pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone

Blame SOURCES/0030-Fix-systemd-user-HBAC-rule.patch

b01884
From b3f06994b7b44a0f9cd0c6bd0302c9db87dc2502 Mon Sep 17 00:00:00 2001
b01884
From: Christian Heimes <cheimes@redhat.com>
b01884
Date: Tue, 15 Jan 2019 17:33:56 +0100
b01884
Subject: [PATCH] Fix systemd-user HBAC rule
b01884
b01884
2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that
b01884
encoded the service wrongly.
b01884
b01884
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
b01884
Fixes: https://pagure.io/freeipa/issue/7831
b01884
Signed-off-by: Christian Heimes <cheimes@redhat.com>
b01884
---
b01884
 install/share/default-hbac.ldif            |  2 +-
b01884
 ipatests/test_integration/test_commands.py | 12 +++++++++---
b01884
 2 files changed, 10 insertions(+), 4 deletions(-)
b01884
b01884
diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
b01884
index 8dd90685c..c89bd3eef 100644
b01884
--- a/install/share/default-hbac.ldif
b01884
+++ b/install/share/default-hbac.ldif
b01884
@@ -21,7 +21,7 @@ cn: allow_systemd-user
b01884
 accessruletype: allow
b01884
 usercategory: all
b01884
 hostcategory: all
b01884
-servicecategory: systemd-user
b01884
+memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
b01884
 ipaenabledflag: TRUE
b01884
 description: Allow pam_systemd to run user@.service to create a system user session
b01884
 ipauniqueid: autogenerate
b01884
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
b01884
index 1fb6450a2..8b2c84fc6 100644
b01884
--- a/ipatests/test_integration/test_commands.py
b01884
+++ b/ipatests/test_integration/test_commands.py
b01884
@@ -500,12 +500,18 @@ class TestIPACommand(IntegrationTest):
b01884
         # https://pagure.io/freeipa/issue/7831
b01884
         tasks.kinit_admin(self.master)
b01884
         # check for presence
b01884
-        self.master.run_command(
b01884
-            ['ipa', 'hbacrule-show', 'allow_systemd-user']
b01884
-        )
b01884
         self.master.run_command(
b01884
             ['ipa', 'hbacsvc-show', 'systemd-user']
b01884
         )
b01884
+        result = self.master.run_command(
b01884
+            ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
b01884
+        )
b01884
+        lines = set(l.strip() for l in result.stdout_text.split('\n'))
b01884
+        assert 'User category: all' in lines
b01884
+        assert 'Host category: all' in lines
b01884
+        assert 'Enabled: TRUE' in lines
b01884
+        assert 'Services: systemd-user' in lines
b01884
+        assert 'accessruletype: allow' in lines
b01884
 
b01884
         # delete both
b01884
         self.master.run_command(
b01884
-- 
b01884
2.20.1
b01884