/tests/test_xmlrpc/test_permission_plugin.py b/tests/test_xmlrpc/test_permission_plugin.py
index 50d368197cbc080f40fecf2038ae14337ed78b7c..e8e6bebcd387307f30e4a7bc4d266092b7e41424 100644
--- a/tests/test_xmlrpc/test_permission_plugin.py
+++ b/tests/test_xmlrpc/test_permission_plugin.py
@@ -500,6 +500,16 @@ class test_permission(Declarative):
             )
         ),
 
+        dict(
+            desc='Try to create permission %r with non-existing memberof' % permission1,
+            command=(
+                'permission_add', [permission1], dict(
+                     memberof=u'nonexisting',
+                     permissions=u'write',
+                )
+            ),
+            expected=errors.NotFound(reason='group not found'),
+        ),
 
         dict(
             desc='Create memberof permission %r' % permission1,
@@ -507,6 +517,7 @@ class test_permission(Declarative):
                 'permission_add', [permission1], dict(
                      memberof=u'editors',
                      permissions=u'write',
+                     type=u'user',
                 )
             ),
             expected=dict(
@@ -518,6 +529,52 @@ class test_permission(Declarative):
                     objectclass=objectclasses.permission,
                     memberof=u'editors',
                     permissions=[u'write'],
+                    type=u'user',
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Try to update non-existent memberof of %r' % permission1,
+            command=('permission_mod', [permission1], dict(memberof=u'nonexisting')),
+            expected=errors.NotFound(reason='group not found'),
+        ),
+
+        dict(
+            desc='Update memberof permission %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                     memberof=u'admins',
+                )
+            ),
+            expected=dict(
+                value=permission1,
+                summary=u'Modified permission "%s"' % permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    memberof=u'admins',
+                    permissions=[u'write'],
+                    type=u'user',
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Unset memberof of permission %r' % permission1,
+            command=(
+                'permission_mod', [permission1], dict(
+                     memberof=None,
+                )
+            ),
+            expected=dict(
+                summary=u'Modified permission "%s"' % permission1,
+                value=permission1,
+                result=dict(
+                    dn=lambda x: DN(x) == permission1_dn,
+                    cn=[permission1],
+                    permissions=[u'write'],
+                    type=u'user',
                 ),
             ),
         ),
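Review bot: The 'Unset memberof' case only runs against a permission that also carries `type=u'user'`, so nothing here shows what happens when `memberof` is the only target on the permission. A further case that creates a permission with `memberof` alone and then sends `memberof=None` would pin whether that is rejected or produces an ACI with no target restriction, which is the outcome with the widest access impact. A short comment above the unset test, for example `# after unset the permission applies to all user entries, not only members of the group`, would make the scope change explicit if that is the intended result. The `test_permission` class body starts and continues outside this hunk.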
-- 
1.7.6.5
