From 44132f1f51337653c8ae21e6253f1a251b391c41 Mon Sep 17 00:00:00 2001
From: Erik Belko
Date: Fri, 10 Feb 2023 00:23:11 +0100
Subject: [PATCH 1/2] ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

Testing if manager whose rights defined by the group membership is able to add group members, after upgrade of ipa server. Using ACI modification to demonstrate unability before upgrading ipa server.

Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko
---
 ipatests/pytest_ipa/integration/tasks.py | 19 +++++
 .../test_integration/test_membermanager.py | 81 +++++++++++++++++++
 2 files changed, 100 insertions(+)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 8cacf8d152d..25e14fc3f53 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2081,6 +2081,25 @@ def group_add(host, groupname, extra_args=()):
     return host.run_command(cmd)
 
 
+def group_del(host, groupname):
+    cmd = [
+        "ipa", "group-del", groupname,
+    ]
+    return host.run_command(cmd)
+
+
+def group_add_member(host, groupname, users=None,
+                     raiseonerr=True, extra_args=()):
+    cmd = [
+        "ipa", "group-add-member", groupname
+    ]
+    if users:
+        cmd.append("--users")
+        cmd.append(users)
+    cmd.extend(extra_args)
+    return host.run_command(cmd, raiseonerr=raiseonerr)
+
+
 def ldapmodify_dm(host, ldif_text, **kwargs):
     """Run ldapmodify as Directory Manager
 
diff --git a/ipatests/test_integration/test_membermanager.py b/ipatests/test_integration/test_membermanager.py
index bd26b20d3f2..7a85eb84c64 100644
--- a/ipatests/test_integration/test_membermanager.py
+++ b/ipatests/test_integration/test_membermanager.py
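Review bot: `group_add_member` names its parameter `users` (plural) but `cmd.append(users)` passes whatever object it receives as one argv element after `--users`, so a single user name works while a list would be handed to `host.run_command` as an unexpanded list element rather than as several names; both callers in the second file pass one string. Either rename the parameter to `user` (the helpers are new in this commit, so no other callers are affected) or pin the contract in a docstring, e.g. `"""Run ``ipa group-add-member`` on *host*; ``users`` is the single value passed to ``--users``."""`. `group_del` likewise lacks a docstring while the neighbouring `group_add` (the hunk's leading context) shows the helper shape this module uses; a one-liner such as `"""Delete the IPA group *groupname* on *host* via ``ipa group-del``."""` would do.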
@@ -212,3 +212,84 @@ def test_hostgroup_member_manager_nopermission(self):
             "'write' privilege to the 'memberManager' attribute of entry"
         )
         assert expected in result.stdout_text
+
+    @tasks.pytest.fixture
+    def prepare_mbr_manager_upgrade(self):
+        user = "idmuser"
+        password = "Secret123"
+        group1 = "role-groupmanager"
+        group2 = "role-usergroup-A"
+
+        master = self.master
+
+        tasks.kinit_admin(master)
+        tasks.group_add(master, group1)
+        tasks.group_add(master, group2)
+        tasks.create_active_user(master, user, password)
+
+        tasks.kinit_admin(master)
+        tasks.group_add_member(master, group1, user)
+        master.run_command(["ipa", "group-add-member-manager", "--groups",
+                            group1, group2])
+
+        yield user, password, group2
+
+        # cleanup
+        tasks.kinit_admin(master)
+        tasks.user_del(master, user)
+        tasks.group_del(master, group1)
+        tasks.group_del(master, group2)
+
+    def test_member_manager_upgrade_scenario(self, prepare_mbr_manager_upgrade):
+        """
+        Testing if manager whose rights defined by the group membership
+        is able to add group members, after upgrade of ipa server.
+        Using ACI modification to demonstrate unability before upgrading
+        ipa server.
+
+        Related: https://pagure.io/freeipa/issue/9286
+        """
+        user, password, group2 = prepare_mbr_manager_upgrade
+
+        master = self.master
+
+        base_dn = self.master.domain.basedn
+        aci_hostgroup = (
+            '(targetattr = "member")(targetfilter = '
+            '"(objectclass=ipaHostGroup)")'
+            '(version 3.0; acl "Allow member managers '
+            'to modify members of host groups"; allow (write) userattr = '
+            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
+        )
+        aci_usergroup = (
+            '(targetattr = "member")(targetfilter = '
+            '"(objectclass=ipaUserGroup)")'
+            '(version 3.0; acl "Allow member managers '
+            'to modify members of user groups"; allow (write) userattr = '
+            '"memberManager#USERDN" or userattr = "memberManager#GROUPDN";)'
+        )
+        ldif_entry = tasks.textwrap.dedent(
+            """
+            dn: cn=hostgroups,cn=accounts,{base_dn}
+            changetype: modify
+            delete: aci
+            aci: {aci_hostgroup}
+
+            dn: cn=groups,cn=accounts,{base_dn}
+            changetype: modify
+            delete: aci
+            aci: {aci_usergroup}
+""").format(base_dn=base_dn,
+            aci_hostgroup=aci_hostgroup,
+            aci_usergroup=aci_usergroup)
+        tasks.ldapmodify_dm(master, ldif_entry)
+
+        tasks.kinit_as_user(master, user, password)
+        # in this point this command should fail
+        result = tasks.group_add_member(master, group2, "admin",
+                                        raiseonerr=False)
+        assert result.returncode == 1
+        assert "Insufficient access" in result.stdout_text
+
+        master.run_command(['ipa-server-upgrade'])
+        tasks.group_add_member(master, group2, "admin")

From b504ed43cc6708cd04f88f7e65218e7bee9e4444 Mon Sep 17 00:00:00 2001
From: root
Date: Tue, 26 Nov 2024 23:00:10 +0000
Subject: [PATCH 2/2] automated commit

---
 .freeipa-pr-ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..1953b6361c8 120000
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/nightly_previous.yaml
\ No newline at end of file
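Review bot: The two ACI deletions that `tasks.ldapmodify_dm(master, ldif_entry)` applies to `cn=groups` and `cn=hostgroups` are only undone by the later `master.run_command(['ipa-server-upgrade'])`, so if `tasks.kinit_as_user` or either assertion before it fails, the shared master is left without the member-manager ACIs for every test that runs after this one, and the fixture's cleanup after `yield` does not cover that. Wrapping the pre-upgrade check in `try`/`finally` so the upgrade — which the test itself already relies on to restore the ACIs — runs unconditionally keeps the master's authorization policy intact on failure; the rewritten tail of the test is below. Separately, `@tasks.pytest.fixture` and `tasks.textwrap.dedent` reach `pytest` and `textwrap` through the `tasks` module's namespace, which is a style smell; import them in this file (`import pytest`, `import textwrap`) unless the file header, which is outside the hunk, already does. The enclosing class starts outside the hunk.
```python
        # … unchanged: fixture, ACI strings and ldif_entry construction …
        tasks.ldapmodify_dm(master, ldif_entry)

        try:
            tasks.kinit_as_user(master, user, password)
            # the ACIs were just removed, so the member manager must be refused
            result = tasks.group_add_member(master, group2, "admin",
                                            raiseonerr=False)
            assert result.returncode == 1
            assert "Insufficient access" in result.stdout_text
        finally:
            # restore the ACIs even when the assertions above fail, so later
            # tests on this master do not run with them missing
            master.run_command(['ipa-server-upgrade'])

        tasks.group_add_member(master, group2, "admin")
```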