URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413
From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitelly

Test should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
         user, api.env.container_user, api.env.basedn)
 
     args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-            '-s', newpw, '-x']
+            '-s', newpw, '-x', '-H', api.env.ldap_uri]
     return run(args)
 
 

From b7c90dfdabfc6229cbe6d33efe326bcca5873958 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 18 Jan 2017 13:24:29 +0100
Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert

Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt                        | 24 ++++++++++++++++++++++++
 ipaserver/plugins/baseuser.py  | 36 +++++++++++++++++++++++++++++++++++-
 ipaserver/plugins/stageuser.py | 14 ++++++++++++++
 ipaserver/plugins/user.py      | 42 +++++-------------------------------------
 4 files changed, 78 insertions(+), 38 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..182daa8 100644
--- a/API.txt
+++ b/API.txt
@@ -4751,6 +4751,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: stageuser_add_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_add_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -4882,6 +4893,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: stageuser_remove_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_remove_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6661,10 +6683,12 @@ default: sidgen_was_run/1
 default: stageuser/1
 default: stageuser_activate/1
 default: stageuser_add/1
+default: stageuser_add_cert/1
 default: stageuser_add_manager/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
+default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
 default: stageuser_show/1
 default: sudocmd/1
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 85ad417..75cf7d8 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@
 from .baseldap import (
     DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
     LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
-    LDAPRemoveMember)
+    LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption)
 from ipaserver.plugins.service import (
    validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
@@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
         return dn
+
+
+class baseuser_add_cert(LDAPAddAttributeViaOption):
+    attribute = 'usercertificate'
+
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+                     **options):
+        self.obj.convert_usercertificate_pre(entry_attrs)
+
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+        return dn
+
+
+class baseuser_remove_cert(LDAPRemoveAttributeViaOption):
+    attribute = 'usercertificate'
+
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+                     **options):
+        self.obj.convert_usercertificate_pre(entry_attrs)
+
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+        return dn
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index afd402e..b2f75a1 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -39,6 +39,8 @@
     baseuser_show,
     NO_UPG_MAGIC,
     baseuser_output_params,
+    baseuser_add_cert,
+    baseuser_remove_cert,
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
@@ -744,3 +746,15 @@ class stageuser_add_manager(baseuser_add_manager):
 @register()
 class stageuser_remove_manager(baseuser_remove_manager):
     __doc__ = _("Remove a manager to the stage user entry")
+
+
+@register()
+class stageuser_add_cert(baseuser_add_cert):
+    __doc__ = _("Add one or more certificates to the stageuser entry")
+    msg_summary = _('Added certificates to stageuser "%(value)s"')
+
+
+@register()
+class stageuser_remove_cert(baseuser_remove_cert):
+    __doc__ = _("Remove one or more certificates to the stageuser entry")
+    msg_summary = _('Removed certificates from stageuser "%(value)s"')
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6440548..1ef71d2 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -43,6 +43,8 @@
     fix_addressbook_permission_bindrule,
     baseuser_add_manager,
     baseuser_remove_manager,
+    baseuser_add_cert,
+    baseuser_remove_cert,
     baseuser_add_principal,
     baseuser_remove_principal)
 from .idviews import remove_ipaobject_overrides
@@ -53,9 +55,7 @@
     LDAPCreate,
     LDAPSearch,
     LDAPQuery,
-    LDAPMultiQuery,
-    LDAPAddAttributeViaOption,
-    LDAPRemoveAttributeViaOption)
+    LDAPMultiQuery)
 from . import baseldap
 from ipalib.request import context
 from ipalib import _, ngettext
@@ -1157,47 +1157,15 @@ def execute(self, *keys, **options):
 
 
 @register()
-class user_add_cert(LDAPAddAttributeViaOption):
+class user_add_cert(baseuser_add_cert):
     __doc__ = _('Add one or more certificates to the user entry')
     msg_summary = _('Added certificates to user "%(value)s"')
-    attribute = 'usercertificate'
-
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
-                     **options):
-        dn = self.obj.get_either_dn(*keys, **options)
-
-        self.obj.convert_usercertificate_pre(entry_attrs)
-
-        return dn
-
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-
-        self.obj.convert_usercertificate_post(entry_attrs, **options)
-
-        return dn
 
 
 @register()
-class user_remove_cert(LDAPRemoveAttributeViaOption):
+class user_remove_cert(baseuser_remove_cert):
     __doc__ = _('Remove one or more certificates to the user entry')
     msg_summary = _('Removed certificates from user "%(value)s"')
-    attribute = 'usercertificate'
-
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
-                     **options):
-        dn = self.obj.get_either_dn(*keys, **options)
-
-        self.obj.convert_usercertificate_pre(entry_attrs)
-
-        return dn
-
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-
-        self.obj.convert_usercertificate_post(entry_attrs, **options)
-
-        return dn
 
 
 @register()

From 1811b5c6f8af564f5df2c7950db2d42715d3ece4 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 18 Jan 2017 13:25:11 +0100
Subject: [PATCH 3/8] stageuser: Add stageuser-{add,remove}-principal

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt                        | 24 ++++++++++++++++++++++++
 ipaserver/plugins/stageuser.py | 14 ++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/API.txt b/API.txt
index 182daa8..128d184 100644
--- a/API.txt
+++ b/API.txt
@@ -4773,6 +4773,17 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: stageuser_add_principal/1
+args: 2,4,3
+arg: Str('uid', cli_name='login')
+arg: Principal('krbprincipalname+', alwaysask=True, autofill=True, cli_name='principal')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_del/1
 args: 1,2,3
 arg: Str('uid+', cli_name='login')
@@ -4915,6 +4926,17 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: stageuser_remove_principal/1
+args: 2,4,3
+arg: Str('uid', cli_name='login')
+arg: Principal('krbprincipalname+', alwaysask=True, autofill=True, cli_name='principal')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_show/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6685,11 +6707,13 @@ default: stageuser_activate/1
 default: stageuser_add/1
 default: stageuser_add_cert/1
 default: stageuser_add_manager/1
+default: stageuser_add_principal/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
 default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
+default: stageuser_remove_principal/1
 default: stageuser_show/1
 default: sudocmd/1
 default: sudocmd_add/1
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index b2f75a1..5602514 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -41,6 +41,8 @@
     baseuser_output_params,
     baseuser_add_cert,
     baseuser_remove_cert,
+    baseuser_add_principal,
+    baseuser_remove_principal,
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
@@ -758,3 +760,15 @@ class stageuser_add_cert(baseuser_add_cert):
 class stageuser_remove_cert(baseuser_remove_cert):
     __doc__ = _("Remove one or more certificates to the stageuser entry")
     msg_summary = _('Removed certificates from stageuser "%(value)s"')
+
+
+@register()
+class stageuser_add_principal(baseuser_add_principal):
+    __doc__ = _('Add new principal alias to the stageuser entry')
+    msg_summary = _('Added new aliases to stageuser "%(value)s"')
+
+
+@register()
+class stageuser_remove_principal(baseuser_remove_principal):
+    __doc__ = _('Remove principal alias from the stageuser entry')
+    msg_summary = _('Removed aliases from stageuser "%(value)s"')

From 237a3ed9eb329c5ed87239eb8ac1bef46520ae1c Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Jan 2017 10:38:34 +0100
Subject: [PATCH 4/8] ipalib.x509: Handle missing SAN gracefully

When extension is not present None is returned instead of empty iterable
or exception thrown.
---
 ipalib/x509.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 13327c1..5ef8ffd 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -422,8 +422,12 @@ def get_san_general_names(cert):
         asn1Spec=rfc2459.TBSCertificate()
     )[0]
     OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+    # One would expect KeyError or empty iterable when the key ('extensions'
+    # in this particular case) is not pressent in the certificate but pyasn1
+    # returns None here
+    extensions = tbs['extensions'] or []
     gns = []
-    for ext in tbs['extensions']:
+    for ext in extensions:
         if ext['extnID'] == OID_SAN:
             der = decoder.decode(
                 ext['extnValue'], asn1Spec=univ.OctetString())[0]

From 481c8b88bd3b9bec4630053ef80f00f4735bf841 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Jan 2017 12:43:22 +0100
Subject: [PATCH 5/8] tests: add-remove-cert: Use harcoded certificates instead
 of requesting them

Requesting certificates for test purposes is not necessary as we allow to
upload arbitrary certificate to the user, host or service. Also requesting
certificate from dogtag takes some time and the test is slower for no good
reason.
More it's not posible to request certificate for stageuser even though it's
possible to upload certificates to stageusers now.

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 86 ++++++++++++++++++++++--
 1 file changed, 81 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index 7706133..631d898 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -113,15 +113,91 @@ def setup_class(cls):
 
         # list of certificates to add to entry
         cls.certs = [
-            get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
-            for _i in range(3)
+            u"MIICszCCAZugAwIBAgICM24wDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjUyOVoXDTE3M\r\n"
+            "DQxOTEwMjUyOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTEwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQCq03FRQQBvq4HwYMKP8USLZuOkKzuIs2V\r\n"
+            "Pt8k/+nO1dADrzMogKDiUDjCwYoG2UM/sj6P+PJUUCNDLh5eRRI+aR5VE5y2a\r\n"
+            "K95iCsj1ByDWrugAUXgr8GUUr+UbaGc0XxHCMnQBkYhzbXY3u91KYRRh5l3lx\r\n"
+            "RSICcVeJFJ/tiMS14Vsor1DWykHGz1wm0Zjwg1XDV3oea+uwrSz5Pa6RNPlgC\r\n"
+            "+GGW6B7+8qC2XdSSEwvY7y1SAGgqyOxN/FLwvqqMDNU0uX7fww587uZ57IfYz\r\n"
+            "b8Xn5DAprRFNk40FDc46rMlkPBT+Tij1I0jedD8h2e6WEa7JRU6SGToYDbRm4\r\n"
+            "RL9xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHqm1jXzYer9oSjYs9qh1jWpM\r\n"
+            "vTcN+0/z1uuX++Wezh3lG7IzYtypbZNxlXDECyrkUh+9oxzMJqdlZ562ko2br\r\n"
+            "uK6X5csbbM9uVsUva8NCsPPfZXDhrYaMKFvQGFY4pO3uhFGhccob037VN5Ifm\r\n"
+            "aKGM8aJ40cw2PQh38QPDdemizyVCThQ9Pcr+WgWKiG+t2Gd9NldJRLEhky0bW\r\n"
+            "2fc4zWZVbGq5nFXy1k+d/bgkHbVzf255eFZOKKy0NgZwig+uSlhVWPJjS4Z1w\r\n"
+            "LbpBKxTZp/xD0yEARs0u1ZcCELO/BkgQM50EDKmahIM4mdCs/7j1B/DdWs2i3\r\n"
+            "5lnbjxYYiUiyA=",
+            u"MIICszCCAZugAwIBAgICJGMwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjcyN1oXDTE3M\r\n"
+            "DQxOTEwMjcyN1owFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTIwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQDsEuTITzsRiUHXb8LxduokAEHwStCveKV\r\n"
+            "i8aVFBYQCRbpoXcoTfBISWvdmF3WOkIUfR1O0qrm0s3CPMAyWdTrnCI/45/Cc\r\n"
+            "FNDpGKPf+izN1t+WSrr6gCoz24y5ALyUEG5FSvHdDcIn+hY9Qvg3cRLxY9M4W\r\n"
+            "XmtR6p+d48v08nSSJXprgXS6ZiVvN7QGQfNRNDNoQZLmP9tQ/XvgJuiBMPj2N\r\n"
+            "aUFM8AwDnxGcvzExgaFlX0OKS6hymsUG60PeF0H0aYDgVH/0DKK+mZEA2FNbR\r\n"
+            "JIQt5Vk+c5aBvPrOfRLKrsQQ/zhtNOxk8Q0G+cwlzANCqbV7EzUFEFEtonnOP\r\n"
+            "tzY7AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIPcStKnxv6bdPiL2I7f4B/ME\r\n"
+            "BEV+kFnzu1msfkh1iouiKmM4ZkXLiqInKxEBwWNmhpRFoxKWaI3DjYtf/PYH/\r\n"
+            "guHipZvLIrVgfxlf/5ldXeoa7IHZ9hzvrG3WuYG6SHoJw6yaA6Vn8j8Q3r/kG\r\n"
+            "/1SLZpRpoq0EuhD7V/aHvxr/aiFnU4Fh2VaQd2ICOK2qBFQnoL5QyySVEJ7GA\r\n"
+            "RmajT3BqAASoixEqfMWYv2AqZnJ84JoI4reP0uZGjz5Cy32xQuenQckr8Faki\r\n"
+            "p28buFp46C34AWifbRERE396xocc9/Oc7dx9DyjeYqa9CuNo/pYlC4r8QCOkm\r\n"
+            "0xMWjoGcVUtUw=",
+            u"MIICszCCAZugAwIBAgICFpYwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczMVoXDTE3M\r\n"
+            "DQxOTEwMjczMVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTMwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQDEIMvN8aElxMSyfqIj91nDuuvli/RKNhF\r\n"
+            "sIU32c7NJVF7kthvltmEwIVKKCE1Yji3GRWXBuZlSz5eSyDaqqpOpdYsVjYaz\r\n"
+            "XfWA5kjL8vGkoVt97SQ0TEkSOlinnjuo2unjU33RcruRp4rqeQE8EPBlAXYJr\r\n"
+            "+iK5Y+RF9Mz047ba097wUUX85QeEp1LWwYbLZleNFK1BwsmSL5Js+GcKEBEdi\r\n"
+            "KS/OfidTz7Hf7KICLo+iZlbG3lNLFQMvWFG8bzTeOgZ5OLDeBRzG6cSZK0Q3A\r\n"
+            "18uVg0jf0rv/nsOO/JQRK1FufvmOL2Xp7lqLFaAIuQqH1OuAq6MHfuaxwpdiU\r\n"
+            "yzVfAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAAs0K12ugVJ4t7/iUdddTmS+v\r\n"
+            "8FEEL92fWgU1bQHR/gMa2by9SIqS1KZVBc5JpJePqVf/S35Gt4o7sE3rbbmZm\r\n"
+            "mhGDL8D+BmGHjxdhENLyk6rvHOm+TDgM7nQK0FbPekMzkbsFxfw9R7iq8cnZD\r\n"
+            "7Y1T5e2N+WMzx6Jf/ner32V9CTfFbGP84G0+kqyqo7vp59VIwyHpC0L/0bh8W\r\n"
+            "YjFKNCPMbnZpO3212dNCaIMp0Kugi9D4kXAeM3unQ2/p5pN7Vgo+Xl9hioN5g\r\n"
+            "As+3SQR2pArUmr8RtjvfH/PxE8scWtRCCH4aBhfklrCHK+rpUzh4PXqhXGYJC\r\n"
+            "TmYzsAw/Z7vnY=",
         ]
 
         # list of certificates for testing of removal of non-existent certs
         cls.nonexistent_certs = [
-            get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
-            for _j in range(2)
-            ]
+            u"MIICszCCAZugAwIBAgICYDAwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczNVoXDTE3M\r\n"
+            "DQxOTEwMjczNVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTQwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQDAw12yHMBzQd27/Zv5STUlrkgGaClC4/U\r\n"
+            "+HxjHSHxFJLStYgK9DrXpRIqnkdwAr7rftlhFiRkqFE4GNGNAlhUlnkn0YTvD\r\n"
+            "59ucnpSRC7kjkrHAb1fWDNE3VYQOOF93CObOOAciNEl/K0HXqXxxYkhF6cz+m\r\n"
+            "N1gGd6oOtCu+G1vCoM25X3nlQdgOJtI8X2/MDvZ+nJVRqscsjeNnM0+A1Q1Cf\r\n"
+            "u2ukiqYgiQVYAa88hpADhXEF+hht3iIiw53GgD1Bb5xFm+OKpwBSegRJOjraj\r\n"
+            "XeWpr1ZN44JCTuFmAxwaNzynpYjrDbWXoLzbXEhyPbtT1jui6A1rRhEpc9Tyd\r\n"
+            "Wb4rAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAMe/xoqCmmSV/8x+hawb216sv\r\n"
+            "5CX6+WKMlLJTsmB586fQoJWJecn3Wg7DB1vfLeffayh9b+7g0w0OZnaUJlPNH\r\n"
+            "T6x5P29jH9J6fGOu3CIafCpvEXyamJKyQD6tER3l4iRBzoqW74BQh3W6rQnVs\r\n"
+            "lvM07LlQA0PB9RXYNvEmTCJKOtzA7wcARukvss9VS9oBfxjFgcGDKfMPPNaH9\r\n"
+            "IGEZi8QwEnOsSpLUobWPhRENbxwTMwlMspk9QG7NvTfisqFRXkAov0R/rHPqr\r\n"
+            "AXJTZmkPP+MhrsrbnT0CV2f6bxPkvXknuf+7Xi3h900BLQOSY+jqmtmGrYjln\r\n"
+            "tsqX1gL4y2e98=",
+            u"MIICszCCAZugAwIBAgICeicwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChML\r\n"
+            "RVhBTVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczOVoXDTE3M\r\n"
+            "DQxOTEwMjczOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTUwggEiMA0GCSqGSI\r\n"
+            "b3DQEBAQUAA4IBDwAwggEKAoIBAQCd1VDwUwkwieLqngX1q2HoOe/tKnPxnr/\r\n"
+            "DrjbXAwFxEDcp7lfIUXALy33YZTAUGaNhlKzL+5sL3O5RcebSywBvw9Cpg9O4\r\n"
+            "lLPeAwdgnCHpNMaBjFL9/ySnwrIH0Hpx7chUXt1zz+z4ia1i7ZfVWHlP3D+pu\r\n"
+            "dR8MdzKH+1irtLcVL8ESfIqVsLGf0qV3wi2znqFsul6+e1MLE/RVXFoCmEX7J\r\n"
+            "5mJ77aFm6GgpXR7O3UAGl1NAfbZUz1Itt/NSrx8lHAYur4tUPQPEEa8XSe/B8\r\n"
+            "hG5J1inw6jm94vvpi2a3GOU6eDz4q0nM0/Rbia212tdbpyKdkm4aCQkoyhrJR\r\n"
+            "+DhvAgMBAAEwDQYJKoZIhvcNAQELBQADggEBADd5V5BMVY4zBRQiLZ2x+7seD\r\n"
+            "oT7ewyYW6Kk9oMlk7JWXgNyAG5/561vSkKIBkQG2CTRD3dAX7SbUwkxP7/a9g\r\n"
+            "ozJN3VOrLBUDhxyesr3cMuIU9XVyPezT3KapQjXkxzmJKiRNPc/fope4Xx5uc\r\n"
+            "UwYa6lm9QVCD4gnNElf+RexpI3VwkjmAWS3cvsKRFFNbZCS5gpCM/rOX76m4l\r\n"
+            "YcBSA8B+jb0FkOJt3u9fwtoMbhv5kdjEDGNWmG1kJ86ybqeWj12BpKGh4G6m4\r\n"
+            "E8ROnyuBt8Bolk4jqR3uCPfD4T+HpkttqrznRaGvroD020pEjtU22sAKkhBZQ\r\n"
+            "2Wbfkc49wxqpY=",
+        ]
 
         # cert subset to remove from entry
         cls.certs_subset = cls.certs[:2]

From 660a58abf6f742b557be15d21b764867a6e97d7a Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Jan 2017 12:43:32 +0100
Subject: [PATCH 6/8] tests: Stageuser-{add,remove}-cert

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index 631d898..d057047 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -403,6 +403,25 @@ def remove_caacl(cls):
 
 
 @pytest.mark.tier1
+class TestCertManipCmdStageuser(CertManipCmdTestBase):
+    entity_class = 'stageuser'
+    entity_pkey = u'suser'
+    entity_subject = entity_pkey
+    entity_principal = u'suser'
+    non_existent_entity = u'nonexistentstageuser'
+
+    cmd_options = dict(
+        entity_add=dict(givenname=u'Stage', sn=u'User'),
+    )
+
+    cert_add_cmd = api.Command.stageuser_add_cert
+    cert_del_cmd = api.Command.stageuser_remove_cert
+
+    cert_add_summary = u'Added certificates to stageuser "%s"'
+    cert_del_summary = u'Removed certificates from stageuser "%s"'
+
+
+@pytest.mark.tier1
 class TestCertManipCmdHost(CertManipCmdTestBase):
     entity_class = 'host'
     entity_pkey = u'host.example.com'

From 60024e78012e7cd70a729cc85257d0cd378601ef Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:27:52 +0100
Subject: [PATCH 7/8] tests: kerberos_principal_aliases: Deduplicate tests

https://fedorahosted.org/freeipa/ticket/6623
---
 .../test_xmlrpc/test_kerberos_principal_aliases.py | 62 +++++++++++-----------
 1 file changed, 32 insertions(+), 30 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
index a1973af..95d23ac 100644
--- a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
+++ b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
@@ -85,13 +85,6 @@ def krbalias_user_c(request):
     return tracker.make_fixture(request)
 
 
-@pytest.fixture(scope='function')
-def krbalias_host(request):
-    tracker = HostTracker(u'testhost-krb')
-
-    return tracker.make_fixture(request)
-
-
 @pytest.fixture
 def krb_service_host(request):
     tracker = HostTracker(u'krb-srv-host')
@@ -108,6 +101,12 @@ def krbalias_service(request, krb_service_host):
     return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='function')
+def krbalias(request, tracker_cls, tracker_args, tracker_kwargs):
+    tracker = tracker_cls(*tracker_args, **tracker_kwargs)
+    return tracker.make_fixture(request)
+
+
 @pytest.fixture
 def ldapservice(request):
     tracker = ServiceTracker(
@@ -118,29 +117,32 @@ def ldapservice(request):
 
 
 class TestKerberosAliasManipulation(XMLRPC_test):
-
-    def test_add_user_principal_alias(self, krbalias_user):
-        krbalias_user.ensure_exists()
-        krbalias_user.add_principal([u'test-user-alias'])
-        krbalias_user.retrieve()
-
-    def test_remove_user_principal_alias(self, krbalias_user):
-        krbalias_user.ensure_exists()
-        krbalias_user.add_principal([u'test-user-alias'])
-        krbalias_user.remove_principal(u'test-user-alias')
-        krbalias_user.retrieve()
-
-    def test_add_host_principal_alias(self, krbalias_host):
-        krbalias_host.ensure_exists()
-        krbalias_host.add_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
-
-    def test_remove_host_principal_alias(self, krbalias_host):
-        krbalias_host.ensure_exists()
-        krbalias_host.add_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
-        krbalias_host.remove_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
+    add_remove_test_data = [
+        u'testuser-alias',
+        u'testhost-alias',
+    ]
+    tracker_init_data = [
+        (UserTracker, (u'krbalias_user', u'krbalias', u'test',), {},),
+        (HostTracker, (u'testhost-krb',), {},),
+    ]
+
+    tracker_data = [(add_remove_test_data[i],) + tracker_init_data[i]
+                    for i in range(len(tracker_init_data))]
+
+    @pytest.mark.parametrize('alias,tracker_cls,tracker_args,tracker_kwargs',
+                             tracker_data)
+    def test_add_principal_alias(self, alias, krbalias):
+        krbalias.ensure_exists()
+        krbalias.add_principal([alias])
+        krbalias.retrieve()
+
+    @pytest.mark.parametrize('alias,tracker_cls,tracker_args,tracker_kwargs',
+                             tracker_data)
+    def test_remove_principal_alias(self, alias, krbalias):
+        krbalias.ensure_exists()
+        krbalias.add_principal([alias])
+        krbalias.remove_principal(alias)
+        krbalias.retrieve()
 
     def test_add_service_principal_alias(self, krbalias_service):
         krbalias_service.ensure_exists()

From 8dbb1155e669471d413fec02211b6559736c4ed3 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:28:58 +0100
Subject: [PATCH 8/8] tests: Add tests for kerberos principal aliases in
 stageuser

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_kerberos_principal_aliases.py | 3 +++
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py        | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
index 95d23ac..ed1b159 100644
--- a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
+++ b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
@@ -15,6 +15,7 @@
 from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
 from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
+from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker
 from ipatests.test_xmlrpc.mock_trust import (
     mocked_trust_containers, get_trust_dn, get_trusted_dom_dict,
     encode_mockldap_value)
@@ -120,10 +121,12 @@ class TestKerberosAliasManipulation(XMLRPC_test):
     add_remove_test_data = [
         u'testuser-alias',
         u'testhost-alias',
+        u'teststageuser-alias',
     ]
     tracker_init_data = [
         (UserTracker, (u'krbalias_user', u'krbalias', u'test',), {},),
         (HostTracker, (u'testhost-krb',), {},),
+        (StageUserTracker, (u'krbalias_stageuser', u'krbalias', u'test',), {},),
     ]
 
     tracker_data = [(add_remove_test_data[i],) + tracker_init_data[i]
diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 27f56d3..fe408af 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -7,6 +7,7 @@
 from ipalib import api, errors
 
 from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.test_xmlrpc.tracker.kerberos_aliases import KerberosAliasMixin
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.xmlrpc_test import (
     Fuzzy, fuzzy_string, fuzzy_dergeneralizedtime, raises_exact)
@@ -28,7 +29,7 @@
                'public key test (ssh-rsa)')
 
 
-class StageUserTracker(Tracker):
+class StageUserTracker(KerberosAliasMixin, Tracker):
     """ Tracker class for staged user LDAP object
 
         Implements helper functions for host plugin.
@@ -292,3 +293,9 @@ def create_from_preserved(self, user):
         self.dn = DN(
             ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
         self.attrs[u'dn'] = self.dn
+
+    def _make_add_alias_cmd(self):
+        return self.make_command('stageuser_add_principal', self.name)
+
+    def _make_remove_alias_cmd(self):
+        return self.make_command('stageuser_remove_principal', self.name)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to