def test_deleting_twice(topo_m2):
"""Deleting entry twice crashed a server
:id: 94045560-a64c-11ea-93d6-8c16451d917b
:setup: MMR with 2 masters
:steps:
1. Adding entry
2. Deleting the same entry from s1
3. Deleting the same entry from s2 after some seconds
:expected results:
1. Should succeeds
2. Should succeeds
3. Should succeeds
"""
m1 = topo_m2.ms["master1"]
m2 = topo_m2.ms["master2"]
# Adding entry
user1 = UserAccounts(m1, DEFAULT_SUFFIX, rdn=None).create_test_user(uid=1,
gid=1)
repl_manager = ReplicationManager(DEFAULT_SUFFIX)
repl_manager.wait_for_replication(m1, m2, timeout=100)
user2 = UserAccount(m2, f'uid=test_user_1,{DEFAULT_SUFFIX}')
assert user2.status()
# Deleting the same entry from s1
user1.delete()
repl_manager.wait_for_replication(m1, m2, timeout=100)
# Deleting the same entry from s2 after some seconds
with pytest.raises(ldap.NO_SUCH_OBJECT):
user2.delete()
assert m1.status()
assert m2.status()
def test_deeply_nested_groups_aci_denial(topo, test_user, aci_of_user):
"""
Test deeply nested groups (1)
This aci will not allow search or modify to a user too deep to be detected.
:id: 3d98229c-7840-11e8-9f55-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'.format(ALLGROUPS_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# ALLGROUPS_GLOBAL have all access
assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def test_allow_delete_access_not_to_userdn(topo, _add_user, _aci_of_user):
"""
Test to Allow delete access to != userdn
:id: 00637f6e-68e3-11e8-92a3-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that allows userdn not to delete some userdn
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should not succeed
4. Delete operation for ACI should succeed
"""
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for %s"; allow (delete) ' % USER_DELADD
aci_subject = f'userdn!="ldap:///{USER_WITH_ACI_DELADD}";)'
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Perform delete operation
user = UserAccount(conn, USER_DELADD)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def test_deny_group_member_all_rights_to_user(topo, aci_of_user, test_user):
"""
Try deleting user while no access
:id: 0da68a4c-7840-11e8-98c2-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. delete test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; acl "ACLGroup"; deny (all) groupdn = "ldap:///{}" ;)'.format(BIG_GLOBAL))
conn = UserAccount(topo.standalone, "uid=Ted Morris, ou=Accounting, {}".format(DEFAULT_SUFFIX)).bind(PW_DM)
# group BIG_GLOBAL will have no access
user = UserAccount(conn, DEEPUSER3_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def fin():
for DN in [USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN,
HUMAN_OU_GLOBAL, CONTAINER_2_DELADD,CONTAINER_1_DELADD]:
ua = UserAccount(topo.standalone, DN)
try:
ua.delete()
except:
pass
def test_csnpurge_large_valueset(topo_m2):
"""Test csn generator test
:id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
:setup: MMR with 2 masters
:steps:
1. Create a test_user
2. add a large set of values (more than 10)
3. delete all the values (more than 10)
4. configure the replica to purge those values (purgedelay=5s)
5. Waiting for 6 second
6. do a series of update
:expectedresults:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
5. Should succeeds
6. Should not crash
"""
m1 = topo_m2.ms["master2"]
test_user = UserAccount(m1, TEST_ENTRY_DN)
if test_user.exists():
log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
test_user.delete()
test_user.create(
properties={
'uid': TEST_ENTRY_NAME,
'cn': TEST_ENTRY_NAME,
'sn': TEST_ENTRY_NAME,
'userPassword': TEST_ENTRY_NAME,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/mmrepl_test',
})
# create a large value set so that it is sorted
for i in range(1, 20):
test_user.add('description', 'value {}'.format(str(i)))
# delete all values of the valueset
for i in range(1, 20):
test_user.remove('description', 'value {}'.format(str(i)))
# set purging delay to 5 second and wait more that 5second
replicas = Replicas(m1)
replica = replicas.list()[0]
log.info('nsds5ReplicaPurgeDelay to 5')
replica.set('nsds5ReplicaPurgeDelay', '5')
time.sleep(6)
# add some new values to the valueset containing entries that should be purged
for i in range(21, 25):
test_user.add('description', 'value {}'.format(str(i)))
def fin():
log.info('Disabling Local accpolicy plugin and removing pwpolicy attrs')
try:
topology_st.standalone.plugins.disable(name=PLUGIN_ACCT_POLICY)
for entry_dn in [LOCL_CONF, TEMPL_COS, DEFIN_COS]:
entry = UserAccount(topology_st.standalone, dn=entry_dn)
entry.delete()
except ldap.LDAPError as e:
log.error('Failed to disable Local accpolicy plugin, {}'.format(e.message['desc']))
assert False
topology_st.standalone.restart(timeout=10)
def test_deletions_are_not_replicated(topo_m2):
"""usn + mmr = deletions are not replicated
:id: aa4f67ce-a64c-11ea-a6fd-8c16451d917b
:setup: MMR with 2 masters
:steps:
1. Enable USN plugin on both servers
2. Enable USN plugin on Supplier 2
3. Add user
4. Check that user propagated to Supplier 2
5. Check user`s USN on Supplier 1
6. Check user`s USN on Supplier 2
7. Delete user
8. Check that deletion of user propagated to Supplier 1
:expected results:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
5. Should succeeds
6. Should succeeds
7. Should succeeds
8. Should succeeds
"""
m1 = topo_m2.ms["master1"]
m2 = topo_m2.ms["master2"]
# Enable USN plugin on both servers
usn1 = USNPlugin(m1)
usn2 = USNPlugin(m2)
for usn_usn in [usn1, usn2]:
usn_usn.enable()
for instance in [m1, m2]:
instance.restart()
# Add user
user = UserAccounts(m1, DEFAULT_SUFFIX, rdn=None).create_test_user(uid=1,
gid=1)
repl_manager = ReplicationManager(DEFAULT_SUFFIX)
repl_manager.wait_for_replication(m1, m2, timeout=100)
# Check that user propagated to Supplier 2
assert user.dn in [
i.dn for i in UserAccounts(m2, DEFAULT_SUFFIX, rdn=None).list()
]
user2 = UserAccount(m2, f'uid=test_user_1,{DEFAULT_SUFFIX}')
# Check user`s USN on Supplier 1
assert user.get_attr_val_utf8('entryusn')
# Check user`s USN on Supplier 2
assert user2.get_attr_val_utf8('entryusn')
# Delete user
user2.delete()
repl_manager.wait_for_replication(m1, m2, timeout=100)
# Check that deletion of user propagated to Supplier 1
with pytest.raises(ldap.NO_SUCH_OBJECT):
user.status()
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
"""Search Test 10 Deny all access with targetattr set
:id: e1602ff2-6e11-11e8-8e55-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
testuser = UserAccount(topo.standalone,
"cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX))
testuser.create(
properties={
'uid': 'Anuj12',
'cn': 'Anuj12',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Anuj12'
})
ACI_TARGET = '(targetattr="uid")'
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
# with root there is no aci blockage
assert 4 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
testuser.delete()
def create_entry(topo_m4, request):
"""Add test entry to master1"""
log.info('Adding entry {}'.format(TEST_ENTRY_DN))
test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
if test_user.exists():
log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
test_user.delete()
test_user.create(
properties={
'uid': TEST_ENTRY_NAME,
'cn': TEST_ENTRY_NAME,
'sn': TEST_ENTRY_NAME,
'userPassword': TEST_ENTRY_NAME,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/mmrepl_test',
})
def test_allow_delete_access_not_to_dynamic_group(topo, _add_user,
_aci_of_user):
"""
Test to Allow delete access to != dynamic group
:id: 14ffa452-68ed-11e8-a60d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that delete access to != dynamic group
3. Delete something using test USER_DELADD
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should not succeed
4. Delete operation for ACI should succeed
"""
# Create dynamic group
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add("objectclass", "groupOfURLs")
group.add(
"memberURL",
f'ldap:///{DEFAULT_SUFFIX}??sub?(&(objectclass=person)(cn=test_user_1000))'
)
# Set ACI
Domain(topo.standalone, DEFAULT_SUFFIX).\
add("aci", f'(target = ldap:///{DEFAULT_SUFFIX})'
f'(targetattr=*)(version 3.0; acl "$tet_thistest"; '
f'allow (delete) (groupdn != "ldap:///{group.dn}"); )')
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
user = UserAccount(conn, USER_DELADD)
# Perform Allow delete access to != dynamic group
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def topology_st_f(topology_st):
# Add our users to the topology_st
users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
for i in range(0, 20):
users.create(properties={
'uid': 'user%s' % i,
'cn': 'user%s' % i,
'sn': '%s' % i,
'uidNumber': '%s' % i,
'gidNumber': '%s' % i,
'homeDirectory': '/home/user%s' % i
})
demo_user = UserAccount(topology_st.standalone, "uid=demo_user,ou=people,dc=example,dc=com")
demo_user.delete()
# return it
# print("ATTACH NOW")
# import time
# time.sleep(30)
return topology_st.standalone
def test_allow_delete_access_not_to_group(topo, _add_user, _aci_of_user):
"""
Test to Allow delete access to != groupdn
:id: f58fc8b0-68e5-11e8-9313-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI that allows groupdn not to delete some userdn
3. Delete something using test USER_DELADD belong to test group
4. Remove ACI
:expectedresults:
1. Entry should be added
2. ACI should be added
3. Operation should not succeed
4. Delete operation for ACI should succeed
"""
# Create group
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
group.add_member(USER_WITH_ACI_DELADD)
# set aci
aci_target = f'(targetattr="*")'
aci_allow = f'(version 3.0; acl "All rights for {group.dn}"; allow (delete)'
aci_subject = f'groupdn!="ldap:///{group.dn}";)'
Domain(topo.standalone,
DEFAULT_SUFFIX).add("aci", (aci_target + aci_allow + aci_subject))
# create connection with USER_WITH_ACI_DELADD
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
user = UserAccount(conn, USER_DELADD)
# Perform delete operation
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.delete()
def test_urp_trigger_substring_search(topo_m2):
"""Test that a ADD of a entry with a '*' in its DN, triggers
an internal search with a escaped DN
:id: 9869bb39-419f-42c3-a44b-c93eb0b77667
:setup: MMR with 2 masters
:steps:
1. enable internal operation loggging for plugins
2. Create on M1 a test_user with a '*' in its DN
3. Check the test_user is replicated
4. Check in access logs that the internal search does not contain '*'
:expectedresults:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
"""
m1 = topo_m2.ms["master1"]
m2 = topo_m2.ms["master2"]
# Enable loggging of internal operation logging to capture URP intop
log.info('Set nsslapd-plugin-logging to on')
for inst in (m1, m2):
inst.config.loglevel([AccessLog.DEFAULT, AccessLog.INTERNAL],
service='access')
inst.config.set('nsslapd-plugin-logging', 'on')
inst.restart()
# add a user with a DN containing '*'
test_asterisk_uid = 'asterisk_*_in_value'
test_asterisk_dn = 'uid={},{}'.format(test_asterisk_uid, DEFAULT_SUFFIX)
test_user = UserAccount(m1, test_asterisk_dn)
if test_user.exists():
log.info('Deleting entry {}'.format(test_asterisk_dn))
test_user.delete()
test_user.create(
properties={
'uid': test_asterisk_uid,
'cn': test_asterisk_uid,
'sn': test_asterisk_uid,
'userPassword': test_asterisk_uid,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/asterisk',
})
# check that the ADD was replicated on M2
test_user_m2 = UserAccount(m2, test_asterisk_dn)
for i in range(1, 5):
if test_user_m2.exists():
break
else:
log.info('Entry not yet replicated on M2, wait a bit')
time.sleep(2)
# check that M2 access logs does not "(&(objectclass=nstombstone)(nscpentrydn=uid=asterisk_*_in_value,dc=example,dc=com))"
log.info('Check that on M2, URP as not triggered such internal search')
pattern = ".*\(Internal\).*SRCH.*\(&\(objectclass=nstombstone\)\(nscpentrydn=uid=asterisk_\*_in_value,dc=example,dc=com.*"
found = m2.ds_access_log.match(pattern)
log.info("found line: %s" % found)
assert not found