Fix member_format and member_attribute test

conestack · May 6, 2019 · 375242f · 375242f
2 parents 794913f + bf82240
commit 375242f
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 8 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -10,6 +10,9 @@ History
 - Increase Exception verbosity to ease debugging.
   [jensens]
 
+- Add missing object classes from principal config when persisting principals.
+  [rnix]
+
 - Remove attribute from entry if setting it's value to ``node.utils.UNSET`` or
   empty string. Most LDAP implementations not allow setting empty values, thus
   we delete the entire attribute in this case.

diff --git a/src/node/ext/ldap/tests/test_ugm_principals.py b/src/node/ext/ldap/tests/test_ugm_principals.py
@@ -143,6 +143,33 @@ def test_user_basics(self):
             '<cn=n?sty\, User,ou=customers,dc=my-domain,dc=com:cn=n?sty\, User - False>'
         ])
 
+        # test object classes changes in config
+        self.assertEqual(
+            users.context.child_defaults['objectClass'],
+            ['person']
+        )
+        users.context.child_defaults['objectClass'] = [
+            'person',
+            'extensibleObject'
+        ]
+        self.assertEqual(
+            mueller.context.attrs['objectClass'],
+            ['top', 'person']
+        )
+        mueller()
+        self.assertEqual(
+            sorted(mueller.context.attrs['objectClass']),
+            ['extensibleObject', 'person', 'top']
+        )
+        # note, by default, existing object classes missing in configured
+        # creation default object classes are NOT removed.
+        users.context.child_defaults['objectClass'] = ['person']
+        mueller()
+        self.assertEqual(
+            sorted(mueller.context.attrs['objectClass']),
+            ['extensibleObject', 'person', 'top']
+        )
+
     def test_authentication(self):
         props = testing.props
         ucfg = testing.ucfg
@@ -557,19 +584,21 @@ def test_membership(self):
         # Currently, the member relation is computed hardcoded and maps to
         # object classes. This will propably change in future. Right now
         # 'posigGroup', 'groupOfUniqueNames', and 'groupOfNames' are supported
-        self.assertEqual(member_format('groupOfUniqueNames'), 0)
-        self.assertEqual(member_attribute('groupOfUniqueNames'), 'uniqueMember')
+        self.assertEqual(member_format(['groupOfUniqueNames']), 0)
+        self.assertEqual(member_attribute(['groupOfUniqueNames']), 'uniqueMember')
 
-        self.assertEqual(member_format('groupOfNames'), 0)
-        self.assertEqual(member_attribute('groupOfNames'), 'member')
+        self.assertEqual(member_format(['groupOfNames']), 0)
+        self.assertEqual(member_attribute(['groupOfNames']), 'member')
 
-        self.assertEqual(member_format('posixGroup'), 1)
-        self.assertEqual(member_attribute('posixGroup'), 'memberUid')
+        self.assertEqual(member_format(['posixGroup']), 1)
+        self.assertEqual(member_attribute(['posixGroup']), 'memberUid')
 
         err = self.expect_error(Exception, member_format, 'foo')
-        self.assertEqual(str(err), 'Unknown format')
+        expected = 'Can not lookup member format for object-classes: foo'
+        self.assertEqual(str(err), expected)
         err = self.expect_error(Exception, member_attribute, 'foo')
-        self.assertEqual(str(err), 'Unknown member attribute')
+        expected = 'Can not lookup member attribute for object-classes: foo'
+        self.assertEqual(str(err), expected)
 
         self.assertEqual(groups['group1']._member_format, 0)
         self.assertEqual(groups['group1']._member_attribute, 'member')

diff --git a/src/node/ext/ldap/ugm/_api.py b/src/node/ext/ldap/ugm/_api.py
@@ -180,6 +180,18 @@ def principal_attributes_factory(self, name=None, parent=None):
     @default
     @locktree
     def __call__(self):
+        # add object classes from creation defaults. if missing.
+        # happens if object classes are added after principals were already
+        # created with another set of default object classes or if editing
+        # existing principals from a database not created with this
+        # API/configuration.
+        attrs = self.context.attrs
+        ocs = attrs['objectClass']
+        ocs = [ocs] if isinstance(ocs, six.text_type) else ocs
+        default_ocs = self.parent.context.child_defaults['objectClass']
+        if set(ocs) != set(default_ocs):
+            new_ocs = list(set(ocs).union(set(default_ocs)))
+            attrs['objectClass'] = new_ocs
         self.context()