From 9f59b3cfd8c97374edd365e1aa39bc4edbac5a74 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Jul 18 2019 06:58:18 +0000 Subject: certmaprule: add negative test for altSecurityIdentities Try to create a certmap rule that mentiones altSecurityIdentities in its mapping rule but uses IPA domain to apply to. It should fail with ValidationError. Related: https://pagure.io/freeipa/issue/7932 Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipatests/test_xmlrpc/test_certmap_plugin.py b/ipatests/test_xmlrpc/test_certmap_plugin.py
index 2ce1a5e..73d8bc1 100644
--- a/ipatests/test_xmlrpc/test_certmap_plugin.py
+++ b/ipatests/test_xmlrpc/test_certmap_plugin.py
@@ -27,6 +27,17 @@ certmaprule_create_params = {
 u'ipacertmappriority': u'1',
 }

+certmaprule_create_trusted_params = {
+ u'cn': u'test_trusted_rule',
+ u'description': u'Certificate mapping and matching rule for test '
+ u'purposes for trusted domain',
+ u'ipacertmapmaprule': u'altsecurityidentities=X509:',
+ u'ipacertmapmatchrule': u'arbitrary free-form matching rule defined '
+ u'and consumed by SSSD',
+ u'associateddomain': api.env.domain,
+ u'ipacertmappriority': u'1',
+}
+
 certmaprule_update_params = {
 u'description': u'Changed description',
 u'ipacertmapmaprule': u'changed arbitrary mapping rule',
@@ -77,6 +88,12 @@ def certmap_rule(request):


 @pytest.fixture(scope='class')
+def certmap_rule_trusted_domain(request):
+ tracker = CertmapruleTracker(**certmaprule_create_trusted_params)
+ return tracker.make_fixture(request)
+
+
+@pytest.fixture(scope='class')
 def certmap_config(request):
 tracker = CertmapconfigTracker()
 return tracker.make_fixture(request)
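Review bot: The map rule in `certmaprule_create_trusted_params` spells the attribute only in lowercase (`u'altsecurityidentities=X509:'`), so the negative test covers a single spelling of it. LDAP attribute names are case-insensitive and the commit message itself writes altSecurityIdentities, so a second parameter set using the mixed-case spelling would confirm that the server-side check is not a case-sensitive match; the validator is not visible in this diff, so this may already hold. Separately, the names `test_trusted_rule` and `certmap_rule_trusted_domain` (the fixture in the next hunk) read as if the rule targets a trusted domain, while `associateddomain` is `api.env.domain`. A comment above the dict such as `# Deliberately invalid: altSecurityIdentities mapping applied to the IPA domain must be rejected` would make the intent clear.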
@@ -122,6 +139,18 @@ class TestCRUD(XMLRPC_test):
 certmap_rule.ensure_exists()
 certmap_rule.delete()

+ def test_failed_create(self, certmap_rule_trusted_domain):
+ certmap_rule_trusted_domain.ensure_missing()
+ try:
+ certmap_rule_trusted_domain.create([])
+ except errors.ValidationError:
+ certmap_rule_trusted_domain.exists = False
+ else:
+ certmap_rule_trusted_domain.exists = True
+ certmap_rule_trusted_domain.ensure_missing()
+ raise AssertionError("Expected validation error for "
+ "altSecurityIdentities used for IPA domain")
+

 class TestEnableDisable(XMLRPC_test):
 def test_disable(self, certmap_rule):
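Review bot: The `except errors.ValidationError:` branch in `test_failed_create` accepts any validation failure, so the test also passes when the rule is rejected for a reason unrelated to altSecurityIdentities, for example a problem with another value in the parameter dict. Binding the exception with `except errors.ValidationError as e:` and asserting on the parameter name or message it carries would pin the rejection to the map rule; the exact value to compare against depends on the plugin's validator, which is not visible here. A one-line docstring such as `"""Creating an altSecurityIdentities map rule for the IPA domain must fail."""` would also help, since the fixture name suggests a trusted domain. The enclosing class `TestCRUD` starts outside the hunk.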