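def test_mode_default_ger_no_moddn(topology_m2, moddn_setup):
    """mode moddn_aci : Check Get Effective Rights Controls for entries

    :id: f4785d73-3b14-49c0-b981-d6ff96fa3496
    :setup: MMR with two suppliers,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Search for GER controls on M1
        2. Check 'n' is not in the entryLevelRights
    :expectedresults:
        1. It should pass
        2. It should pass
    """

    supplier1 = topology_m2.ms["supplier1"]
    supplier1.log.info("\n\n######## mode moddn_aci : GER no moddn  ########\n")

    # Ask the server to report the effective rights of BIND_DN over the
    # production subtree (authzId is the "dn: <dn>" form, as bytes).
    request_ctrl = GetEffectiveRightsControl(criticality=True,
                                             authzId=ensure_bytes("dn: " + BIND_DN))
    msg_id = supplier1.search_ext(PRODUCTION_DN,
                                  ldap.SCOPE_SUBTREE,
                                  "objectclass=*",
                                  serverctrls=[request_ctrl])
    _rtype, rdata, _rmsgid, _response_ctrl = supplier1.result3(msg_id)

    # An empty result must be a readable failure, not a vacuous pass (the
    # former str/bytes mix would have raised a TypeError here instead).
    assert rdata, "GER search under %s returned no entries" % PRODUCTION_DN

    # Without a moddn ACI no production entry may grant the rename right
    # ('n'), so every returned entry is checked rather than only the last.
    for dn, attrs in rdata:
        supplier1.log.info("dn: %s" % dn)
        value = attrs['entryLevelRights'][0]
        supplier1.log.info("########  entryLevelRights: %r" % value)
        assert b'n' not in value, "unexpected moddn right on %s: %r" % (dn, value)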
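def test_rdn_write_get_ger(topology_m2, rdn_write_setup):
    """This test checks GER rights for anonymous

    :id: d5d85f87-b53d-4f50-8fa6-a9e55c75419b
    :setup: MMR with two suppliers,
            Add entry tuser
    :steps:
        1. Search for GER controls on M1
        2. Check entryLevelRights value for entries
        3. Check 'n' is not in the entryLevelRights
    :expectedresults:
        1. It should pass
        2. It should be pass
        3. It should pass
    """

    ANONYMOUS_DN = ""
    supplier1 = topology_m2.ms["supplier1"]
    supplier1.log.info("\n\n######## GER rights for anonymous ########\n")

    # An empty DN in the authzId requests the rights of an anonymous user.
    request_ctrl = GetEffectiveRightsControl(criticality=True,
                                             authzId=ensure_bytes("dn:" + ANONYMOUS_DN))
    msg_id = supplier1.search_ext(SUFFIX,
                                  ldap.SCOPE_SUBTREE,
                                  "objectclass=*",
                                  serverctrls=[request_ctrl])
    _rtype, rdata, _rmsgid, _response_ctrl = supplier1.result3(msg_id)

    # With no entries returned the per-value check below would pass
    # vacuously, which would hide a broken search rather than prove rights.
    assert rdata, "GER search under %s returned no entries" % SUFFIX

    # Anonymous must never be reported as holding the rename right ('n').
    for dn, attrs in rdata:
        supplier1.log.info("dn: %s" % dn)
        for value in attrs['entryLevelRights']:
            supplier1.log.info("########  entryLevelRights: %r" % value)
            assert b'n' not in value, "unexpected moddn right on %s: %r" % (dn, value)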
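def test_mode_default_ger_with_moddn(topology_m2, moddn_setup):
    """This test case adds the moddn aci and check ger contains 'n'

    :id: a752a461-432d-483a-89c0-dfb34045a969
    :setup: MMR with two masters,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Add moddn ACI on M2
        2. Search for GER controls on M1
        3. Check entryLevelRights value for entries
        4. Check 'n' is in the entryLevelRights
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
        4. It should pass
    """

    master1 = topology_m2.ms["master1"]
    master1.log.info(
        "\n\n######## mode moddn_aci: GER with moddn ########\n")

    # Add the moddn ACI while bound as manager, then rebind as the normal
    # user whose effective rights are evaluated below.
    _bind_manager(topology_m2)
    _moddn_aci_staging_to_production(topology_m2,
                                     mod_type=ldap.MOD_ADD,
                                     target_from=STAGING_DN,
                                     target_to=PRODUCTION_DN)
    _bind_normal(topology_m2)

    try:
        request_ctrl = GetEffectiveRightsControl(criticality=True,
                                                 authzId=ensure_bytes("dn: " +
                                                                      BIND_DN))
        msg_id = master1.search_ext(PRODUCTION_DN,
                                    ldap.SCOPE_SUBTREE,
                                    "objectclass=*",
                                    serverctrls=[request_ctrl])
        _rtype, rdata, _rmsgid, _response_ctrl = master1.result3(
            msg_id)

        # As in the original test only the last returned entry is examined.
        # Starting from bytes keeps an empty result a clean assertion
        # failure instead of a str/bytes TypeError.
        value = b''
        for dn, attrs in rdata:
            master1.log.info("dn: %s" % dn)
            value = attrs['entryLevelRights'][0]

        master1.log.info("########  entryLevelRights: %r" %
                         value)
        assert b'n' in value, "moddn right missing from entryLevelRights: %r" % (value,)
    finally:
        # Remove the ACI even when the assertion fails, so the extra
        # permission cannot leak into the tests that run afterwards.
        _bind_manager(topology_m2)
        _moddn_aci_staging_to_production(topology_m2,
                                         mod_type=ldap.MOD_DELETE,
                                         target_from=STAGING_DN,
                                         target_to=PRODUCTION_DN)
        _bind_normal(topology_m2)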
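def test_mode_legacy_ger_no_moddn2(topology_m2, moddn_setup):
    """This test checks mode legacy : GER no moddn

    :id: af87e024-1744-4f1d-a2d3-ea2687e2351d
    :setup: MMR with two suppliers,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Disable ACI checks - set nsslapd-moddn-aci: off
        2. Add moddn ACI on M1
        3. Search for GER controls on M1
        4. Check entryLevelRights value for entries
        5. Check 'n' is not in the entryLevelRights
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
        4. It should be pass
        5. It should pass
    """

    supplier1 = topology_m2.ms["supplier1"]
    supplier1.log.info("\n\n######## Disable the moddn aci mod ########\n")
    _bind_manager(topology_m2)
    # Legacy mode: the server does not evaluate moddn ACIs.
    supplier1.config.set(CONFIG_MODDN_ACI_ATTR, 'off')

    supplier1.log.info("\n\n######## mode legacy 2: GER no moddn  ########\n")
    # Add the moddn ACI as manager; with the checks disabled it must not be
    # reflected in the effective rights reported for the normal user.
    _bind_manager(topology_m2)
    _moddn_aci_staging_to_production(topology_m2, mod_type=ldap.MOD_ADD,
                                     target_from=STAGING_DN, target_to=PRODUCTION_DN)
    _bind_normal(topology_m2)

    try:
        request_ctrl = GetEffectiveRightsControl(criticality=True,
                                                 authzId=ensure_bytes("dn: " + BIND_DN))
        msg_id = supplier1.search_ext(PRODUCTION_DN,
                                      ldap.SCOPE_SUBTREE,
                                      "objectclass=*",
                                      serverctrls=[request_ctrl])
        _rtype, rdata, _rmsgid, _response_ctrl = supplier1.result3(msg_id)

        # An empty result is a failure, not a pass (the former str/bytes mix
        # would have raised a TypeError here).
        assert rdata, "GER search under %s returned no entries" % PRODUCTION_DN

        # Every returned entry is checked, not only the last one.
        for dn, attrs in rdata:
            supplier1.log.info("dn: %s" % dn)
            value = attrs['entryLevelRights'][0]
            supplier1.log.info("########  entryLevelRights: %r" % value)
            assert b'n' not in value, "unexpected moddn right on %s: %r" % (dn, value)
    finally:
        # Always remove the ACI so a failed assertion cannot leave it behind
        # for the following tests.
        _bind_manager(topology_m2)
        _moddn_aci_staging_to_production(topology_m2, mod_type=ldap.MOD_DELETE,
                                         target_from=STAGING_DN, target_to=PRODUCTION_DN)
        _bind_normal(topology_m2)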
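def test_mode_legacy_ger_no_moddn1(topology_m2, moddn_setup):
    """This test checks mode legacy : GER no moddn

    :id: e783e05b-d0d0-4fd4-9572-258a81b7bd24
    :setup: MMR with two masters,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Disable ACI checks - set nsslapd-moddn-aci: off
        2. Search for GER controls on M1
        3. Check entryLevelRights value for entries
        4. Check 'n' is not in the entryLevelRights
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
        4. It should pass
    """

    master1 = topology_m2.ms["master1"]
    master1.log.info(
        "\n\n######## Disable the moddn aci mod ########\n")
    _bind_manager(topology_m2)
    # Legacy mode: the server does not evaluate moddn ACIs.
    master1.config.set(CONFIG_MODDN_ACI_ATTR, 'off')

    master1.log.info(
        "\n\n######## mode legacy 1: GER no moddn  ########\n")
    # NOTE(review): the GER search runs on the connection left by
    # _bind_manager above; the authzId names BIND_DN, so the rights reported
    # are those of BIND_DN regardless of the bound identity.
    request_ctrl = GetEffectiveRightsControl(criticality=True,
                                             authzId=ensure_bytes("dn: " +
                                                                  BIND_DN))
    msg_id = master1.search_ext(PRODUCTION_DN,
                                ldap.SCOPE_SUBTREE,
                                "objectclass=*",
                                serverctrls=[request_ctrl])
    _rtype, rdata, _rmsgid, _response_ctrl = master1.result3(
        msg_id)

    # An empty result is a failure, not a pass (the former str/bytes mix
    # would have raised a TypeError here).
    assert rdata, "GER search under %s returned no entries" % PRODUCTION_DN

    # No moddn ACI exists, so no production entry may report the rename
    # right ('n'); every returned entry is checked, not only the last.
    for dn, attrs in rdata:
        master1.log.info("dn: %s" % dn)
        value = attrs['entryLevelRights'][0]
        master1.log.info("########  entryLevelRights: %r" %
                         value)
        assert b'n' not in value, "unexpected moddn right on %s: %r" % (dn, value)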
    def get_effective_rights(self, dn, attrs_list):
        """Fetch *dn* together with the bound user's effective rights on it.

        The Get Effective Rights control is attached for the identity the
        connection is currently bound as, so the returned entry carries
        ``attributeLevelRights`` for ``attrs_list`` and ``entryLevelRights``
        for the entry itself.
        """

        assert isinstance(dn, DN)

        # Assumes whoami_s() answers in the "dn: <bind dn>" form; the slice
        # drops that 4-character prefix before it is re-added below.
        who = self.conn.whoami_s()
        bind_dn = who[4:]
        authz_id = "dn: {0}".format(bind_dn).encode('utf-8')
        ger_control = GetEffectiveRightsControl(True, authz_id)

        self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, [ger_control])
        try:
            result = self.get_entry(dn, attrs_list)
        finally:
            # Clear the control again so later operations on this
            # connection are not evaluated with GER attached.
            self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, [])
        return result
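    def get_effective_rights(self, dn, attrs_list):
        """Returns the rights the currently bound user has for the given DN.

           Returns 2 attributes, the attributeLevelRights for the given list of
           attributes and the entryLevelRights for the entry itself.

           The identity used for the GER request is the LDAP entry matching
           the Kerberos principal in ``context``, not the bind DN of the
           underlying connection.
        """

        assert isinstance(dn, DN)

        # Resolve the request's principal to its LDAP entry; its DN becomes
        # the authzId the server evaluates rights for.
        principal = context.principal
        principal_entry = self.find_entry_by_attr("krbprincipalname",
                                                  principal,
                                                  "krbPrincipalAux",
                                                  base_dn=self.api.env.basedn)
        sctrl = [GetEffectiveRightsControl(True, "dn: " + str(principal_entry.dn))]
        self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, sctrl)
        try:
            entry = self.get_entry(dn, attrs_list)
        finally:
            # remove the control so subsequent operations don't include GER
            self.conn.set_option(_ldap.OPT_SERVER_CONTROLS, [])
        return entry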
def test_mode_legacy_ger_with_moddn(topology_m2, moddn_setup):
    """This test checks mode legacy : GER with moddn

    :id: 37c1e537-1b5d-4fab-b62a-50cd8c5b3493
    :setup: MMR with two suppliers,
            M1 - staging DIT
            M2 - production DIT
            add test accounts in staging DIT
    :steps:
        1. Disable ACI checks - set nsslapd-moddn-aci: off
        2. Add moddn ACI on M1
        3. Search for GER controls on M1
        4. Check entryLevelRights value for entries
        5. Check 'n' is in the entryLevelRights
        6. Try MOD with the both ACI
    :expectedresults:
        1. It should pass
        2. It should pass
        3. It should pass
        4. It should pass
        5. It should pass
        6. It should pass
    """

    suffix = Domain(topology_m2.ms["supplier1"], SUFFIX)

    topology_m2.ms["supplier1"].log.info("\n\n######## Disable the moddn aci mod ########\n")
    _bind_manager(topology_m2)
    # Legacy mode: the server does not evaluate moddn ACIs.
    topology_m2.ms["supplier1"].config.set(CONFIG_MODDN_ACI_ATTR, 'off')

    topology_m2.ms["supplier1"].log.info("\n\n######## mode legacy : GER with moddn  ########\n")

    # In legacy mode the rename right comes from being allowed to read and
    # write the RDN attribute (uid) of the production entries, so the ACI
    # grants read/search/write on "uid" under PRODUCTION_DN to BIND_DN.
    # The ACI text is assembled from test constants only, not from input.
    ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"uid\")" % (PRODUCTION_DN)
    ACI_ALLOW = "(version 3.0; acl \"MODDN production changing the RDN attribute\"; allow (read,search,write)"
    ACI_SUBJECT = " userdn = \"ldap:///%s\";)" % BIND_DN
    ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT

    # Add the ACI as manager, then rebind as the normal user for the GER query.
    _bind_manager(topology_m2)
    suffix.add('aci', ACI_BODY)
    _bind_normal(topology_m2)

    request_ctrl = GetEffectiveRightsControl(criticality=True, authzId=ensure_bytes("dn: " + BIND_DN))
    msg_id = topology_m2.ms["supplier1"].search_ext(PRODUCTION_DN,
                                                  ldap.SCOPE_SUBTREE,
                                                  "objectclass=*",
                                                  serverctrls=[request_ctrl])
    rtype, rdata, rmsgid, response_ctrl = topology_m2.ms["supplier1"].result3(msg_id)
    # Only the entryLevelRights of the last returned entry are kept; `value`
    # starts as str, so an empty result makes the bytes check below raise
    # TypeError rather than fail cleanly.
    value = ''
    for dn, attrs in rdata:
        topology_m2.ms["supplier1"].log.info("dn: %s" % dn)
        value = attrs['entryLevelRights'][0]

    topology_m2.ms["supplier1"].log.info("########  entryLevelRights: %r" % value)
    assert b'n' in value

    # NOTE(review): the ACI removal below is not guarded by try/finally, so a
    # failed assertion above leaves the extra permission on the suffix for
    # the tests that follow.
    _bind_manager(topology_m2)
    suffix.remove('aci', ACI_BODY)