On 05/20/2015 10:38 AM, Martin Kosek wrote:
On 05/19/2015 05:54 PM, thierry bordaz wrote:
On 05/13/2015 05:54 PM, Martin Basti wrote:
On 13/05/15 17:44, David Kupka wrote:
On 05/13/2015 02:57 PM, Lenka Ryznarova wrote:

I've prepared test plan design for User Lifecycle Plugin - [1]. Please
review and let me know if you have any comments on that.


[1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan

thanks for sharing the test plan. I've quickly looked at it and have just 2

1) please add "Verify that specific GID number of a staged entry is
preserved after activation"

2) In a block of tests "Try activating staged entry with
<every-possible-attribute>" please add activation tests. It should be
possible to add/modify the attributes in staging area freely; all the checks
must be applied when the user is activated.

Hello, following tests are out of scope of API tests, but would be nice to have:
* test to make sure the staged/deleted user is unable to kinit
* opposite case the reactivated user is able to kinit (if this case is valid)
* ACI tests: to make sure only proper roles can manipulate staged users.

Hello Lenka,

This is looking like a very good set of tests. If you have time, you may also add
those tests:

  * try to do a simple bind with a stage/delete user
  * option only-delete, also-delete and --deleted are deprecated.. sorry
    the design is not up-to-date, now it is --preserved flag
  * Run the tests as admin

+1 for above

  * Run the tests as a stageadm (member of 'User administrator')

I would not push on this for version 1, IIRC we still miss the infrastructure
to easily run tests like this. But +1 for the intent.

If test infrastructure requires 'admin', no problem. But I usually simply do the following commands before running the ULC CLI tests.

(echo "hello";echo "hello") | ipa user-add --first=stage --last=administrator stageadm --password

ipa role-add-member "User Administrator" --users=stageadm

(echo "hello";echo "Secret123";echo "Secret123")  | kinit stageadm

  * Try to update a stageuser with invalid uid/gidnumber (<0 , or string)
  * Check that activated and undeleted users are members of ipausers
  * Being authenticated with a newly activated user, check you have
    limited access to entries (only modify yourself)
  * Try to add (ldapadd) an entry directly in delete container, should
    not be allowed even for admin.
  * Create a user that is member of a 'system provisioning' role.
    'system provisioning' role has the 'Stage user provisioning' privilege.
    This user should only be allowed to add 'stage' user (no read, delete,

I quickly checked the test case, I think it misses some of the basic test cases:
- Add user, add him as a member of a custom group. Delete/preserve the user,
check that he is no longer a member of that custom group
- Add staged user via LDAP directly as this is the primary use case. Then try
to activate it. The user may have different/minimal formats (more minimal than
with stageuser-add), see design for examples.

Yes I forgot the DS plugins (uniqueness, ref. int., memberof).
uniqueness is scoping Active/Delete user (uid and ipaUniqueID).
referential integrity scopes Active user for (member, manager, managedby, secretary, uniquemember...), so preserving a user should update those attributes.
memberof scopes Active user, so preserving a user should update its memberof values.
