This is an automated email from the git hooks/post-receive script.
spichugi pushed a commit to branch 389-ds-base-1.4.3
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.3 by this push:
new 444fe6f Issue 50260 - Fix test according to #51222 fix
444fe6f is described below
commit 444fe6fbf16a14da161c69be5b7a9f2ca6422462
Author: Simon Pichugin <spichugi@redhat.com>
AuthorDate: Wed Aug 5 14:35:06 2020 +0200
Issue 50260 - Fix test according to #51222 fix
Description: Managed Entry plugin behaviour was fixed and
returned codes were cleaned up. Now we allow to continue
modrdn and delete managing entry operations execution
even when managed entry doesn't exist.
Also allow 'cn=directory manager' to delete managed entry
on direct update.
Make the updates fail using another way.
https://pagure.io/389-ds-base/issue/50260
https://pagure.io/389-ds-base/issue/51222
Reviewed by: mreynolds (Thanks!)
---
dirsrvtests/tests/suites/betxns/betxn_test.py | 38 +++++++++++++++++++--------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/dirsrvtests/tests/suites/betxns/betxn_test.py b/dirsrvtests/tests/suites/betxns/betxn_test.py
index aab2392..b5ca010 100644
--- a/dirsrvtests/tests/suites/betxns/betxn_test.py
+++ b/dirsrvtests/tests/suites/betxns/betxn_test.py
@@ -18,12 +18,14 @@ from lib389.plugins import (SevenBitCheckPlugin, AttributeUniquenessPlugin,
from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
from lib389.idm.organizationalunit import OrganizationalUnits
from lib389.idm.group import Groups, Group
+from lib389.idm.domain import Domain
from lib389._constants import DEFAULT_SUFFIX
pytestmark = pytest.mark.tier1
logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)
+USER_PASSWORD = 'password'
def test_betxt_7bit(topology_st):
@@ -253,6 +255,15 @@ def test_ri_and_mep_cache_corruption(topology_st):
5. Success
"""
+ # Add ACI so we can test that non-DM user can't delete managed entry
+ domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
+ ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
+ ACI_TARGETATTR = "(targetattr = *)"
+ ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
+ ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
+ ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
+ domain.add('aci', ACI_BODY)
+
# Start plugins
topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
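Review bot: The ACI added at the top of this hunk grants `allow (all)` on `targetattr = *` to `ldap:///anyone` for the whole `DEFAULT_SUFFIX`, and nothing in the visible hunks removes it. If `topology_st` is shared with later tests, they would run with access control effectively open, anonymous binds included, which can hide ACI regressions. Either scope the subject to the test user or drop the rule when the test ends, e.g. `domain.remove('aci', ACI_BODY)` in a `try/finally`. The comment could also say why the rule is needed, presumably `# Open ACI so the non-DM request is rejected by the MEP plugin, not by access control`, and the ACL name "Admin Access" is misleading for an anyone-rule. The test body starts and ends outside this hunk.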
@@ -270,15 +281,15 @@ def test_ri_and_mep_cache_corruption(topology_st):
mep_template1 = mep_templates.create(properties={
'cn': 'MEP template',
'mepRDNAttr': 'cn',
- 'mepStaticAttr': 'objectclass: posixGroup|objectclass: extensibleObject'.split('|'),
+ 'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
})
mep_configs = MEPConfigs(topology_st.standalone)
mep_configs.create(properties={'cn': 'config',
- 'originScope': ou_people.dn,
- 'originFilter': 'objectclass=posixAccount',
- 'managedBase': ou_groups.dn,
- 'managedTemplate': mep_template1.dn})
+ 'originScope': ou_people.dn,
+ 'originFilter': 'objectclass=posixAccount',
+ 'managedBase': ou_groups.dn,
+ 'managedTemplate': mep_template1.dn})
# Add an entry that meets the MEP scope
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
@@ -291,6 +302,8 @@ def test_ri_and_mep_cache_corruption(topology_st):
'gidNumber': '20011',
'homeDirectory': '/home/test-user1'
})
+ user.reset_password(USER_PASSWORD)
+ user_bound_conn = user.bind(USER_PASSWORD)
# Add group
groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
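Review bot: `user_bound_conn`, returned by `user.bind(USER_PASSWORD)`, is not closed anywhere in the visible hunks, so the authenticated connection appears to outlive the test. Consider closing it once the non-DM checks are done, e.g. `user_bound_conn.unbind_s()`, ideally in a `finally` so it also runs when an assertion fails. The function continues outside the hunk, so confirm it is not already handled there.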
@@ -304,22 +317,25 @@ def test_ri_and_mep_cache_corruption(topology_st):
# Test MEP be txn pre op failure does not corrupt entry cache
# Should get the same exception for both rename attempts
+ # Try to remove the entry while bound as Admin (non-DM)
+ managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
+ managed_entry_user_conn = managed_groups_user_conn.get(user.rdn)
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
- mep_group.rename("cn=modrdn group")
-
+ managed_entry_user_conn.rename("cn=modrdn group")
with pytest.raises(ldap.UNWILLING_TO_PERFORM):
- mep_group.rename("cn=modrdn group")
+ managed_entry_user_conn.rename("cn=modrdn group")
# Mess with MEP so it fails
mep_plugin.disable()
- mep_group.delete()
+ users_mep_group = UserAccounts(topology_st.standalone, mep_group.dn, rdn=None)
+ users_mep_group.create_test_user(1001)
mep_plugin.enable()
# Add another group to verify entry cache is not corrupted
test_group = groups.create(properties={'cn': 'test_group'})
- # Delete user, should fail in MEP be txn post op, and user should still be a member
- with pytest.raises(ldap.NO_SUCH_OBJECT):
+ # Try to delete user - it fails because managed entry can't be deleted
+ with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
user.delete()
# Verify membership is intact
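Review bot: The added comment `# Try to remove the entry while bound as Admin (non-DM)` does not match the code: both guarded calls are `managed_entry_user_conn.rename(...)`, and the bound identity is the ordinary test user, not an admin. Suggest `# Try to rename the managed entry while bound as a regular (non-DM) user`. The ACI comment earlier in the test says the goal is to show that a non-DM user can't delete the managed entry, but no `delete()` is attempted on `managed_entry_user_conn`. If that check is intended it needs its own `pytest.raises` block, with the expected result code confirmed against the plugin fix. Separately, the child entry from `users_mep_group.create_test_user(1001)` is not removed in the visible lines and would leave the managed group non-leaf for any later cleanup; the test continues outside the hunk.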
--