[Freeipa-devel] [TEST PLAN] User lifecycle plugin

thierry bordaz tbordaz at redhat.com
Wed May 20 09:02:01 UTC 2015


On 05/20/2015 10:38 AM, Martin Kosek wrote:
> On 05/19/2015 05:54 PM, thierry bordaz wrote:
>> On 05/13/2015 05:54 PM, Martin Basti wrote:
>>> On 13/05/15 17:44, David Kupka wrote:
>>>> On 05/13/2015 02:57 PM, Lenka Ryznarova wrote:
>>>>> Hi,
>>>>>
>>>>> I've prepared test plan design for User Lifecycle Plugin - [1]. Please
>>>>> review and let me know if you have any comments on that.
>>>>>
>>>>> Thanks,
>>>>> Lenka
>>>>>
>>>>> [1] http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan
>>>>>
>>>>>
>>>> Hi,
>>>> thanks for sharing the test plan. I've quickly looked at it and have just 2
>>>> notes:
>>>>
>>>> 1) please add "Verify that specific GID number of a staged entry is
>>>> preserved after activation"
>>>>
>>>> 2) In a block of tests "Try activating staged entry with
>>>> <every-possible-attribute>" please add activation tests. It should be
>>>> possible to add/modify the attributes in the staging area freely; all the
>>>> checks must be applied when the user is activated.
>>>>
>>> Hello, following tests are out of scope of API tests, but would be nice to have:
>>> * test to make sure the staged/deleted user is unable to kinit
>>> * opposite case the reactivated user is able to kinit (if this case is valid)
>>> * ACI tests: to make sure only proper roles can manipulate with staged users.
>>>
>> Hello Lenka,
>>
>> This is looking as a very good set of tests. If you have time, you may also add
>> those tests:
>>
>>   * try to do a simple bind with a stage/delete user
>>   * option only-delete, also-delete and --deleted are deprecated.. sorry
>>     the design is not up-to-date, now it is --preserved flag
>>   * Run the tests as admin
> +1 for above
>
>>   * Run the tests as a stageadm (member of 'User administrator')
> I would not push on this for version 1, IIRC we still miss the infrastructure
> to easily run tests like this. But +1 for the intent.
If the test infrastructure requires 'admin', no problem. But I usually simply 
do the following commands before running the ULC CLI tests.

(echo "hello";echo "hello") | ipa user-add --first=stage --last=administrator stageadm --password

ipa role-add-member "User Administrator" --users=stageadm

(echo "hello";echo "Secret123";echo "Secret123")  | kinit stageadm

>
>>   * Try to update a stageuser with invalid uid/gidnumber (<0 , or string)
>>   * Check that activated and undelete users are member of ipausers
>>   * Being authenticated with a newly activated user, check you have
>>     limited access to entries (only modify yourself)
>>   * Try to add (ldapadd) an entry directly in delete container, should
>>     not be allowed even for admin.
>>   * Create a user that is member of a 'system provisioning' role.
>>     'system provisioning' role has the 'Stage user provisioning' privilege.
>>     This user should only be allowed to add 'stage' user (no read, delete,
>>     mod)
> I quickly checked the test case, I think it misses some of the basic test cases:
> - Add user, add him as a member of a custom group. Delete/preserve the user,
> check that he is no longer a member of that custom group
> - Add staged user via LDAP directly as this is the primary use case. Then try
> to activate it. The user may have different/minimal formats (more minimal than
> with stageuser-add), see design for examples.
+1

Yes I forgot the DS plugins (uniqueness, ref. int., memberof).
uniqueness is scoping Active/Delete user (uid and ipaUniqueID).
referential integrity scopes Active user for (member, manager, 
managedby, secretary, uniquemember...), so preserving a user should 
update those attributes.
memberof scopes Active user, so preserving a user should update its 
memberof values





