From Fedora Project Wiki

Description

UI testing.

Setup

  1. Make sure you have a working FreeIPA server (see QA:Testcase_freeipav2_installation)
  2. Make sure the CLI works as expected (see QA:Testcase_freeipav2_cli)

How to test

Authentication

Unauthenticated User

Verify that an unauthenticated user cannot access the UI.

  • Remove all credentials using kdestroy and check with klist.
  • Open the Web UI.
  • An error message should appear.

Authenticated as Administrator

Verify that the admin has full access to the UI.

  • Authenticate as admin.
  • Open the Web UI.
  • At the top right corner it should say Administrator.
  • There should be 3 tabs: Identity, Policy, IPA Server.
  • The initial page should display a list of users.

Authenticated as User

Verify that a user only has access to the self-service page.

  • Authenticate as admin.
  • Create a new user.
  • Set user's password.
  • Authenticate as the new user.
  • Open the Web UI.
  • The user's name should appear at the top right corner.
  • There should be 1 tab: Identity.
  • The initial page should display user's data.

Expired Credentials

Verify that when the credentials expires the user loses access to the UI.

  • Authenticate as admin or user using kinit.
  • Open the Web UI.
  • The UI should work normally.
  • Remove credentials using kdestroy.
  • Perform any action on the UI.
  • An error message should appear.
  • Authenticate again as admin or user.
  • Click Retry.
  • The action should complete successfully.

Users

Finding Users

Verify that the UI can be used to find users.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • The page should display a list of all users.
  • The list should contain these columns: user login, first name, last name, UID, email address, telephone number, and job title.
  • Verify the list with the following command:
# ipa user-find
  • Above the list there should be a search field.
  • Enter a keyword which is the partial name of a known user, then click Find.
  • The list should show users with matching names.
  • Verify the list with the following command:
# ipa user-find <keyword>
  • Empty the search field, then click Find.
  • The list should display all users again.

Adding Users

Verify that the UI can be used to add users.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • The page should display a list of all users.
  • On the left click Add.
  • Enter user login, first name, and last name.
  • Click Add.
  • The list should now contain the new user.
  • Verify the addition with the following command:
# ipa user-show <user login>


Editing Users

Verify that the UI can be used to edit users.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • Click one of the users in the list.
  • The user details should be displayed.
  • Change the value of some attributes.
  • Undo the changes on some attributes.
  • On the left click Update, the undo links should disappear.
  • Click Back to List.
  • It should display the list of users.
  • Verify the changes with the following command:
# ipa user-show <user login>


Changing User Passwords

Validate that the UI can be used to change user passwords.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • Click one of the users in the list.
  • Under "Account Settings", click "reset password".
  • Enter a temporary password, then click "Reset Password".
  • Authenticate as the user and enter the temporary password. It will ask for a new password, enter a new password.
# kinit psmith

Password for psmith@IPA: <temporary password> Password expired. You must change it now. Enter new password: <new password> Enter it again: <new password>

  • Reload the Web UI, it should show the self-service page for this user.

Deactivating and Reactivating Users

Verify that the UI can be used to deactivate and reactivate users.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • Click one of the users in the list.
  • Under "Account Settings", the "Account disabled" should indicate that the user is initially Active.
  • Click Deactivate, the status should change to Inactive.
  • Authenticate as the user, it should fail.
# kinit psmith

kinit: Clients credentials have been revoked while getting initial credentials

  • Click Activate, the status should change back to Active.
  • Authenticate as the user, it should work.

Managing Group Enrollment

Verify that user's group enrollment can be managed via UI.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • Click one of the users in the list.
  • On the left under Member Of click User Groups.
  • The list of User Groups where the user is enrolled in should be displayed.
  • Click Enroll, a dialog box will appear.
  • Select some User Groups from the available list, then click >>.
  • Click Enroll, the selected User Groups should be added to the list.
  • Verify with the following command:
# ipa user-show <user login>
  • Select some User Groups from the list.
  • Click Delete, a dialog box will appear.
  • Click Delete, the selected User Groups should be deleted from the list.
  • Verify with the following command:
# ipa user-show <user login>


Deleting Users

Verify that the UI can be used to delete users.

  • As admin open the Web UI.
  • Go to Identity -> Users.
  • Check the checkboxes next to some of the users in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the users to be deleted.
  • Click Delete, the selected users should disappear from the list.
  • Verify the deletion with the following command:
# ipa user-show <user login>


User Groups

Managing Member Users Enrollment

Verify that group's member users can be managed via UI.

  • As admin open the Web UI.
  • Go to Identity -> Groups.
  • Click one of the groups in the list.
  • On the left under Member click Users.
  • The list of member users should be displayed.
  • Verify the member users with the following command:
# ipa group-show <group name>
  • Click Enroll, a dialog box will appear.
  • Select some users from the available list, then click >>.
  • Click Enroll, the selected users should be added to the list.
  • Verify the addition with the following command:
# ipa group-show <group name>
  • Select some users from the list.
  • Click Delete, a dialog box will appear.
  • Click Delete, the selected users should be deleted from the list.
  • Verify the deletion with the following command:
# ipa group-show <group name>


Managing Member Groups Enrollment

Verify that group's member groups can be managed via UI.

  • As admin open the Web UI.
  • Go to Identity -> Groups.
  • Click one of the groups in the list.
  • On the left under Member click User Groups.
  • The list of member groups should be displayed.
  • Verify the member groups with the following command:
# ipa group-show <group name>
  • Click Enroll, a dialog box will appear.
  • Select some groups from the available list, then click >>.
  • Click Enroll, the selected groups should be added to the list.
  • Verify the addition with the following command:
# ipa group-show <group name>
  • Select some groups from the list.
  • Click Delete, a dialog box will appear.
  • Click Delete, the selected groups should be deleted from the list.
  • Verify the deletion with the following command:
# ipa group-show <group name>


Managing Group Membership Enrollment

Verify that group's membership in other groups can be managed via UI.

  • As admin open the Web UI.
  • Go to Identity -> Groups.
  • Click one of the groups in the list.
  • On the left under Member Of click User Groups.
  • The list of groups where this group is a member should be displayed.
  • Verify the group membership (member of groups) with the following command:
# ipa group-show <group name>
  • Click Enroll, a dialog box will appear.
  • Select some groups from the available list, then click >>.
  • Click Enroll, the selected groups should be added to the list.
  • Verify the addition with the following command:
# ipa group-show <group name>
  • Select some groups from the list.
  • Click Delete, a dialog box will appear.
  • Click Delete, the selected groups should be deleted from the list.
  • Verify the deletion with the following command:
# ipa group-show <group name>


Hosts

Finding Hosts

Verify that the UI can be used to find hosts.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • The page should display a list of all hosts. Initially there is only one host which is the IPA server itself.
  • The list should contain these columns: hostname, description, enrolled and location.
  • Verify the list with the following command:
# ipa host-find
  • Above the list there should be a search field.
  • Enter a keyword which is the partial name of a known host, then click Find.
  • The list should show hosts with matching names.
  • Verify the list with the following command:
# ipa host-find <keyword>
  • Empty the search field, then click Find.
  • The list should display all hosts.

Adding Hosts

Verify that the UI can be used to add new hosts.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • The page should display a list of all hosts.
  • On the left click Add.
  • Enter the hostname and select Force.
  • Click Add, the list should now contain the new host.
  • Verify the addition with the following command:
# ipa host-show <hostname>


Editing Hosts

Verify that the UI can be used to edit hosts.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • Click one of the hosts in the list.
  • The host details should be displayed.
  • Change the host description, an undo link should appear.
  • On the left click Update, the undo links should disappear.
  • Verify the changes with the following command:
# ipa host-show <hostname>


Managing Host Enrollment

Verify that host enrollment can be managed via the UI.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • Create a new host (e.g. test.example.com), then view the host details. Don't use the IPA server's host for this.
  • Initially the enrollment status should say: Kerberos Key Not Present.
  • Verify the Keytab is False with the following command:
# ipa host-show <hostname>
  • Get the host keytab using the following command:
# ipa-getkeytab -s localhost -p host/test.example.com -k test.keytab
  • Reload the host details page. The status should say: Kerberos Key Present.
  • Verify the Keytab is True with the following command:
# ipa host-show <hostname>
  • Click Delete Key, Unprovision, a dialog box should appear.
  • Click Unprovision to confirm. The status should change back to: Kerberos Key Not Present.
  • Verify the Keytab is False with the following command:
# ipa host-show <hostname>


Managing Host Certificate

Verify that host certificate can be managed via the UI.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • Create a new host (e.g. test.example.com), then view the host details. Don't use the IPA server's host for this.
  • Initially the certificate status should say: No Valid Certificate.
  • Verify there is no certificate with the following command:
# ipa host-show <hostname>
  • Generate private key using the following command:
# openssl genrsa -out test.key 1024
  • Generate CSR using the following command:
# openssl req -new -nodes -subj '/O=IPA/CN=test.example.com' -key test.key -out test.csr
  • Open test.csr, copy the base-64 encoded CSR data not including the BEGIN/END CERTIFICATE REQUEST delimiters.
  • Click New Certificate, paste the CSR data.
  • Click Issue, the status should now say: Valid Certificate Present.
  • Verify new certificate is created with the following command:
# ipa host-show <hostname>
  • Click Get, the base-64 encoded certificate should be displayed.
  • Verify the base-64 encoded certificate against the output of the previous command.
  • Close the dialog box. Click View, the certificate info should be displayed.
  • Verify the certificate info against the output of the previous command.
  • Close the dialog box.

Deleting Hosts

Verify that the UI can be used to delete hosts.

  • As admin open the Web UI.
  • Go to Identity -> Hosts.
  • Check the checkboxes next to some of the hosts in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the hosts to be deleted.
  • Click Delete, the selected hosts should disappear from the list.
  • Verify the deletion with the following command:
# ipa host-show <hostname>


Services

Managing Service Enrollment

Verify that service enrollment can be managed via the UI.

  • As admin open the Web UI.
  • Go to Identity -> Services.
  • Create a new service (e.g. nfs/test.example.com), then view the service details. Don't use existing IPA services for this.
  • Initially the enrollment status should say: Kerberos Key Not Present.
  • Verify the Keytab is False with the following command:
# ipa service-show <service principal>
  • Get the host keytab using the following command:
# ipa-getkeytab -s localhost -p nfs/test.example.com -k test.keytab
  • Reload the service details page. The status should say: Kerberos Key Present.
  • Verify the Keytab is True with the following command:
# ipa service-show <service principal>
  • Click Delete Key, Unprovision, a dialog box should appear.
  • Click Unprovision to confirm. The status should change back to: Kerberos Key Not Present.
  • Verify the Keytab is False with the following command:
# ipa service-show <service principal>


Managing Service Certificate

Verify that service certificate can be managed via the UI.

  • As admin open the Web UI.
  • Go to Identity -> Services.
  • Create a new service (e.g. nfs/test.example.com), then view the service details. Don't use existing IPA services for this.
  • Initially the certificate status should say: No Valid Certificate.
  • Verify there is no certificate with the following command:
# ipa service-show <service principal>
  • Generate private key using the following command:
# openssl genrsa -out test.key 1024
  • Generate CSR using the following command:
# openssl req -new -nodes -subj '/O=IPA/CN=test.example.com' -key test.key -out test.csr
  • Open test.csr, copy the base-64 encoded CSR data not including the BEGIN/END CERTIFICATE REQUEST delimiters.
  • Click New Certificate, paste the CSR data.
  • Click Issue, the status should now say: Valid Certificate Present.
  • Verify new certificate is created with the following command:
# ipa service-show <service principal> --all
  • Click Get, the base-64 encoded certificate should be displayed.
  • Verify the base-64 encoded certificate against the output of the previous command.
  • Close the dialog box. Click View, the certificate info should be displayed.
  • Verify the certificate info against the output of the previous command.
  • Close the dialog box.


HBAC Rules

Finding HBAC Rules

Verify that the UI can be used to find HBAC rules.

  • As admin open the Web UI.
  • Go to Policy -> HBAC.
  • The page should display a list of all HBAC rules.
  • The list should contain these columns: rule name, user category, host category, enabled, service category and source host category.
  • Above the list there should be a search field.
  • Enter a partial name of a known HBAC rule, then click Find.
  • The list should show HBAC rules with matching names.
  • Empty the search field, then click Find.
  • The list should display all HBAC rules.

Adding HBAC Rules

Verify that the UI can be used to add HBAC rules.

  • As admin open the Web UI.
  • Go to Policy -> HBAC.
  • The page should display a list of all HBAC rules.
  • On the left click Add.
  • Enter rule name and rule type.
  • Click Add.
  • The list should now contain the new HBAC rule.

Editing HBAC Rule's General Attributes

Verify that the UI can be used to edit HBAC rule's general attributes.

  • As admin open the Web UI.
  • Go to Policy -> HBAC.
  • Click one of the HBAC rules in the list.
  • The HBAC rule details should be displayed.
  • Under the General section change the value of some attributes.
  • Undo the changes on some attributes.
  • On the left click Update, the Undo links should disappear.

Editing HBAC Rule's Users

Verify that the UI can be used to edit HBAC rule's users (Who).

  • As admin open the Web UI.
  • Go to Policy -> HBAC.
  • Create a new HBAC rule, then edit it.
  • Initially the user category should be: Specified Users and Groups. The list of Users and User Groups should be empty.
  • On the Users list click Add, select some users, click >>, then click Enroll.
  • The users should be added into the list.
  • Select some users from the Users list, then click Remove.
  • A dialog box should appear listing the users to be deleted. Click Delete, the users should disappear from the list.
  • On the User Groups list click Add, select some groups, click >>, then click Enroll.
  • The groups should be added into the list.
  • Select some groups from the User Groups list, then click Remove.
  • A dialog box should appear listing the groups to be deleted. Click Delete, the groups should disappear from the list.
  • Change the user category to: Anyone. An undo link should appear. The Add/Remove links should become disabled.
  • Click Update, the undo link should disappear. The Users and User Groups lists should become empty.
  • Change the user category back to: Specified Users and Groups. An undo link should appear. The Add/Remove links should become enabled again.
  • Click Update, the undo link should disappear.

Editing HBAC Rule's Target Hosts

Verify that the UI can be used to edit HBAC rule's target hosts (Accessing).

Steps: Similar to Editing HBAC Rule's Users.

Editing HBAC Rule's Services

Verify that the UI can be used to edit HBAC rule's target services (Via Service).

Steps: Similar to Editing HBAC Rule's Users.

Editing HBAC Rule's Source Hosts

Verify that the UI can be used to edit HBAC rule's source hosts (From).

Steps: Similar to Editing HBAC Rule's Users.

Deleting HBAC Rules

Verify that the UI can be used to delete HBAC rules.

  • As admin open the Web UI.
  • Go to Policy -> HBAC.
  • Check the checkboxes next to some of the HBAC rules in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the HBAC rules to be deleted.
  • Click Delete, the selected HBAC rules should disappear from the list.

HBAC Services

Finding HBAC Services

Verify that the UI can be used to find HBAC services.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Services.
  • The page should display a list of all HBAC services.
  • The list should contain these columns: service name and description.
  • Above the list there should be a search field.
  • Enter a partial name of a known HBAC service, then click Find.
  • The list should show HBAC services with matching names.
  • Empty the search field, then click Find.
  • The list should display all HBAC services.

Adding HBAC Services

Verify that the UI can be used to add HBAC services.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Services.
  • The page should display a list of all HBAC services.
  • On the left click Add.
  • Enter service name and description.
  • Click Add.
  • The list should now contain the new HBAC service.

Editing HBAC Services

Verify that the UI can be used to edit HBAC services.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Services.
  • Click one of the HBAC services in the list.
  • The HBAC service details should be displayed.
  • Change the description. An Undo link should appear.
  • On the left click Update, the Undo links should disappear.

Deleting HBAC Services

Verify that the UI can be used to delete HBAC services.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Services.
  • Check the checkboxex next to some of the HBAC services in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the HBAC services to be deleted.
  • Click Delete, the selected HBAC services should disappear from the list.

HBAC Service Groups

Finding HBAC Service Groups

Verify that the UI can be used to find HBAC service groups.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Service Groups.
  • The page should display a list of all HBAC service groups.
  • The list should contain these columns: service group name and description.
  • Above the list there should be a search field.
  • Enter a partial name of a known HBAC service group, then click Find.
  • The list should show HBAC service groups with matching names.
  • Empty the search field, then click Find.
  • The list should display all HBAC service groups.

Adding HBAC Service Group

Verify that the UI can be used to add HBAC service groups.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Service Groups.
  • The page should display a list of all HBAC service groups.
  • On the left click Add.
  • Enter service group name and description.
  • Click Add.
  • The list should now contain the new HBAC service group.

Editing HBAC Service Groups

Verify that the UI can be used to edit HBAC service groups.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Service Groups.
  • Click one of the HBAC service groups in the list.
  • The HBAC service group details should be displayed.
  • Change the description. An undo link should appear.
  • On the left click Update, the undo links should disappear.

Deleting HBAC Service Groups

Verify that the UI can be used to delete HBAC service groups.

  • As admin open the Web UI.
  • Go to Policy -> HBAC -> HBAC Service Groups.
  • Check the checkboxes next to some of the HBAC service groups in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the HBAC service groups to be deleted.
  • Click Delete, the selected HBAC service groups should disappear from the list.

SUDO Rules

Finding SUDO Rules

Verify that the UI can be used to find SUDO rules.

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • The page should display a list of all SUDO rules.
  • The list should contain these columns: rule name, description, command category.
  • Above the list there should be a search field.
  • Enter a partial name of a known SUDO rule, then click Find.
  • The list should show SUDO rules with matching names.
  • Empty the search field, then click Find.
  • The list should display all SUDO rules.

Adding SUDO Rules

Verify that the UI can be used to add SUDO rules.

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • The page should display a list of all SUDO rules.
  • On the left click Add.
  • Enter rule name.
  • Click Add.
  • The list should now contain the new SUDO rule.

Editing SUDO Rule's General Attributes

Verify that the UI can be used to edit SUDO rule's general attributes.

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • Click one of the SUDO rules in the list.
  • The SUDO rule details should be displayed.
  • Under the General section change the value of some attributes.
  • Undo the changes on some attributes.
  • On the left click Update, the undo links should disappear.

Editing SUDO Rule's Users

Verify that the UI can be used to edit SUDO rule's users (Who).

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • Create a new SUDO rule, then edit it.
  • Initially the user category should be: Specified Users and Groups. The list of Users and User Groups should be empty.
  • On the Users list click Add, select some users, click >>, then click Enroll.
  • The users should be added into the list.
  • Select some users from the Users list, then click Remove.
  • A dialog box should appear listing the users to be deleted. Click Delete, the users should disappear from the list.
  • On the User Groups list click Add, select some groups, click >>, then click Enroll.
  • The groups should be added into the list.
  • Select some groups from the User Groups list, then click Remove.
  • A dialog box should appear listing the groups to be deleted. Click Delete, the groups should disappear from the list.
  • Change the user category to: Anyone. An undo link should appear. The Add/Remove links should become disabled.
  • Click Update, the undo link should disappear. The Users and User Groups lists should become empty.
  • Change the user category back to: Specified Users and Groups. An undo link should appear. The Add/Remove links should become enabled again.
  • Click Update, the undo link should disappear.

Editing SUDO Rule's Hosts

Verify that the UI can be used to edit SUDO rule's hosts (Accessing This Host).

Steps: Similar to Editing SUDO Rule's Users.

Editing SUDO Rule's Allow/Deny Commands

Verify that the UI can be used to edit SUDO rule's allow/deny commands (Run Commands).

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • Create a new SUDO rule, then edit it. Go to Run Commands section.
  • There should be 2 subsections: Allow and Deny.
  • The Allow subsection should have a command category.
  • Initially the command category should be: Specified Commands and Groups.
  • Iniitally the list of Allow Commands/Groups should be empty.
  • On the Allow Commands/Groups list click Add, select some commands/groups, click >>, then click Enroll.
  • The commands/groups should be added into the list.
  • Select some commands/groups from the Allow Commands/Groups list, then click Remove.
  • A dialog box should appear listing the commands/groups to be deleted. Click Delete, the commands/groups should disappear from the list.
  • The Deny subsection should not have a command category.
  • Initially the list of Deny Commands/Groups should be empty.
  • On the Deny Commands/Groups list click Add, select some commands/groups, click >>, then click Enroll.
  • The commands/groups should be added into the list.
  • Select some commands/groups from the Deny Commands/Groups list, then click Remove.
  • A dialog box should appear listing the commands/groups to be deleted. Click Delete, the commands/groups should disappear from the list.

Editing SUDO Rule's Run-As Users

Verify that the UI can be used to edit SUDO rule's run-as users (As Whom).

Steps: Similar to Editing SUDO Rule's Users.

Deleting SUDO Rules

Verify that the UI can be used to delete SUDO rules.

  • As admin open the Web UI.
  • Go to Policy -> SUDO.
  • Check the checkboxes next to some of the SUDO rules in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the SUDO rules to be deleted.
  • Click Delete, the selected SUDO rules should disappear from the list.

SUDO Commands

Finding SUDO Commands

Verify that the UI can be used to find SUDO commands.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Commands.
  • The page should display a list of all SUDO commands.
  • The list should contain these columns: SUDO command and description.
  • Above the list there should be a search field.
  • Enter a partial name of a known SUDO command, then click Find.
  • The list should show SUDO commands with matching commands.
  • Empty the search field, then click Find.
  • The list should display all SUDO commands.

Adding SUDO Commands

Verify that the UI can be used to add SUDO commands.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Commands.
  • The page should display a list of all SUDO commands.
  • On the left click Add.
  • Enter SUDO command and description.
  • Click Add.
  • The list should now contain the new SUDO commands.

Editing SUDO Commands

Verify that the UI can be used to edit SUDO commands.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Commands.
  • Click one of the SUDO commands in the list.
  • The SUDO command details should be displayed.
  • Change the description. An Undo link should appear.
  • On the left click Update, the Undo link should disappear.

Deleting SUDO Commands

Verify that the UI can be used to delete SUDO commands.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Commands.
  • Check the checkboxes next to some of the SUDO commands in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the SUDO commands to be deleted.
  • Click Delete, the selected SUDO commands should disappear from the list.

SUDO Command Groups

Finding SUDO Command Groups

Verify that the UI can be used to find SUDO command groups.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Command Groups.
  • The page should display a list of all SUDO command groups.
  • The list should contain these columns: SUDO command group and description.
  • Above the list there should be a search field.
  • Enter a partial name of a known SUDO command group, then click Find.
  • The list should show SUDO command groups with matching names.
  • Empty the search field, then click Find.
  • The list should display all SUDO command groups.

Adding SUDO Command Groups

Verify that the UI can be used to add SUDO command groups.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Command Groups.
  • The page should display a list of all SUDO command groups.
  • On the left click Add.
  • Enter SUDO command group and description.
  • Click Add.
  • The list should now contain the new SUDO command groups.

Editing SUDO Command Groups

Verify that the UI can be used to edit SUDO command groups.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Command Groups.
  • Click one of the SUDO command groups in the list.
  • The SUDO command group details should be displayed.
  • Change the description. An Undo link should appear.
  • On the left click Update, the Undo link should disappear.

Deleting SUDO Command Groups

Verify that the UI can be used to delete SUDO command groups.

  • As admin open the Web UI.
  • Go to Policy -> SUDO -> SUDO Command Groups.
  • Check the checkboxes next to some of the SUDO command groups in the list.
  • On the left click Delete.
  • A confirmation message should appear showing the SUDO command groups to be deleted.
  • Click Delete, the selected SUDO command groups should disappear from the list.


Role Based Access Control

Add subtree permission

  • In tabs click IPA Server->Role Based Access Control
  • In left panel click Permission
  • Click Add
  • set the following fields:
    • permission name:sample-subtree-permission
    • rights: write
    • Target On: Query
    • ldap:///cn=*,cn=roles,cn=accounts,dc=example,dc=com
  • Click Add and Add Another
  • Fields should blank out and be set back to filter

Add filter permission

  • set the following fields:
    • permission name:sample-filter-permission
    • rights: write
    • Target On: Filter
    • ou=engineering
  • Click Add and Add Another
  • Fields should blank out and be set back to filter

Add target group permission

  • set the following fields:
    • permission name:sample-targetgroup-permission
    • rights: write
    • Target On: targetgroup
    • group:editors
  • Click Add
  • Permissions List will update with three new permissions at the end: sample-subtree-permission sample-filter-permission sample-targetgroup-permission

Add type permission

  • Click add in left Panel:
  • set the following fields:
    • permission name:sample-type-permission
    • rights: write
    • Target On: type
    • Type: user
    • attributes: scroll down and click title
  • Click Add and Edit
  • Settings page should display. The type select box should be displayed and set to user, the checkbox next to the title attribute should be checked


Add privilege and assign permissions

  • Click privileges in the left panel
  • click on the add button
  • Fill in the following fields
    • Name: sample-privilege
    • Description: Privilege for testing purposes only.
  • click Add and Edit
  • the privilege settings page should show.
  • in the left panel, under Member Of, click Permissions
  • Click enroll
  • type sample into the text box at the top of the dialog and click Find
  • the left column labeled Available should show the four permissions created above
  • click the checkbox next to the word "Permissions" in the left column
  • all the check boxes in the white area should now be checked
  • click >>
  • he selected permissions should move to to the right column, labeled prospective
  • click enroll
  • the list should now show the four permissions that start with sample

Delete assigned permission

  • click the checkbox next to sample-filter-permission
  • click the deletebutton in the left panel
  • a dialog box should show the selelcted permission
  • click delete
  • the dialog box should close, and a spinner should briefly appear, then the selected permission should disappear from the list.

Create role and assign permissions

  • In the left panel, click roles
  • The list should be prepopulated with some entires.
  • In he left panel, click the add button
  • A dialog should open up
  • fill out the following values:
    • Role Name: sample-role
    • Description: role for testing only
  • click add
  • the role sample-role should be appended to the list
  • click the hyperlink sample-role
  • the role details page should appear, with the name and description
  • in the left panel, under member of click 'Privileges'
  • the list should be empty.
  • in the left panel, click the enroll button
  • in the text box at the top of the dialog, type sample
  • Click the find button
  • The left column labeled privileges should reduce to a single entry, sample-privilege
  • click the checkbox next to sample-privilege
  • click >>
  • click the enroll button
  • The dialog should close, and the list should update with the sample-privilege
  • click the hyperlink 'sample-privilege
  • the privilege settings page should display with the information for sample-privilege

Delete permission assignment

  • You should still be on the settings page for sample-privilege
  • In the left panel, under the word Member of click on the word permissions
  • the four permissions starting with the word sample should be listed
  • click the checkbox at the next to the word sample-type-permission
  • click the delete button in the left panel
  • the sample-type-permission value should be removed from the list

Delete permissions

  • in the left panel, click the word permissions
  • the permission list should show.
  • in the text field at the tope of the page, type the word sample
  • click the find button
  • the list should be reduced to the four permissions starting with the word sample
  • click the checkbox at the top of the page to select all four permissions
  • click delete
  • the list should be empty

Self Service Permissions

Verify that we can add and remove permissions for users to perform self service on various attributes.

# kinit admin
  • open browser
  • navigate to http://server.ipa.example.com
  • Click IPA Server tab
  • Click Self Service Permissions tab:
  • Self Service Permisions should be listed, with only one value in there: user can change own password
  • Click add
  • set to following fields
    • Self-Service name: change-homedir
    • Under attributes, homedirectory
  • Click Add and Edit
  • Close browser

Verify that the permissions are enabled

# kinit psmith
  • open browser, login as psmith
  • user settings page should be displayed. home directory field should now be editable.

Verify that deleting the permission disables the field.

  • close broweser
# kinit admin
  • open browser. go to IPA Server->Self Service Permissions
  • click checkbox next to change-homedir
  • click delete
  • Close browser
  • kinit psmith
  • open browser, login as psmith
  • user settings page should be displayed. home directory field should not be editable anymore.

Delegation

Verify that users assigned to one group can be delegated authority to modify fields for members of another group.

# kinit admin
  • open browser. go to http://server.ipa.example.com
  • click IPA server Top tab
  • click Delegation subtab
  • Should be on delegation list page, and the list should be empty
  • Click Add
  • Fill out the following fileds with the specified values
    • DelegationName: title-delegate
    • scroll down and click title
    • User Group: click editors
    • Member User group: click ipausers
  • Click add and edit.
  • Settyings page should be displayed. Values should be what they were set on 'add'
  • Go to Indentity->User tab.
  • select user psmith
  • User settings page for psmith should show.
  • click on user Groups in the left panel
  • click on the enroll button in the left panel
    • select group editors
    • click >> to move that to the right list of enrollments.
    • click enroll
  • click on Back to List
  • create another user with uid of ptownshend
  • close browser
# kdestroy
# kinit psmith
  • open browser
  • go to http://server.ipa.example.com
  • you should be on the psmith user page. click "Back to List"
  • you should be on the user list page
  • select user ptownshend
  • You should be on that user settings page for ptownshend. Most of the fields should be unwritable, but the title field should be editable.
  • Add the value "Lead Guitar" and click update.
  • Click Back to list
  • The Title field for the user ptownsend should say "Lead Guiter"


Undo and Reset

Verify that the Undo and Reset links can be used to revert attribute values.

  • As admin or user open the Web UI.
  • Open one of the details page (e.g. go to Identity -> Users, click one of the users).
  • Change the value on some of the attributes. An Undo link should appear next to each of the attribute changed.
  • Click the Undo link, the attribute should revert to the original value.
  • Click the Reset link, all attributes should revert to the original values, all Undo links should disappear.

Expected Results

All the test steps should end with the specified results.