def test_membership_attr(plugin):
"""
Test that the plugin performs integrity updates based on the attributes
defined by referint-membership-attr.
"""
# remove a membership attribute
plugin.remove_membership_attr('uniquemember')
user1 = create_test_user(plugin._instance)
group = create_test_group(plugin._instance, unique_group=True)
group.add_member(user1.dn)
user1.delete()
# assert that the user was not removed from the group
assert group.present(attr='uniquemember', value=user1.dn)
# now put this membership attribute back and try again
plugin.add_membership_attr('uniquemember')
user2 = create_test_user(plugin._instance)
group.add_member(user2.dn)
user2.delete()
# assert that user was removed from the group as well
assert not group.present(attr='uniquemember', value=user2.dn)
# clean up for subsequent test cases
delete_objects([group])
def test_scoping(plugin):
"""
Tests that the MemberOf plugin works on suffixes listed in memberOfEntryScope,
but skips suffixes listed in memberOfEntryScopeExcludeSubtree.
"""
# create a new ou and 2 users under different ous
ou2 = create_test_ou(plugin._instance)
user_p1 = create_test_user(plugin._instance)
user_p2 = create_test_user(plugin._instance, suffix=ou2.dn)
group = create_test_group(plugin._instance)
# define include and exclude suffixes for MemberOf
plugin.add_entryscope(DEFAULT_SUFFIX)
plugin.add_excludescope(ou2.dn)
group.add_member(user_p1.dn)
group.add_member(user_p2.dn)
memberofattr = plugin.get_attr()
# assert that memberOfAttr was set for entry of an included suffix
assert group.dn in user_p1.get_attr_vals(memberofattr)
# assert that memberOfAttr was NOT set for entry of an excluded suffix
assert not memberofattr in user_p2.get_all_attrs()
# clean up for subsequent test cases
delete_objects([user_p1, user_p2, group, ou2])
plugin.remove_all_excludescope()
plugin.remove_all_entryscope()
def test_referint_enable_disable(plugin):
"""
Test that the plugin doesn't do anything while disabled, and functions
properly when enabled.
NOTICE: This test case leaves the plugin enabled for the following tests.
"""
# assert plugin is disabled (by default)
assert plugin.status() == False
user1 = create_test_user(plugin._instance)
group = create_test_group(plugin._instance)
group.add_member(user1.dn)
user1.delete()
# assert that user was not removed from group because the plugin is disabled
assert group.present(attr='member', value=user1.dn)
# enable the plugin and restart the server for the action to take effect
plugin.enable()
plugin._instance.restart()
assert plugin.status() == True
user2 = create_test_user(plugin._instance)
group.add_member(user2.dn)
user2.delete()
# assert that user was removed from the group as well
assert not group.present(attr='member', value=user2.dn)
# clean up for subsequent test cases
delete_objects([group])
def test_memberofallbackends(plugin):
"""
By default the MemberOf plugin only looks for potential members for users
who are in the same database as the group. Test that when memberOfAllBackends
is enabled, memberOf will search across all databases instead.
"""
ou_value = "People2"
ou_suffix = DEFAULT_SUFFIX
# create a new backend
plugin._instance.backends.create(None,
properties={
BACKEND_NAME:
"People2Data",
BACKEND_SUFFIX:
"ou=" + ou_value + "," + ou_suffix,
})
# create a new sub-suffix stored in the new backend
ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix)
# add a user in the default backend
user_b1 = create_test_user(plugin._instance)
# add a user in the new backend
user_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
# create a group in the default backend
group = create_test_group(plugin._instance)
# configure memberof to search only for users who are in the same backend as the group
plugin.disable_allbackends()
group.add_member(user_b1.dn)
group.add_member(user_b2.dn)
memberofattr = plugin.get_attr()
# assert that memberOfAttr was set for the user stored in the same backend as the group
assert group.dn in user_b1.get_attr_vals(memberofattr)
# assert that memberOfAttr was NOT set for the user stored in a different backend
assert not memberofattr in user_b2.get_all_attrs()
# configure memberof to search across all backends
plugin.enable_allbackends()
# remove users from group and add them again in order to re-trigger the plugin
group.remove_member(user_b1.dn)
group.remove_member(user_b2.dn)
group.add_member(user_b1.dn)
group.add_member(user_b2.dn)
# assert that memberOfAttr was set for users stored in both backends
assert group.dn in user_b1.get_attr_vals(memberofattr)
assert group.dn in user_b2.get_attr_vals(memberofattr)
# clean up for subsequent test cases
delete_objects([user_b1, user_b2, group, ou2])
def test_memberof_enable_disable(plugin):
"""
Test that the plugin doesn't do anything while disabled, and functions
properly when enabled.
NOTICE: This test case leaves the plugin enabled for the following tests.
"""
# assert plugin is disabled (by default)
assert plugin.status() == False
user = create_test_user(plugin._instance)
group = create_test_group(plugin._instance)
# add user to the group (which normally triggers the plugin)
group.add_member(user.dn)
memberofattr = plugin.get_attr()
# assert no memberof attribute was created by the plugin
assert not memberofattr in user.get_all_attrs()
# enable the plugin and restart the server for the action to take effect
plugin.enable()
plugin._instance.restart()
assert plugin.status() == True
# trigger the plugin again
group.remove_member(user.dn)
group.add_member(user.dn)
# assert that the memberof attribute was now properly set
assert memberofattr in user.get_all_attrs()
# clean up for subsequent test cases
delete_objects([user, group])
def test_usn_local_mode(plugin):
"""
Test that when USN is operating in local mode, each backend has an instance
of the USN Plug-in with a USN counter specific to that backend database.
"""
# assert local mode
assert not plugin.is_global_mode_set()
ou_value = "People2"
ou_suffix = DEFAULT_SUFFIX
# create a new backend
plugin._instance.backends.create(None,
properties={
BACKEND_NAME:
"People2Data",
BACKEND_SUFFIX:
"ou=" + ou_value + "," + ou_suffix,
})
# create a new sub-suffix stored in the new backend
ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix)
root_dse = RootDSE(plugin._instance)
lastusn_b1 = lambda: root_dse.get_attr_val_int("lastusn;userroot")
lastusn_b2 = lambda: root_dse.get_attr_val_int("lastusn;people2data")
assert lastusn_b1() == lastusn_b2() == -1
# add a user in the default backend; trigger the plugin
user_b1 = create_test_user(plugin._instance)
user_b1.replace('sn', 'surname2')
user_b1.replace('sn', 'surname3')
# add a user in the new backend
user_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
# assert the USN counter is different for each backend
assert user_b1.get_attr_val_int("entryusn") == lastusn_b1() == 2
assert user_b2.get_attr_val_int("entryusn") == lastusn_b2() == 0
# reset USN for subsequent test cases
b = Backend(plugin._instance, dn="cn=people2data," + DN_LDBM)
reset_USN(plugin, [user_b1, user_b2, ou2, b])
def test_fixup_task(plugin):
"""
Test that after creating the fix-up task entry, initial memberOf attributes
are created on the member's user entries in the directory automatically.
Also, test that the filter provided to the task is correctly applied.
"""
# disable the plugin and restart the server for the action to take effect
plugin.disable()
plugin._instance.restart()
user1 = create_test_user(plugin._instance)
user2 = create_test_user(plugin._instance, cn="testuser2")
group = create_test_group(plugin._instance)
group.add_member(user1.dn)
group.add_member(user2.dn)
# enable the plugin and restart the server for the action to take effect
plugin.enable()
plugin._instance.restart()
memberofattr = plugin.get_attr()
# memberof attribute should not appear on user entries
assert not memberofattr in user1.get_all_attrs()
assert not memberofattr in user2.get_all_attrs()
# run the fix-up task and provide a filter for the entry
task = plugin.fixup(basedn=DEFAULT_SUFFIX, _filter="(cn=testuser2)")
# wait for the task to complete
task.wait()
assert task.is_complete()
assert task.get_exit_code() == 0
# memberof attribute should now appear on the user entry matching the filter
assert memberofattr in user2.get_all_attrs()
assert group.dn in user2.get_attr_vals(memberofattr)
# but should not appear on user entry that doesn't match the filter
assert not memberofattr in user1.get_all_attrs()
# clean up for subsequent test cases
delete_objects([user1, user2, group])
def test_memberofautoaddocc(plugin):
"""
Test that the MemberOf plugin automatically adds the object class defined
by memberOfAutoAddOC to a user object, if it does not contain an object
class that allows the memberOf attribute.
"""
user = create_test_user(plugin._instance)
group = create_test_group(plugin._instance)
# delete any object classes that allow the memberOf attribute
if "nsMemberOf" in user.get_attr_vals("objectClass"):
user.remove("objectClass", "nsMemberOf")
if "inetUser" in user.get_attr_vals("objectClass"):
user.remove("objectClass", "inetUser")
if "inetAdmin" in user.get_attr_vals("objectClass"):
user.remove("objectClass", "inetAdmin")
# set a valid object class to memberOfAutoAddOC
plugin.set_autoaddoc("nsMemberOf")
# assert that user has not got this object class at the moment
assert not "nsMemberOf" in user.get_attr_vals("objectClass")
# trigger the plugin
group.add_member(user.dn)
# assert that the object class defined by memberOfAutoAddOC now exists
assert "nsMemberOf" in user.get_attr_vals("objectClass")
# reset user entry
group.remove_member(user.dn)
user.remove("objectClass", "nsMemberOf")
# repeat for different object class
plugin.set_autoaddoc("inetUser")
assert not "inetUser" in user.get_attr_vals("objectClass")
# re-trigger the plugin
group.add_member(user.dn)
assert "inetUser" in user.get_attr_vals("objectClass")
group.remove_member(user.dn)
user.remove("objectClass", "inetUser")
# repeat for different object class
plugin.set_autoaddoc("inetAdmin")
assert not "inetAdmin" in user.get_attr_vals("objectClass")
# re-trigger the plugin
group.add_member(user.dn)
assert "inetAdmin" in user.get_attr_vals("objectClass")
# clean up for subsequent test cases
delete_objects([user, group])
def test_usn_enable_disable(plugin):
"""
Test that the plugin doesn't do anything while disabled, but stores
entryusn values properly when enabled.
NOTICE: This test case leaves the plugin enabled for the following tests.
"""
# assert plugin is disabled (by default)
assert plugin.status() == False
root_dse = RootDSE(plugin._instance)
# create a function for returning lastusn every time is called
lastusn = lambda: root_dse.get_attr_val_int("lastusn;userroot")
user1 = create_test_user(plugin._instance)
# assert no entryusn,lastusn values were created while the plugin was disabled
assert not "entryusn" in user1.get_all_attrs()
assert not "lastusn;userroot" in root_dse.get_all_attrs()
# enable the plugin and restart the server for the action to take effect
plugin.enable()
plugin._instance.restart()
assert plugin.status() == True
assert lastusn() == -1
user2 = create_test_user(plugin._instance)
# assert that a new entry now contains the entryusn value
assert user2.get_attr_val_int("entryusn") == lastusn() == 0
# assert that USNs are properly assigned after any write operation
# write operations include add, modify, modrdn and delete operations
user3 = create_test_user(plugin._instance)
assert user3.get_attr_val_int("entryusn") == lastusn() == 1
user2.delete()
assert lastusn() == 2
user3.replace('sn', 'another surname')
assert user3.get_attr_val_int("entryusn") == lastusn() == 3
# reset USN for subsequent test cases
reset_USN(plugin, [user1, user3])
def test_usn_global_mode(plugin):
"""
Test that when USN is operating in global mode, there is a global instance
of the USN Plug-in with a global USN counter that applies to changes made
to the entire directory (all backends).
"""
plugin.enable_global_mode()
plugin._instance.restart()
assert plugin.is_global_mode_set()
# create a new backend and a new sub-suffix stored in the new backend
ou_value = "People4"
ou_suffix = DEFAULT_SUFFIX
plugin._instance.backends.create(None,
properties={
BACKEND_NAME:
"People4Data",
BACKEND_SUFFIX:
"ou=" + ou_value + "," + ou_suffix,
})
root_dse = RootDSE(plugin._instance)
assert "lastusn" in root_dse.get_all_attrs()
ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix)
assert ou2.get_attr_val_int("entryusn") == 0
# add a user in the default backend
user_b1 = create_test_user(plugin._instance)
# add a user in the new backend
user_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
# assert that a global USN counter is used for all backends
assert user_b1.get_attr_val_int("entryusn") == 1
assert user_b2.get_attr_val_int("entryusn") == 2
# reset USN for subsequent test cases
b = Backend(plugin._instance, dn="cn=people4data," + DN_LDBM)
reset_USN(plugin, [user_b1, user_b2, ou2, b])
def test_memberofskipnested(plugin):
"""
Test that when memberOfSkipNested is off (default) they plugin can properly
handle nested groups (groups that are member of other groups). Respectively
make sure that when memberOfSkipNested is on, the plugin lists only groups
to which a user was added directly.
"""
user = create_test_user(plugin._instance)
group1 = create_test_group(plugin._instance)
group2 = create_test_group(plugin._instance)
# don't skip nested groups (this is the default)
plugin.disable_skipnested()
# create a nested group by listing group1 as a member of group2
group2.add_member(group1.dn)
# add user to group1 only
group1.add_member(user.dn)
memberofattr = plugin.get_attr()
assert group2.dn in group1.get_attr_vals(memberofattr)
# assert that memberOfAttr of user includes both groups
# even though they were not directly added to group2
assert group1.dn in user.get_attr_vals(memberofattr)
assert group2.dn in user.get_attr_vals(memberofattr)
# skip nested groups
plugin.enable_skipnested()
# remove from groups and add again in order to re-trigger the plugin
group2.remove_member(group1.dn)
group1.remove_member(user.dn)
group2.add_member(group1.dn)
group1.add_member(user.dn)
assert group2.dn in group1.get_attr_vals(memberofattr)
# assert that user's memberOfAttr includes only the group to which they were added
assert group1.dn in user.get_attr_vals(memberofattr)
assert not group2.dn in user.get_attr_vals(memberofattr)
# clean up for subsequent test cases
delete_objects([user, group1, group2])
def test_memberofgroupattr(plugin):
"""
memberOfGroupAttr gives the attribute in the group entry to poll to identify
member DNs. Test that the memberOf is set on a user only for groups whose
membership attribute is included in memberOfGroupAttr.
"""
memberofattr = plugin.get_attr()
# initially "member" should be the default and only value of memberOfGroupAttr
assert plugin.get_attr_vals('memberofgroupattr') == ['member']
user = create_test_user(plugin._instance)
group_normal = create_test_group(plugin._instance)
group_unique = create_test_group(plugin._instance, unique_group=True)
# add user to both groups
group_normal.add_member(user.dn)
group_unique.add_member(user.dn)
# assert that the memberof attribute was set for normal group only
assert group_normal.dn in user.get_attr_vals(memberofattr)
assert not group_unique.dn in user.get_attr_vals(memberofattr)
# add another value to memberOfGroupAttr
plugin.add_groupattr('uniqueMember')
# remove user from groups and add them again in order to trigger the plugin
group_normal.remove_member(user.dn)
group_normal.add_member(user.dn)
group_unique.remove_member(user.dn)
group_unique.add_member(user.dn)
# assert that the memberof attribute was set for both groups this time
assert group_normal.dn in user.get_attr_vals(memberofattr)
assert group_unique.dn in user.get_attr_vals(memberofattr)
# clean up for subsequent test cases
delete_objects([user, group_normal, group_unique])
def test_memberofattr(plugin):
"""
Test that the plugin automatically creates an attribute on user entries
declaring membership after adding them to a group. The attribute depends
on the value of memberOfAttr.
"""
memberofattr = "memberOf"
plugin.set_attr(memberofattr)
user = create_test_user(plugin._instance)
group = create_test_group(plugin._instance)
# memberof attribute should not yet appear
assert not memberofattr in user.get_all_attrs()
# trigger the plugin
group.add_member(user.dn)
# assert that the memberof attribute was automatically set by the plugin
assert group.dn in user.get_attr_vals(memberofattr)
# clean up for subsequent test cases
delete_objects([user, group])
def test_tombstone_cleanup(plugin):
"""
Assert that the USN plugin removes tombstone entries when the cleanup task
is run. Test removal for a specific backend, a specific suffix, and up to
a given USN number.
"""
# create a new backend and a new sub-suffix stored in the new backend
ou_value = "People3"
ou_suffix = DEFAULT_SUFFIX
plugin._instance.backends.create(None,
properties={
BACKEND_NAME:
"People3Data",
BACKEND_SUFFIX:
"ou=" + ou_value + "," + ou_suffix,
})
ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix)
tombstones_b1 = DSLdapObjects(plugin._instance)
tombstones_b1._basedn = "ou=People," + DEFAULT_SUFFIX
tombstones_b1._objectclasses = ['nsTombstone']
tombstones_b2 = DSLdapObjects(plugin._instance)
tombstones_b2._basedn = ou2.dn
tombstones_b2._objectclasses = ['nsTombstone']
root_dse = RootDSE(plugin._instance)
lastusn_b1 = lambda: root_dse.get_attr_val_int("lastusn;userroot")
assert lastusn_b1() == -1
user1_b1 = create_test_user(plugin._instance)
user2_b1 = create_test_user(plugin._instance)
user3_b1 = create_test_user(plugin._instance)
user1_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
user2_b2 = create_test_user(plugin._instance, suffix=ou2.dn)
# assert no tombstones exist at this point
assert not tombstones_b1.list()
assert not tombstones_b2.list()
# create 3 tombstone entries on default backend
user1_b1.delete()
user2_b1.delete()
user3_b1.delete()
# assert there are 3 tombstone entries indeed on default backend
assert len(tombstones_b1.list()) == 3
assert not tombstones_b2.list()
assert lastusn_b1() == 5
# remove all tombstone entries from default backend, with a USN value up to 4
task = plugin.cleanup(suffix=DEFAULT_SUFFIX, max_usn=lastusn_b1() - 1)
task.wait()
# assert all tombstone entries were deleted but the last one on default backend
assert len(tombstones_b1.list()) == 1
assert not tombstones_b2.list()
# create 2 tombstone entries on new backend
user1_b2.delete()
user2_b2.delete()
# assert there are 2 tombstone entries indeed on new backend
assert len(tombstones_b2.list()) == 2
assert len(tombstones_b1.list()) == 1
# remove all tombstone entries from ou2 suffix
task = plugin.cleanup(suffix=ou2.dn)
task.wait()
# assert there are no tombstone entries stored on ou2 suffix
assert not tombstones_b2.list()
assert len(tombstones_b1.list()) == 1
# reset USN for subsequent test cases
b = Backend(plugin._instance, dn="cn=people3data," + DN_LDBM)
reset_USN(plugin, [ou2, b])