From 1d57cf654de99077d7ece28f9210d1a2d5dee5b7 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Mon, 1 Dec 2014 10:15:21 +0100 Subject: [PATCH] add --hosts and --hostgroup options to allow/retrieve keytab methods `--hosts` and `--hostgroup` options added to: * service-allow-create-keytab * service-allow-retrieve-keytab * service-disallow-create-keytab * service-disallow-retrieve-keytab * host-allow-create-keytab * host-allow-retrieve-keytab * host-disallow-create-keytab * host-disallow-retrieve-keytab in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page https://fedorahosted.org/freeipa/ticket/4777 Reviewed-By: Jan Cholasta --- API.txt | 32 ++++++-- VERSION | 4 +- ipalib/plugins/host.py | 28 +++++-- ipalib/plugins/service.py | 28 +++++-- ipatests/test_xmlrpc/test_host_plugin.py | 109 ++++++++++++++++++++++++++-- ipatests/test_xmlrpc/test_service_plugin.py | 92 ++++++++++++++++++++--- 6 files changed, 257 insertions(+), 36 deletions(-) diff --git a/API.txt b/API.txt index 2a63f1e2349f0df69433fa7cb742e269cd42d79f..e9768bf1e87d6679c439b98ed696b720937099d2 100644 --- a/API.txt +++ b/API.txt 
@@ -1826,10 +1826,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1838,10 +1840,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_allow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1866,10 +1870,12 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: host_disallow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -1878,10 +1884,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: host_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('fqdn', attribute=True, cli_name='hostname', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3529,10 +3537,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3541,10 +3551,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_allow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3568,10 +3580,12 @@ output: Output('result', , None)
 output: Output('summary', (, ), None)
 output: PrimaryKey('value', None, None)
 command: service_disallow_create_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
@@ -3580,10 +3594,12 @@ output: Output('completed', , None)
 output: Output('failed', , None)
 output: Entry('result', , Gettext('A dictionary representing an LDAP entry', domain='ipa', localedir=None))
 command: service_disallow_retrieve_keytab
-args: 1,6,3
+args: 1,8,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Str('group*', alwaysask=True, cli_name='groups', csv=True)
+option: Str('host*', alwaysask=True, cli_name='hosts', csv=True)
+option: Str('hostgroup*', alwaysask=True, cli_name='hostgroups', csv=True)
 option: Flag('no_members', autofill=True, default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('user*', alwaysask=True, cli_name='users', csv=True)
diff --git a/VERSION b/VERSION
index 750b5058867ca5f073a083009c4aadeeb0240c35..bfbce5604e79008afd2893e406c634718159b1e9 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 # #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=109
-# Last change: npmccallum - display qrcode by default
+IPA_API_VERSION_MINOR=110
+# Last change: pvoborni - allow to retrieve keytab by hosts
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index c4d4bdf6473e0f34c8c68754d6c98e93d173d8fa..39a7d3c25b9cb56fca486b2500da5fe7bd4a6fbc 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -211,12 +211,24 @@ host_output_params = (
 Str('ipaallowedtoperform_read_keys_group',
 label=_('Groups allowed to retrieve keytab'),
 ),
+ Str('ipaallowedtoperform_read_keys_host',
+ label=_('Hosts allowed to retrieve keytab'),
+ ),
+ Str('ipaallowedtoperform_read_keys_hostgroup',
+ label=_('Host Groups allowed to retrieve keytab'),
+ ),
 Str('ipaallowedtoperform_write_keys_user',
 label=_('Users allowed to create keytab'),
 ),
 Str('ipaallowedtoperform_write_keys_group',
 label=_('Groups allowed to create keytab'),
 ),
+ Str('ipaallowedtoperform_write_keys_host',
+ label=_('Hosts allowed to create keytab'),
+ ),
+ Str('ipaallowedtoperform_write_keys_hostgroup',
+ label=_('Host Groups allowed to create keytab'),
+ ),
 Str('ipaallowedtoperform_read_keys',
 label=_('Failed allowed to retrieve keytab'),
 ),
@@ -284,8 +296,8 @@ class host(LDAPObject):
 'managing': ['host'],
 'memberofindirect': ['hostgroup', 'netgroup', 'role', 'hbacrule', 'sudorule'],
- 'ipaallowedtoperform_read_keys': ['user', 'group'],
- 'ipaallowedtoperform_write_keys': ['user', 'group'],
+ 'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+ 'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
 }
 bindable = True
 relationships = {
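Review bot: The new 'host' and 'hostgroup' entries in attribute_members for ipaallowedtoperform_read_keys and ipaallowedtoperform_write_keys (the @@ -284 hunk of host.py here, and the matching @@ -350 hunk of ipalib/plugins/service.py) only teach the framework to add, remove and display those members; the code that evaluates ipaAllowedToPerform when a host actually asks for a keytab is not part of this diff. It is worth confirming that the enforcement side resolves a bound host's hostgroup membership the same way it resolves a user's group membership, since otherwise --hostgroups would be accepted and displayed here but grant nothing at retrieval time. A short comment next to the mapping, `# membership added here is enforced by the keytab retrieval path, not by the framework`, would make that dependency visible to the next reader. The class host body continues outside the hunk.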
@@ -1201,7 +1213,8 @@ class host_remove_managedby(LDAPRemoveMember):
 @register()
 class host_allow_retrieve_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to retrieve a keytab of this host.')
+ __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+ ' of this host.')
 member_attributes = ['ipaallowedtoperform_read_keys']
 has_output_params = LDAPAddMember.has_output_params + host_output_params
@@ -1219,7 +1232,8 @@ class host_allow_retrieve_keytab(LDAPAddMember):
 @register()
 class host_disallow_retrieve_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to retrieve a keytab of this host.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+ 'keytab of this host.')
 member_attributes = ['ipaallowedtoperform_read_keys']
 has_output_params = LDAPRemoveMember.has_output_params + host_output_params
@@ -1236,7 +1250,8 @@ class host_disallow_retrieve_keytab(LDAPRemoveMember):
 @register()
 class host_allow_create_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to create a keytab of this host.')
+ __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+ 'of this host.')
 member_attributes = ['ipaallowedtoperform_write_keys']
 has_output_params = LDAPAddMember.has_output_params + host_output_params
@@ -1254,7 +1269,8 @@ class host_allow_create_keytab(LDAPAddMember):
 @register()
 class host_disallow_create_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to create a keytab of this host.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+ 'keytab of this host.')
 member_attributes = ['ipaallowedtoperform_write_keys']
 has_output_params = LDAPRemoveMember.has_output_params + host_output_params
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 2f703544452c6d7ee2de8eceeb5f2a26afed44f2..b37dc7b4bf56b69df204fd29e9487f1390197bbe 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
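Review bot: The joining space in the split __doc__ literals is placed inconsistently across the four hunks here: host_allow_retrieve_keytab puts it at the start of the continuation (`' of this host.'`) while the other three end the first fragment with it (`'... to retrieve a '`). Settling on one form, for example `'... to retrieve a keytab '` followed by `'of this host.'`, renders identically and makes the translatable strings easier to compare; the service.py hunks on the next lines show the same mix.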
@@ -137,12 +137,24 @@ output_params = (
 Str('ipaallowedtoperform_read_keys_group',
 label=_('Groups allowed to retrieve keytab'),
 ),
+ Str('ipaallowedtoperform_read_keys_host',
+ label=_('Hosts allowed to retrieve keytab'),
+ ),
+ Str('ipaallowedtoperform_read_keys_hostgroup',
+ label=_('Host Groups allowed to retrieve keytab'),
+ ),
 Str('ipaallowedtoperform_write_keys_user',
 label=_('Users allowed to create keytab'),
 ),
 Str('ipaallowedtoperform_write_keys_group',
 label=_('Groups allowed to create keytab'),
 ),
+ Str('ipaallowedtoperform_write_keys_host',
+ label=_('Hosts allowed to create keytab'),
+ ),
+ Str('ipaallowedtoperform_write_keys_hostgroup',
+ label=_('Host Groups allowed to create keytab'),
+ ),
 Str('ipaallowedtoperform_read_keys',
 label=_('Failed allowed to retrieve keytab'),
 ),
@@ -350,8 +362,8 @@ class service(LDAPObject):
 attribute_members = {
 'managedby': ['host'],
 'memberof': ['role'],
- 'ipaallowedtoperform_read_keys': ['user', 'group'],
- 'ipaallowedtoperform_write_keys': ['user', 'group'],
+ 'ipaallowedtoperform_read_keys': ['user', 'group', 'host', 'hostgroup'],
+ 'ipaallowedtoperform_write_keys': ['user', 'group', 'host', 'hostgroup'],
 }
 bindable = True
 relationships = {
@@ -711,7 +723,8 @@ class service_remove_host(LDAPRemoveMember):
 @register()
 class service_allow_retrieve_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to retrieve a keytab of this service.')
+ __doc__ = _('Allow users, groups, hosts or host groups to retrieve a keytab'
+ ' of this service.')
 member_attributes = ['ipaallowedtoperform_read_keys']
 has_output_params = LDAPAddMember.has_output_params + output_params
@@ -729,7 +742,8 @@ class service_allow_retrieve_keytab(LDAPAddMember):
 @register()
 class service_disallow_retrieve_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to retrieve a keytab of this service.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to retrieve a '
+ 'keytab of this service.')
 member_attributes = ['ipaallowedtoperform_read_keys']
 has_output_params = LDAPRemoveMember.has_output_params + output_params
@@ -746,7 +760,8 @@ class service_disallow_retrieve_keytab(LDAPRemoveMember):
 @register()
 class service_allow_create_keytab(LDAPAddMember):
- __doc__ = _('Allow users or groups to create a keytab of this service.')
+ __doc__ = _('Allow users, groups, hosts or host groups to create a keytab '
+ 'of this service.')
 member_attributes = ['ipaallowedtoperform_write_keys']
 has_output_params = LDAPAddMember.has_output_params + output_params
@@ -764,7 +779,8 @@ class service_allow_create_keytab(LDAPAddMember):
 @register()
 class service_disallow_create_keytab(LDAPRemoveMember):
- __doc__ = _('Disallow users or groups to create a keytab of this service.')
+ __doc__ = _('Disallow users, groups, hosts or host groups to create a '
+ 'keytab of this service.')
 member_attributes = ['ipaallowedtoperform_write_keys']
 has_output_params = LDAPRemoveMember.has_output_params + output_params
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 67acb765fc1716e10ac7846d8780bf031c9f079e..1c46ce9131554b799d25a15922d26ccb92763e93 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -147,6 +147,9 @@ group1 = u'group1'
 group1_dn = get_group_dn(group1)
 group2 = u'group2'
 group2_dn = get_group_dn(group2)
+hostgroup1 = u'testhostgroup1'
+hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'),
+ api.env.basedn)
 class test_host(Declarative):
@@ -1420,6 +1423,8 @@ class test_host_allowed_to(Declarative): ('group_del', [group1], {}), ('group_del', [group2], {}), ('host_del', [fqdn1], {}), + ('host_del', [fqdn3], {}), + ('hostgroup_del', [hostgroup1], {}), ] tests = [ @@ -1503,6 +1508,49 @@ class test_host_allowed_to(Declarative): ), ), ), + dict( + desc='Create %r' % fqdn3, + command=( + 'host_add', [fqdn3], + dict( + force=True, + ), + ), + expected=dict( + value=fqdn3, + summary=u'Added host "%s"' % fqdn3, + result=dict( + dn=dn3, + fqdn=[fqdn3], + krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], + objectclass=objectclasses.host, + ipauniqueid=[fuzzy_uuid], + managedby_host=[fqdn3], + has_keytab=False, + has_password=False, + ), + ), + ), + + dict( + desc='Create %r' % hostgroup1, + command=('hostgroup_add', [hostgroup1], + dict(description=u'Test hostgroup 1') + ), + expected=dict( + value=hostgroup1, + summary=u'Added hostgroup "testhostgroup1"', + result=dict( + dn=hostgroup1_dn, + cn=[hostgroup1], + objectclass=objectclasses.hostgroup, + description=[u'Test hostgroup 1'], + ipauniqueid=[fuzzy_uuid], + mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'), + api.env.basedn)], + ), + ), + ), # verify dict( @@ -1513,6 +1561,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), @@ -1535,6 +1585,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user1, u'This entry is already a member']], ), ), 
@@ -1553,20 +1605,25 @@ class test_host_allowed_to(Declarative): desc='Allow %r, %r to a retrieve keytab of %r' % ( group1, group2, fqdn1), command=('host_allow_retrieve_keytab', [fqdn1], - dict(group=[group1, group2])), + dict(group=[group1, group2], host=[fqdn3], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), - completed=2, + completed=4, result=dict( dn=dn1, fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1581,6 +1638,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), @@ -1590,6 +1649,8 @@ class test_host_allowed_to(Declarative): fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1604,6 +1665,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), @@ -1613,6 +1676,8 @@ class test_host_allowed_to(Declarative): fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), 
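Review bot: The desc in the @@ -1553 hunk still reads `'Allow %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn1)` although the command now also passes host=[fqdn3] and hostgroup=[hostgroup1], and the create-keytab hunk @@ -1623 on the next line has the same mismatch; the corresponding hunks in test_service_plugin.py were updated to name the host, so a failure here would be reported under a description that omits half of what was granted. Following the service file's form, `desc='Allow %r, %r, %r, %r to a retrieve keytab of %r' % (group1, group2, fqdn3, hostgroup1, fqdn1)` keeps the two test files consistent. The tests list of test_host_allowed_to continues outside the hunk.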
@@ -1623,22 +1688,29 @@ class test_host_allowed_to(Declarative): desc='Allow %r, %r to a create keytab of %r' % ( group1, user1, fqdn1), command=('host_allow_create_keytab', [fqdn1], - dict(group=[group1, group2], user=[user1])), + dict(group=[group1, group2], user=[user1], host=[fqdn3], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), - completed=3, + completed=5, result=dict( dn=dn1, fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1648,12 +1720,15 @@ class test_host_allowed_to(Declarative): dict( desc='Duplicate add: %r, %r' % (user1, group1), command=('host_allow_create_keytab', [fqdn1], - dict(group=[group1], user=[user1])), + dict(group=[group1], user=[user1], host=[fqdn3], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_write_keys=dict( group=[[group1, u'This entry is already a member']], + host=[[fqdn3, u'This entry is already a member']], user=[[user1, u'This entry is already a member']], + hostgroup=[[hostgroup1, u'This entry is already a member']], ), ), completed=0, 
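Review bot: In the Duplicate add hunk (@@ -1648) the new failed entries are interleaved, `host=` before `user=` and `hostgroup=` after it, while every other failed dict in this file lists group, host, hostgroup, user in that order; the assertion is dict-based so nothing breaks, but the expected block is harder to compare by eye. The same interleaving appears in the @@ -1011 hunk of test_service_plugin.py. The test dict continues outside the hunk.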
@@ -1662,8 +1737,12 @@ class test_host_allowed_to(Declarative): fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1678,6 +1757,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), @@ -1687,8 +1768,12 @@ class test_host_allowed_to(Declarative): fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1703,6 +1788,8 @@ class test_host_allowed_to(Declarative): failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), 
@@ -1712,8 +1799,12 @@ class test_host_allowed_to(Declarative): fqdn=[fqdn1], ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1733,8 +1824,12 @@ class test_host_allowed_to(Declarative): has_password=False, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), @@ -1756,8 +1851,12 @@ class test_host_allowed_to(Declarative): has_password=False, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn3], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn3], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[u'host/%s@%s' % (fqdn1, api.env.realm)], managedby_host=[fqdn1], ), diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py index 927ce73f86a0025b8384cf0126ef00be3598975a..946dc572b0d0e5b3f26cd7bfd6ad8128f113493f 100644 --- a/ipatests/test_xmlrpc/test_service_plugin.py +++ b/ipatests/test_xmlrpc/test_service_plugin.py 
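Review bot: None of the hunks in this file exercise host_disallow_retrieve_keytab or host_disallow_create_keytab with the new host= and hostgroup= options: fqdn3 and hostgroup1 are added in the allow steps and every expected result through the last hunk here still lists ipaallowedtoperform_read_keys_host=[fqdn3] and ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], so the removal path for the two new member types is never checked. A step such as `command=('host_disallow_retrieve_keytab', [fqdn1], dict(host=[fqdn3], hostgroup=[hostgroup1]))` expecting `completed=2` with both attributes absent from result, plus a matching create-keytab step, would close that gap. test_service_plugin.py has the same omission; its final hunks still list ipaallowedtoperform_read_keys_host=[fqdn1]. The tests list of test_host_allowed_to continues outside the hunk.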
@@ -54,6 +54,9 @@ group1 = u'group1' group1_dn = get_group_dn(group1) group2 = u'group2' group2_dn = get_group_dn(group2) +hostgroup1 = u'testhostgroup1' +hostgroup1_dn = DN(('cn',hostgroup1),('cn','hostgroups'),('cn','accounts'), + api.env.basedn) class test_service(Declarative): @@ -770,6 +773,7 @@ class test_service_allowed_to(Declarative): ('group_del', [group2], {}), ('host_del', [fqdn1], {}), ('service_del', [service1], {}), + ('hostgroup_del', [hostgroup1], {}), ] tests = [ @@ -858,6 +862,25 @@ class test_service_allowed_to(Declarative): ), ), dict( + desc='Create %r' % hostgroup1, + command=('hostgroup_add', [hostgroup1], + dict(description=u'Test hostgroup 1') + ), + expected=dict( + value=hostgroup1, + summary=u'Added hostgroup "testhostgroup1"', + result=dict( + dn=hostgroup1_dn, + cn=[hostgroup1], + objectclass=objectclasses.hostgroup, + description=[u'Test hostgroup 1'], + ipauniqueid=[fuzzy_uuid], + mepmanagedentry=[DN(('cn',hostgroup1),('cn','ng'),('cn','alt'), + api.env.basedn)], + ), + ), + ), + dict( desc='Create %r' % service1, command=('service_add', [service1_no_realm], dict(force=True)), expected=dict( @@ -882,6 +905,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), @@ -903,6 +928,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user1, u'This entry is already a member']], ), ), 
@@ -917,22 +944,27 @@ class test_service_allowed_to(Declarative): ), dict( - desc='Allow %r, %r to a retrieve keytab of %r' % ( - group1, group2, service1), + desc='Allow %r, %r, %r to a retrieve keytab of %r' % ( + group1, group2, fqdn1, service1), command=('service_allow_retrieve_keytab', [service1], - dict(group=[group1, group2])), + dict(group=[group1, group2], host=[fqdn1], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), - completed=2, + completed=4, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -947,6 +979,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), @@ -955,6 +989,8 @@ class test_service_allowed_to(Declarative): dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1, group2], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -969,6 +1005,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_read_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), @@ -977,6 +1015,8 @@ class test_service_allowed_to(Declarative): dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), 
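Review bot: The host granted retrieval rights in the @@ -917 hunk is fqdn1, which is also the service's managing host (`managedby_host=[fqdn1]` in the same expected result), so the test cannot tell a right that comes from the new ipaallowedtoperform_read_keys host entry apart from anything the managing relationship may already imply at enforcement time, which is outside this diff. Using a separate non-managing host, as the host test does with fqdn3, would isolate the new path; the create-keytab hunk on the next line reuses fqdn1 in the same way. The tests list of test_service_allowed_to continues outside the hunk.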
@@ -984,24 +1024,31 @@ class test_service_allowed_to(Declarative): ), dict( - desc='Allow %r, %r to a create keytab of %r' % ( - group1, user1, service1), + desc='Allow %r, %r, %r to a create keytab of %r' % ( + group1, user1, fqdn1, service1), command=('service_allow_create_keytab', [service1], - dict(group=[group1, group2], user=[user1])), + dict(group=[group1, group2], user=[user1], host=[fqdn1], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), - completed=3, + completed=5, result=dict( dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -1011,12 +1058,15 @@ class test_service_allowed_to(Declarative): dict( desc='Duplicate add: %r, %r' % (user1, group1), command=('service_allow_create_keytab', [service1], - dict(group=[group1], user=[user1])), + dict(group=[group1], user=[user1], host=[fqdn1], + hostgroup=[hostgroup1])), expected=dict( failed=dict( ipaallowedtoperform_write_keys=dict( group=[[group1, u'This entry is already a member']], + host=[[fqdn1, u'This entry is already a member']], user=[[user1, u'This entry is already a member']], + hostgroup=[[hostgroup1, u'This entry is already a member']], ), ), completed=0, 
@@ -1024,8 +1074,12 @@ class test_service_allowed_to(Declarative): dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -1040,6 +1094,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[[user2, u'This entry is not a member']], ), ), @@ -1048,8 +1104,12 @@ class test_service_allowed_to(Declarative): dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1, group2], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -1064,6 +1124,8 @@ class test_service_allowed_to(Declarative): failed=dict( ipaallowedtoperform_write_keys=dict( group=[], + host=[], + hostgroup=[], user=[], ), ), @@ -1072,8 +1134,12 @@ class test_service_allowed_to(Declarative): dn=service1dn, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), 
@@ -1091,8 +1157,12 @@ class test_service_allowed_to(Declarative): has_keytab=False, ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], krbprincipalname=[service1], managedby_host=[fqdn1], ), @@ -1110,8 +1180,12 @@ class test_service_allowed_to(Declarative): result=dict( ipaallowedtoperform_read_keys_user=[user1], ipaallowedtoperform_read_keys_group=[group1], + ipaallowedtoperform_read_keys_host=[fqdn1], + ipaallowedtoperform_read_keys_hostgroup=[hostgroup1], ipaallowedtoperform_write_keys_user=[user1], ipaallowedtoperform_write_keys_group=[group1], + ipaallowedtoperform_write_keys_host=[fqdn1], + ipaallowedtoperform_write_keys_hostgroup=[hostgroup1], ipakrbokasdelegate=True, krbprincipalname=[service1], krbticketflags=[u'1048704'], -- 2.1.0