-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: admins no longer inherited superowner powers
Regression since rc1
- Loading branch information
Showing
2 changed files
with
93 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,92 @@ | ||
| # vim: set filetype=sh ts=4 sw=4 sts=4 et: | ||
| # shellcheck shell=bash | ||
| # shellcheck disable=SC2086,SC2016,SC2046 | ||
| # below: convoluted way that forces shellcheck to source our caller | ||
| # shellcheck source=tests/functional/launch_tests_on_instance.sh | ||
| . "$(dirname "${BASH_SOURCE[0]}")"/dummy | ||
|
|
||
| testsuite_admin_superowner() | ||
| { | ||
| grant accountCreate | ||
| grant groupCreate | ||
|
|
||
| # create account1 | ||
| success admin_superowner create_a1 $a0 --osh accountCreate --always-active --account $account1 --uid $uid1 --public-key "\"$(cat $account1key1file.pub)\"" | ||
| json .error_code OK .command accountCreate .value null | ||
|
|
||
| # create a group, account1 is not a member or anything | ||
| success admin_superowner create_g1 $a0 --osh groupCreate --owner $account0 --no-key --group $group1 | ||
| json .error_code OK .command groupCreate | ||
|
|
||
| # account1 can't add members | ||
| run admin_superowner a1_add_members_g1_fail $a1 --osh groupAddMember --group $group1 --account $account1 | ||
| retvalshouldbe 106 | ||
| json .error_code KO_RESTRICTED_COMMAND .command null | ||
|
|
||
| # now set account1 as superowner | ||
| success admin_superowner set_a1_as_superowner $r0 "\". $remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-superowner\"" | ||
| configchg 's=^\\\\x22superOwnerAccounts\\\\x22.+=\\\\x22superOwnerAccounts\\\\x22:[\\\\x22'"$account1"'\\\\x22],=' | ||
|
|
||
| # account1 now can add/del members | ||
| success admin_superowner a1_add_members_g1_ok $a1 --osh groupAddMember --group $group1 --account $account1 | ||
| json .error_code OK .command groupAddMember | ||
| contain OVERRIDE | ||
|
|
||
| success admin_superowner a1_del_members_g1_ok $a1 --osh groupDelMember --group $group1 --account $account1 | ||
| json .error_code OK .command groupDelMember | ||
| contain OVERRIDE | ||
|
|
||
| # now set account1 as admin | ||
| success admin_superowner set_a1_as_admin $r0 "\". $remote_basedir/lib/shell/functions.inc; add_user_to_group_compat $account1 osh-admin\"" | ||
| configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22,\\\\x22'"$account1"'\\\\x22],=' | ||
|
|
||
| # account1 now can add/del aclkeepers | ||
| success admin_superowner a1_add_gk_g1_ok $a1 --osh groupAddAclkeeper --group $group1 --account $account1 | ||
| json .error_code OK .command groupAddAclkeeper | ||
| contain OVERRIDE | ||
|
|
||
| success admin_superowner a1_del_gk_g1_ok $a1 --osh groupDelAclkeeper --group $group1 --account $account1 | ||
| json .error_code OK .command groupDelAclkeeper | ||
| contain OVERRIDE | ||
|
|
||
| # now remove superowner grant from a1, the account is still admin so it should inherhit superowner powers | ||
| success admin_superowner del_a1_as_superowner $r0 "\". $remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-superowner\"" | ||
| configchg 's=^\\\\x22superOwnerAccounts\\\\x22.+=\\\\x22superOwnerAccounts\\\\x22:[],=' | ||
|
|
||
| # account1 can add/del gatekeepers | ||
| success admin_superowner a1_add_members_g1_ok2 $a1 --osh groupAddGatekeeper --group $group1 --account $account1 | ||
| json .error_code OK .command groupAddGatekeeper | ||
| contain OVERRIDE | ||
|
|
||
| success admin_superowner a1_del_members_g1_ok2 $a1 --osh groupDelGatekeeper --group $group1 --account $account1 | ||
| json .error_code OK .command groupDelGatekeeper | ||
| contain OVERRIDE | ||
|
|
||
| # and finally remove admin grant | ||
| success admin_superowner del_a1_as_admin $r0 "\". $remote_basedir/lib/shell/functions.inc; del_user_from_group_compat $account1 osh-admin\"" | ||
| configchg 's=^\\\\x22adminAccounts\\\\x22.+=\\\\x22adminAccounts\\\\x22:[\\\\x22'"$account0"'\\\\x22],=' | ||
|
|
||
| # account1 can no longer add members | ||
| run admin_superowner a1_add_members_g1_fail2 $a1 --osh groupAddMember --group $group1 --account $account1 | ||
| retvalshouldbe 106 | ||
| json .error_code KO_RESTRICTED_COMMAND .command null | ||
|
|
||
| revoke accountCreate | ||
| revoke groupCreate | ||
| grant accountDelete | ||
| grant groupDelete | ||
|
|
||
| script admin_superowner delete_a1 $a0 --osh accountDelete --account $account1 "<<< \"Yes, do as I say and delete $account1, kthxbye\"" | ||
| retvalshouldbe 0 | ||
| json .command accountDelete .error_code OK | ||
|
|
||
| script admin_superowner delete_g1 "$a0 --osh groupDelete --group $group1 <<< $group1" | ||
| retvalshouldbe 0 | ||
| json .command groupDelete .error_code OK | ||
|
|
||
| revoke accountDelete | ||
| revoke groupDelete | ||
| } | ||
|
|
||
| testsuite_admin_superowner | ||
| unset -f testsuite_admin_superowner |