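def create_test_ou(instance, ou=None, suffix=None):
    """
    Creates a new Organizational Unit for testing.

    It tries to create a ou that doesn't already exist by using a different
    ID each time: the module-level counter ``test_ou_id`` is read and then
    incremented on every call that does not pass ``ou``. However, if it is
    provided with an existing ou/suffix it will fail to create a new ou and
    it will raise an LDAP error.

    :param instance: the server instance handed to ``OrganizationalUnit``
    :param ou: RDN value of the OU; auto-generated as ``TestOU_<n>`` when None
    :param suffix: parent DN of the OU; ``DEFAULT_SUFFIX`` when None
    :returns: the created OrganizationalUnit object
    """
    global test_ou_id

    if ou is None:
        ou = "TestOU_" + str(test_ou_id)
        test_ou_id += 1

    if suffix is None:
        suffix = DEFAULT_SUFFIX

    # The DN is assembled by plain concatenation; the RDN value is used
    # verbatim, so a caller that passes a name containing DN special
    # characters (',', '+', '"', ...) should escape it per RFC 4514 first.
    # (A dead duplicate assignment of ``dn`` without the "ou=" prefix was
    # removed here.)
    dn = "ou=" + ou + "," + suffix

    properties = {
        'ou': ou,
    }

    ou = OrganizationalUnit(instance, dn)
    ou.create(properties=properties)

    return ou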
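def test_user_binds_without_any_password_and_cannot_access_the_data(
        topo, add_user, aci_of_user):
    """User binds without any password and cannot access the data

    :id: 205777fa-7ac5-11e8-ba2f-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind anonymously and try to modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI (the rule stored under SIMPLE_ACI_KEY is defined elsewhere;
    # presumably it requires an authenticated simple bind -- confirm).
    _add_aci(topo, SIMPLE_ACI_KEY)

    # Create a new connection for this test: an anonymous bind carries no
    # credentials, so it must not satisfy the ACI.
    conn = Anonymous(topo.standalone).bind()
    # Perform Operation: the server must refuse the write.
    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")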
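def test_dayofweek_keyword_today_can_access(topo, add_user, aci_of_user):
    """
    User can access the data one day per week as per the ACI.

    :id: 7131dc88-7ac5-11e8-acc2-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI whose dayofweek keyword names the current weekday
        3. Bind as TODAY_KEY and modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # The dayofweek keyword takes English three-letter day names (see the
    # "Sun, Mon, ..." list used by the sibling test).  Derive today's name
    # from tm_wday (Monday == 0) rather than from strftime("%c"), whose
    # output is locale dependent and would not match under a non-C locale.
    today_1 = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")[time.localtime().tm_wday]
    # Add ACI
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                      f'and dayofweek = \'{today_1}\' ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, TODAY_KEY).bind(PW_DM)
    # Perform Operation: allowed, because the ACI names today.
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    org.replace("seeAlso", "cn=1")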
def test_dayofweek_keyword_test_everyday_can_access(topo, add_user, aci_of_user):
    """
    User can access the data EVERYDAY_KEY as per the ACI.

    :id: 6c5922ca-7ac5-11e8-8f01-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # The ACI lists every day of the week, so EVERYDAY_KEY is allowed
    # all operations on DAYOFWEEK_OU_KEY regardless of when the test runs.
    everyday_aci = (f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                    f'(targetattr="*")(version 3.0; aci "Dayofweek aci"; '
                    f'allow(all) userdn = "ldap:///{EVERYDAY_KEY}" and '
                    f'dayofweek = "Sun, Mon, Tue, Wed, Thu, Fri, Sat" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", everyday_aci)

    # Bind as the user named in the ACI and modify the protected OU;
    # no exception is expected.
    user_conn = UserAccount(topo.standalone, EVERYDAY_KEY).bind(PW_DM)
    OrganizationalUnit(user_conn, DAYOFWEEK_OU_KEY).replace("seeAlso", "cn=1")
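def test_user_cannot_access_the_data_if_not_from_a_certain_domain(
        topo, add_user, aci_of_user):
    """User cannot access the data if not from a certain domain as per the ACI.

    :id: 3d658972-7ac5-11e8-930f-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI allowing NODNS_KEY only from a host the test client is not
        3. Bind as NODNS_KEY and try to modify the OU named in the ACI
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI: the dns keyword names a host that is not the test client,
    # so the allow rule must not match.
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                   f'(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{NODNS_KEY}" '
                   f'and dns = "RAP.rock.SALSA.house.COM" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    # Perform Operation on the OU the ACI actually targets (DNS_OU_KEY).
    # The previous version modified AUTHMETHOD_OU_KEY, which the ACI added
    # here does not cover, so the denial held without the dns condition
    # ever being evaluated; the sibling dnsalias test targets DNS_OU_KEY.
    org = OrganizationalUnit(conn, DNS_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")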
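def test_ip_keyword_test_noip_cannot(topo, add_user, aci_of_user):
    """
    User NoIP cannot access the data as per the ACI.

    :id: 570bc7f6-7ac5-11e8-88c1-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI allowing FULLIP_KEY from any IP
        3. Bind as NOIP_KEY (not named in the ACI) and try to modify the OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI: it grants FULLIP_KEY, not NOIP_KEY, so the bind below is
    # covered by no allow rule on IP_OU_KEY.
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target ="ldap:///{IP_OU_KEY}")'
                                      f'(targetattr="*")(version 3.0; aci "IP aci"; allow(all) '
                                      f'userdn = "ldap:///{FULLIP_KEY}" and ip = "*" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NOIP_KEY).bind(PW_DM)
    # Perform Operation: the server must refuse the write.
    org = OrganizationalUnit(conn, IP_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")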
def test_user_can_access_the_data_at_any_time(topo, add_user, aci_of_user):
    """
    User can access the data at any time as per the ACI.

    :id: 5b4da91a-7ac5-11e8-bbda-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # The timeofday window 0000-2359 covers the whole day, so FULLWORKER_KEY
    # is allowed all operations on TIMEOFDAY_OU_KEY whenever the test runs.
    anytime_aci = (f'(target = "ldap:///{TIMEOFDAY_OU_KEY}")'
                   f'(targetattr="*")(version 3.0; aci "Timeofday aci"; '
                   f'allow(all) userdn ="ldap:///{FULLWORKER_KEY}" and '
                   f'(timeofday >= "0000" and timeofday <= "2359") ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", anytime_aci)

    # Bind as the allowed user and modify the protected OU; no error expected.
    user_conn = UserAccount(topo.standalone, FULLWORKER_KEY).bind(PW_DM)
    OrganizationalUnit(user_conn, TIMEOFDAY_OU_KEY).replace("seeAlso", "cn=1")
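def test_authenticated_but_has_no_rigth_on_the_data(topo, add_user,
                                                    aci_of_user):
    """User has a password. He is authenticated but has no right on the data.

    :id: 11be7ebe-7ac5-11e8-b754-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as SIMPLE_1_KEY and try to modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI (the rule stored under NONE_ACI_KEY is defined elsewhere).
    _add_aci(topo, NONE_ACI_KEY)

    # Create a new connection for this test: a successful bind proves
    # authentication only; authorization is still decided by the ACI.
    conn = UserAccount(topo.standalone, SIMPLE_1_KEY).bind(PW_DM)
    # Perform Operation: the server must refuse the write.
    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")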
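def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
    """Dnsalias Keyword NODNS_KEY cannot access data as per the ACI.

    :id: 41b467be-7ac5-11e8-89a3-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI allowing NODNS_KEY only from a dnsalias the client is not
        3. Bind as NODNS_KEY and try to modify the target OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI: the dnsalias value names a host the test client is not,
    # so the allow rule must not match.
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")(targetattr="*")'
                   f'(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{NODNS_KEY}" and '
                   f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    # Perform Operation: the server must refuse the write.
    org = OrganizationalUnit(conn, DNS_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")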
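def test_user_cannot_access_the_data_at_all(topo, add_user, aci_of_user):
    """
    User cannot access the data at all as per the ACI.

    :id: 75cdac5e-7ac5-11e8-968a-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI for TODAY_KEY
        3. Bind as NODAY_KEY (not named in any ACI) and try to modify the OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Modify should be rejected with INSUFFICIENT_ACCESS
    """
    # Add ACI.  It grants TODAY_KEY, not the user bound below, so NODAY_KEY
    # is covered by no allow rule on DAYOFWEEK_OU_KEY.
    # NOTE(review): the literal "$NEW_DATE" looks like an unexpanded
    # placeholder from an earlier script; the day value is never a real
    # weekday here, so the rule cannot match anyone -- confirm intent.
    Domain(topo.standalone,
           DEFAULT_SUFFIX).add("aci", f'(target = "ldap:///{DAYOFWEEK_OU_KEY}")'
                                      f'(targetattr="*")(version 3.0; aci "Dayofweek aci";  '
                                      f'allow(all) userdn = "ldap:///{TODAY_KEY}" '
                                      f'and dayofweek = "$NEW_DATE" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODAY_KEY).bind(PW_DM)
    # Perform Operation: the server must refuse the write.
    org = OrganizationalUnit(conn, DAYOFWEEK_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")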
def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
    """Non-regression test for BUG 326000: MemberURL needs to be normalized

    Access is granted through a dynamic group; the test writes once with the
    memberURL as created and once after the uid in the URL has been
    re-cased, so group membership (and therefore the groupdn ACL) must not
    depend on the case of the filter value.

    :id: a5d172e6-7db8-11e8-aca7-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # ACL on ou=PEOPLE granting everything to the dynamic group; the group
    # DN is deliberately written with odd spacing ("cn =DYNGROUP,... ").
    people_ou = OrganizationalUnit(topo.standalone, f"ou=PEOPLE,{DEFAULT_SUFFIX}")
    people_ou.set(
        'aci',
        f'(targetattr= *)(version 3.0; acl "tester"; allow(all) '
        f'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {DEFAULT_SUFFIX}";)')

    member_url = f"ldap:///ou=PEOPLE,{DEFAULT_SUFFIX}??sub?(uid=test_user_2)"
    Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE').create(
        properties={
            "cn": "DYNGROUP",
            "description": "DYNGROUP",
            'objectClass': 'groupOfURLS',
            'memberURL': member_url,
        })

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    for uid_gid, description in ((1, "Entry to test rights on."),
                                 (2, "Member of DYNGROUP")):
        test_user = uas.create_test_user(uid=uid_gid, gid=uid_gid)
        test_user.replace_many(('description', description), ('userPassword', PW_DM))

    # With the normal URL: bind as the group member and write to its entry.
    # (Assumes uas.list()[1] is test_user_2 -- relies on list order; verify.)
    member_dn = uas.list()[1].dn
    member_conn = UserAccount(topo.standalone, member_dn).bind(PW_DM)
    harry = UserAccount(member_conn, member_dn)
    harry.add('sn', 'FRED')

    # With an abnormal (differently cased) URL the same write must still work.
    dyngroup = Group(topo.standalone, DYNGROUP)
    dyngroup.remove('memberurl', member_url)
    dyngroup.add('memberurl',
                 f"ldap:///ou=PEOPLE,{DEFAULT_SUFFIX}??sub?(uid=tesT_UsEr_2)")
    harry.add('sn', 'Not FRED')

    for leftover in uas.list():
        leftover.delete()
def test_renaming_target_entry(topo, _add_user, aci_of_user):
    """Test for renaming target entry

    An ACI granting read/search/compare to TRAC340_MODRDN is placed on
    ou=OU0; the OU is then renamed and moved under ou=OU2 and the user must
    still be able to read it after each rename.

    :id: 6be1d33a-7932-11e8-9115-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Create a test user entry
        3. Create a new ou entry with an aci
        4. Make sure uid=$MYUID has the access
        5. Rename ou=OU0 to ou=OU1
        6. Create another ou=OU2
        7. Move ou=OU1 under ou=OU2
        8. Make sure uid=$MYUID still has the access
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
        4. Operation should  succeed
        5. Operation should  succeed
        6. Operation should  succeed
        7. Operation should  succeed
        8. Operation should  succeed
    """
    user_name = 'TRAC340_MODRDN'
    modrdn_user = UserAccount(topo.standalone, f'cn={user_name},{DEFAULT_SUFFIX}')
    modrdn_user.create(properties={
        'uid': user_name,
        'cn': user_name,
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': f'/home/{user_name}',
    })
    # The bind below uses PW_DM; presumably PW_DM == "password" -- verify.
    modrdn_user.set("userPassword", "password")

    ou0 = OrganizationalUnit(topo.standalone, f'ou=OU0,{DEFAULT_SUFFIX}')
    ou0.create(properties={'ou': 'OU0'})
    ou0.set(
        'aci',
        f'(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{TRAC340_MODRDN}";)')

    user_conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
    assert OrganizationalUnits(user_conn, DEFAULT_SUFFIX).get('OU0')

    # Rename the target entry in place and re-check access as the user.
    admin_ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    admin_ous.get('OU0').rename("ou=OU1")
    assert OrganizationalUnits(user_conn, DEFAULT_SUFFIX).get('OU1')

    # Move the renamed entry under a new parent and re-check access again.
    ou2 = OrganizationalUnit(topo.standalone, f'ou=OU2,{DEFAULT_SUFFIX}')
    ou2.create(properties={'ou': 'OU2'})
    admin_ous.get('OU1').rename("ou=OU1", newsuperior=OU2_OU_MODRDN)
    assert OrganizationalUnits(user_conn, DEFAULT_SUFFIX).get('OU1')
def _populate_suffix(instance, suffixname):
    """Create the ``o=<suffixname>`` organization and its ``ou=people`` child.

    :param instance: server instance the entries are created on
    :param suffixname: value of the ``o`` RDN of the new suffix
    """
    org_dn = f'o={suffixname}'
    Organization(instance, org_dn).create(
        properties={'o': suffixname, 'description': 'test'})
    OrganizationalUnit(instance, f'ou=people,{org_dn}').create(
        properties={'ou': 'people'})
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user,
                                                     cleanup_tree):
    """
    Modify Test 6 Allow write access to target with wildcards
    :id:825fe884-7abf-11e8-8541-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # ACI on the whole suffix: anyone may write any attribute.
    # NOTE(review): the target carries no wildcard character; presumably the
    # suffix-wide target is what "wildcards" refers to -- confirm.
    aci_body = ('(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; '
                'allow (write) (userdn = "ldap:///anyone") ;)').format(DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    for ou_name in ('Product Development', 'Accounting', 'Human Resources'):
        OrganizationalUnit(topo.standalone,
                           f"ou={ou_name},{DEFAULT_SUFFIX}").create(properties={'ou': ou_name})

    for person in ('Jeff Vedder,ou=Product Development',
                   'Sam Carter,ou=Accounting',
                   'Kirsten Vaughan, ou=Human Resources'):
        UserAccount(topo.standalone, f"cn={person},{DEFAULT_SUFFIX}").create(
            properties={
                'uid': person,
                'cn': person,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + person,
                'userPassword': PW_DM,
            })

    # Allow write access to target with wildcards: each bound user writes a
    # title on another user's entry and reads it back.
    for binder, target in ((USER_DELADD, KIRSTENVAUGHAN),
                           (USER_WITH_ACI_DELADD, USER_DELADD)):
        bound_conn = UserAccount(topo.standalone, binder).bind(PW_DM)
        target_account = UserAccount(bound_conn, target)
        target_account.add("title", "Architect")
        assert target_account.get_attr_val('title')
    def fin():
        """
        Deletes entries after the test.

        Removes every user account under the suffix, every group, and the
        ou=Accounting entry; ``topo`` comes from the enclosing scope.
        """
        for account in UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=None).list():
            account.delete()

        for group in Groups(topo.standalone, DEFAULT_SUFFIX).list():
            group.delete()

        OrganizationalUnit(topo.standalone, f'ou=Accounting,{DEFAULT_SUFFIX}').delete()
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree,
                                          request):
    """Modify Test 7 Allow write access to userdnattr

    :id: 86b418f6-7abf-11e8-ae28-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # NOTE(review): the ACI grants write to "ldap:///anyone", so the manager
    # attribute added further down is not what authorises the modify; the
    # userdnattr keyword named in the test title is not exercised here.
    aci_body = ('(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";'
                'allow (write) (userdn = "ldap:///anyone"); )').format(
                    DEFAULT_SUFFIX, request.node.name)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(topo.standalone,
                           f"ou={ou_name},{DEFAULT_SUFFIX}").create(properties={'ou': ou_name})

    for person in ('Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'):
        UserAccount(topo.standalone, f"cn={person},{DEFAULT_SUFFIX}").create(
            properties={
                'uid': person,
                'cn': person,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + person,
                'userPassword': PW_DM,
            })

    UserAccount(topo.standalone,
                USER_WITH_ACI_DELADD).add('manager', USER_WITH_ACI_DELADD)
    bound_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # Allow write access to userdnattr: add two uid values and read back.
    target_account = UserAccount(bound_conn, USER_DELADD)
    for extra_uid in ('scoobie', 'jvedder'):
        target_account.add('uid', extra_uid)
        assert target_account.get_attr_val('uid')
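def test_ticket50234(topology_st):
    """
    The fix for ticket 50234


    The test sequence is:
    - create more than 10 entries with objectclass organizational units ou=org{}
    - add an Account in one of them, eg below ou=org5
    - do searches with search base ou=org5 and search filter "objectclass=organizationalunit"
    - a subtree search should return 1 entry, the base entry
    - a onelevel search should return no entry

    :param topology_st: standalone topology fixture
    """

    log.info(
        'Testing Ticket 50234 - onelvel search returns not matching entry')

    # Give each OU an ou value that matches its RDN.  The earlier
    # 'Org'.format(i) had no placeholder, so every entry got ou: Org.
    for i in range(1, 15):
        ou = OrganizationalUnit(topology_st.standalone,
                                "ou=Org{},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': 'Org{}'.format(i)})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': '******'
    }
    user = UserAccount(topology_st.standalone,
                       "cn=Jeff Vedder,ou=org5,{}".format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    base_dn = "ou=org5,{}".format(DEFAULT_SUFFIX)
    ou_filter = "(objectclass=organizationalunit)"

    # in a subtree search the entry used as search base matches the filter and should be returned
    ent = topology_st.standalone.getEntry(base_dn, ldap.SCOPE_SUBTREE, ou_filter)
    assert ent

    # in a onelevel search the only child is a user account which does not match the filter:
    # no entry should be returned, which makes getEntry raise NO_SUCH_OBJECT
    found = True
    try:
        topology_st.standalone.getEntry(base_dn, ldap.SCOPE_ONELEVEL, ou_filter)
    except ldap.NO_SUCH_OBJECT:
        found = False
    assert not found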
def test_user_can_access_the_data_when_connecting_from_internal_ds_network_only(
        topo, add_user, aci_of_user):
    """
    User can access the data when connecting from internal ICNC network only as per the ACI.

    :id: 2cac2136-7ac5-11e8-8328-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # Two ACIs: one matching a "*redhat.com" dns wildcard, one matching the
    # exact FQDN of this host, so the write below is allowed from here.
    local_fqdn = socket.getfqdn()
    wildcard_aci = (f'(target = "ldap:///{DNS_OU_KEY}")'
                    f'(targetattr=*)(version 3.0; aci "DNS aci"; '
                    f'allow(all) userdn = "ldap:///{SUNDNS_KEY}" and dns = "*redhat.com" ;)')
    host_aci = (f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
                f'(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{SUNDNS_KEY}" and dns = "{local_fqdn}" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", [wildcard_aci, host_aci])

    # Bind as the allowed user and modify the protected OU; no error expected.
    user_conn = UserAccount(topo.standalone, SUNDNS_KEY).bind(PW_DM)
    OrganizationalUnit(user_conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_uer(request, topo):
    """Create two OUs and one user account under each.

    Also switches the instance error log to ACL_SUMMARY so ACL decisions
    made afterwards are logged.

    :param request: pytest request fixture (unused here)
    :param topo: topology fixture providing ``topo.standalone``
    """
    topo.standalone.config.loglevel((ErrorLog.ACL_SUMMARY, ))

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(topo.standalone,
                           f"ou={ou_name},{DEFAULT_SUFFIX}").create(properties={'ou': ou_name})

    for ou_rdn, full_name, home in (('ou=Product Development', 'Anuj Borah', 'AnujBorah'),
                                    ('ou=Accounting', 'Ananda Borah', 'AnandaBorah')):
        UserAccounts(topo.standalone, DEFAULT_SUFFIX, rdn=ou_rdn).create(
            properties={
                'uid': full_name,
                'cn': full_name,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + home,
                'userPassword': PW_DM,
            })
def create_base_orgunit(instance, basedn):
    """Create the base org unit object for a org unit

    The ``ou`` value is the value of the first AVA of the first RDN of
    ``basedn`` as returned by ``dn.str2dn``; ``description`` is the full DN.

    :param instance: server instance the entry is created on
    :param basedn: DN of the OU to create; its leading RDN supplies the ou value
    :returns: the created OrganizationalUnit
    """
    # Explode the dn and keep only the leading RDN's value.
    leading_rdn_value = dn.str2dn(basedn)[0][0][1]

    orgunit = OrganizationalUnit(instance, dn=basedn)
    orgunit.create(properties={
        'ou': leading_rdn_value,
        'description': basedn,
    })
    return orgunit
def test_user_can_access_from_ipv4_or_ipv6_address(topo, add_user, aci_of_user,
                                                   ip_addr):
    """User can modify the data when accessing the server from the allowed IPv4 and IPv6 addresses

    :id: 461e761e-7ac5-11e8-9ae4-8c16451d917b
    :customerscenario: True
    :parametrized: yes
    :setup: Standalone Server
    :steps:
        1. Add ACI that has both IPv4 and IPv6
        2. Connect from one of the IPs allowed in ACI
        3. Modify an attribute
    :expectedresults:
        1. ACI should be added
        2. Conection should be successful
        3. Operation should be successful
    """
    # ACI allowing FULLIP_KEY from the IPv4 and the IPv6 loopback address.
    loopback_aci = (f'(target ="ldap:///{IP_OU_KEY}")(targetattr="*") '
                    f'(version 3.0; aci "IP aci"; allow(all) '
                    f'userdn = "ldap:///{FULLIP_KEY}" and (ip = "127.0.0.1" or ip = "::1");)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", loopback_aci)

    # Connect through the parametrised loopback address so the server sees
    # the client IP the ACI names.
    ldap_uri = f'ldap://{ip_addr}:{topo.standalone.port}'
    user_conn = UserAccount(topo.standalone, FULLIP_KEY).bind(PW_DM, uri=ldap_uri)

    # Modify the protected OU; no error expected.
    OrganizationalUnit(user_conn, IP_OU_KEY).replace("seeAlso", "cn=1")
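def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
        topo, add_user, aci_of_user):
    """User cannot access the data when connecting from an unauthorized network as per the ACI.

    The ACI uses a negated dnsalias (``!= "www.redhat.com"``), so the test
    client -- which is not that host -- is allowed and the modify below is
    expected to succeed; the "cannot access" in the name refers to the
    excluded host.

    :id: 396bdd44-7ac5-11e8-8014-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI excluding only www.redhat.com
        3. Bind as NETSCAPEDNS_KEY from the test client and modify the OU
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # Add ACI
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add("aci", f'(target = "ldap:///{DNS_OU_KEY}")'
                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                   f'and dnsalias != "www.redhat.com" ;)')

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    # Perform Operation: allowed, since the client is not the excluded host.
    OrganizationalUnit(conn, DNS_OU_KEY).replace("seeAlso", "cn=1")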
def test_user_can_access_the_data_when_connecting_from_some_network_only(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from some network only as per the ACI.

    :id: 3098512a-7ac5-11e8-af85-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # ACI allowing NETSCAPEDNS_KEY only when the client resolves to this
    # host's FQDN, which the test client does.
    local_fqdn = socket.getfqdn()
    host_aci = (f'(target = "ldap:///{DNS_OU_KEY}")'
                f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                f'and dns = "{local_fqdn}" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", host_aci)

    # Bind as the allowed user and modify the protected OU; no error expected.
    user_conn = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    OrganizationalUnit(user_conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_any_machine(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from any machine as per the ACI.

    :id: 28cbc008-7ac5-11e8-934e-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # ACI with dns = "*": FULLDNS_KEY is allowed from every client host.
    anyhost_aci = (f'(target ="ldap:///{DNS_OU_KEY}")'
                   f'(targetattr="*")(version 3.0; aci "DNS aci"; allow(all) '
                   f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", anyhost_aci)

    # Bind as the allowed user and modify the protected OU; no error expected.
    user_conn = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)
    OrganizationalUnit(user_conn, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
    """
       Modify Test 8 Allow selfwrite access to anyone
       :id:8b3becf0-7abf-11e8-ac34-8c16451d917b
       :setup: server
       :steps:
           1. Add test entry
           2. Add ACI
           3. User should follow ACI role
       :expectedresults:
           1. Entry should be added
           2. Operation should  succeed
           3. Operation should  succeed
    """
    group1 = Groups(topo.standalone, DEFAULT_SUFFIX).create(properties={
        "cn": "group1",
        "description": "testgroup"
    })

    # selfwrite on cn=group1's member attribute for anyone: a bound user may
    # add or remove its own DN, and only its own DN, from the group.
    selfwrite_aci = (f'(target = ldap:///cn=group1,ou=Groups,{DEFAULT_SUFFIX})'
                     f'(targetattr = "member")(version 3.0; acl "ACI NAME"; '
                     f'allow (selfwrite) (userdn = "ldap:///anyone") ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", selfwrite_aci)

    OrganizationalUnit(topo.standalone,
                       f"ou=Product Development,{DEFAULT_SUFFIX}").create(
                           properties={'ou': 'Product Development'})

    person = 'Jeff Vedder'
    UserAccount(topo.standalone,
                f"cn={person},ou=Product Development,{DEFAULT_SUFFIX}").create(
                    properties={
                        'uid': person,
                        'cn': person,
                        'sn': 'user',
                        'uidNumber': '1000',
                        'gidNumber': '2000',
                        'homeDirectory': '/home/' + 'JeffVedder',
                        'userPassword': PW_DM,
                    })

    # Allow selfwrite access to anyone: the bound user adds itself.
    # (Assumes groups.list()[0] is group1 -- relies on list order; verify.)
    user_conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    Groups(user_conn, DEFAULT_SUFFIX).list()[0].add_member(USER_DELADD)
    group1.delete()
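def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 14 allow userdnattr = owner to modify entry
    :id:aa302090-7abf-11e8-811a-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # The group DN is derived from DEFAULT_SUFFIX everywhere below; the
    # earlier version hard-coded dc=example,dc=com for the bound-user view
    # and the member value, which silently breaks under any other suffix.
    intranet_dn = 'cn=intranet,' + DEFAULT_SUFFIX
    grp = UniqueGroup(topo.standalone, intranet_dn)
    grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
    grp.set('owner', USER_WITH_ACI_DELADD)

    # userdnattr = "owner": whoever is named in the entry's owner attribute
    # gets full rights on that entry.
    # NOTE(review): the acl name "$tet_thistest" looks like an unexpanded
    # placeholder from an earlier script; it is only a label, so it does
    # not affect evaluation.
    ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)

    for i in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(i, DEFAULT_SUFFIX))
        ou.create(properties={'ou': i})
    for i in [
            'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
    ]:
        properties = {
            'uid': i,
            'cn': i,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + i,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone,
                           "cn={},{}".format(i, DEFAULT_SUFFIX))
        user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # allow userdnattr = owner to modify entry: the owner writes a member.
    ua = UserAccount(conn, intranet_dn)
    ua.set('uniquemember', "cn=Andy Walker, ou=Accounting," + DEFAULT_SUFFIX)
    assert ua.get_attr_val('uniquemember')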
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 12 aci with both allow and deny

    One ACI denies read/search to one subject DN and allows everything to a
    second subject DN; each bound user must only receive the rights attached
    to its own DN.

    :id: 9dcfe902-7abf-11e8-86dc-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    # deny applies to USER_WITH_ACI_DELADD, allow (all) to USER_DELADD.
    aci_body = (
        '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)'
        'userdn = "ldap:///{}"; allow (all) userdn = "ldap:///{}" ;)'
    ).format(USER_WITH_ACI_DELADD, USER_DELADD)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def make_user(name):
        """Create one test user directly under DEFAULT_SUFFIX whose uid/cn is *name*."""
        account = UserAccount(topo.standalone, f"cn={name},{DEFAULT_SUFFIX}")
        account.create(properties={
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': f'/home/{name}',
            'userPassword': PW_DM
        })
        return account

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(
            topo.standalone,
            f"ou={ou_name},{DEFAULT_SUFFIX}").create(properties={'ou': ou_name})

    for name in ('Jeff Vedder,ou=Product Development',
                 'Sam Carter,ou=Accounting'):
        make_user(name)

    # aci with both allow and deny, testing allow
    allowed_conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    assert UserAccount(allowed_conn, USER_WITH_ACI_DELADD).get_attr_val('uid')

    # aci with both allow and deny, testing deny
    # The denied subject gets no value back for 'uid', which surfaces as an
    # IndexError from get_attr_val rather than an LDAP error (presumably an
    # empty search result; see the expected exception below).
    denied_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    with pytest.raises(IndexError):
        UserAccount(denied_conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
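def test_entryusn_after_repl_delete(topology_m2):
    """Verify that entryUSN is incremented on 1 after delete operation which creates a tombstone

    :id: 1704cf65-41bc-4347-bdaf-20fc2431b218
    :setup: An instance with replication, Users, USN enabled
    :steps:
        1. Try to delete a user
        2. Check the tombstone has the incremented USN
        3. Try to delete ou=People with users
        4. Check the entry has a not incremented entryUSN
    :expectedresults:
        1. Success
        2. Success
        3. Should fail with Not Allowed On Non-leaf error
        4. Success
    """

    inst = topology_m2.ms["supplier1"]
    plugin = USNPlugin(inst)
    plugin.enable()
    # Restarted after enabling the plugin, presumably so the change takes effect.
    inst.restart()
    users = UserAccounts(inst, DEFAULT_SUFFIX)

    # Pre-bind so the cleanup in 'finally' is safe even if the first
    # create_test_user() raises (otherwise user_1 would be unbound there).
    user_1 = None
    try:
        user_1 = users.create_test_user()
        user_rdn = user_1.rdn
        tombstones = Tombstones(inst, DEFAULT_SUFFIX)

        # A modify bumps the entry's USN; record it right before the delete.
        user_1.replace('description', 'update_ts')
        user_usn = user_1.get_attr_val_int('entryusn')

        user_1.delete()
        time.sleep(1)  # Gives a little time for tombstone creation to complete

        ts = tombstones.get(user_rdn)
        ts_usn = ts.get_attr_val_int('entryusn')

        # The tombstone must carry exactly the next USN after the user's last one.
        assert (user_usn + 1) == ts_usn

        user_1 = users.create_test_user()
        org = OrganizationalUnit(inst, f"ou=People,{DEFAULT_SUFFIX}")
        org.replace('description', 'update_ts')
        ou_usn_before = org.get_attr_val_int('entryusn')
        # Deleting a non-leaf entry must be refused (step 3). Assert the error
        # instead of swallowing it: a silently successful delete would only
        # surface as NO_SUCH_OBJECT on the read below, hiding the real failure.
        with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
            org.delete()
        ou_usn_after = org.get_attr_val_int('entryusn')
        # A refused delete must not consume a USN.
        assert ou_usn_before == ou_usn_after

    finally:
        if user_1 is not None:
            try:
                user_1.delete()
            except ldap.NO_SUCH_OBJECT:
                pass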
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
    """
    Modify Test 3 Allow write access to userdn 'all'

    With ``userdn = "ldap:///all"`` the assertions below expect an anonymous
    bind to be refused the write while the same write from an authenticated
    user succeeds.

    :id: 70c58818-7abf-11e8-afa1-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. User should follow ACI role
    :expectedresults:
        1. Entry should be added
        2. Operation should  succeed
        3. Operation should  succeed
    """
    aci_body = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)'
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    def make_user(name):
        """Create one test user directly under DEFAULT_SUFFIX whose uid/cn is *name*."""
        account = UserAccount(topo.standalone, f"cn={name},{DEFAULT_SUFFIX}")
        account.create(properties={
            'uid': name,
            'cn': name,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': f'/home/{name}',
            'userPassword': PW_DM
        })
        return account

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(
            topo.standalone,
            f"ou={ou_name},{DEFAULT_SUFFIX}").create(properties={'ou': ou_name})

    for name in ('Jeff Vedder,ou=Product Development',
                 'Sam Carter,ou=Accounting'):
        make_user(name)

    # Allow write access to userdn 'all'
    # Anonymous is not covered by 'all': the write must be refused.
    anon_conn = Anonymous(topo.standalone).bind()
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        UserAccount(anon_conn, USER_DELADD).add("title", "Architect")

    # An authenticated bind is covered: the same write succeeds and is readable back.
    bound_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    target = UserAccount(bound_conn, USER_DELADD)
    target.add("title", "Architect")
    assert target.get_attr_val('title')
def test_user(request, topo):
    for demo in ['Product Development', 'Accounting', 'nestedgroup']:
        OrganizationalUnit(topo.standalone, "ou={},{}".format(
            demo, DEFAULT_SUFFIX)).create(properties={'ou': demo})

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX, 'ou=nestedgroup')
    for demo1 in [
            'DEEPUSER_GLOBAL', 'scratchEntry', 'DEEPUSER2_GLOBAL',
            'DEEPUSER3_GLOBAL', 'GROUPDNATTRSCRATCHENTRY_GLOBAL', 'newChild'
    ]:
        uas.create(
            properties={
                'uid': demo1,
                'cn': demo1,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + demo1,
                'userPassword': PW_DM
            })

    # Add anonymous access aci
    ACI_TARGET = "(targetattr=\"*\")(target = \"ldap:///%s\")" % (
        DEFAULT_SUFFIX)
    ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
    ACI_SUBJECT = "(userdn=\"ldap:///anyone\");)"
    ANON_ACI = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add('aci', ANON_ACI)

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX,
                       'uid=GROUPDNATTRSCRATCHENTRY_GLOBAL,ou=nestedgroup')
    for demo1 in ['c1', 'CHILD1_GLOBAL']:
        uas.create(
            properties={
                'uid': demo1,
                'cn': demo1,
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + demo1,
                'userPassword': PW_DM
            })

    grp = UniqueGroups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=nestedgroup')
    for i in [
        ('ALLGROUPS_GLOBAL', GROUPA_GLOBAL), ('GROUPA_GLOBAL', GROUPB_GLOBAL),
        ('GROUPB_GLOBAL', GROUPC_GLOBAL), ('GROUPC_GLOBAL', GROUPD_GLOBAL),
        ('GROUPD_GLOBAL', GROUPE_GLOBAL), ('GROUPE_GLOBAL', GROUPF_GLOBAL),
        ('GROUPF_GLOBAL', GROUPG_GLOBAL), ('GROUPG_GLOBAL', GROUPH_GLOBAL),
        ('GROUPH_GLOBAL', DEEPUSER_GLOBAL)
    ]:
        grp.create(properties={
            'cn': i[0],
            'ou': 'groups',
            'uniquemember': i[1]
        })