[Freeipa-devel] [TEST PLAN] User lifecycle plugin

Martin Kosek mkosek at redhat.com
Wed May 20 08:38:46 UTC 2015 

On 05/19/2015 05:54 PM, thierry bordaz wrote:
> On 05/13/2015 05:54 PM, Martin Basti wrote:
>> On 13/05/15 17:44, David Kupka wrote:
>>> On 05/13/2015 02:57 PM, Lenka Ryznarova wrote:
>>>> Hi,
>>>>
>>>> I've prepared test plan design for User Lifecycle Plugin - [1]. Please
>>>> review and let me know if you have any comments on that.
>>>>
>>>> Thanks,
>>>> Lenka
>>>>
>>>> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan
>>>>
>>>>
>>> Hi,
>>> thanks for sharing the test plan. I've quickly looked at it and have just 2
>>> notes:
>>>
>>> 1) please add "Verify that specific GID number of a staged entry is
>>> preserved after activation"
>>>
>>> 2) In a block of tests "Try activating staged entry with
>>> <every-possible-attribute>" please add a activation tests. It should be
>>> possible to add/modify the attributes in staging are freely all the check
>>> must be applied when the user is activated.
>>>
>> Hello, following tests are out of scope of API tests, but would be nice to have:
>> * test to make sure the staged/deleted user is unable to kinit
>> * opposite case the reactivated user is able to kinit (if this case is valid)
>> * ACI tests: to make sure only proper roles can manipulate with staged users.
>>
> Hello Lenka,
> 
> This is looking as a very good set of tests. If you have time, you may also add
> those tests:
> 
>  * try do a simple bind with a stage/delete user
>  * option only-delete, also-delete and --deleted are deprecated.. sorry
>    the design is not up-to-date, now it is --preserved flag
>  * Run the tests as admin

+1 for above

>  * Run the tests as a stageadm (member of 'User administrator')

I would not push on this for version 1, IIRC we still miss the infrastructure
to easily run tests like this. But +1 for the intent.

>  * Try to update a stageuser with invalid uid/gidnumber (<0 , or string)
>  * Check that activated and undelete users are member of ipausers
>  * Being authenticated with a newly activated user, check you have
>    limited access to entries (only modify yourself)
>  * Try to add (ldapadd) an entry directly in delete container, should
>    not be allowed even for admin.
>  * Create a user that is member of a 'system provisioning' role.
>    'system provisioning' role has the 'Stage user provisioning' priviledge.
>    This user should only be allow to add 'stage' user (no read, delete,
>    mod)

I quickly checked the test case, I think it misses some of the basic test cases:
- Add user, add him as a member of a custom group. Delete/preserve the user,
check that he is no longer a member of that custom group
- Add staged user via LDAP directly as this is the primary use case. Then try
to activate it. The user may have different/minimal formats (more minimal than
with stageuser-add), see design for examples.

More information about the Freeipa-devel mailing list