URL: https://github.com/freeipa/freeipa/pull/413
Author: dkupka
 Title: #413: Complete stageuser API
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6623
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/413/head:pr413
git checkout pr413
From b9cbb263a2a97e5c2c04ca4e911d7cc1988ac483 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:18:32 +0100
Subject: [PATCH 1/8] tests: Add LDAP URI to ldappasswd explicitelly

Test should always respect api.env.* values.

https://fedorahosted.org/freeipa/ticket/6622
---
 ipatests/util.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/util.py b/ipatests/util.py
index 9320383..2450f13 100644
--- a/ipatests/util.py
+++ b/ipatests/util.py
@@ -721,7 +721,7 @@ def unlock_principal_password(user, oldpw, newpw):
         user, api.env.container_user, api.env.basedn)
 
     args = [paths.LDAPPASSWD, '-D', userdn, '-w', oldpw, '-a', oldpw,
-            '-s', newpw, '-x']
+            '-s', newpw, '-x', '-H', api.env.ldap_uri]
     return run(args)
 
 
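Review bot: The argument list on the changed line still carries the bind password and the new password in argv (`-w oldpw`, `-a oldpw`, `-s newpw`), so they are readable in the process list for as long as ldappasswd runs; ldappasswd can read them from files instead (`-y`, `-t`, `-T`). With `-H api.env.ldap_uri` now explicit, the `-x` simple bind goes to whatever that URI is, and if it is a plain `ldap://` URI the credentials cross the wire unencrypted unless StartTLS is requested (`-ZZ`); whether that applies depends on the configured value, which is not visible here. For throwaway test credentials this may be acceptable, but a short comment saying so would keep the helper from being copied into non-test code. The body of unlock_principal_password starts outside the hunk.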

From edb52e84f3d1c59d7057855de50f795755ce9a44 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 18 Jan 2017 13:24:29 +0100
Subject: [PATCH 2/8] stageuser: Add stageuser-{add,remove}-cert

Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt                        | 24 ++++++++++++++++++++++++
 ipaserver/plugins/baseuser.py  | 36 +++++++++++++++++++++++++++++++++++-
 ipaserver/plugins/stageuser.py | 14 ++++++++++++++
 ipaserver/plugins/user.py      | 38 ++++----------------------------------
 4 files changed, 77 insertions(+), 35 deletions(-)

diff --git a/API.txt b/API.txt
index 543cec5..182daa8 100644
--- a/API.txt
+++ b/API.txt
@@ -4751,6 +4751,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: stageuser_add_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_add_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -4882,6 +4893,17 @@ option: Str('version?')
 output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
+command: stageuser_remove_cert/1
+args: 1,5,3
+arg: Str('uid', cli_name='login')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Bytes('usercertificate+', alwaysask=True, cli_name='certificate')
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_remove_manager/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6661,10 +6683,12 @@ default: sidgen_was_run/1
 default: stageuser/1
 default: stageuser_activate/1
 default: stageuser_add/1
+default: stageuser_add_cert/1
 default: stageuser_add_manager/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
+default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
 default: stageuser_show/1
 default: sudocmd/1
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index 85ad417..75cf7d8 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -26,7 +26,7 @@
 from .baseldap import (
     DN, LDAPObject, LDAPCreate, LDAPUpdate, LDAPSearch, LDAPDelete,
     LDAPRetrieve, LDAPAddAttribute, LDAPRemoveAttribute, LDAPAddMember,
-    LDAPRemoveMember)
+    LDAPRemoveMember, LDAPAddAttributeViaOption, LDAPRemoveAttributeViaOption)
 from ipaserver.plugins.service import (
    validate_certificate, validate_realm, normalize_principal)
 from ipalib.request import context
@@ -694,3 +694,37 @@ class baseuser_remove_principal(LDAPRemoveAttribute):
     def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
         ensure_last_krbprincipalname(ldap, entry_attrs, *keys)
         return dn
+
+
+class baseuser_add_cert(LDAPAddAttributeViaOption):
+    attribute = 'usercertificate'
+
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+                     **options):
+        self.obj.convert_usercertificate_pre(entry_attrs)
+
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+        return dn
+
+
+class baseuser_remove_cert(LDAPRemoveAttributeViaOption):
+    attribute = 'usercertificate'
+
+    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
+                     **options):
+        self.obj.convert_usercertificate_pre(entry_attrs)
+
+        return dn
+
+    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+        assert isinstance(dn, DN)
+
+        self.obj.convert_usercertificate_post(entry_attrs, **options)
+
+        return dn
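Review bot: Both new `pre_callback` methods drop the `dn = self.obj.get_either_dn(*keys, **options)` call that the removed `user_add_cert` / `user_remove_cert` implementations in ipaserver/plugins/user.py made before converting the certificates, so after this move the user commands operate on whatever DN the framework passes in. If that lookup is what let these commands reach entries outside the default user container (its definition is not visible here), the refactor silently changes which entries' `usercertificate` values can be edited; either keep the call in the base class or say in the commit message why it is no longer needed. The same applies to the user.py hunk of this patch. The two new classes are also identical apart from their parent, so a shared mixin holding the callbacks would remove the duplication, and `assert isinstance(dn, DN)` disappears under `python -O`, so it should not be relied on as a check.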
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index afd402e..b2f75a1 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -39,6 +39,8 @@
     baseuser_show,
     NO_UPG_MAGIC,
     baseuser_output_params,
+    baseuser_add_cert,
+    baseuser_remove_cert,
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
@@ -744,3 +746,15 @@ class stageuser_add_manager(baseuser_add_manager):
 @register()
 class stageuser_remove_manager(baseuser_remove_manager):
     __doc__ = _("Remove a manager to the stage user entry")
+
+
+@register()
+class stageuser_add_cert(baseuser_add_cert):
+    __doc__ = _("Add one or more certificates to the stageuser entry")
+    msg_summary = _('Added certificates to stageuser "%(value)s"')
+
+
+@register()
+class stageuser_remove_cert(baseuser_remove_cert):
+    __doc__ = _("Remove one or more certificates to the stageuser entry")
+    msg_summary = _('Removed certificates from stageuser "%(value)s"')
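Review bot: The help text of `stageuser_remove_cert` reads "Remove one or more certificates to the stageuser entry"; it should be `__doc__ = _("Remove one or more certificates from the stageuser entry")` (the context line for `stageuser_remove_manager` has the same "to"). Separately, these two commands make `usercertificate` on stage entries writable through the API and no permission or ACI change accompanies them in this patch. It is worth confirming that the existing stage-user permissions are meant to cover that attribute, since a certificate placed on a stage entry presumably follows the account when it is activated.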
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6440548..53ee6e6 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -43,6 +43,8 @@
     fix_addressbook_permission_bindrule,
     baseuser_add_manager,
     baseuser_remove_manager,
+    baseuser_add_cert,
+    baseuser_remove_cert,
     baseuser_add_principal,
     baseuser_remove_principal)
 from .idviews import remove_ipaobject_overrides
@@ -1157,47 +1159,15 @@ def execute(self, *keys, **options):
 
 
 @register()
-class user_add_cert(LDAPAddAttributeViaOption):
+class user_add_cert(baseuser_add_cert):
     __doc__ = _('Add one or more certificates to the user entry')
     msg_summary = _('Added certificates to user "%(value)s"')
-    attribute = 'usercertificate'
-
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
-                     **options):
-        dn = self.obj.get_either_dn(*keys, **options)
-
-        self.obj.convert_usercertificate_pre(entry_attrs)
-
-        return dn
-
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-
-        self.obj.convert_usercertificate_post(entry_attrs, **options)
-
-        return dn
 
 
 @register()
-class user_remove_cert(LDAPRemoveAttributeViaOption):
+class user_remove_cert(baseuser_remove_cert):
     __doc__ = _('Remove one or more certificates to the user entry')
     msg_summary = _('Removed certificates from user "%(value)s"')
-    attribute = 'usercertificate'
-
-    def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
-                     **options):
-        dn = self.obj.get_either_dn(*keys, **options)
-
-        self.obj.convert_usercertificate_pre(entry_attrs)
-
-        return dn
-
-    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-        assert isinstance(dn, DN)
-
-        self.obj.convert_usercertificate_post(entry_attrs, **options)
-
-        return dn
 
 
 @register()

From f3d74e9f1937b596074f4af55ee2dddabd270834 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 18 Jan 2017 13:25:11 +0100
Subject: [PATCH 3/8] stageuser: Add stageuser-{add,remove}-principal

https://fedorahosted.org/freeipa/ticket/6623
---
 API.txt                        | 24 ++++++++++++++++++++++++
 ipaserver/plugins/stageuser.py | 14 ++++++++++++++
 2 files changed, 38 insertions(+)

diff --git a/API.txt b/API.txt
index 182daa8..128d184 100644
--- a/API.txt
+++ b/API.txt
@@ -4773,6 +4773,17 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: stageuser_add_principal/1
+args: 2,4,3
+arg: Str('uid', cli_name='login')
+arg: Principal('krbprincipalname+', alwaysask=True, autofill=True, cli_name='principal')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_del/1
 args: 1,2,3
 arg: Str('uid+', cli_name='login')
@@ -4915,6 +4926,17 @@ option: Str('version?')
 output: Output('completed', type=[<type 'int'>])
 output: Output('failed', type=[<type 'dict'>])
 output: Entry('result')
+command: stageuser_remove_principal/1
+args: 2,4,3
+arg: Str('uid', cli_name='login')
+arg: Principal('krbprincipalname+', alwaysask=True, autofill=True, cli_name='principal')
+option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('no_members', autofill=True, default=False)
+option: Flag('raw', autofill=True, cli_name='raw', default=False)
+option: Str('version?')
+output: Entry('result')
+output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
+output: PrimaryKey('value')
 command: stageuser_show/1
 args: 1,5,3
 arg: Str('uid', cli_name='login')
@@ -6685,11 +6707,13 @@ default: stageuser_activate/1
 default: stageuser_add/1
 default: stageuser_add_cert/1
 default: stageuser_add_manager/1
+default: stageuser_add_principal/1
 default: stageuser_del/1
 default: stageuser_find/1
 default: stageuser_mod/1
 default: stageuser_remove_cert/1
 default: stageuser_remove_manager/1
+default: stageuser_remove_principal/1
 default: stageuser_show/1
 default: sudocmd/1
 default: sudocmd_add/1
diff --git a/ipaserver/plugins/stageuser.py b/ipaserver/plugins/stageuser.py
index b2f75a1..5602514 100644
--- a/ipaserver/plugins/stageuser.py
+++ b/ipaserver/plugins/stageuser.py
@@ -41,6 +41,8 @@
     baseuser_output_params,
     baseuser_add_cert,
     baseuser_remove_cert,
+    baseuser_add_principal,
+    baseuser_remove_principal,
     baseuser_add_manager,
     baseuser_remove_manager)
 from ipalib.request import context
@@ -758,3 +760,15 @@ class stageuser_add_cert(baseuser_add_cert):
 class stageuser_remove_cert(baseuser_remove_cert):
     __doc__ = _("Remove one or more certificates to the stageuser entry")
     msg_summary = _('Removed certificates from stageuser "%(value)s"')
+
+
+@register()
+class stageuser_add_principal(baseuser_add_principal):
+    __doc__ = _('Add new principal alias to the stageuser entry')
+    msg_summary = _('Added new aliases to stageuser "%(value)s"')
+
+
+@register()
+class stageuser_remove_principal(baseuser_remove_principal):
+    __doc__ = _('Remove principal alias from the stageuser entry')
+    msg_summary = _('Removed aliases from stageuser "%(value)s"')
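Review bot: Neither this hunk nor the tests later in the series exercise an alias that is already held by another entry, so it is not visible whether `stageuser_add_principal` rejects a `krbprincipalname` value that belongs to an active user. Stage entries live under their own container (`api.env.container_stageuser`), so a uniqueness rule scoped to the active-user container would not see them; that scoping is an assumption to verify, not something shown here. A negative test that adds an existing user's principal as a stageuser alias and expects an error would pin the behaviour. A one-line comment on each class saying that the pre-callback checks are inherited from `baseuser_add_principal` / `baseuser_remove_principal` would also help readers of this file.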

From 765623638743d7400a6a01b0c4fa3fcc27f84091 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Mon, 23 Jan 2017 10:38:34 +0100
Subject: [PATCH 4/8] ipalib.x509: Handle missing SAN gracefully

When the extension is not present, None is returned instead of an empty
iterable or a thrown exception.
---
 ipalib/x509.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index 13327c1..5ef8ffd 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -422,8 +422,12 @@ def get_san_general_names(cert):
         asn1Spec=rfc2459.TBSCertificate()
     )[0]
     OID_SAN = univ.ObjectIdentifier('2.5.29.17')
+    # One would expect KeyError or empty iterable when the key ('extensions'
+    # in this particular case) is not pressent in the certificate but pyasn1
+    # returns None here
+    extensions = tbs['extensions'] or []
     gns = []
-    for ext in tbs['extensions']:
+    for ext in extensions:
         if ext['extnID'] == OID_SAN:
             der = decoder.decode(
                 ext['extnValue'], asn1Spec=univ.OctetString())[0]
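Review bot: The new comment has a typo (`pressent`) and the fallback `tbs['extensions'] or []` tests truthiness rather than the `None` the comment describes; `extensions = tbs['extensions']` followed by `if extensions is None: extensions = []` says what is meant and does not depend on how a pyasn1 value evaluates in a boolean context. With this change a certificate without any extensions presumably yields the same empty `gns` as one that merely lacks a SAN, so the docstring of get_san_general_names (outside this hunk) should say that callers cannot tell the two apart. A unit test with an extension-less certificate would keep this from regressing. The function body continues past the hunk.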

From e1064115529f5a1b7f62cec4b63fbc338c77ff86 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Jan 2017 12:43:22 +0100
Subject: [PATCH 5/8] tests: add-remove-cert: Use harcoded certificates instead
 of requesting them

Requesting certificates for test purposes is not necessary, as we allow
uploading an arbitrary certificate to a user, host or service. Also, requesting
a certificate from dogtag takes some time and makes the test slower for no good
reason.
Moreover, it's not possible to request a certificate for a stageuser, even
though it's now possible to upload certificates to stageusers.

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 87 +++++++++++++++++++++---
 1 file changed, 79 insertions(+), 8 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index 7706133..9d9904c 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -112,16 +112,87 @@ def setup_class(cls):
         cls.disable_profile_store()
 
         # list of certificates to add to entry
-        cls.certs = [
-            get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
-            for _i in range(3)
-        ]
+        cls.certs = [  # base64.b64decode(cert) for cert in [
+            u"MIICszCCAZugAwIBAgICM24wDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChMLRVhB\r\n"
+            "TVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjUyOVoXDTE3MDQxOTEw\r\n"
+            "MjUyOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTEwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
+            "A4IBDwAwggEKAoIBAQCq03FRQQBvq4HwYMKP8USLZuOkKzuIs2VPt8k/+nO1dADr\r\n"
+            "zMogKDiUDjCwYoG2UM/sj6P+PJUUCNDLh5eRRI+aR5VE5y2aK95iCsj1ByDWrugA\r\n"
+            "UXgr8GUUr+UbaGc0XxHCMnQBkYhzbXY3u91KYRRh5l3lxRSICcVeJFJ/tiMS14Vs\r\n"
+            "or1DWykHGz1wm0Zjwg1XDV3oea+uwrSz5Pa6RNPlgC+GGW6B7+8qC2XdSSEwvY7y\r\n"
+            "1SAGgqyOxN/FLwvqqMDNU0uX7fww587uZ57IfYzb8Xn5DAprRFNk40FDc46rMlkP\r\n"
+            "BT+Tij1I0jedD8h2e6WEa7JRU6SGToYDbRm4RL9xAgMBAAEwDQYJKoZIhvcNAQEL\r\n"
+            "BQADggEBAHqm1jXzYer9oSjYs9qh1jWpMvTcN+0/z1uuX++Wezh3lG7IzYtypbZN\r\n"
+            "xlXDECyrkUh+9oxzMJqdlZ562ko2bruK6X5csbbM9uVsUva8NCsPPfZXDhrYaMKF\r\n"
+            "vQGFY4pO3uhFGhccob037VN5IfmaKGM8aJ40cw2PQh38QPDdemizyVCThQ9Pcr+W\r\n"
+            "gWKiG+t2Gd9NldJRLEhky0bW2fc4zWZVbGq5nFXy1k+d/bgkHbVzf255eFZOKKy0\r\n"
+            "NgZwig+uSlhVWPJjS4Z1wLbpBKxTZp/xD0yEARs0u1ZcCELO/BkgQM50EDKmahIM\r\n"
+            "4mdCs/7j1B/DdWs2i35lnbjxYYiUiyA=",
+            u"MIICszCCAZugAwIBAgICJGMwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChMLRVhB\r\n"
+            "TVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjcyN1oXDTE3MDQxOTEw\r\n"
+            "MjcyN1owFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTIwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
+            "A4IBDwAwggEKAoIBAQDsEuTITzsRiUHXb8LxduokAEHwStCveKVi8aVFBYQCRbpo\r\n"
+            "XcoTfBISWvdmF3WOkIUfR1O0qrm0s3CPMAyWdTrnCI/45/CcFNDpGKPf+izN1t+W\r\n"
+            "Srr6gCoz24y5ALyUEG5FSvHdDcIn+hY9Qvg3cRLxY9M4WXmtR6p+d48v08nSSJXp\r\n"
+            "rgXS6ZiVvN7QGQfNRNDNoQZLmP9tQ/XvgJuiBMPj2NaUFM8AwDnxGcvzExgaFlX0\r\n"
+            "OKS6hymsUG60PeF0H0aYDgVH/0DKK+mZEA2FNbRJIQt5Vk+c5aBvPrOfRLKrsQQ/\r\n"
+            "zhtNOxk8Q0G+cwlzANCqbV7EzUFEFEtonnOPtzY7AgMBAAEwDQYJKoZIhvcNAQEL\r\n"
+            "BQADggEBAIPcStKnxv6bdPiL2I7f4B/MEBEV+kFnzu1msfkh1iouiKmM4ZkXLiqI\r\n"
+            "nKxEBwWNmhpRFoxKWaI3DjYtf/PYH/guHipZvLIrVgfxlf/5ldXeoa7IHZ9hzvrG\r\n"
+            "3WuYG6SHoJw6yaA6Vn8j8Q3r/kG/1SLZpRpoq0EuhD7V/aHvxr/aiFnU4Fh2VaQd\r\n"
+            "2ICOK2qBFQnoL5QyySVEJ7GARmajT3BqAASoixEqfMWYv2AqZnJ84JoI4reP0uZG\r\n"
+            "jz5Cy32xQuenQckr8Fakip28buFp46C34AWifbRERE396xocc9/Oc7dx9DyjeYqa\r\n"
+            "9CuNo/pYlC4r8QCOkm0xMWjoGcVUtUw=",
+            u"MIICszCCAZugAwIBAgICFpYwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChMLRVhB\r\n"
+            "TVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczMVoXDTE3MDQxOTEw\r\n"
+            "MjczMVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTMwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
+            "A4IBDwAwggEKAoIBAQDEIMvN8aElxMSyfqIj91nDuuvli/RKNhFsIU32c7NJVF7k\r\n"
+            "thvltmEwIVKKCE1Yji3GRWXBuZlSz5eSyDaqqpOpdYsVjYazXfWA5kjL8vGkoVt9\r\n"
+            "7SQ0TEkSOlinnjuo2unjU33RcruRp4rqeQE8EPBlAXYJr+iK5Y+RF9Mz047ba097\r\n"
+            "wUUX85QeEp1LWwYbLZleNFK1BwsmSL5Js+GcKEBEdiKS/OfidTz7Hf7KICLo+iZl\r\n"
+            "bG3lNLFQMvWFG8bzTeOgZ5OLDeBRzG6cSZK0Q3A18uVg0jf0rv/nsOO/JQRK1Fuf\r\n"
+            "vmOL2Xp7lqLFaAIuQqH1OuAq6MHfuaxwpdiUyzVfAgMBAAEwDQYJKoZIhvcNAQEL\r\n"
+            "BQADggEBAAs0K12ugVJ4t7/iUdddTmS+v8FEEL92fWgU1bQHR/gMa2by9SIqS1KZ\r\n"
+            "VBc5JpJePqVf/S35Gt4o7sE3rbbmZmmhGDL8D+BmGHjxdhENLyk6rvHOm+TDgM7n\r\n"
+            "QK0FbPekMzkbsFxfw9R7iq8cnZD7Y1T5e2N+WMzx6Jf/ner32V9CTfFbGP84G0+k\r\n"
+            "qyqo7vp59VIwyHpC0L/0bh8WYjFKNCPMbnZpO3212dNCaIMp0Kugi9D4kXAeM3un\r\n"
+            "Q2/p5pN7Vgo+Xl9hioN5gAs+3SQR2pArUmr8RtjvfH/PxE8scWtRCCH4aBhfklrC\r\n"
+            "HK+rpUzh4PXqhXGYJCTmYzsAw/Z7vnY=",
+        ]  # ]
 
         # list of certificates for testing of removal of non-existent certs
-        cls.nonexistent_certs = [
-            get_testcert(DN(('CN', cls.entity_subject)), cls.entity_principal)
-            for _j in range(2)
-            ]
+        cls.nonexistent_certs = [  # base64.b64decode(cert) for cert in [
+            u"MIICszCCAZugAwIBAgICYDAwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChMLRVhB\r\n"
+            "TVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczNVoXDTE3MDQxOTEw\r\n"
+            "MjczNVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTQwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
+            "A4IBDwAwggEKAoIBAQDAw12yHMBzQd27/Zv5STUlrkgGaClC4/U+HxjHSHxFJLSt\r\n"
+            "YgK9DrXpRIqnkdwAr7rftlhFiRkqFE4GNGNAlhUlnkn0YTvD59ucnpSRC7kjkrHA\r\n"
+            "b1fWDNE3VYQOOF93CObOOAciNEl/K0HXqXxxYkhF6cz+mN1gGd6oOtCu+G1vCoM2\r\n"
+            "5X3nlQdgOJtI8X2/MDvZ+nJVRqscsjeNnM0+A1Q1Cfu2ukiqYgiQVYAa88hpADhX\r\n"
+            "EF+hht3iIiw53GgD1Bb5xFm+OKpwBSegRJOjrajXeWpr1ZN44JCTuFmAxwaNzynp\r\n"
+            "YjrDbWXoLzbXEhyPbtT1jui6A1rRhEpc9TydWb4rAgMBAAEwDQYJKoZIhvcNAQEL\r\n"
+            "BQADggEBAMe/xoqCmmSV/8x+hawb216sv5CX6+WKMlLJTsmB586fQoJWJecn3Wg7\r\n"
+            "DB1vfLeffayh9b+7g0w0OZnaUJlPNHT6x5P29jH9J6fGOu3CIafCpvEXyamJKyQD\r\n"
+            "6tER3l4iRBzoqW74BQh3W6rQnVslvM07LlQA0PB9RXYNvEmTCJKOtzA7wcARukvs\r\n"
+            "s9VS9oBfxjFgcGDKfMPPNaH9IGEZi8QwEnOsSpLUobWPhRENbxwTMwlMspk9QG7N\r\n"
+            "vTfisqFRXkAov0R/rHPqrAXJTZmkPP+MhrsrbnT0CV2f6bxPkvXknuf+7Xi3h900\r\n"
+            "BLQOSY+jqmtmGrYjlntsqX1gL4y2e98=",
+            u"MIICszCCAZugAwIBAgICeicwDQYJKoZIhvcNAQELBQAwIzEUMBIGA1UEChMLRVhB\r\n"
+            "TVBMRS5PUkcxCzAJBgNVBAMTAkNBMB4XDTE3MDExOTEwMjczOVoXDTE3MDQxOTEw\r\n"
+            "MjczOVowFjEUMBIGA1UEAxMLc3RhZ2V1c2VyLTUwggEiMA0GCSqGSIb3DQEBAQUA\r\n"
+            "A4IBDwAwggEKAoIBAQCd1VDwUwkwieLqngX1q2HoOe/tKnPxnr/DrjbXAwFxEDcp\r\n"
+            "7lfIUXALy33YZTAUGaNhlKzL+5sL3O5RcebSywBvw9Cpg9O4lLPeAwdgnCHpNMaB\r\n"
+            "jFL9/ySnwrIH0Hpx7chUXt1zz+z4ia1i7ZfVWHlP3D+pudR8MdzKH+1irtLcVL8E\r\n"
+            "SfIqVsLGf0qV3wi2znqFsul6+e1MLE/RVXFoCmEX7J5mJ77aFm6GgpXR7O3UAGl1\r\n"
+            "NAfbZUz1Itt/NSrx8lHAYur4tUPQPEEa8XSe/B8hG5J1inw6jm94vvpi2a3GOU6e\r\n"
+            "Dz4q0nM0/Rbia212tdbpyKdkm4aCQkoyhrJR+DhvAgMBAAEwDQYJKoZIhvcNAQEL\r\n"
+            "BQADggEBADd5V5BMVY4zBRQiLZ2x+7seDoT7ewyYW6Kk9oMlk7JWXgNyAG5/561v\r\n"
+            "SkKIBkQG2CTRD3dAX7SbUwkxP7/a9gozJN3VOrLBUDhxyesr3cMuIU9XVyPezT3K\r\n"
+            "apQjXkxzmJKiRNPc/fope4Xx5ucUwYa6lm9QVCD4gnNElf+RexpI3VwkjmAWS3cv\r\n"
+            "sKRFFNbZCS5gpCM/rOX76m4lYcBSA8B+jb0FkOJt3u9fwtoMbhv5kdjEDGNWmG1k\r\n"
+            "J86ybqeWj12BpKGh4G6m4E8ROnyuBt8Bolk4jqR3uCPfD4T+HpkttqrznRaGvroD\r\n"
+            "020pEjtU22sAKkhBZQ2Wbfkc49wxqpY=",
+        ]  # ]
 
         # cert subset to remove from entry
         cls.certs_subset = cls.certs[:2]
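Review bot: All five hard-coded certificates are valid only from 2017-01-19 to 2017-04-19 (their `notBefore`/`notAfter` fields decode to `170119…Z` and `170419…Z`), so the tests will start failing as soon as anything on the add path checks the validity period; whether it does today is not visible in this hunk. They are issued by `O=EXAMPLE.ORG, CN=CA` to `CN=stageuser-1` … `CN=stageuser-5`, yet this setup_class appears to be shared by the other entity test classes, so a comment such as `# static test certs (CN=stageuser-N, issuer O=EXAMPLE.ORG CN=CA), notAfter 2017-04-19; regenerate with a long validity` would save the next reader from decoding them. The leftover `# base64.b64decode(cert) for cert in [` and `]  # ]` fragments are commented-out code and should be removed. setup_class starts outside the hunk.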

From 3f49733e08564c586a8755fe328d40c3ca8c707e Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Jan 2017 12:43:32 +0100
Subject: [PATCH 6/8] tests: Stageuser-{add,remove}-cert

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
index 9d9904c..96685c8 100644
--- a/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
+++ b/ipatests/test_xmlrpc/test_add_remove_cert_cmd.py
@@ -398,6 +398,25 @@ def remove_caacl(cls):
 
 
 @pytest.mark.tier1
+class TestCertManipCmdStageuser(CertManipCmdTestBase):
+    entity_class = 'stageuser'
+    entity_pkey = u'suser'
+    entity_subject = entity_pkey
+    entity_principal = u'suser'
+    non_existent_entity = u'nonexistentstageuser'
+
+    cmd_options = dict(
+        entity_add=dict(givenname=u'Stage', sn=u'User'),
+    )
+
+    cert_add_cmd = api.Command.stageuser_add_cert
+    cert_del_cmd = api.Command.stageuser_remove_cert
+
+    cert_add_summary = u'Added certificates to stageuser "%s"'
+    cert_del_summary = u'Removed certificates from stageuser "%s"'
+
+
+@pytest.mark.tier1
 class TestCertManipCmdHost(CertManipCmdTestBase):
     entity_class = 'host'
     entity_pkey = u'host.example.com'

From 9287f5be073967906a49d2ee5592fd9b069b2e80 Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:27:52 +0100
Subject: [PATCH 7/8] tests: kerberos_principal_aliases: Deduplicate tests

https://fedorahosted.org/freeipa/ticket/6623
---
 .../test_xmlrpc/test_kerberos_principal_aliases.py | 62 +++++++++++-----------
 1 file changed, 32 insertions(+), 30 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
index a1973af..95d23ac 100644
--- a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
+++ b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
@@ -85,13 +85,6 @@ def krbalias_user_c(request):
     return tracker.make_fixture(request)
 
 
-@pytest.fixture(scope='function')
-def krbalias_host(request):
-    tracker = HostTracker(u'testhost-krb')
-
-    return tracker.make_fixture(request)
-
-
 @pytest.fixture
 def krb_service_host(request):
     tracker = HostTracker(u'krb-srv-host')
@@ -108,6 +101,12 @@ def krbalias_service(request, krb_service_host):
     return tracker.make_fixture(request)
 
 
+@pytest.fixture(scope='function')
+def krbalias(request, tracker_cls, tracker_args, tracker_kwargs):
+    tracker = tracker_cls(*tracker_args, **tracker_kwargs)
+    return tracker.make_fixture(request)
+
+
 @pytest.fixture
 def ldapservice(request):
     tracker = ServiceTracker(
@@ -118,29 +117,32 @@ def ldapservice(request):
 
 
 class TestKerberosAliasManipulation(XMLRPC_test):
-
-    def test_add_user_principal_alias(self, krbalias_user):
-        krbalias_user.ensure_exists()
-        krbalias_user.add_principal([u'test-user-alias'])
-        krbalias_user.retrieve()
-
-    def test_remove_user_principal_alias(self, krbalias_user):
-        krbalias_user.ensure_exists()
-        krbalias_user.add_principal([u'test-user-alias'])
-        krbalias_user.remove_principal(u'test-user-alias')
-        krbalias_user.retrieve()
-
-    def test_add_host_principal_alias(self, krbalias_host):
-        krbalias_host.ensure_exists()
-        krbalias_host.add_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
-
-    def test_remove_host_principal_alias(self, krbalias_host):
-        krbalias_host.ensure_exists()
-        krbalias_host.add_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
-        krbalias_host.remove_principal([u'testhost-krb-alias'])
-        krbalias_host.retrieve()
+    add_remove_test_data = [
+        u'testuser-alias',
+        u'testhost-alias',
+    ]
+    tracker_init_data = [
+        (UserTracker, (u'krbalias_user', u'krbalias', u'test',), {},),
+        (HostTracker, (u'testhost-krb',), {},),
+    ]
+
+    tracker_data = [(add_remove_test_data[i],) + tracker_init_data[i]
+                    for i in range(len(tracker_init_data))]
+
+    @pytest.mark.parametrize('alias,tracker_cls,tracker_args,tracker_kwargs',
+                             tracker_data)
+    def test_add_principal_alias(self, alias, krbalias):
+        krbalias.ensure_exists()
+        krbalias.add_principal([alias])
+        krbalias.retrieve()
+
+    @pytest.mark.parametrize('alias,tracker_cls,tracker_args,tracker_kwargs',
+                             tracker_data)
+    def test_remove_principal_alias(self, alias, krbalias):
+        krbalias.ensure_exists()
+        krbalias.add_principal([alias])
+        krbalias.remove_principal(alias)
+        krbalias.retrieve()
 
     def test_add_service_principal_alias(self, krbalias_service):
         krbalias_service.ensure_exists()
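Review bot: `tracker_data` is built by a list comprehension in the class body whose element expression reads the class attributes `add_remove_test_data` and `tracker_init_data`; under Python 3 a comprehension has its own scope and cannot see class-body names (only the outermost iterable is evaluated in class scope), so this raises NameError at import time there, while it works on Python 2. `tracker_data = [(alias,) + init for alias, init in zip(add_remove_test_data, tracker_init_data)]` avoids the scoping problem because only the `zip(...)` call touches the class names. A single list of `(alias, tracker_cls, args, kwargs)` tuples would be clearer still, as it also removes the need to keep two parallel lists in step. Note also that the host case previously called `remove_principal([u'testhost-krb-alias'])` with a list and now passes a bare string, so the list form is no longer exercised.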

From fd515ffca5b844cb4545fc12d33e086bc4dbdb8f Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Thu, 19 Jan 2017 09:28:58 +0100
Subject: [PATCH 8/8] tests: Add tests for kerberos principal aliases in
 stageuser

https://fedorahosted.org/freeipa/ticket/6623
---
 ipatests/test_xmlrpc/test_kerberos_principal_aliases.py | 3 +++
 ipatests/test_xmlrpc/tracker/stageuser_plugin.py        | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
index 95d23ac..ed1b159 100644
--- a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
+++ b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
@@ -15,6 +15,7 @@
 from ipatests.test_xmlrpc.tracker.user_plugin import UserTracker
 from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
 from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
+from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker
 from ipatests.test_xmlrpc.mock_trust import (
     mocked_trust_containers, get_trust_dn, get_trusted_dom_dict,
     encode_mockldap_value)
@@ -120,10 +121,12 @@ class TestKerberosAliasManipulation(XMLRPC_test):
     add_remove_test_data = [
         u'testuser-alias',
         u'testhost-alias',
+        u'teststageuser-alias',
     ]
     tracker_init_data = [
         (UserTracker, (u'krbalias_user', u'krbalias', u'test',), {},),
         (HostTracker, (u'testhost-krb',), {},),
+        (StageUserTracker, (u'krbalias_stageuser', u'krbalias', u'test',), {},),
     ]
 
     tracker_data = [(add_remove_test_data[i],) + tracker_init_data[i]
diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
index 27f56d3..fe408af 100644
--- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py
@@ -7,6 +7,7 @@
 from ipalib import api, errors
 
 from ipatests.test_xmlrpc.tracker.base import Tracker
+from ipatests.test_xmlrpc.tracker.kerberos_aliases import KerberosAliasMixin
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.xmlrpc_test import (
     Fuzzy, fuzzy_string, fuzzy_dergeneralizedtime, raises_exact)
@@ -28,7 +29,7 @@
                'public key test (ssh-rsa)')
 
 
-class StageUserTracker(Tracker):
+class StageUserTracker(KerberosAliasMixin, Tracker):
     """ Tracker class for staged user LDAP object
 
         Implements helper functions for host plugin.
@@ -292,3 +293,9 @@ def create_from_preserved(self, user):
         self.dn = DN(
             ('uid', self.uid), api.env.container_stageuser, api.env.basedn)
         self.attrs[u'dn'] = self.dn
+
+    def _make_add_alias_cmd(self):
+        return self.make_command('stageuser_add_principal', self.name)
+
+    def _make_remove_alias_cmd(self):
+        return self.make_command('stageuser_remove_principal', self.name)
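Review bot: The two new helpers build their commands from `self.name`, while the context lines just above build the entry DN from `self.uid`; if `name` is not set by the tracker's `__init__` or by `KerberosAliasMixin` (neither is visible here) these methods fail only when the alias tests run. Using `self.uid`, or adding a one-line docstring such as `"""Return the command that adds a principal alias to this stage user."""` that says where the attribute comes from, would make that explicit. The class docstring shown in the previous hunk still says "helper functions for host plugin", which is worth correcting while the class is being touched.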
-- 