Beispiel #1
0
def aci_of_user(request, topo):
    """
    :param request:
    :param topo:
    """

    # Add anonymous access aci
    ACI_TARGET = "(targetattr != \"userpassword\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    try:
        suffix.add('aci', ANON_ACI)
    except ldap.TYPE_OR_VALUE_EXISTS:
        pass

    aci_list = suffix.get_attr_vals('aci')

    def finofaci():
        """
        Removes and Restores ACIs after the test.
        """
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        domain.remove_all('aci')
        for i in aci_list:
            domain.add("aci", i)

    request.addfinalizer(finofaci)
Beispiel #2
0
def test_connection_from_an_unauthorized_network(topo, add_user, aci_of_user):
    """
    User cannot access the data when connectin from an unauthorized network as per the ACI.

    :id: 52d1ecce-7ac5-11e8-9ad9-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    old_hostname = socket.gethostname()
    socket.sethostname('localhost')
    hostname = socket.gethostname()

    # Add ACI
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", f'(target = "ldap:///{IP_OU_KEY}")'
                      f'(targetattr="*")(version 3.0; aci "IP aci"; '
                      f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
                      f'and (ip != "127.0.0.1" and ip != "::1") ;)')

    # create a new connection for the test
    new_uri = topo.standalone.ldapuri.replace(old_hostname, hostname)
    topo.standalone.ldapuri = new_uri
    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)

    # Perform Operation
    topo.standalone.config.set('nsslapd-errorlog-level', '128')
    org = OrganizationalUnit(conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")

    # Remove the ACI
    domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
    # Add new ACI
    domain.add('aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")'
                      f'(version 3.0; aci "IP aci"; allow(all) '
                      f'userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1") ;)')
    time.sleep(1)

    # now user can access data
    org.replace("seeAlso", "cn=1")
Beispiel #3
0
def test_connectin_from_an_unauthorized_network(topo, add_user, aci_of_user):
    """
    User cannot access the data when connectin from an unauthorized network as per the ACI.

    :id:52d1ecce-7ac5-11e8-9ad9-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Find the ip from ds logs , as we need to know the exact ip used by ds to run the instances.
    ip_ip = topo.standalone.ds_access_log.match(
        '.* connection from ')[0].split()[-1]
    # Add ACI
    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add(
        "aci", f'(target = "ldap:///{IP_OU_KEY}")'
        f'(targetattr=*)(version 3.0; aci "IP aci"; '
        f'allow(all) userdn = "ldap:///{NETSCAPEIP_KEY}" '
        f'and ip != "{ip_ip}" ;)')

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")
    # Remove the ACI
    domain.ensure_removed('aci', domain.get_attr_vals('aci')[-1])
    # Add new ACI
    domain.add(
        'aci', f'(target = "ldap:///{IP_OU_KEY}")(targetattr=*)'
        f'(version 3.0; aci "IP aci"; allow(all) '
        f'userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "{ip_ip}" ;)')

    # now user can access data
    org.replace("seeAlso", "cn=1")
Beispiel #4
0
def aci_of_user(request, topo):
    # Add anonymous access aci
    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    try:
        suffix.add('aci', ANON_ACI)
    except ldap.TYPE_OR_VALUE_EXISTS:
        pass

    aci_list = suffix.get_attr_vals('aci')

    def finofaci():
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        domain.set('aci', None)
        for i in aci_list:
            domain.add("aci", i)

    request.addfinalizer(finofaci)