From da4c12c3e6ac978afc1a365c3aed87eae5832a96 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Nov 13 2018 11:40:44 +0000 Subject: ipatests: add integration test for "Read radius servers" perm Add a new integration test for the following scenario: - create a user with the "User Administrator" role - as this user, create a user with a --radius= This scenario was previously failing because ipa user-add --radius requires read access to the radius server entries, and there was no permission granting this access. Related to https://pagure.io/freeipa/issue/7570 Reviewed-By: Alexander Bokovoy Reviewed-By: Christian Heimes
---
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
index 38e72fd..13a0c98 100644
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@@ -98,6 +98,49 @@ class TestUserPermissions(IntegrationTest):
 result = self.master.run_command(['ipa', 'stageuser-show', stageuser])
 assert 'Kerberos keys available: True' in result.stdout_text
+ def test_user_add_withradius(self):
+ """
+ Test that a user with User Administrator role can call
+ ipa user-add --radius myradius
+ to create a user with an assigned Radius Proxy Server.
+
+ This is a test case for issue 7570
+ """
+ # kinit admin
+ tasks.kinit_admin(self.master)
+
+ # Create a radius proxy server
+ radiusproxy = 'myradius'
+ secret = 'Secret123'
+ radius_secret_confirmation = "%s\n%s\n" % (secret, secret)
+ self.master.run_command(
+ ['ipa', 'radiusproxy-add', radiusproxy,
+ '--server', 'radius.example.com', '--secret'],
+ stdin_text=radius_secret_confirmation)
+
+ # Create a user with 'User Administrator' role
+ altuser = 'specialuser'
+ password = 'SpecialUser123'
+ password_confirmation = "%s\n%s\n" % (password, password)
+ self.master.run_command(
+ ['ipa', 'user-add', altuser, '--first', altuser, '--last', altuser,
+ '--password'],
+ stdin_text=password_confirmation)
+ self.master.run_command(
+ ['ipa', 'role-add-member', "User Administrator",
+ '--user', altuser])
+
+ # kinit as altuser to initialize the password
+ altuser_kinit = "%s\n%s\n%s\n" % (password, password, password)
+ self.master.run_command(['kinit', altuser], stdin_text=altuser_kinit)
+ # call ipa user-add with --radius=...
+ # this call requires read access to radius proxy servers
+ self.master.run_command(
+ ['ipa', 'user-add', '--first', 'test', '--last', 'test',
+ '--user-auth-type', 'radius', '--radius-username', 'testradius',
+ 'testradius', '--radius', radiusproxy])
+
+
 class TestInstallClientNoAdmin(IntegrationTest):
 num_clients = 1
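Review bot: test_user_add_withradius checks only that the new read access works, not that it is scoped: nothing confirms that `specialuser` still cannot read the proxy's shared secret (`Secret123`). The permission's attribute list is not part of this hunk, so a negative step would pin it: while still authenticated as `specialuser`, read the `myradius` entry through an interface that would return the secret if it were readable, and finish with `assert secret not in result.stdout_text`. The last `user-add` has no assertion of its own and presumably relies on run_command raising on a non-zero exit. The method also ends with the credential cache held by `specialuser`; a closing `tasks.kinit_admin(self.master)` keeps any test added after it from running with the reduced role.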