A new vault API has been added to rename the 'service' option to
'servicename' to avoid conflicts with 'service' member in a future
patch. The old API is retained for backward compatibility, but the
implementation has been changed to invoke the new API.

https://fedorahosted.org/freeipa/ticket/5193

--
Endi S. Dewata
From 157d38f6954d5453eb494a542f027cc30eb4ea0d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edew...@redhat.com>
Date: Thu, 6 Aug 2015 21:46:27 +0200
Subject: [PATCH] Fixed conflicting vault 'service' option.

A new vault API has been added to rename the 'service' option to
'servicename' to avoid conflicts with 'service' member in a future
patch. The old API is retained for backward compatibility, but the
implementation has been changed to invoke the new API.

https://fedorahosted.org/freeipa/ticket/5193
---
 API.txt                                    | 230 ++++++++-
 VERSION                                    |   4 +-
 ipalib/plugins/vault.py                    | 595 +++++++++++++++++++-----
 ipatests/test_xmlrpc/test_vault2_plugin.py | 719 +++++++++++++++++++++++++++++
 4 files changed, 1435 insertions(+), 113 deletions(-)
 create mode 100644 ipatests/test_xmlrpc/test_vault2_plugin.py

diff --git a/API.txt b/API.txt
index 
04f2f894f7667239d94a2a7278d0cc80704afeb5..9a777bd029d88f6882a9db341822544c6d1e7b5a
 100644
--- a/API.txt
+++ b/API.txt
@@ -5396,6 +5396,232 @@ option: Str('version?', exclude='webui')
 output: Output('result', <type 'bool'>, None)
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
+command: vault2_add
+args: 1,14,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description?', cli_name='desc')
+option: Bytes('ipavaultpublickey?', cli_name='public_key')
+option: Str('ipavaulttype?', cli_name='type')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Str('public_key_file?', cli_name='public_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Str('setattr*', cli_name='setattr', exclude='webui')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_add_internal
+args: 1,13,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
+option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', 
multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=True, cli_name='type', 
default=u'standard', multivalue=False, required=False)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Str('setattr*', cli_name='setattr', exclude='webui')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_add_member
+args: 1,9,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault2_add_owner
+args: 1,9,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault2_archive
+args: 1,10,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Bytes('data?')
+option: Str('in?')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_archive_internal
+args: 1,9,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Bytes('nonce')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Bytes('session_key')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Bytes('vault_data')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_del
+args: 1,5,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=True, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('continue', autofill=True, cli_name='continue', default=False)
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('result', <type 'dict'>, None)
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: ListOfPrimaryKeys('value', None, None)
+command: vault2_find
+args: 1,13,4
+arg: Str('criteria?', noextrawhitespace=False)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('cn', attribute=True, autofill=False, cli_name='name', 
maxlength=255, multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, 
query=True, required=False)
+option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, query=True, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, query=True, required=False)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('pkey_only?', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Int('sizelimit?', autofill=False, minvalue=0)
+option: Int('timelimit?', autofill=False, minvalue=0)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('count', <type 'int'>, None)
+output: ListOfEntries('result', (<type 'list'>, <type 'tuple'>), Gettext('A 
list of LDAP entries', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: Output('truncated', <type 'bool'>, None)
+command: vault2_mod
+args: 1,15,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('delattr*', cli_name='delattr', exclude='webui')
+option: Str('description', attribute=True, autofill=False, cli_name='desc', 
multivalue=False, required=False)
+option: Bytes('ipavaultpublickey', attribute=True, autofill=False, 
cli_name='public_key', multivalue=False, required=False)
+option: Bytes('ipavaultsalt', attribute=True, autofill=False, cli_name='salt', 
multivalue=False, required=False)
+option: Str('ipavaulttype', attribute=True, autofill=False, cli_name='type', 
default=u'standard', multivalue=False, required=False)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Str('servicename?', cli_name='service')
+option: Str('setattr*', cli_name='setattr', exclude='webui')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_remove_member
+args: 1,9,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault2_remove_owner
+args: 1,9,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('user*', alwaysask=True, cli_name='users', csv=True)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Output('completed', <type 'int'>, None)
+output: Output('failed', <type 'dict'>, None)
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+command: vault2_retrieve
+args: 1,11,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Str('out?')
+option: Str('password?', cli_name='password')
+option: Str('password_file?', cli_name='password_file')
+option: Bytes('private_key?', cli_name='private_key')
+option: Str('private_key_file?', cli_name='private_key_file')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_retrieve_internal
+args: 1,7,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('servicename?', cli_name='service')
+option: Bytes('session_key')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
+command: vault2_show
+args: 1,8,3
+arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
+option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
+option: Flag('no_members', autofill=True, default=False, exclude='webui')
+option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Flag('rights', autofill=True, default=False)
+option: Str('servicename?', cli_name='service')
+option: Flag('shared?', autofill=True, default=False)
+option: Str('username?', cli_name='user')
+option: Str('version?', exclude='webui')
+output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an 
LDAP entry', domain='ipa', localedir=None))
+output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
+output: PrimaryKey('value', None, None)
 command: vault_add
 args: 1,14,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, query=True, 
required=True)
@@ -5417,8 +5643,9 @@ output: Entry('result', <type 'dict'>, Gettext('A 
dictionary representing an LDA
 output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
 output: PrimaryKey('value', None, None)
 command: vault_add_internal
-args: 1,11,3
+args: 1,13,3
 arg: Str('cn', attribute=True, cli_name='name', maxlength=255, 
multivalue=False, pattern='^[a-zA-Z0-9_.-]+$', primary_key=True, required=True)
+option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Str('description', attribute=True, cli_name='desc', multivalue=False, 
required=False)
 option: Bytes('ipavaultpublickey', attribute=True, cli_name='public_key', 
multivalue=False, required=False)
@@ -5427,6 +5654,7 @@ option: Str('ipavaulttype', attribute=True, 
autofill=True, cli_name='type', defa
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
 option: Str('service?')
+option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Flag('shared?', autofill=True, default=False)
 option: Str('username?', cli_name='user')
 option: Str('version?', exclude='webui')
diff --git a/VERSION b/VERSION
index 
a3d586df47ab6a6136bd38c0151fe43876bf5ab3..e656524418e5fedbd318e6998aa67ffc20750533
 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=148
-# Last change: ftweedal - add --out option to user-show
+IPA_API_VERSION_MINOR=149
+# Last change: edewata - Fixed conflicting vault 'service' option.
diff --git a/ipalib/plugins/vault.py b/ipalib/plugins/vault.py
index 
423df6b7c0e39c46b20561133be8cd54560bf8b9..e32d378dbdc7118c2fd60aeabe7a3993c2d63c9c
 100644
--- a/ipalib/plugins/vault.py
+++ b/ipalib/plugins/vault.py
@@ -257,11 +257,225 @@ vault_options = (
     ),
 )
 
+vault2_options = (
+    Str(
+        'servicename?',
+        cli_name='service',
+        doc=_('Service name of the service vault'),
+    ),
+    Flag(
+        'shared?',
+        doc=_('Shared vault'),
+    ),
+    Str(
+        'username?',
+        cli_name='user',
+        doc=_('Username of the user vault'),
+    ),
+)
+
+vault_add_options = (
+    Str(
+        'description?',
+        cli_name='desc',
+        doc=_('Vault description'),
+    ),
+    Str(
+        'ipavaulttype?',
+        cli_name='type',
+        doc=_('Vault type'),
+    ),
+    Str(
+        'password?',
+        cli_name='password',
+        doc=_('Vault password'),
+    ),
+    Str(  # TODO: use File parameter
+        'password_file?',
+        cli_name='password_file',
+        doc=_('File containing the vault password'),
+    ),
+    Bytes(
+        'ipavaultpublickey?',
+        cli_name='public_key',
+        doc=_('Vault public key'),
+    ),
+    Str(  # TODO: use File parameter
+        'public_key_file?',
+        cli_name='public_key_file',
+        doc=_('File containing the vault public key'),
+    ),
+)
+
+vault_archive_options = (
+    Bytes(
+        'data?',
+        doc=_('Binary data to archive'),
+    ),
+    Str(  # TODO: use File parameter
+        'in?',
+        doc=_('File containing data to archive'),
+    ),
+    Str(
+        'password?',
+        cli_name='password',
+        doc=_('Vault password'),
+    ),
+    Str(  # TODO: use File parameter
+        'password_file?',
+        cli_name='password_file',
+        doc=_('File containing the vault password'),
+    ),
+)
+
+vault_archive_internal_options = (
+    Bytes(
+        'session_key',
+        doc=_('Session key wrapped with transport certificate'),
+    ),
+    Bytes(
+        'vault_data',
+        doc=_('Vault data encrypted with session key'),
+    ),
+    Bytes(
+        'nonce',
+        doc=_('Nonce'),
+    ),
+)
+
+vault_retrieve_options = (
+    Str(
+        'out?',
+        doc=_('File to store retrieved data'),
+    ),
+    Str(
+        'password?',
+        cli_name='password',
+        doc=_('Vault password'),
+    ),
+    Str(  # TODO: use File parameter
+        'password_file?',
+        cli_name='password_file',
+        doc=_('File containing the vault password'),
+    ),
+    Bytes(
+        'private_key?',
+        cli_name='private_key',
+        doc=_('Vault private key'),
+    ),
+    Str(  # TODO: use File parameter
+        'private_key_file?',
+        cli_name='private_key_file',
+        doc=_('File containing the vault private key'),
+    ),
+)
+
+vault_retrieve_internal_options = (
+    Bytes(
+        'session_key',
+        doc=_('Session key wrapped with transport certificate'),
+    ),
+)
+
+
+def convert_options(**options):
+    options = options.copy()
+
+    if 'service' in options:
+        options['servicename'] = options.pop('service')
+
+    return options
+
 
 @register()
 class vault(LDAPObject):
     __doc__ = _("""
-    Vault object.
+    Vault 1.0 Plugin.
+    """)
+
+    container_dn = api.env.container_vault
+
+    object_name = _('vault')
+    object_name_plural = _('vaults')
+
+    object_class = ['ipaVault']
+    default_attributes = [
+        'cn',
+        'description',
+        'ipavaulttype',
+        'ipavaultsalt',
+        'ipavaultpublickey',
+        'owner',
+        'member',
+    ]
+    search_display_attributes = [
+        'cn',
+        'description',
+        'ipavaulttype',
+    ]
+    attribute_members = {
+        'owner': ['user', 'group'],
+        'member': ['user', 'group'],
+    }
+
+    label = _('Vaults')
+    label_singular = _('Vault')
+
+    takes_params = (
+        Str(
+            'cn',
+            cli_name='name',
+            label=_('Vault name'),
+            primary_key=True,
+            pattern='^[a-zA-Z0-9_.-]+$',
+            pattern_errmsg='may only include letters, numbers, _, ., and -',
+            maxlength=255,
+        ),
+        Str(
+            'description?',
+            cli_name='desc',
+            label=_('Description'),
+            doc=_('Vault description'),
+        ),
+        Str(
+            'ipavaulttype?',
+            cli_name='type',
+            label=_('Type'),
+            doc=_('Vault type'),
+            default=u'standard',
+            autofill=True,
+        ),
+        Bytes(
+            'ipavaultsalt?',
+            cli_name='salt',
+            label=_('Salt'),
+            doc=_('Vault salt'),
+            flags=['no_search'],
+        ),
+        Bytes(
+            'ipavaultpublickey?',
+            cli_name='public_key',
+            label=_('Public key'),
+            doc=_('Vault public key'),
+            flags=['no_search'],
+        ),
+        Str(
+            'owner_user?',
+            label=_('Owner users'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+        Str(
+            'owner_group?',
+            label=_('Owner groups'),
+            flags=['no_create', 'no_update', 'no_search'],
+        ),
+    )
+
+
+@register()
+class vault2(LDAPObject):
+    __doc__ = _("""
+    Vault 1.1 Plugin.
     """)
 
     container_dn = api.env.container_vault
@@ -347,7 +561,7 @@ class vault(LDAPObject):
         Generates vault DN from parameters.
         """
 
-        service = options.get('service')
+        service = options.get('servicename')
         shared = options.get('shared')
         user = options.get('username')
 
@@ -369,7 +583,7 @@ class vault(LDAPObject):
         # TODO: create container_dn after object initialization then reuse it
         container_dn = DN(self.container_dn, self.api.env.basedn)
 
-        dn = super(vault, self).get_dn(*keys, **options)
+        dn = super(vault2, self).get_dn(*keys, **options)
         assert dn.endswith(container_dn)
         rdns = DN(*dn[:-len(container_dn)])
 
@@ -546,38 +760,26 @@ class vault(LDAPObject):
 class vault_add(PKQuery, Local):
     __doc__ = _('Create a new vault.')
 
-    takes_options = LDAPCreate.takes_options + vault_options + (
-        Str(
-            'description?',
-            cli_name='desc',
-            doc=_('Vault description'),
-        ),
-        Str(
-            'ipavaulttype?',
-            cli_name='type',
-            doc=_('Vault type'),
-        ),
-        Str(
-            'password?',
-            cli_name='password',
-            doc=_('Vault password'),
-        ),
-        Str(  # TODO: use File parameter
-            'password_file?',
-            cli_name='password_file',
-            doc=_('File containing the vault password'),
-        ),
-        Bytes(
-            'ipavaultpublickey?',
-            cli_name='public_key',
-            doc=_('Vault public key'),
-        ),
-        Str(  # TODO: use File parameter
-            'public_key_file?',
-            cli_name='public_key_file',
-            doc=_('File containing the vault public key'),
-        ),
-    )
+    NO_CLI = True
+
+    takes_options = LDAPCreate.takes_options + vault_options + \
+        vault_add_options
+
+    has_output = output.standard_entry
+
+    def forward(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_add(*args, **options)
+
+
+@register()
+class vault2_add(PKQuery, Local):
+    __doc__ = _('Create a new vault.')
+
+    CLI_NAME = 'vault-add'
+
+    takes_options = LDAPCreate.takes_options + vault2_options + \
+        vault_add_options
 
     has_output = output.standard_entry
 
@@ -654,7 +856,7 @@ class vault_add(PKQuery, Local):
                     error=_('Missing vault public key'))
 
         # create vault
-        response = self.api.Command.vault_add_internal(*args, **options)
+        response = self.api.Command.vault2_add_internal(*args, **options)
 
         # prepare parameters for archival
         opts = options.copy()
@@ -671,7 +873,7 @@ class vault_add(PKQuery, Local):
             del opts['ipavaultpublickey']
 
         # archive blank data
-        self.api.Command.vault_archive(*args, **opts)
+        self.api.Command.vault2_archive(*args, **opts)
 
         return response
 
@@ -681,7 +883,20 @@ class vault_add_internal(LDAPCreate):
 
     NO_CLI = True
 
-    takes_options = vault_options
+    takes_options = LDAPCreate.takes_options + vault_options
+
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_add_internal(*args, **options)
+
+
+@register()
+class vault2_add_internal(LDAPCreate):
+    __doc__ = _('Create a new vault.')
+
+    NO_CLI = True
+
+    takes_options = LDAPCreate.takes_options + vault2_options
 
     msg_summary = _('Added vault "%(value)s"')
 
@@ -715,8 +930,23 @@ class vault_add_internal(LDAPCreate):
 class vault_del(LDAPDelete):
     __doc__ = _('Delete a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPDelete.takes_options + vault_options
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_del(*args, **options)
+
+
+@register()
+class vault2_del(LDAPDelete):
+    __doc__ = _('Delete a vault.')
+
+    CLI_NAME = 'vault-del'
+
+    takes_options = LDAPDelete.takes_options + vault2_options
+
     msg_summary = _('Deleted vault "%(value)s"')
 
     def pre_callback(self, ldap, dn, *keys, **options):
@@ -756,10 +986,27 @@ class vault_del(LDAPDelete):
 class vault_find(LDAPSearch):
     __doc__ = _('Search for vaults.')
 
+    NO_CLI = True
+
     takes_options = LDAPSearch.takes_options + vault_options
 
     has_output_params = LDAPSearch.has_output_params
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_find(*args, **options)
+
+
+@register()
+class vault2_find(LDAPSearch):
+    __doc__ = _('Search for vaults.')
+
+    CLI_NAME = 'vault-find'
+
+    takes_options = LDAPSearch.takes_options + vault2_options
+
+    has_output_params = LDAPSearch.has_output_params
+
     msg_summary = ngettext(
         '%(count)d vault matched',
         '%(count)d vaults matched',
@@ -793,10 +1040,25 @@ class vault_find(LDAPSearch):
 class vault_mod(LDAPUpdate):
     __doc__ = _('Modify a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPUpdate.takes_options + vault_options
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_mod(*args, **options)
+
+
+@register()
+class vault2_mod(LDAPUpdate):
+    __doc__ = _('Modify a vault.')
+
+    takes_options = LDAPUpdate.takes_options + vault2_options
+
     msg_summary = _('Modified vault "%(value)s"')
 
+    CLI_NAME = 'vault-mod'
+
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
                      *keys, **options):
 
@@ -813,13 +1075,29 @@ class vault_mod(LDAPUpdate):
 class vault_show(LDAPRetrieve):
     __doc__ = _('Display information about a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPRetrieve.takes_options + vault_options
 
     has_output_params = LDAPRetrieve.has_output_params
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_show(*args, **options)
+
+
+@register()
+class vault2_show(LDAPRetrieve):
+    __doc__ = _('Display information about a vault.')
+
+    CLI_NAME = 'vault-show'
+
+    takes_options = LDAPRetrieve.takes_options + vault2_options
+
+    has_output_params = LDAPRetrieve.has_output_params
+
     def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
         assert isinstance(dn, DN)
-
         if not self.api.Command.kra_is_enabled()['result']:
             raise errors.InvocationError(
                 format=_('KRA service is not enabled'))
@@ -886,26 +1164,24 @@ class vaultconfig_show(Retrieve):
 class vault_archive(PKQuery, Local):
     __doc__ = _('Archive data into a vault.')
 
-    takes_options = vault_options + (
-        Bytes(
-            'data?',
-            doc=_('Binary data to archive'),
-        ),
-        Str(  # TODO: use File parameter
-            'in?',
-            doc=_('File containing data to archive'),
-        ),
-        Str(
-            'password?',
-            cli_name='password',
-            doc=_('Vault password'),
-        ),
-        Str(  # TODO: use File parameter
-            'password_file?',
-            cli_name='password_file',
-            doc=_('File containing the vault password'),
-        ),
-    )
+    NO_CLI = True
+
+    takes_options = vault_options + vault_archive_options
+
+    has_output = output.standard_entry
+
+    def forward(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_archive(*args, **options)
+
+
+@register()
+class vault2_archive(PKQuery, Local):
+    __doc__ = _('Archive data into a vault.')
+
+    CLI_NAME = 'vault-archive'
+
+    takes_options = vault2_options + vault_archive_options
 
     has_output = output.standard_entry
 
@@ -948,7 +1224,7 @@ class vault_archive(PKQuery, Local):
             backend.connect(ccache=krbV.default_context().default_ccache())
 
         # retrieve vault info
-        vault = self.api.Command.vault_show(*args, **options)['result']
+        vault = self.api.Command.vault2_show(*args, **options)['result']
 
         vault_type = vault['ipavaulttype'][0]
 
@@ -979,7 +1255,7 @@ class vault_archive(PKQuery, Local):
             opts = options.copy()
             opts['password'] = password
             try:
-                self.api.Command.vault_retrieve(*args, **opts)
+                self.api.Command.vault2_retrieve(*args, **opts)
             except errors.NotFound:
                 pass
 
@@ -1063,7 +1339,7 @@ class vault_archive(PKQuery, Local):
 
         options['vault_data'] = wrapped_vault_data
 
-        return self.api.Command.vault_archive_internal(*args, **options)
+        return self.api.Command.vault2_archive_internal(*args, **options)
 
 
 @register()
@@ -1071,20 +1347,22 @@ class vault_archive_internal(PKQuery):
 
     NO_CLI = True
 
-    takes_options = vault_options + (
-        Bytes(
-            'session_key',
-            doc=_('Session key wrapped with transport certificate'),
-        ),
-        Bytes(
-            'vault_data',
-            doc=_('Vault data encrypted with session key'),
-        ),
-        Bytes(
-            'nonce',
-            doc=_('Nonce'),
-        ),
-    )
+    takes_options = vault_options + vault_archive_internal_options
+
+    has_output = output.standard_entry
+
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_archive_internal(*args, **options)
+
+
+@register()
+class vault2_archive_internal(PKQuery):
+    __doc__ = _('Archive data into a vault.')
+
+    NO_CLI = True
+
+    takes_options = vault2_options + vault_archive_internal_options
 
     has_output = output.standard_entry
 
@@ -1101,7 +1379,7 @@ class vault_archive_internal(PKQuery):
         wrapped_session_key = options.pop('session_key')
 
         # retrieve vault info
-        vault = self.api.Command.vault_show(*args, **options)['result']
+        vault = self.api.Command.vault2_show(*args, **options)['result']
 
         # connect to KRA
         kra_client = self.api.Backend.kra.get_client()
@@ -1147,33 +1425,31 @@ class vault_archive_internal(PKQuery):
 class vault_retrieve(PKQuery, Local):
     __doc__ = _('Retrieve a data from a vault.')
 
-    takes_options = vault_options + (
-        Str(
-            'out?',
-            doc=_('File to store retrieved data'),
-        ),
-        Str(
-            'password?',
-            cli_name='password',
-            doc=_('Vault password'),
-        ),
-        Str(  # TODO: use File parameter
-            'password_file?',
-            cli_name='password_file',
-            doc=_('File containing the vault password'),
-        ),
+    NO_CLI = True
+
+    takes_options = vault_options + vault_retrieve_options
+
+    has_output = output.standard_entry
+    has_output_params = (
         Bytes(
-            'private_key?',
-            cli_name='private_key',
-            doc=_('Vault private key'),
-        ),
-        Str(  # TODO: use File parameter
-            'private_key_file?',
-            cli_name='private_key_file',
-            doc=_('File containing the vault private key'),
+            'data',
+            label=_('Data'),
         ),
     )
 
+    def forward(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_retrieve(*args, **options)
+
+
+@register()
+class vault2_retrieve(PKQuery, Local):
+    __doc__ = _('Retrieve a data from a vault.')
+
+    CLI_NAME = 'vault-retrieve'
+
+    takes_options = vault2_options + vault_retrieve_options
+
     has_output = output.standard_entry
     has_output_params = (
         Bytes(
@@ -1213,7 +1489,7 @@ class vault_retrieve(PKQuery, Local):
             backend.connect(ccache=krbV.default_context().default_ccache())
 
         # retrieve vault info
-        vault = self.api.Command.vault_show(*args, **options)['result']
+        vault = self.api.Command.vault2_show(*args, **options)['result']
 
         vault_type = vault['ipavaulttype'][0]
 
@@ -1241,7 +1517,7 @@ class vault_retrieve(PKQuery, Local):
         # send retrieval request to server
         options['session_key'] = wrapped_session_key.data
 
-        response = self.api.Command.vault_retrieve_internal(*args, **options)
+        response = self.api.Command.vault2_retrieve_internal(*args, **options)
 
         result = response['result']
         nonce = result['nonce']
@@ -1295,7 +1571,8 @@ class vault_retrieve(PKQuery, Local):
                 password = self.obj.get_existing_password()
 
             # generate encryption key from password
-            encryption_key = self.obj.generate_symmetric_key(password, salt)
+            encryption_key = \
+                self.obj.generate_symmetric_key(password, salt)
 
             # decrypt data with encryption key
             data = self.obj.decrypt(data, symmetric_key=encryption_key)
@@ -1347,12 +1624,22 @@ class vault_retrieve_internal(PKQuery):
 
     NO_CLI = True
 
-    takes_options = vault_options + (
-        Bytes(
-            'session_key',
-            doc=_('Session key wrapped with transport certificate'),
-        ),
-    )
+    takes_options = vault_options + vault_retrieve_internal_options
+
+    has_output = output.standard_entry
+
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_retrieve_internal(*args, **options)
+
+
+@register()
+class vault2_retrieve_internal(PKQuery):
+    __doc__ = _('Retrieve a data from a vault.')
+
+    NO_CLI = True
+
+    takes_options = vault2_options + vault_retrieve_internal_options
 
     has_output = output.standard_entry
 
@@ -1367,7 +1654,7 @@ class vault_retrieve_internal(PKQuery):
         wrapped_session_key = options.pop('session_key')
 
         # retrieve vault info
-        vault = self.api.Command.vault_show(*args, **options)['result']
+        vault = self.api.Command.vault2_show(*args, **options)['result']
 
         # connect to KRA
         kra_client = self.api.Backend.kra.get_client()
@@ -1411,6 +1698,8 @@ class vault_retrieve_internal(PKQuery):
 class vault_add_owner(LDAPAddMember):
     __doc__ = _('Add owners to a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPAddMember.takes_options + vault_options
 
     member_attributes = ['owner']
@@ -1430,11 +1719,40 @@ class vault_add_owner(LDAPAddMember):
         ),
     )
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_add_owner(*args, **options)
+
+
+@register()
+class vault2_add_owner(LDAPAddMember):
+    __doc__ = _('Add owners to a vault.')
+
+    CLI_NAME = 'vault-add-owner'
+
+    takes_options = LDAPAddMember.takes_options + vault2_options
+
+    has_output = (
+        output.Entry('result'),
+        output.Output(
+            'failed',
+            type=dict,
+            doc=_('Owners that could not be added'),
+        ),
+        output.Output(
+            'completed',
+            type=int,
+            doc=_('Number of owners added'),
+        ),
+    )
+
 
 @register()
 class vault_remove_owner(LDAPRemoveMember):
     __doc__ = _('Remove owners from a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPRemoveMember.takes_options + vault_options
 
     member_attributes = ['owner']
@@ -1454,20 +1772,77 @@ class vault_remove_owner(LDAPRemoveMember):
         ),
     )
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_remove_owner(*args, **options)
+
+
+@register()
+class vault2_remove_owner(LDAPRemoveMember):
+    __doc__ = _('Remove owners from a vault.')
+
+    CLI_NAME = 'vault-remove-owner'
+
+    takes_options = LDAPRemoveMember.takes_options + vault2_options
+
+    has_output = (
+        output.Entry('result'),
+        output.Output(
+            'failed',
+            type=dict,
+            doc=_('Owners that could not be removed'),
+        ),
+        output.Output(
+            'completed',
+            type=int,
+            doc=_('Number of owners removed'),
+        ),
+    )
+
 
 @register()
 class vault_add_member(LDAPAddMember):
     __doc__ = _('Add members to a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPAddMember.takes_options + vault_options
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_add_member(*args, **options)
+
+
+@register()
+class vault2_add_member(LDAPAddMember):
+    __doc__ = _('Add members to a vault.')
+
+    CLI_NAME = 'vault-add-member'
+
+    takes_options = LDAPAddMember.takes_options + vault2_options
+
 
 @register()
 class vault_remove_member(LDAPRemoveMember):
     __doc__ = _('Remove members from a vault.')
 
+    NO_CLI = True
+
     takes_options = LDAPRemoveMember.takes_options + vault_options
 
+    def execute(self, *args, **options):
+        options = convert_options(**options)
+        return self.api.Command.vault2_remove_member(*args, **options)
+
+
+@register()
+class vault2_remove_member(LDAPRemoveMember):
+    __doc__ = _('Remove members from a vault.')
+
+    CLI_NAME = 'vault-remove-member'
+
+    takes_options = LDAPRemoveMember.takes_options + vault2_options
+
 
 @register()
 class kra_is_enabled(Command):
diff --git a/ipatests/test_xmlrpc/test_vault2_plugin.py 
b/ipatests/test_xmlrpc/test_vault2_plugin.py
new file mode 100644
index 
0000000000000000000000000000000000000000..ff025967cb1aad61a4ed44173a780e73c0d5f3ac
--- /dev/null
+++ b/ipatests/test_xmlrpc/test_vault2_plugin.py
@@ -0,0 +1,719 @@
+# Authors:
+#   Endi S. Dewata <edew...@redhat.com>
+#
+# Copyright (C) 2015  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Test the `ipalib/plugins/vault.py` module.
+"""
+
+import nose
+from ipalib import api, errors
+from xmlrpc_test import Declarative, fuzzy_string
+
+vault_name = u'test_vault'
+service_name = u'HTTP/server.example.com'
+user_name = u'testuser'
+
+standard_vault_name = u'standard_test_vault'
+symmetric_vault_name = u'symmetric_test_vault'
+asymmetric_vault_name = u'asymmetric_test_vault'
+
+# binary data from \x00 to \xff
+secret = ''.join(map(chr, xrange(0, 256)))
+
+password = u'password'
+
+public_key = """
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnT61EFxUOQgCJdM0tmw/
+pRRPDPGchTClnU1eBtiQD3ItKYf1+weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDe
+k/zeB6nSVdk47OdaW1AHrJL+44r238Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqB
+tsxXaaAgjMp0AGq2U/aO/akeEYWQOYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7N
+otG4eR6c2o9Fyjd+M4Gai5Ce0fSrigRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLO
+pVThop+Xivcre3SpI0kt6oZPhBw9i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG6
+3wIDAQAB
+-----END PUBLIC KEY-----
+"""
+
+private_key = """
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAnT61EFxUOQgCJdM0tmw/pRRPDPGchTClnU1eBtiQD3ItKYf1
++weMGwGOSJXPtkto7NlE7Qs8WHAr0UjyeBDek/zeB6nSVdk47OdaW1AHrJL+44r2
+38Jbm/+7VO5lTu6Z4N5p0VqoWNLi0Uh/CkqBtsxXaaAgjMp0AGq2U/aO/akeEYWQ
+OYIdqUKVgAEKX5MmIA8tmbmoYIQ+B4Q3vX7NotG4eR6c2o9Fyjd+M4Gai5Ce0fSr
+igRvxAYi8xpRkQ5yQn5gf4WVrn+UKTfOIjLOpVThop+Xivcre3SpI0kt6oZPhBw9
+i8gbMnqifVmGFpVdhq+QVBqp+MVJvTbhRPG63wIDAQABAoIBAQCD2bXnfxPcMnvi
+jaPwpvoDCPF0EBBHmk/0g5ApO2Qon3uBDJFUqbJwXrCY6o2d9MOJfnGONlKmcYA8
+X+d4h+SqwGjIkjxdYeSauS+Jy6Rzr1ptH/P8EjPQrfG9uJxYQDflV3nxYwwwVrx7
+8kccMPdteRB+8Bb7FzOHufMimmayCNFETnVT5CKH2PrYoPB+fr0itCipWOenDp33
+e73OV+K9U3rclmtHaoRxGohqByKfQRUkipjw4m+T3qfZZc5eN77RGW8J+oL1GVom
+fwtiH7N1HVte0Dmd13nhiASg355kjqRPcIMPsRHvXkOpgg5HRUTKG5elqAyvvm27
+Fzj1YdeRAoGBAMnE61+FYh8qCyEGe8r6RGjO8iuoyk1t+0gBWbmILLBiRnj4K8Tc
+k7HBG/pg3XCNbCuRwiLg8tk3VAAXzn6o+IJr3QnKbNCGa1lKfYU4mt11sBEyuL5V
+NpZcZ8IiPhMlGyDA9cFbTMKOE08RqbOIdxOmTizFt0R5sYZAwOjEvBIZAoGBAMeC
+N/P0bdrScFZGeS51wEdiWme/CO0IyGoqU6saI8L0dbmMJquiaAeIEjIKLqxH1RON
+axhsyk97e0PCcc5QK62Utf50UUAbL/v7CpIG+qdSRYDO4bVHSCkwF32N3pYh/iVU
+EsEBEkZiJi0dWa/0asDbsACutxcHda3RI5pi7oO3AoGAcbGNs/CUHt1xEfX2UaT+
+YVSjb2iYPlNH8gYYygvqqqVl8opdF3v3mYUoP8jPXrnCBzcF/uNk1HNx2O+RQxvx
+lIQ1NGwlLsdfvBvWaPhBg6LqSHadVVrs/IMrUGA9PEp/Y9B3arIIqeSnCrn4Nxsh
+higDCwWKRIKSPwVD7qXVGBkCgYEAu5/CASIRIeYgEXMLSd8hKcDcJo8o1MoauIT/
+1Hyrvw9pm0qrn2QHk3WrLvYWeJzBTTcEzZ6aEG+fN9UodA8/VGnzUc6QDsrCsKWh
+hj0cArlDdeSZrYLQ4TNCFCiUePqU6QQM8weP6TMqlejxTKF+t8qi1bF5rCWuzP1P
+D0UU7DcCgYAUvmEGckugS+FTatop8S/rmkcQ4Bf5M/YCZfsySavucDiHcBt0QtXt
+Swh0XdDsYS3W1yj2XqqsQ7R58KNaffCHjjulWFzb5IiuSvvdxzWtiXHisOpO36MJ
+kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
+-----END RSA PRIVATE KEY-----
+"""
+
+
+class test_vault2_plugin(Declarative):
+
+    @classmethod
+    def setup_class(cls):
+        if not api.Backend.rpcclient.isconnected():
+            api.Backend.rpcclient.connect(fallback=False)
+
+        if not api.Command.kra_is_enabled()['result']:
+            raise nose.SkipTest('KRA service is not enabled')
+
+        super(test_vault2_plugin, cls).setup_class()
+
+    cleanup_commands = [
+        ('vault2_del', [vault_name], {'continue': True}),
+        ('vault2_del', [vault_name], {
+            'servicename': service_name,
+            'continue': True
+        }),
+        ('vault2_del', [vault_name], {'shared': True, 'continue': True}),
+        ('vault2_del', [vault_name], {
+            'username': user_name,
+            'continue': True
+        }),
+        ('vault2_del', [standard_vault_name], {'continue': True}),
+        ('vault2_del', [symmetric_vault_name], {'continue': True}),
+        ('vault2_del', [asymmetric_vault_name], {'continue': True}),
+    ]
+
+    tests = [
+
+        {
+            'desc': 'Create private vault',
+            'command': (
+                'vault2_add',
+                [vault_name],
+                {},
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': 'Added vault "%s"' % vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                          % (vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Find private vaults',
+            'command': (
+                'vault2_find',
+                [],
+                {},
+            ),
+            'expected': {
+                'count': 1,
+                'truncated': False,
+                'summary': u'1 vault matched',
+                'result': [
+                    {
+                        'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                              % (vault_name, api.env.basedn),
+                        'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
+                    },
+                ],
+            },
+        },
+
+        {
+            'desc': 'Show private vault',
+            'command': (
+                'vault2_show',
+                [vault_name],
+                {},
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': None,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                          % (vault_name, api.env.basedn),
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Modify private vault',
+            'command': (
+                'vault2_mod',
+                [vault_name],
+                {
+                    'description': u'Test vault',
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Modified vault "%s"' % vault_name,
+                'result': {
+                    'cn': [vault_name],
+                    'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Delete private vault',
+            'command': (
+                'vault2_del',
+                [vault_name],
+                {},
+            ),
+            'expected': {
+                'value': [vault_name],
+                'summary': u'Deleted vault "%s"' % vault_name,
+                'result': {
+                    'failed': (),
+                },
+            },
+        },
+
+        {
+            'desc': 'Create service vault',
+            'command': (
+                'vault2_add',
+                [vault_name],
+                {
+                    'servicename': service_name,
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Added vault "%s"' % vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
+                          % (vault_name, service_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Find service vaults',
+            'command': (
+                'vault2_find',
+                [],
+                {
+                    'servicename': service_name,
+                },
+            ),
+            'expected': {
+                'count': 1,
+                'truncated': False,
+                'summary': u'1 vault matched',
+                'result': [
+                    {
+                        'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
+                              % (vault_name, service_name, api.env.basedn),
+                        'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
+                    },
+                ],
+            },
+        },
+
+        {
+            'desc': 'Show service vault',
+            'command': (
+                'vault2_show',
+                [vault_name],
+                {
+                    'servicename': service_name,
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': None,
+                'result': {
+                    'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
+                          % (vault_name, service_name, api.env.basedn),
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Modify service vault',
+            'command': (
+                'vault2_mod',
+                [vault_name],
+                {
+                    'servicename': service_name,
+                    'description': u'Test vault',
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Modified vault "%s"' % vault_name,
+                'result': {
+                    'cn': [vault_name],
+                    'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Delete service vault',
+            'command': (
+                'vault2_del',
+                [vault_name],
+                {
+                    'servicename': service_name,
+                },
+            ),
+            'expected': {
+                'value': [vault_name],
+                'summary': u'Deleted vault "%s"' % vault_name,
+                'result': {
+                    'failed': (),
+                },
+            },
+        },
+
+        {
+            'desc': 'Create shared vault',
+            'command': (
+                'vault2_add',
+                [vault_name],
+                {
+                    'shared': True
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Added vault "%s"' % vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
+                          % (vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Find shared vaults',
+            'command': (
+                'vault2_find',
+                [],
+                {
+                    'shared': True
+                },
+            ),
+            'expected': {
+                'count': 1,
+                'truncated': False,
+                'summary': u'1 vault matched',
+                'result': [
+                    {
+                        'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
+                              % (vault_name, api.env.basedn),
+                        'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
+                    },
+                ],
+            },
+        },
+
+        {
+            'desc': 'Show shared vault',
+            'command': (
+                'vault2_show',
+                [vault_name],
+                {
+                    'shared': True
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': None,
+                'result': {
+                    'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
+                          % (vault_name, api.env.basedn),
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Modify shared vault',
+            'command': (
+                'vault2_mod',
+                [vault_name],
+                {
+                    'shared': True,
+                    'description': u'Test vault',
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Modified vault "%s"' % vault_name,
+                'result': {
+                    'cn': [vault_name],
+                    'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Delete shared vault',
+            'command': (
+                'vault2_del',
+                [vault_name],
+                {
+                    'shared': True
+                },
+            ),
+            'expected': {
+                'value': [vault_name],
+                'summary': u'Deleted vault "%s"' % vault_name,
+                'result': {
+                    'failed': (),
+                },
+            },
+        },
+
+        {
+            'desc': 'Create user vault',
+            'command': (
+                'vault2_add',
+                [vault_name],
+                {
+                    'username': user_name,
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Added vault "%s"' % vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
+                          % (vault_name, user_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Find user vaults',
+            'command': (
+                'vault2_find',
+                [],
+                {
+                    'username': user_name,
+                },
+            ),
+            'expected': {
+                'count': 1,
+                'truncated': False,
+                'summary': u'1 vault matched',
+                'result': [
+                    {
+                        'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
+                              % (vault_name, user_name, api.env.basedn),
+                        'cn': [vault_name],
+                        'ipavaulttype': [u'standard'],
+                    },
+                ],
+            },
+        },
+
+        {
+            'desc': 'Show user vault',
+            'command': (
+                'vault2_show',
+                [vault_name],
+                {
+                    'username': user_name,
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': None,
+                'result': {
+                    'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
+                          % (vault_name, user_name, api.env.basedn),
+                    'cn': [vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Modify user vault',
+            'command': (
+                'vault2_mod',
+                [vault_name],
+                {
+                    'username': user_name,
+                    'description': u'Test vault',
+                },
+            ),
+            'expected': {
+                'value': vault_name,
+                'summary': u'Modified vault "%s"' % vault_name,
+                'result': {
+                    'cn': [vault_name],
+                    'description': [u'Test vault'],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Delete user vault',
+            'command': (
+                'vault2_del',
+                [vault_name],
+                {
+                    'username': user_name,
+                },
+            ),
+            'expected': {
+                'value': [vault_name],
+                'summary': u'Deleted vault "%s"' % vault_name,
+                'result': {
+                    'failed': (),
+                },
+            },
+        },
+
+        {
+            'desc': 'Create standard vault',
+            'command': (
+                'vault2_add',
+                [standard_vault_name],
+                {},
+            ),
+            'expected': {
+                'value': standard_vault_name,
+                'summary': 'Added vault "%s"' % standard_vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                          % (standard_vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [standard_vault_name],
+                    'ipavaulttype': [u'standard'],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Archive secret into standard vault',
+            'command': (
+                'vault2_archive',
+                [standard_vault_name],
+                {
+                    'data': secret,
+                },
+            ),
+            'expected': {
+                'value': standard_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % standard_vault_name,
+                'result': {},
+            },
+        },
+
+        {
+            'desc': 'Retrieve secret from standard vault',
+            'command': (
+                'vault2_retrieve',
+                [standard_vault_name],
+                {},
+            ),
+            'expected': {
+                'value': standard_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % standard_vault_name,
+                'result': {
+                    'data': secret,
+                },
+            },
+        },
+
+        {
+            'desc': 'Create symmetric vault',
+            'command': (
+                'vault2_add',
+                [symmetric_vault_name],
+                {
+                    'ipavaulttype': u'symmetric',
+                    'password': password,
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Added vault "%s"' % symmetric_vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                          % (symmetric_vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [symmetric_vault_name],
+                    'ipavaulttype': [u'symmetric'],
+                    'ipavaultsalt': [fuzzy_string],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Archive secret into symmetric vault',
+            'command': (
+                'vault2_archive',
+                [symmetric_vault_name],
+                {
+                    'password': password,
+                    'data': secret,
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % symmetric_vault_name,
+                'result': {},
+            },
+        },
+
+        {
+            'desc': 'Retrieve secret from symmetric vault',
+            'command': (
+                'vault2_retrieve',
+                [symmetric_vault_name],
+                {
+                    'password': password,
+                },
+            ),
+            'expected': {
+                'value': symmetric_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % symmetric_vault_name,
+                'result': {
+                    'data': secret,
+                },
+            },
+        },
+
+        {
+            'desc': 'Create asymmetric vault',
+            'command': (
+                'vault2_add',
+                [asymmetric_vault_name],
+                {
+                    'ipavaulttype': u'asymmetric',
+                    'ipavaultpublickey': public_key,
+                },
+            ),
+            'expected': {
+                'value': asymmetric_vault_name,
+                'summary': 'Added vault "%s"' % asymmetric_vault_name,
+                'result': {
+                    'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
+                          % (asymmetric_vault_name, api.env.basedn),
+                    'objectclass': [u'top', u'ipaVault'],
+                    'cn': [asymmetric_vault_name],
+                    'ipavaulttype': [u'asymmetric'],
+                    'ipavaultpublickey': [public_key],
+                    'owner_user': [u'admin'],
+                },
+            },
+        },
+
+        {
+            'desc': 'Archive secret into asymmetric vault',
+            'command': (
+                'vault2_archive',
+                [asymmetric_vault_name],
+                {
+                    'data': secret,
+                },
+            ),
+            'expected': {
+                'value': asymmetric_vault_name,
+                'summary': 'Archived data into vault "%s"'
+                           % asymmetric_vault_name,
+                'result': {},
+            },
+        },
+
+        {
+            'desc': 'Retrieve secret from asymmetric vault',
+            'command': (
+                'vault2_retrieve',
+                [asymmetric_vault_name],
+                {
+                    'private_key': private_key,
+                },
+            ),
+            'expected': {
+                'value': asymmetric_vault_name,
+                'summary': 'Retrieved data from vault "%s"'
+                           % asymmetric_vault_name,
+                'result': {
+                    'data': secret,
+                },
+            },
+        },
+
+    ]
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to