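def test_dnsalias_keyword_test_nodns_cannot(topo, add_user, aci_of_user):
    """Dnsalias Keyword NODNS_KEY cannot access data as per the ACI.

    The ACI grants NODNS_KEY rights on DNS_OU_KEY only when the client host
    matches the ``dnsalias`` ``RAP.rock.SALSA.house.COM``; the test client is
    not expected to, so the modify must be refused.

    :id: 41b467be-7ac5-11e8-89a3-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as NODNS_KEY and modify an entry under DNS_OU_KEY
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    # Add ACI: the "dnsalias" bind rule limits the grant to clients whose
    # host name (as resolved by the server) matches the given alias.
    aci_body = (f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
                f'(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{NODNS_KEY}" and '
                f'dnsalias = "RAP.rock.SALSA.house.COM" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    # Create a new connection for this test; the bind itself is expected to
    # succeed, only the subsequent modify is governed by the bind rule.
    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    # Perform Operation: the dnsalias clause does not match, so the targeted
    # modify must be denied.
    org = OrganizationalUnit(conn, DNS_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")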
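def test_user_cannot_access_the_data_if_not_from_a_certain_domain(
        topo, add_user, aci_of_user):
    """User cannot access the data if not from a certain domain as per the ACI.

    The grant to NODNS_KEY carries a ``dns`` bind rule naming a host the test
    client is not expected to resolve to, so the modify must be refused.

    :id: 3d658972-7ac5-11e8-930f-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as NODNS_KEY and modify the entry
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    # Add ACI
    aci_body = (f'(target = "ldap:///{DNS_OU_KEY}")(targetattr=*)'
                f'(version 3.0; aci "DNS aci"; allow(all) '
                f'userdn = "ldap:///{NODNS_KEY}" '
                f'and dns = "RAP.rock.SALSA.house.COM" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    # Create a new connection for this test.
    conn = UserAccount(topo.standalone, NODNS_KEY).bind(PW_DM)
    # Perform Operation
    # NOTE(review): the entry modified here (AUTHMETHOD_OU_KEY) is not the
    # ACI target (DNS_OU_KEY), so the denial does not depend on the dns
    # clause at all -- confirm whether DNS_OU_KEY was intended, as in the
    # sibling dnsalias test.
    org = OrganizationalUnit(conn, AUTHMETHOD_OU_KEY)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")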
def test_user_cannot_access_the_data_when_connecting_from_an_unauthorized_network_2(
        topo, add_user, aci_of_user):
    """Negated dnsalias rule: access is granted from any host but the excluded one.

    The ACI allows NETSCAPEDNS_KEY on DNS_OU_KEY with
    ``dnsalias != "www.redhat.com"``; the test client is not that host, so
    the modify is expected to succeed.

    :id: 396bdd44-7ac5-11e8-8014-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as NETSCAPEDNS_KEY and modify the entry
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    target = f'(target = "ldap:///{DNS_OU_KEY}")'
    permission = '(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
    bind_rule = (f'userdn = "ldap:///{NETSCAPEDNS_KEY}" '
                 'and dnsalias != "www.redhat.com" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", target + permission + bind_rule)

    # Bind as the test user and perform the modify through that connection.
    as_user = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_user, DNS_OU_KEY).replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_some_network_only(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from some network only as per the ACI.

    The ``dns`` bind rule is set to this machine's FQDN (socket.getfqdn()),
    so a local client is expected to satisfy it and the modify to succeed.

    :id: 3098512a-7ac5-11e8-af85-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI naming the local FQDN
        3. Bind as NETSCAPEDNS_KEY and modify the entry
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    # NOTE(review): the rule only matches if the server reverse-resolves the
    # client address to this same name -- confirm on hosts with split DNS.
    local_fqdn = socket.getfqdn()
    aci_parts = [
        f'(target = "ldap:///{DNS_OU_KEY}")',
        '(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) ',
        f'userdn = "ldap:///{NETSCAPEDNS_KEY}" ',
        f'and dns = "{local_fqdn}" ;)',
    ]
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add("aci", "".join(aci_parts))

    # Bind as NETSCAPEDNS_KEY and modify the targeted OU over that connection.
    as_user = UserAccount(topo.standalone, NETSCAPEDNS_KEY).bind(PW_DM)
    ou = OrganizationalUnit(as_user, DNS_OU_KEY)
    ou.replace("seeAlso", "cn=1")
def test_user_can_access_the_data_when_connecting_from_any_machine(
        topo, add_user, aci_of_user):
    """User can access the data when connecting from any machine as per the ACI.

    ``dns = "*"`` matches every client host, so the rule adds no network
    restriction and the modify is expected to succeed.

    :id: 28cbc008-7ac5-11e8-934e-8c16451d917b
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI with a wildcard dns rule
        3. Bind as FULLDNS_KEY and modify the entry
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    wildcard_dns_aci = (f'(target ="ldap:///{DNS_OU_KEY}")'
                        f'(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) '
                        f'userdn = "ldap:///{FULLDNS_KEY}" and dns = "*" ;)')
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", wildcard_dns_aci)

    # Bind as the test user and modify the targeted OU over that connection.
    as_user = UserAccount(topo.standalone, FULLDNS_KEY).bind(PW_DM)
    OrganizationalUnit(as_user, DNS_OU_KEY).replace("seeAlso", "cn=1")
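def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
    """Modify Test 8: allow selfwrite access to anyone.

    ``selfwrite`` only lets a bound user add or remove its *own* DN from the
    targeted attribute; here it is granted on group1's ``member`` to anyone,
    so USER_DELADD can add itself to the group.

    :id: 8b3becf0-7abf-11e8-ac34-8c16451d917b
    :setup: server
    :steps:
        1. Add a group, an OU and a test user
        2. Add ACI granting selfwrite on the group's member attribute
        3. Bind as USER_DELADD and add its own DN to the group
    :expectedresults:
        1. Entries should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })

    aci_body = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    ou = OrganizationalUnit(topo.standalone,
                            "ou=Product Development,{}".format(DEFAULT_SUFFIX))
    ou.create(properties={'ou': 'Product Development'})

    properties = {
        'uid': 'Jeff Vedder',
        'cn': 'Jeff Vedder',
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/' + 'JeffVedder',
        'userPassword': PW_DM
    }
    user = UserAccount(
        topo.standalone,
        "cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
    user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    # Allow selfwrite access to anyone. Select group1 by name rather than as
    # the first entry of list(): listing order is not guaranteed, and any
    # pre-existing group would otherwise be the one modified.
    Groups(conn, DEFAULT_SUFFIX).get('group1').add_member(USER_DELADD)
    group.delete()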
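def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
    """Modify Test 14: allow userdnattr = owner to modify entry.

    The group's ``owner`` attribute names USER_WITH_ACI_DELADD; the ACI uses
    ``userdnattr = "owner"`` so only the DN stored in that attribute gets the
    listed rights on the group.

    :id: aa302090-7abf-11e8-811a-8c16451d917b
    :setup: server
    :steps:
        1. Add test entries (group with owner, OUs, users)
        2. Add ACI
        3. Bind as the owner and modify the group
    :expectedresults:
        1. Entries should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
    grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
    grp.set('owner', USER_WITH_ACI_DELADD)

    # "$tet_thistest" is a leftover acl name from the original TET suite; it
    # is only a label and does not affect evaluation.
    aci_body = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
        DEFAULT_SUFFIX)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    for ou_name in ['Product Development', 'Accounting']:
        ou = OrganizationalUnit(topo.standalone,
                                "ou={},{}".format(ou_name, DEFAULT_SUFFIX))
        ou.create(properties={'ou': ou_name})
    for rdn in [
            'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
    ]:
        properties = {
            'uid': rdn,
            'cn': rdn,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + rdn,
            'userPassword': PW_DM
        }
        user = UserAccount(topo.standalone,
                           "cn={},{}".format(rdn, DEFAULT_SUFFIX))
        user.create(properties=properties)

    conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    # allow userdnattr = owner to modify entry. Build the DNs from
    # DEFAULT_SUFFIX instead of a hard-coded suffix so they always match the
    # ACI target and the group created above.
    ua = UserAccount(conn, 'cn=intranet,{}'.format(DEFAULT_SUFFIX))
    ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,{}".format(DEFAULT_SUFFIX))
    assert ua.get_attr_val('uniquemember')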
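 def fin():
     """Teardown: delete everything the test created, leaves first.

     Children are removed before their containers so no non-leaf delete
     fails; the base entry DNBASE goes last. The CoS template entries carry
     a quoted DN as their cn value, hence the embedded double quotes. All
     DNs are built from DEFAULT_SUFFIX instead of a hard-coded suffix.
     """
     cos_templates = 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)
     cos_definition = 'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX)
     eng_template = 'cn="cn=filterRoleEngRole,o=acivattr,{0}",{1}'.format(DEFAULT_SUFFIX, cos_templates)
     sales_template = 'cn="cn=filterRoleSalesRole,o=acivattr,{0}",{1}'.format(DEFAULT_SUFFIX, cos_templates)
     for dn in [ENG_USER, SALES_UESER, ENG_MANAGER, SALES_MANAGER,
                FILTERROLESALESROLE, FILTERROLEENGROLE, ENG_OU, SALES_OU,
                eng_template, sales_template, cos_templates, cos_definition,
                DNBASE]:
         UserAccount(topo.standalone, dn).delete()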
def rdn_write_setup(topology_m2):
    """Create the source entry (SRC_ENTRY_DN) on supplier1 for the RDN write tests.

    The entry is built from TEST_USER_PROPERTIES with sn/cn set to
    SRC_ENTRY_CN and userpassword set to BIND_PW so later steps can bind as it.
    """
    supplier = topology_m2.ms["supplier1"]
    supplier.log.info("\n\n######## Add entry tuser ########\n")
    props = dict(TEST_USER_PROPERTIES)
    props['sn'] = SRC_ENTRY_CN
    props['cn'] = SRC_ENTRY_CN
    props['userpassword'] = BIND_PW
    UserAccount(supplier, SRC_ENTRY_DN).create(properties=props, basedn=SUFFIX)
def test_mod_see_also_positive(topo, _add_user, user, entry):
    """Set seeAlso on ``entry`` while bound as ``user``; the ACI allows it.

    :id: 65745426-7a01-11e8-8ac2-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as ``user`` and replace seeAlso on ``entry``
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    bound = UserAccount(topo.standalone, user).bind(PW_DM)
    target = UserAccount(bound, entry)
    target.replace('seeAlso', 'cn=1')
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree):
    """Modify Test 12: an ACI carrying both an allow and a deny clause.

    USER_WITH_ACI_DELADD is denied read/search while USER_DELADD is allowed
    everything; each user is bound in turn to check its own side of the rule.

    :id: 9dcfe902-7abf-11e8-86dc-8c16451d917b
    :setup: server
    :steps:
        1. Add test entries
        2. Add ACI
        3. Bind as USER_DELADD and read USER_WITH_ACI_DELADD
        4. Bind as USER_WITH_ACI_DELADD and read its own entry
    :expectedresults:
        1. Entries should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail (nothing readable)
    """
    aci_body = (
        '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)'
        'userdn = "ldap:///{denied}"; allow (all) userdn = "ldap:///{allowed}" ;)'
    ).format(denied=USER_WITH_ACI_DELADD, allowed=USER_DELADD)
    Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_body)

    for ou_name in ('Product Development', 'Accounting'):
        OrganizationalUnit(topo.standalone,
                           "ou={},{}".format(ou_name, DEFAULT_SUFFIX)).create(
            properties={'ou': ou_name})

    for rdn in ('Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'):
        UserAccount(topo.standalone,
                    "cn={},{}".format(rdn, DEFAULT_SUFFIX)).create(properties={
            'uid': rdn,
            'cn': rdn,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + rdn,
            'userPassword': PW_DM
        })

    # aci with both allow and deny, testing allow
    allowed_conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
    assert UserAccount(allowed_conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
    # aci with both allow and deny, testing deny: the denied read surfaces
    # as an IndexError from get_attr_val (presumably because the search
    # returns no entry), not as INSUFFICIENT_ACCESS.
    denied_conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    with pytest.raises(IndexError):
        UserAccount(denied_conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
def test_mod_seealso_positive(topo, _add_user, _aci_of_user, user, entry):
    """Test the roledn keyword granting access based on the bound user's role.

    :id: a33c5d6a-79f4-11e8-8551-8c16451d917b
    :setup: Standalone server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as ``user`` and replace seeAlso on ``entry``
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    bound = UserAccount(topo.standalone, user).bind(PW_DM)
    UserAccount(bound, entry).replace('seeAlso', 'cn=1')
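 def fin():
     """Best-effort teardown: delete every entry the test may have created.

     Failures are ignored on purpose (an entry may already be gone or never
     have been created), but only Exception subclasses are swallowed --
     KeyboardInterrupt and SystemExit still propagate.
     """
     for dn in [USER_DELADD, USER_WITH_ACI_DELADD, FRED, HARRY, KIRSTENVAUGHAN,
                HUMAN_OU_GLOBAL, CONTAINER_2_DELADD, CONTAINER_1_DELADD]:
         try:
             UserAccount(topo.standalone, dn).delete()
         except Exception:
             # A bare "except:" would also swallow KeyboardInterrupt/SystemExit.
             pass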
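def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
    """Search Test 10 Deny all access with targetattr set

    :id: e1602ff2-6e11-11e8-8e55-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    testuser = UserAccount(topo.standalone,
                           "cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX))
    testuser.create(
        properties={
            'uid': 'Anuj12',
            'cn': 'Anuj12',
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + 'Anuj12'
        })

    try:
        # "deny absolute (all)" on uid alone: the attribute is hidden from
        # every bound user, so a (uid=*) search matches nothing for them.
        aci_target = '(targetattr="uid")'
        aci_allow = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
        aci_subject = 'userdn="ldap:///anyone";)'
        Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_target + aci_allow + aci_subject)
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        # aci will block only uid=*
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        # aci will block only uid=*
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
        # with root there is no aci blockage; 4 is presumably the fixture
        # users plus the entry created above -- adjust if fixtures change.
        assert 4 == len(
            Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
    finally:
        # Remove the entry even when an assertion fails, so a failure here
        # does not leak state into later tests.
        testuser.delete()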
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
    """Modify Test 3: allow write access to userdn 'all'.

    ``ldap:///all`` covers authenticated users only, unlike ``ldap:///anyone``:
    an anonymous bind must be refused while a bound user gets the write.

    :id: 70c58818-7abf-11e8-afa1-8c16451d917b
    :setup: server
    :steps:
        1. Add test entries
        2. Add ACI
        3. Try the write anonymously, then as USER_WITH_ACI_DELADD
    :expectedresults:
        1. Entries should be added
        2. Operation should succeed
        3. Anonymous write fails with INSUFFICIENT_ACCESS, authenticated write succeeds
    """
    Domain(topo.standalone, DEFAULT_SUFFIX).add(
        "aci",
        '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)')

    for name in ('Product Development', 'Accounting'):
        OrganizationalUnit(topo.standalone,
                           "ou={},{}".format(name, DEFAULT_SUFFIX)).create(
            properties={'ou': name})

    for rdn in ('Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'):
        account = UserAccount(topo.standalone, "cn={},{}".format(rdn, DEFAULT_SUFFIX))
        account.create(properties={
            'uid': rdn,
            'cn': rdn,
            'sn': 'user',
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/' + rdn,
            'userPassword': PW_DM
        })

    # Allow write access to userdn 'all': anonymous is not "all" ...
    anon = Anonymous(topo.standalone).bind()
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        UserAccount(anon, USER_DELADD).add("title", "Architect")
    # ... but an authenticated user is.
    bound = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
    UserAccount(bound, USER_DELADD).add("title", "Architect")
    assert UserAccount(bound, USER_DELADD).get_attr_val('title')
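    def finofaci():
        """Teardown: remove every account under DEFAULT_SUFFIX and the
        import LDIF left in the instance's ldif directory, if present."""
        accounts = Accounts(topo.standalone, DEFAULT_SUFFIX)
        for account in accounts.filter('(uid=*)'):
            UserAccount(topo.standalone, account.dn).delete()

        # os.path.join tolerates a trailing separator on the directory,
        # which plain concatenation with '/' would double up.
        import_ldif = os.path.join(topo.standalone.get_ldif_dir(), 'basic_import.ldif')
        if os.path.exists(import_ldif):
            os.remove(import_ldif)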
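 def fin():
     """Best-effort teardown of the entries the test may have created."""
     for dn in [
             USER_DELADD, USER_WITH_ACI_DELADD, KIRSTENVAUGHAN,
             CONTAINER_1_DELADD, CONTAINER_2_DELADD, HUMAN_OU_GLOBAL
     ]:
         try:
             UserAccount(topo.standalone, dn).delete()
         except Exception:
             # Missing entries are expected here; a bare "except:" would also
             # swallow KeyboardInterrupt and SystemExit, so catch Exception.
             pass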
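def _find_memberof(server, member_dn, group_dn):
    """Assert that ``member_dn`` on ``server`` lists ``group_dn`` in memberOf.

    Both entries must exist on the given server (M1, C1 or H1) for the check
    to be meaningful, so their existence is asserted first.

    :param server: lib389 instance to query
    :param member_dn: DN of the user whose memberOf values are inspected
    :param group_dn: DN expected among the user's memberOf values
    """
    # Look the entries up on the specific server under test.
    user = UserAccount(server, member_dn)
    assert user.exists()
    group = Group(server, group_dn)
    assert group.exists()

    # The user entry must carry a memberOf value equal to the group's DN;
    # use the public .dn accessor rather than the private _dn attribute.
    assert group.dn in user.get_attr_vals_utf8('memberOf')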
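def test_memberurl_needs_to_be_normalized(topo, clean, aci_of_user):
    """Non-regression test for BUG 326000: MemberURL needs to be normalized.

    A dynamic group's memberURL must be matched case-insensitively: the ACI
    grants rights to DYNGROUP's members, and the bound member must keep them
    after the URL's filter is rewritten with a differently-cased uid.

    :id: a5d172e6-7db8-11e8-aca7-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entries (OU ACI, dynamic group, two users)
        2. Bind as the group member and modify its own entry
        3. Replace the memberURL with a mixed-case filter and modify again
    :expectedresults:
        1. Entries should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    ou_ou = OrganizationalUnit(topo.standalone, "ou=PEOPLE,{}".format(DEFAULT_SUFFIX))
    ou_ou.set('aci', '(targetattr= *)'
                     '(version 3.0; acl "tester"; allow(all) '
                     'groupdn = "ldap:///cn =DYNGROUP,ou=PEOPLE, {}";)'.format(DEFAULT_SUFFIX))

    groups = Groups(topo.standalone, DEFAULT_SUFFIX, rdn='ou=PEOPLE')
    groups.create(properties={"cn": "DYNGROUP",
                              "description": "DYNGROUP",
                              'objectClass': 'groupOfURLS',
                              'memberURL': "ldap:///ou=PEOPLE,{}??sub?"
                                           "(uid=test_user_2)".format(DEFAULT_SUFFIX)})

    uas = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    try:
        # Keep handles on the created users instead of indexing list()
        # output, whose order is not guaranteed; uid 2 is the DYNGROUP
        # member named in the memberURL filter.
        created = {}
        for uid, description in [(1, "Entry to test rights on."), (2, "Member of DYNGROUP")]:
            user = uas.create_test_user(uid=uid, gid=uid)
            user.replace_many(('description', description), ('userPassword', PW_DM))
            created[uid] = user
        member = created[2]

        # With the normal (lower-case) memberURL the member may modify itself.
        conn = UserAccount(topo.standalone, member.dn).bind(PW_DM)
        harry = UserAccount(conn, member.dn)
        harry.add('sn', 'FRED')

        # With a mixed-case uid in the memberURL the grant must still apply.
        dygrp = Group(topo.standalone, DYNGROUP)
        dygrp.remove('memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=test_user_2)".format(DEFAULT_SUFFIX))
        dygrp.add('memberurl', "ldap:///ou=PEOPLE,{}??sub?(uid=tesT_UsEr_2)".format(DEFAULT_SUFFIX))
        harry.add('sn', 'Not FRED')
    finally:
        # Delete the users even when an assertion or operation above fails.
        for account in uas.list():
            account.delete()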
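def test_access_from_certain_network_only_ip(topo, add_user, aci_of_user):
    """User can access the data when connecting from certain network only as per the ACI.

    :id: 4ec38296-7ac5-11e8-9816-8c16451d917b
    :customerscenario: True
    :setup: Standalone Server
    :steps:
        1. Add test entry
        2. Add ACI with an ``ip`` bind rule covering the local addresses
        3. Bind as NETSCAPEIP_KEY and modify the entry
        4. Replace the ACI with one naming an unrelated address and retry
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
        4. Operation should fail with INSUFFICIENT_ACCESS
    """
    # Turn access log buffering off to make less time consuming
    topo.standalone.config.set('nsslapd-accesslog-logbuffering', 'off')
    # Restart so the setting is in effect before the test connections are made.
    topo.standalone.restart()

    # The rule lists both loopback addresses plus the address the hostname
    # resolves to, since the client may reach the instance over any of them.
    hostname = socket.gethostname()
    ip = socket.gethostbyname(hostname)

    # Keep each ACI in one variable: add() and ensure_removed() must be given
    # the exact same value, or the stale grant silently stays in place.
    local_net_aci = (
        f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
        f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and (ip = "127.0.0.1" or ip = "::1" or ip = "{ip}") ;)'
    )
    foreign_net_aci = (
        f'(target = "ldap:///{IP_OU_KEY}")(targetattr="*")(version 3.0; aci "IP aci"; '
        f'allow(all)userdn = "ldap:///{NETSCAPEIP_KEY}" and ip = "100.1.1.1" ;)'
    )

    domain = Domain(topo.standalone, DEFAULT_SUFFIX)
    domain.add("aci", local_net_aci)

    # create a new connection for the test
    conn = UserAccount(topo.standalone, NETSCAPEIP_KEY).bind(PW_DM)
    # Perform Operation
    org = OrganizationalUnit(conn, IP_OU_KEY)
    org.replace("seeAlso", "cn=1")

    # Swap the grant for one bound to an address the client does not use.
    domain.ensure_removed("aci", local_net_aci)
    domain.add("aci", foreign_net_aci)

    # After changing the ip user cant access data: the rule is expected to be
    # evaluated per operation, so the existing connection is refused too.
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        org.replace("seeAlso", "cn=1")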
def moddn_setup(topology_m2):
    """Build the MODDN test tree on supplier1.

    Creates the bind user (BIND_DN), an anonymous read ACI on SUFFIX, the
    staging and production DITs plus the production "except" sub-DIT, and
    MAX_ACCOUNTS dummy accounts under the staging DIT. ACL error logging is
    left commented out for performance reasons.
    """

    supplier = topology_m2.ms["supplier1"]
    log = supplier.log
    roles = OrganizationalRoles(supplier, SUFFIX)

    log.info("\n\n######## INITIALIZATION ########\n")

    # entry used to bind with
    log.info("Add {}".format(BIND_DN))
    bind_props = TEST_USER_PROPERTIES.copy()
    bind_props.update(sn=BIND_RDN, cn=BIND_RDN, uid=BIND_RDN, userpassword=BIND_PW)
    UserAccount(supplier, BIND_DN).create(properties=bind_props, basedn=SUFFIX)

    # Anonymous read ACI on the whole suffix (read/search/compare, no write).
    anon_read_aci = ('(target = "ldap:///{}")(targetattr="*")'
                     '(version 3.0; acl "Anonymous Read access"; allow (read,search,compare)'
                     ' userdn = "ldap:///anyone";)').format(SUFFIX)
    Domain(supplier, SUFFIX).add('aci', anon_read_aci)

    # Staging and production DITs, side by side under SUFFIX.
    for cn, description, dn in ((STAGING_CN, "staging DIT", STAGING_DN),
                                (PRODUCTION_CN, "production DIT", PRODUCTION_DN)):
        log.info("Add {}".format(dn))
        roles.create(properties={'cn': cn, 'description': description})

    # DIT for production/except, nested under the production DIT.
    log.info("Add {}".format(PROD_EXCEPT_DN))
    OrganizationalRoles(supplier, PRODUCTION_DN).create(
        properties={'cn': EXCEPT_CN, 'description': "production except DIT"})

    # enable acl error logging
    # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
    # supplier.modify_s(DN_CONFIG, mod)
    # topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod)

    # add dummy entries in the staging DIT
    staging_users = UserAccounts(supplier, SUFFIX, rdn="cn={}".format(STAGING_CN))
    account_props = TEST_USER_PROPERTIES.copy()
    for index in range(MAX_ACCOUNTS):
        name = "{}{}".format(NEW_ACCOUNT, index)
        account_props.update(sn=name, cn=name, uid=name)
        staging_users.create(properties=account_props)
def moddn_setup(topology_m2):
    """Build the MODDN test tree on master1.

    Creates the bind user (BIND_DN), the staging and production DITs plus the
    production "except" sub-DIT, and MAX_ACCOUNTS dummy accounts under the
    staging DIT. ACL error logging stays commented out for performance.
    """

    master = topology_m2.ms["master1"]
    log = master.log
    log.info("\n\n######## INITIALIZATION ########\n")

    # entry used to bind with
    log.info("Add {}".format(BIND_DN))
    bind_props = dict(TEST_USER_PROPERTIES,
                      sn=BIND_RDN, cn=BIND_RDN, uid=BIND_RDN, userpassword=BIND_PW)
    UserAccount(master, BIND_DN).create(properties=bind_props, basedn=SUFFIX)

    top_roles = OrganizationalRoles(master, SUFFIX)
    # DIT for staging
    log.info("Add {}".format(STAGING_DN))
    top_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
    # DIT for production
    log.info("Add {}".format(PRODUCTION_DN))
    top_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"})
    # DIT for production/except
    log.info("Add {}".format(PROD_EXCEPT_DN))
    OrganizationalRoles(master, PRODUCTION_DN).create(
        properties={'cn': EXCEPT_CN, 'description': "production except DIT"})

    # enable acl error logging
    # mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
    # master.modify_s(DN_CONFIG, mod)
    # topology_m2.ms["master2"].modify_s(DN_CONFIG, mod)

    # add dummy entries in the staging DIT
    staging = UserAccounts(master, SUFFIX, rdn="cn={}".format(STAGING_CN))
    props = TEST_USER_PROPERTIES.copy()
    for cpt in range(MAX_ACCOUNTS):
        name = "{}{}".format(NEW_ACCOUNT, cpt)
        props.update({'sn': name, 'cn': name, 'uid': name})
        staging.create(properties=props)
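def test_mod_seealso_negative(topo, _add_user, _aci_of_user, user, entry):
    """Test the roledn keyword refusing access based on the bound user's role.

    :id: b2444aa2-79f4-11e8-a2c3-8c16451d917b
    :setup: Standalone server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as ``user`` and try to set seeAlso on ``entry``
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    # Keep the bound DN (``user``) and the modified entry in separate names
    # instead of rebinding the parameter, so it stays clear which is which.
    target = UserAccount(conn, entry)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target.replace('seeAlso', 'cn=1')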
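def test_mod_see_also_negative(topo, _add_user, user, entry):
    """Try to set seeAlso on ``entry`` while bound as ``user``; the ACI forbids it.

    :id: 9ea93252-7a01-11e8-a85b-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind as ``user`` and try to set seeAlso on ``entry``
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should fail with INSUFFICIENT_ACCESS
    """
    conn = UserAccount(topo.standalone, user).bind(PW_DM)
    # Do not rebind the ``user`` parameter: keep the bound DN and the
    # modified entry under distinct names.
    target = UserAccount(conn, entry)
    with pytest.raises(ldap.INSUFFICIENT_ACCESS):
        target.replace('seeAlso', 'cn=1')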
def test_allow_write_access_to_targetattr_with_multiple_attibutes(
        topo, aci_of_user, cleanup_tree):
    """Modify Test 2: allow write access to a targetattr listing multiple attributes.

    The ACI grants write on ``telephonenumber || roomnumber`` to anyone, so
    an anonymous bind can add both attributes to USER_DELADD.

    :id: 6b9f05c6-7abf-11e8-9ba1-8c16451d917b
    :setup: server
    :steps:
        1. Add test entry
        2. Add ACI
        3. Bind anonymously and add both attributes
    :expectedresults:
        1. Entry should be added
        2. Operation should succeed
        3. Operation should succeed
    """
    suffix = Domain(topo.standalone, DEFAULT_SUFFIX)
    suffix.add("aci", '(targetattr = "telephonenumber || roomnumber")'
                      '(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)')

    OrganizationalUnit(topo.standalone,
                       "ou=Product Development,{}".format(DEFAULT_SUFFIX)).create(
        properties={'ou': 'Product Development'})

    jeff_rdn = 'Jeff Vedder'
    jeff = UserAccount(
        topo.standalone,
        "cn={},ou=Product Development,{}".format(jeff_rdn, DEFAULT_SUFFIX))
    jeff.create(properties={
        'uid': jeff_rdn,
        'cn': jeff_rdn,
        'sn': 'user',
        'uidNumber': '1000',
        'gidNumber': '2000',
        'homeDirectory': '/home/JeffVedder',
        'userPassword': PW_DM
    })

    # Allow write access to targetattr with multiple attributes, as anonymous.
    anon = Anonymous(topo.standalone).bind()
    target = UserAccount(anon, USER_DELADD)
    for attr, value in (("telephonenumber", "+1 408 555 1212"), ("roomnumber", "101")):
        target.add(attr, value)
        assert target.get_attr_val(attr)
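def test_deny_read_access_to_dynamic_group_with_scope_set_to_one_in_ldap_url(
        topo, test_uer, aci_of_user):
    """Search Test 28 Deny read access to dynamic group with scope set to "one" in LDAP URL

    :id: ddb30432-6e12-11e8-94db-8c16451d917b
    :setup: Standalone Instance
    :steps:
        1. Add Entry
        2. Add ACI
        3. Bind with test USER_ANUJ
        4. Try search
        5. Delete Entry,test USER_ANUJ, ACI
    :expectedresults:
        1. Operation should success
        2. Operation should success
        3. Operation should success
        4. Operation should Fail
        5. Operation should success
    """
    groups = Groups(topo.standalone, DEFAULT_SUFFIX)
    group = groups.create(properties={
        "cn": "group1",
        "description": "testgroup"
    })
    try:
        # NOTE(review): the title speaks of scope "one" while the URL below
        # uses ?sub? -- confirm which was intended.
        group.add('objectClass', 'groupOfURLS')
        group.set(
            'memberURL',
            "ldap:///{}??sub?(&(ou=Accounting)(cn=Sam*))".format(DEFAULT_SUFFIX))
        group.add_member(USER_ANANDA)

        # deny(read) to everyone who is NOT in group1: USER_ANANDA was added
        # explicitly above, so only that user keeps read access.
        aci_target = '(targetattr = "*")'
        aci_allow = '(version 3.0; acl "All rights for %s"; deny(read) ' % "Unknown"
        aci_subject = 'groupdn != "ldap:///cn=group1,ou=Groups,{}";)'.format(
            DEFAULT_SUFFIX)
        Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", aci_target + aci_allow + aci_subject)
        conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
        # aci will allow only 'memberURL', "ldap:///{dc=example,dc=com??sub?(&(ou=Accounting)(cn=Sam*))"
        assert 2 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
        conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
        # USER_ANUJ is not a member, so the deny applies and nothing is readable.
        assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(cn=*)'))
    finally:
        # Delete the group even if an assertion fails, so the deny rule's
        # subject does not linger for later tests.
        group.delete()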
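def test_password_repl_error(topo_m4, create_entry):
    """Check that error about userpassword replication is properly logged

    :id: d4f12dc0-cd2c-4b92-9b8d-d764a60f0698
    :feature: Multi master replication
    :setup: Four masters replication setup, a test entry
    :steps: 1. Change userpassword on master 1
            2. Restart the servers to flush the logs
            3. Check the error log for an replication error
    :expectedresults: We don't have a replication error in the error log
    """

    m1 = topo_m4.ms["master1"]
    m2 = topo_m4.ms["master2"]
    # NOTE(review): this literal looks redacted in this copy of the test; the
    # .format() call has no placeholder to fill, so the password is the
    # literal itself. Confirm against the upstream source.
    new_password = '******'.format(TEST_ENTRY_NAME)

    log.info('Clean the error log')
    m2.deleteErrorLogs()

    log.info('Set replication loglevel')
    m2.config.loglevel((ErrorLog.REPLICA, ))

    # The change is made on master 1, as the docstring states; the log line
    # previously claimed master 2.
    log.info('Modifying entry {} - change userpassword on master 1'.format(
        TEST_ENTRY_DN))
    UserAccount(m1, TEST_ENTRY_DN).set('userpassword', new_password)

    log.info('Restart the servers to flush the logs')
    for num in range(1, 5):
        topo_m4.ms["master{}".format(num)].restart(timeout=10)

    # Binding with the new password on every master shows the change was
    # replicated; a failed bind raises and fails the test.
    for num in range(1, 5):
        UserAccount(topo_m4.ms["master{}".format(num)], TEST_ENTRY_DN).bind(new_password)

    log.info('Check the error log for the error with {}'.format(TEST_ENTRY_DN))
    assert not m2.ds_error_log.match(
        '.*can.t add a change for uid={}.*'.format(TEST_ENTRY_NAME))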
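def test_locinact_modrdn(topology_st, accpol_local):
    """Verify that a user account is inactivated when moved from ou=groups to ou=people subtree.

    The local account policy is configured for ou=people only, so a user
    created under ou=groups stays enabled past accountInactivityLimit.
    Once it is renamed under ou=people it must be reported disabled, and
    refreshing lastLoginTime must bring it back to enabled.

    :id: 5f25bea3-fab0-4db4-b43d-2d47cc6e5ad1
    :setup: Standalone instance, ou=people subtree configured for Local account
            policy plugin configuration, set accountInactivityLimit to a few secs.
    :steps:
        1. Add a few users to ou=groups subtree in the default suffix
        2. Plugin configured to ou=people subtree only.
        3. Wait for a few secs before it reaches accountInactivityLimit and check users.
        4. Run ldapsearch as normal user, expected 0
        5. Wait till accountInactivityLimit exceeded
        6. Move users from ou=groups subtree to ou=people subtree
        7. Check if users are inactivated, expected error 19
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Should return error code 0 and 19
    """

    suffix = DEFAULT_SUFFIX
    subtree = "ou=groups"
    userid = "nolockusr"
    nousrs = 1
    # add_users() appears to number its accounts, so the single user created
    # here is uid=nolockusr1 — confirm against add_users() if it changes.
    user_rdn = f'uid={userid}1'
    user_dn = f'{user_rdn},{subtree},{suffix}'
    new_superior = f'ou=people,{suffix}'

    log.info(
        'Account should not be inactivated since the subtree is not configured'
    )
    add_users(topology_st, suffix, subtree, userid, nousrs, 0)
    log.info(
        'Sleep for 11 secs to check if account is not inactivated, expected value 0'
    )
    time.sleep(11)
    account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")

    log.info('Moving users from ou=groups to ou=people subtree')
    user = UserAccount(topology_st.standalone, dn=user_dn)
    try:
        user.rename(user_rdn, newsuperior=new_superior)
    except ldap.LDAPError:
        log.error(
            'Failed to move user uid=nolockusr1 from ou=groups to ou=people')
        # Bare re-raise keeps the original traceback intact.
        raise

    subtree = "ou=people"
    log.info('Then wait for 11 secs and check if entries are inactivated')
    time.sleep(11)
    account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Disabled")
    # Refreshing lastLoginTime must re-enable the account under the policy.
    add_time_attr(topology_st, suffix, subtree, userid, nousrs,
                  'lastLoginTime')
    account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")
    del_users(topology_st, suffix, subtree, userid, nousrs)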
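def test_csnpurge_large_valueset(topo_m2):
    """Updating a large value set after its deleted values were purged must not crash.

    The test has no explicit assertion: it passes as long as the server
    survives the final series of adds on the purged value set.

    :id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
    :setup: MMR with 2 masters
    :steps:
        1. Create a test_user
        2. add a large set of values (more than 10)
        3. delete all the values (more than 10)
        4. configure the replica to purge those values (purgedelay=5s)
        5. Waiting for 6 second
        6. do a series of update
    :expectedresults:
        1. Should succeed
        2. Should succeed
        3. Should succeed
        4. Should succeed
        5. Should succeed
        6. Should not crash
    """
    # All operations go through master 2.
    master = topo_m2.ms["master2"]

    test_user = UserAccount(master, TEST_ENTRY_DN)
    if test_user.exists():
        log.info(f'Deleting entry {TEST_ENTRY_DN}')
        test_user.delete()
    test_user.create(
        properties={
            'uid': TEST_ENTRY_NAME,
            'cn': TEST_ENTRY_NAME,
            'sn': TEST_ENTRY_NAME,
            'userPassword': TEST_ENTRY_NAME,
            'uidNumber': '1000',
            'gidNumber': '2000',
            'homeDirectory': '/home/mmrepl_test',
        })

    # A large value set (more than 10 values) so that the server keeps it
    # sorted, per the original author's note.
    values = [f'value {i}' for i in range(1, 20)]
    for value in values:
        test_user.add('description', value)

    # Delete every value again; the deleted values stay around until purged.
    for value in values:
        test_user.remove('description', value)

    # Set the purge delay to 5 seconds and wait a little longer than that.
    # NOTE(review): the purge delay is not restored afterwards.
    replica = Replicas(master).list()[0]
    log.info('nsds5ReplicaPurgeDelay to 5')
    replica.set('nsds5ReplicaPurgeDelay', '5')
    time.sleep(6)

    # Add new values to the value set whose deleted entries should now be
    # purged; this is the step that must not crash the server.
    for i in range(21, 25):
        test_user.add('description', f'value {i}')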
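def _check_mail_on_all_masters(topo_m4, value, *, present):
    """Assert that `value` is (or, if not `present`, is not) in the test entry's mail on every master."""
    for user in topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount):
        mails = user.get_attr_vals_utf8('mail')
        if present:
            assert value in mails
        else:
            assert value not in mails


def test_modify_entry(topo_m4, create_entry):
    """Check that entries are replicated after modify operation

    :id: 36764053-622c-43c2-a132-d7a3ab7d9aaa
    :setup: Four masters replication setup, an entry
    :steps:
        1. Modify the entry on master1 - add attribute
        2. Wait for replication to happen
        3. Check entry on all other masters
        4. Modify the entry on master1 - replace attribute
        5. Wait for replication to happen
        6. Check entry on all other masters
        7. Modify the entry on master1 - delete attribute
        8. Wait for replication to happen
        9. Check entry on all other masters
    :expectedresults:
        1. Attribute should be successfully added
        2. Some time should pass
        3. The change should be present on all masters
        4. Attribute should be successfully replaced
        5. Some time should pass
        6. The change should be present on all masters
        7. Attribute should be successfully deleted
        8. Some time should pass
        9. The change should be present on all masters
    """
    test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
    first_mail = f'{TEST_ENTRY_NAME}@redhat.com'
    second_mail = f'{TEST_ENTRY_NAME}@greenhat.com'

    log.info(f'Modifying entry {TEST_ENTRY_DN} - add operation')
    test_user.add('mail', first_mail)
    # Fixed wait for replication to propagate the change to the other masters.
    time.sleep(1)
    _check_mail_on_all_masters(topo_m4, first_mail, present=True)

    log.info(f'Modifying entry {TEST_ENTRY_DN} - replace operation')
    test_user.replace('mail', second_mail)
    time.sleep(1)
    _check_mail_on_all_masters(topo_m4, second_mail, present=True)
    # A replace is only fully replicated if the previous value is gone too.
    _check_mail_on_all_masters(topo_m4, first_mail, present=False)

    log.info(f'Modifying entry {TEST_ENTRY_DN} - delete operation')
    test_user.remove('mail', second_mail)
    time.sleep(1)
    _check_mail_on_all_masters(topo_m4, second_mail, present=False)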