def test_on_modrdn_allow(topo, _add_user, aci_of_user):
"""
Testing the targattrfilters keyword that allows access control based on the value of the attributes being
added (or deleted))
"Valueacl Test $tet_thistest Test modrdn still works (2)"
:id:17720562-7aaa-11e8-82ee-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target="ldap:///{}")(targattrfilters = "add=cn:((cn=engineer)), del=cn:((cn=jonny))")' \
'(version 3.0; aci "$tet_thistest"; allow (write) ' \
'userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
properties = {
'uid': 'jonny',
'cn': 'jonny',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'jonny'
}
user = UserAccount(topo.standalone, 'cn=jonny,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# aci will allow modrdn_s on cn=engineer
useraccount = UserAccount(conn, "cn=jonny,{}".format(DEFAULT_SUFFIX))
useraccount.rename("cn=engineer")
assert useraccount.dn == 'cn=engineer,dc=example,dc=com'
def create_test_user(instance, cn=None, suffix=None):
"""
Creates a new user for testing.
It tries to create a user that doesn't already exist by using a different
ID each time. However, if it is provided with an existing cn/suffix it
will fail to create a new user and it will raise an LDAP error.
Returns a UserAccount object.
"""
global test_user_id
if cn is None:
cn = "testuser_" + str(test_user_id)
test_user_id += 1
if suffix is None:
suffix = "ou=People," + DEFAULT_SUFFIX
dn = "cn=" + cn + "," + suffix
properties = {
'uid': cn,
'cn': cn,
'sn': 'user',
'uidNumber': str(1000+test_user_id),
'gidNumber': '2000',
'homeDirectory': '/home/' + cn
}
user = UserAccount(instance, dn)
user.create(properties=properties)
return user
def rdn_write_setup(topology_m2):
topology_m2.ms["supplier1"].log.info("\n\n######## Add entry tuser ########\n")
user = UserAccount(topology_m2.ms["supplier1"], SRC_ENTRY_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': SRC_ENTRY_CN,
'cn': SRC_ENTRY_CN,
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)
def moddn_setup(topology_m2):
"""Creates
- a staging DIT
- a production DIT
- add accounts in staging DIT
- enable ACL logging (commented for performance reason)
"""
m1 = topology_m2.ms["supplier1"]
o_roles = OrganizationalRoles(m1, SUFFIX)
m1.log.info("\n\n######## INITIALIZATION ########\n")
# entry used to bind with
m1.log.info("Add {}".format(BIND_DN))
user = UserAccount(m1, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'userpassword': BIND_PW})
user.create(properties=user_props, basedn=SUFFIX)
# Add anonymous read aci
ACI_TARGET = "(target = \"ldap:///%s\")(targetattr=\"*\")" % (SUFFIX)
ACI_ALLOW = "(version 3.0; acl \"Anonymous Read access\"; allow (read,search,compare)"
ACI_SUBJECT = " userdn = \"ldap:///anyone\";)"
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
suffix = Domain(m1, SUFFIX)
suffix.add('aci', ACI_BODY)
# DIT for staging
m1.log.info("Add {}".format(STAGING_DN))
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
# DIT for production
m1.log.info("Add {}".format(PRODUCTION_DN))
o_roles.create(properties={'cn': PRODUCTION_CN, 'description': "production DIT"})
# DIT for production/except
m1.log.info("Add {}".format(PROD_EXCEPT_DN))
o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN)
o_roles_prod.create(properties={'cn': EXCEPT_CN, 'description': "production except DIT"})
# enable acl error logging
# mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
# m1.modify_s(DN_CONFIG, mod)
# topology_m2.ms["supplier2"].modify_s(DN_CONFIG, mod)
# add dummy entries in the staging DIT
staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN))
user_props = TEST_USER_PROPERTIES.copy()
for cpt in range(MAX_ACCOUNTS):
name = "{}{}".format(NEW_ACCOUNT, cpt)
user_props.update({'sn': name, 'cn': name, 'uid': name})
staging_users.create(properties=user_props)
def moddn_setup(topology_m2):
"""Creates
- a staging DIT
- a production DIT
- add accounts in staging DIT
- enable ACL logging (commented for performance reason)
"""
m1 = topology_m2.ms["master1"]
o_roles = OrganizationalRoles(m1, SUFFIX)
m1.log.info("\n\n######## INITIALIZATION ########\n")
# entry used to bind with
m1.log.info("Add {}".format(BIND_DN))
user = UserAccount(m1, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({
'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'userpassword': BIND_PW
})
user.create(properties=user_props, basedn=SUFFIX)
# DIT for staging
m1.log.info("Add {}".format(STAGING_DN))
o_roles.create(properties={'cn': STAGING_CN, 'description': "staging DIT"})
# DIT for production
m1.log.info("Add {}".format(PRODUCTION_DN))
o_roles.create(properties={
'cn': PRODUCTION_CN,
'description': "production DIT"
})
# DIT for production/except
m1.log.info("Add {}".format(PROD_EXCEPT_DN))
o_roles_prod = OrganizationalRoles(m1, PRODUCTION_DN)
o_roles_prod.create(properties={
'cn': EXCEPT_CN,
'description': "production except DIT"
})
# enable acl error logging
# mod = [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '128')]
# m1.modify_s(DN_CONFIG, mod)
# topology_m2.ms["master2"].modify_s(DN_CONFIG, mod)
# add dummy entries in the staging DIT
staging_users = UserAccounts(m1, SUFFIX, rdn="cn={}".format(STAGING_CN))
user_props = TEST_USER_PROPERTIES.copy()
for cpt in range(MAX_ACCOUNTS):
name = "{}{}".format(NEW_ACCOUNT, cpt)
user_props.update({'sn': name, 'cn': name, 'uid': name})
staging_users.create(properties=user_props)
def test_renaming_target_entry(topo, _add_user, aci_of_user):
"""Test for renaming target entry
:id: 6be1d33a-7932-11e8-9115-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Create a test user entry
3. Create a new ou entry with an aci
4. Make sure uid=$MYUID has the access
5. Rename ou=OU0 to ou=OU1
6. Create another ou=OU2
7. Move ou=OU1 under ou=OU2
8. Make sure uid=$MYUID still has the access
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
6. Operation should succeed
7. Operation should succeed
8. Operation should succeed
"""
properties = {
'uid': 'TRAC340_MODRDN',
'cn': 'TRAC340_MODRDN',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'TRAC340_MODRDN'
}
user = UserAccount(topo.standalone,
'cn=TRAC340_MODRDN,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
ou = OrganizationalUnit(topo.standalone,
'ou=OU0,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'OU0'})
ou.set(
'aci',
'(targetattr="*")(version 3.0; acl "$MYUID";allow(read, search, compare) userdn = "ldap:///{}";)'
.format(TRAC340_MODRDN))
conn = UserAccount(topo.standalone, TRAC340_MODRDN).bind(PW_DM)
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU0')
# Test for renaming target entry
OrganizationalUnits(topo.standalone,
DEFAULT_SUFFIX).get('OU0').rename("ou=OU1")
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
ou = OrganizationalUnit(topo.standalone,
'ou=OU2,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'OU2'})
# Test for renaming target entry
OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX).get('OU1').rename(
"ou=OU1", newsuperior=OU2_OU_MODRDN)
assert OrganizationalUnits(conn, DEFAULT_SUFFIX).get('OU1')
def test_csnpurge_large_valueset(topo_m2):
"""Test csn generator test
:id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
:setup: MMR with 2 masters
:steps:
1. Create a test_user
2. add a large set of values (more than 10)
3. delete all the values (more than 10)
4. configure the replica to purge those values (purgedelay=5s)
5. Waiting for 6 second
6. do a series of update
:expectedresults:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
5. Should succeeds
6. Should not crash
"""
m1 = topo_m2.ms["master2"]
test_user = UserAccount(m1, TEST_ENTRY_DN)
if test_user.exists():
log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
test_user.delete()
test_user.create(
properties={
'uid': TEST_ENTRY_NAME,
'cn': TEST_ENTRY_NAME,
'sn': TEST_ENTRY_NAME,
'userPassword': TEST_ENTRY_NAME,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/mmrepl_test',
})
# create a large value set so that it is sorted
for i in range(1, 20):
test_user.add('description', 'value {}'.format(str(i)))
# delete all values of the valueset
for i in range(1, 20):
test_user.remove('description', 'value {}'.format(str(i)))
# set purging delay to 5 second and wait more that 5second
replicas = Replicas(m1)
replica = replicas.list()[0]
log.info('nsds5ReplicaPurgeDelay to 5')
replica.set('nsds5ReplicaPurgeDelay', '5')
time.sleep(6)
# add some new values to the valueset containing entries that should be purged
for i in range(21, 25):
test_user.add('description', 'value {}'.format(str(i)))
def _add_user(request, topo):
ou = OrganizationalUnit(topo.standalone,
'ou=Product Development,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
ou = OrganizationalUnit(topo.standalone,
'ou=Accounting,{}'.format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Accounting'})
groups = Group(topo.standalone, DYNAMIC_MODRDN)
group_properties = {
"cn": "Test DYNAMIC_MODRDN Group 70",
"objectclass": ["top", 'groupofURLs'],
'memberURL': 'ldap:///{}??base?(cn=*)'.format(USER_WITH_ACI_DELADD)
}
groups.create(properties=group_properties)
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=Jeff Vedder,ou=Product Development,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'Sam Carter',
'cn': 'Sam Carter',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'SamCarter',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
'cn=Sam Carter,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
def fin():
for DN in [
USER_DELADD, USER_WITH_ACI_DELADD, DYNAMIC_MODRDN,
CONTAINER_2_DELADD, CONTAINER_1_DELADD
]:
UserAccount(topo.standalone, DN).delete()
request.addfinalizer(fin)
def create(self):
properties = {
'uid': 'FRED',
'cn': 'FRED',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'FRED'
}
user = UserAccount(self.topo.standalone,
"cn=FRED, ou=Accounting,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("title", [self.title1, self.title2, self.title3])
def test_allow_write_access_to_target_with_wildcards(topo, aci_of_user,
cleanup_tree):
"""
Modify Test 6 Allow write access to target with wildcards
:id:825fe884-7abf-11e8-8541-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target = ldap:///{})(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting', 'Human Resources']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting',
'Kirsten Vaughan, ou=Human Resources'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow write access to target with wildcards
ua = UserAccount(conn, KIRSTENVAUGHAN)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write access to target with wildcards
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
"""RHDS denies MODRDN access if ACI list contains any DENY rule
Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
as you cannot rename the entry anymore
:id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Adding a new ou ou=People to $BASEDN
3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
"""
properties = {
'uid': 'NEWENTRY9_MODRDN',
'cn': 'NEWENTRY9_MODRDN_People',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN'
}
user = UserAccount(
topo.standalone,
'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
user.set("telephoneNumber", "989898191")
user.set("mail", "*****@*****.**")
user.set("givenName", "givenName")
user.set("uid", "NEWENTRY9_MODRDN")
OrganizationalUnits(
topo.standalone, DEFAULT_SUFFIX
).get('People').add("aci", [
'(targetattr = "*") '
'(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format(
NEWENTRY9_MODRDN),
'(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)',
'(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)'
.format(NEWENTRY9_MODRDN)
])
UserAccount(topo.standalone,
NEWENTRY9_MODRDN).replace("userpassword", "Anuj")
useraccount = UserAccount(topo.standalone, NEWENTRY9_MODRDN)
useraccount.rename("uid=newrdnchnged")
assert 'uid=newrdnchnged,ou=People,dc=example,dc=com' == useraccount.dn
def test_allow_write_access_to_userdnattr(topo, aci_of_user, cleanup_tree,
request):
"""Modify Test 7 Allow write access to userdnattr
:id: 86b418f6-7abf-11e8-ae28-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target = ldap:///{})(targetattr=*)(version 3.0; acl "{}";allow (write) (userdn = "ldap:///anyone"); )'.format(
DEFAULT_SUFFIX, request.node.name)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
UserAccount(topo.standalone,
USER_WITH_ACI_DELADD).add('manager', USER_WITH_ACI_DELADD)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write access to userdnattr
ua = UserAccount(conn, USER_DELADD)
ua.add('uid', 'scoobie')
assert ua.get_attr_val('uid')
ua.add('uid', 'jvedder')
assert ua.get_attr_val('uid')
def test_groupdnattr_value_is_another_group(topo):
"""Search Test 42 groupdnattr value is another group test #1
:id: 52299e16-7944-11e8-b471-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. USER_ANUJ should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Organization(topo.standalone).create(properties={"o": "nscpRoot"},
basedn=DEFAULT_SUFFIX)
user = UserAccount(topo.standalone,
"cn=dchan,o=nscpRoot,{}".format(DEFAULT_SUFFIX))
user.create(
properties={
'uid': 'dchan',
'cn': 'dchan',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'dchan',
'userPassword': PW_DM
})
grp = UniqueGroup(topo.standalone,
'cn=groupx,o=nscpRoot,' + DEFAULT_SUFFIX)
grp.create(properties={
'cn': 'groupx',
'ou': 'groups',
})
grp.set('uniquemember', 'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX))
grp.set(
'aci',
'(targetattr="*")(version 3.0; acl "Enable Group Expansion"; allow (read, search, compare) groupdnattr="ldap:///o=nscpRoot?uniquemember?sub";)'
)
conn = UserAccount(
topo.standalone,
'cn=dchan,o=nscpRoot,{}'.format(DEFAULT_SUFFIX),
).bind(PW_DM)
# acil will allow ldap:///o=nscpRoot?uniquemember?sub"
assert UserAccount(conn, 'cn=groupx,o=nscpRoot,{}'.format(
DEFAULT_SUFFIX)).get_attr_val_utf8('cn') == 'groupx'
def test_ticket50234(topology_st):
"""
The fix for ticket 50234
The test sequence is:
- create more than 10 entries with objectclass organizational units ou=org{}
- add an Account in one of them, eg below ou=org5
- do searches with search base ou=org5 and search filter "objectclass=organizationalunit"
- a subtree search should return 1 entry, the base entry
- a onelevel search should return no entry
"""
log.info(
'Testing Ticket 50234 - onelvel search returns not matching entry')
for i in range(1, 15):
ou = OrganizationalUnit(topology_st.standalone,
"ou=Org{},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Org'.format(i)})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': '******'
}
user = UserAccount(topology_st.standalone,
"cn=Jeff Vedder,ou=org5,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
# in a subtree search the entry used as search base matches the filter and shoul be returned
ent = topology_st.standalone.getEntry("ou=org5,{}".format(DEFAULT_SUFFIX),
ldap.SCOPE_SUBTREE,
"(objectclass=organizationalunit)")
# in a onelevel search the only child is an useraccount which does not match the filter
# no entry should be returned, which would cause getEntry to raise an exception we need to handle
found = 1
try:
ent = topology_st.standalone.getEntry(
"ou=org5,{}".format(DEFAULT_SUFFIX), ldap.SCOPE_ONELEVEL,
"(objectclass=organizationalunit)")
except ldap.NO_SUCH_OBJECT:
found = 0
assert (found == 0)
def test_allow_selfwrite_access_to_anyone(topo, aci_of_user, cleanup_tree):
"""
Modify Test 8 Allow selfwrite access to anyone
:id:8b3becf0-7abf-11e8-ac34-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
groups = Groups(topo.standalone, DEFAULT_SUFFIX)
group = groups.create(properties={
"cn": "group1",
"description": "testgroup"
})
ACI_BODY = '(target = ldap:///cn=group1,ou=Groups,{})(targetattr = "member")(version 3.0; acl "ACI NAME"; allow (selfwrite) (userdn = "ldap:///anyone") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow selfwrite access to anyone
groups = Groups(conn, DEFAULT_SUFFIX)
groups.list()[0].add_member(USER_DELADD)
group.delete()
def test_allow_owner_to_modify_entry(topo, aci_of_user, cleanup_tree):
"""
Modify Test 14 allow userdnattr = owner to modify entry
:id:aa302090-7abf-11e8-811a-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
grp = UniqueGroup(topo.standalone, 'cn=intranet,' + DEFAULT_SUFFIX)
grp.create(properties={'cn': 'intranet', 'ou': 'groups'})
grp.set('owner', USER_WITH_ACI_DELADD)
ACI_BODY = '(target ="ldap:///cn=intranet, {}") (targetattr ="*")(targetfilter ="(objectclass=groupOfUniqueNames)") (version 3.0;acl "$tet_thistest";allow(read, write, delete, search, compare, add) (userdnattr = "owner");)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# allow userdnattr = owner to modify entry
ua = UserAccount(conn, 'cn=intranet,dc=example,dc=com')
ua.set('uniquemember', "cn=Andy Walker, ou=Accounting,dc=example,dc=com")
assert ua.get_attr_val('uniquemember')
def test_aci_with_both_allow_and_deny(topo, aci_of_user, cleanup_tree):
"""
Modify Test 12 aci with both allow and deny
:id:9dcfe902-7abf-11e8-86dc-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; deny (read, search)userdn = "ldap:///{}"; allow (all) userdn = "ldap:///{}" ;)'.format(
USER_WITH_ACI_DELADD, USER_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# aci with both allow and deny, testing allow
assert UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# aci with both allow and deny, testing deny
with pytest.raises(IndexError):
UserAccount(conn, USER_WITH_ACI_DELADD).get_attr_val('uid')
def test_deny_all_access_with_targetattr_set(topo, test_uer, aci_of_user):
"""Search Test 10 Deny all access with targetattr set
:id: e1602ff2-6e11-11e8-8e55-8c16451d917b
:setup: Standalone Instance
:steps:
1. Add Entry
2. Add ACI
3. Bind with test USER_ANUJ
4. Try search
5. Delete Entry,test USER_ANUJ, ACI
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should Fail
5. Operation should success
"""
testuser = UserAccount(topo.standalone,
"cn=Anuj12,ou=People,{}".format(DEFAULT_SUFFIX))
testuser.create(
properties={
'uid': 'Anuj12',
'cn': 'Anuj12',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'Anuj12'
})
ACI_TARGET = '(targetattr="uid")'
ACI_ALLOW = '(version 3.0; acl "Name of the ACI"; deny absolute (all)'
ACI_SUBJECT = 'userdn="ldap:///anyone";)'
ACI_BODY = ACI_TARGET + ACI_ALLOW + ACI_SUBJECT
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_ANANDA).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
conn = UserAccount(topo.standalone, USER_ANUJ).bind(PW_DM)
# aci will block only uid=*
assert 0 == len(Accounts(conn, DEFAULT_SUFFIX).filter('(uid=*)'))
# with root there is no aci blockage
assert 4 == len(
Accounts(topo.standalone, DEFAULT_SUFFIX).filter('(uid=*)'))
testuser.delete()
def test_allow_write_access_to_userdn_all(topo, aci_of_user, cleanup_tree):
"""
Modify Test 3 Allow write access to userdn 'all'
:id:70c58818-7abf-11e8-afa1-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///all") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
for i in ['Product Development', 'Accounting']:
ou = OrganizationalUnit(topo.standalone,
"ou={},{}".format(i, DEFAULT_SUFFIX))
ou.create(properties={'ou': i})
for i in [
'Jeff Vedder,ou=Product Development', 'Sam Carter,ou=Accounting'
]:
properties = {
'uid': i,
'cn': i,
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + i,
'userPassword': PW_DM
}
user = UserAccount(topo.standalone,
"cn={},{}".format(i, DEFAULT_SUFFIX))
user.create(properties=properties)
# Allow write access to userdn 'all'
conn = Anonymous(topo.standalone).bind()
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
UserAccount(conn, USER_DELADD).add("title", "Architect")
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
UserAccount(conn, USER_DELADD).add("title", "Architect")
assert UserAccount(conn, USER_DELADD).get_attr_val('title')
def test_allow_write_access_to_targetattr_with_multiple_attibutes(
topo, aci_of_user, cleanup_tree):
"""
Modify Test 2 Allow write access to targetattr with multiple attibutes
:id:6b9f05c6-7abf-11e8-9ba1-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "telephonenumber || roomnumber")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
# Allow write access to targetattr with multiple attibutes
conn = Anonymous(topo.standalone).bind()
ua = UserAccount(conn, USER_DELADD)
ua.add("telephonenumber", "+1 408 555 1212")
assert ua.get_attr_val('telephonenumber')
ua.add("roomnumber", "101")
assert ua.get_attr_val('roomnumber')
def create_entry(topo_m4, request):
"""Add test entry to master1"""
log.info('Adding entry {}'.format(TEST_ENTRY_DN))
test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
if test_user.exists():
log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
test_user.delete()
test_user.create(
properties={
'uid': TEST_ENTRY_NAME,
'cn': TEST_ENTRY_NAME,
'sn': TEST_ENTRY_NAME,
'userPassword': TEST_ENTRY_NAME,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/mmrepl_test',
})
def test_allow_write_access_to_userdn_with_wildcards_in_dn(
topo, aci_of_user, cleanup_tree):
"""
Modify Test 4 Allow write access to userdn with wildcards in DN
:id:766c2312-7abf-11e8-b57d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "*")(version 3.0; acl "ACI NAME"; allow (write)(userdn = "ldap:///cn=*, ou=Product Development,{}") ;)'.format(
DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_DELADD).bind(PW_DM)
# Allow write access to userdn with wildcards in DN
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
def aci_setup(topo):
topo.standalone.log.info("Add {}".format(BIND_DN))
user = UserAccount(topo.standalone, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'inetUserStatus': '1',
'objectclass': 'extensibleObject',
'userpassword': PASSWORD})
user.create(properties=user_props, basedn=SUFFIX)
topo.standalone.log.info("Add {}".format(BIND_DN2))
user2 = UserAccount(topo.standalone, BIND_DN2)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({'sn': BIND_RDN2,
'cn': BIND_RDN2,
'uid': BIND_RDN2,
'userpassword': PASSWORD})
user2.create(properties=user_props, basedn=SUFFIX)
def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user,
request):
"""Test for write access to naming atributes (2)
:id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should not succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'
.format(DEFAULT_SUFFIX, request.node.name))
properties = {
'uid': 'Sam Carter1',
'cn': 'Sam Carter1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'SamCarter1'
}
user = UserAccount(
topo.standalone,
'cn=Sam Carter1,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Test for write access to naming atributes
useraccount = UserAccount(conn, SAM_DAMMY_MODRDN)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
useraccount.rename("uid=Jeffbo Vedder")
UserAccount(topo.standalone, SAM_DAMMY_MODRDN).delete()
def test_cannot_add_an_entry_with_attribute_values_we_are_not_allowed_add(
topo, _add_user, aci_of_user
):
"""
Testing the targattrfilters keyword that allows access control based on the value of the
attributes being added (or deleted))
"Valueacl Test $tet_thistest Test not allowed add an entry"
:id:0d0effee-7aaa-11e8-b673-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targattrfilters = "add=title:(|(title=engineer)(title=cool dude)(title=scum)) ' \
'&& secretary:(secretary=cn=Meylan, {}), del=title:(|(title=engineer)(title=cool dude)' \
'(title=scum))")(version 3.0; aci "$tet_thistest"; allow (add) userdn = "ldap:///{}";)'.format(
DEFAULT_SUFFIX, DEFAULT_SUFFIX)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
properties = {
'uid': 'FRED',
'cn': 'FRED',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'FRED'
}
user = UserAccount(topo.standalone, 'cn=FRED,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set('title', ['anuj', 'kumar', 'borah'])
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# aci will not allow adding objectclass
user = UserAccount(conn, USER_WITH_ACI_DELADD)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user.add("objectclass", "person")
def test_basic_with_hub(topo):
"""Check that basic operations work in cascading replication, this includes
testing plugins that perform internal operatons, and replicated password
policy state attributes.
:id: 4ac85552-45bc-477b-89a4-226dfff8c6cc
:setup: 1 master, 1 hub, 1 consumer
:steps:
1. Enable memberOf plugin and set password account lockout settings
2. Restart the instance
3. Add a user
4. Add a group
5. Test that the replication works
6. Add the user as a member to the group
7. Test that the replication works
8. Issue bad binds to update passwordRetryCount
9. Test that replicaton works
10. Check that passwordRetyCount was replicated
:expectedresults:
1. Should be a success
2. Should be a success
3. Should be a success
4. Should be a success
5. Should be a success
6. Should be a success
7. Should be a success
8. Should be a success
9. Should be a success
10. Should be a success
"""
repl_manager = ReplicationManager(DEFAULT_SUFFIX)
master = topo.ms["master1"]
consumer = topo.cs["consumer1"]
hub = topo.hs["hub1"]
for inst in topo:
config_memberof(inst)
inst.config.set('passwordlockout', 'on')
inst.config.set('passwordlockoutduration', '60')
inst.config.set('passwordmaxfailure', '3')
inst.config.set('passwordIsGlobalPolicy', 'on')
# Create user
user1 = UserAccount(master, BIND_DN)
user_props = TEST_USER_PROPERTIES.copy()
user_props.update({
'sn': BIND_RDN,
'cn': BIND_RDN,
'uid': BIND_RDN,
'inetUserStatus': '1',
'objectclass': 'extensibleObject',
'userpassword': PASSWORD
})
user1.create(properties=user_props, basedn=SUFFIX)
# Create group
groups = Groups(master, DEFAULT_SUFFIX)
group = groups.create(properties={'cn': 'group'})
# Test replication
repl_manager.test_replication(master, consumer)
# Trigger memberOf plugin by adding user to group
group.replace('member', user1.dn)
# Test replication once more
repl_manager.test_replication(master, consumer)
# Issue bad password to update passwordRetryCount
try:
master.simple_bind_s(user1.dn, "badpassword")
except:
pass
# Test replication one last time
master.simple_bind_s(DN_DM, PASSWORD)
repl_manager.test_replication(master, consumer)
# Finally check if passwordRetyCount was replicated to the hub and consumer
user1 = UserAccount(hub, BIND_DN)
count = user1.get_attr_val_int('passwordRetryCount')
if count is None:
log.fatal('PasswordRetyCount was not replicated to hub')
assert False
if int(count) != 1:
log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
assert False
user1 = UserAccount(consumer, BIND_DN)
count = user1.get_attr_val_int('passwordRetryCount')
if count is None:
log.fatal('PasswordRetyCount was not replicated to consumer')
assert False
if int(count) != 1:
log.fatal('PasswordRetyCount has unexpected value: {}'.format(count))
assert False
def _add_user(request, topo):
org = Organization(topo.standalone).create(properties={"o": "acivattr"}, basedn=DEFAULT_SUFFIX)
org.add('aci', '(targetattr="*")(targetfilter="(nsrole=*)")(version 3.0; aci "tester"; '
'allow(all) userdn="ldap:///cn=enguser1,ou=eng,o=acivattr,{}";)'.format(DEFAULT_SUFFIX))
ou = OrganizationalUnit(topo.standalone, "ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'eng'})
ou = OrganizationalUnit(topo.standalone, "ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'sales'})
roles = FilteredRoles(topo.standalone, DNBASE)
roles.create(properties={'cn':'FILTERROLEENGROLE', 'nsRoleFilter':'cn=eng*'})
roles.create(properties={'cn': 'FILTERROLESALESROLE', 'nsRoleFilter': 'cn=sales*'})
nsContainer(topo.standalone,
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
properties={'cn': 'cosTemplates'})
properties = {'employeeType': 'EngType', 'cn':'"cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
CosTemplate(topo.standalone,'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX)).\
create(properties=properties)
properties = {'employeeType': 'SalesType', 'cn': '"cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com'}
CosTemplate(topo.standalone,
'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,'
'o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(properties=properties)
properties = {
'cosTemplateDn': 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
'cosAttribute': 'employeeType', 'cosSpecifier': 'nsrole', 'cn': 'cosClassicGenerateEmployeeTypeUsingnsrole'}
CosClassicDefinition(topo.standalone,
'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX)).create(
properties=properties)
properties = {
'uid': 'salesuser1',
'cn': 'salesuser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesuser1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'salesmanager1',
'cn': 'salesmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesmanager1',
'userPassword': PW_DM,
}
user = UserAccount(topo.standalone, 'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'enguser1',
'cn': 'enguser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'enguser1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'engmanager1',
'cn': 'engmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'engmanager1',
'userPassword': PW_DM
}
user = UserAccount(topo.standalone, 'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
def fin():
for DN in [ENG_USER,SALES_UESER,ENG_MANAGER,SALES_MANAGER,FILTERROLESALESROLE,FILTERROLEENGROLE,ENG_OU,SALES_OU,
'cn="cn=filterRoleEngRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,dc=example,dc=com',
'cn="cn=filterRoleSalesRole,o=acivattr,dc=example,dc=com",'
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX), 'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,o=acivattr,{}'.format(DEFAULT_SUFFIX),
'cn=cosClassicGenerateEmployeeTypeUsingnsrole,o=acivattr,{}'.format(DEFAULT_SUFFIX), DNBASE]:
UserAccount(topo.standalone, DN).delete()
request.addfinalizer(fin)
def test_filterrole(topo):
"""Test Filter Role
:id: 8ada4064-786b-11e8-8634-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. Search nsconsole role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Organization(topo.standalone).create(properties={"o": "acivattr"},
basedn=DEFAULT_SUFFIX)
properties = {
'ou': 'eng',
}
ou_ou = OrganizationalUnit(topo.standalone,
"ou=eng,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou_ou.create(properties=properties)
properties = {'ou': 'sales'}
ou_ou = OrganizationalUnit(topo.standalone,
"ou=sales,o=acivattr,{}".format(DEFAULT_SUFFIX))
ou_ou.create(properties=properties)
roles = FilteredRoles(topo.standalone, DNBASE)
roles.create(properties={
'cn': 'FILTERROLEENGROLE',
'nsRoleFilter': 'cn=eng*'
})
roles.create(properties={
'cn': 'FILTERROLESALESROLE',
'nsRoleFilter': 'cn=sales*'
})
properties = {
'uid': 'salesuser1',
'cn': 'salesuser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesuser1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=salesuser1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'salesmanager1',
'cn': 'salesmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'salesmanager1',
'userPassword': PW_DM,
}
user = UserAccount(
topo.standalone,
'cn=salesmanager1,ou=sales,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'enguser1',
'cn': 'enguser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'enguser1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=enguser1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
properties = {
'uid': 'engmanager1',
'cn': 'engmanager1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'engmanager1',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
'cn=engmanager1,ou=eng,o=acivattr,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
# user with cn=sales* will automatically memeber of nsfilterrole
# cn=filterrolesalesrole,o=acivattr,dc=example,dc=com
assert UserAccount(topo.standalone,
'cn=salesuser1,ou=sales,o=acivattr,dc=example,dc=com').\
get_attr_val_utf8('nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com'
# same goes to SALES_MANAGER
assert UserAccount(topo.standalone, SALES_MANAGER).get_attr_val_utf8(
'nsrole') == 'cn=filterrolesalesrole,o=acivattr,dc=example,dc=com'
# user with cn=eng* will automatically memeber of nsfilterrole
# cn=filterroleengrole,o=acivattr,dc=example,dc=com
assert UserAccount(topo.standalone, 'cn=enguser1,ou=eng,o=acivattr,dc=example,dc=com').\
get_attr_val_utf8('nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com'
# same goes to ENG_MANAGER
assert UserAccount(topo.standalone, ENG_MANAGER).get_attr_val_utf8(
'nsrole') == 'cn=filterroleengrole,o=acivattr,dc=example,dc=com'
for dn_dn in [
ENG_USER, SALES_UESER, ENG_MANAGER, SALES_MANAGER,
FILTERROLESALESROLE, FILTERROLEENGROLE, ENG_OU, SALES_OU, DNBASE
]:
UserAccount(topo.standalone, dn_dn).delete()
def test_positive(topo):
"""
:id: ba6d5e9c-786b-11e8-860d-8c16451d917b
:setup: server
:steps:
1. Add filter role entry
2. Add ns container
3. Add cos template
4. Add CosClassic Definition
5. Cos entries should be added and searchable
6. employeeType attribute should be there in user entry as per the cos plugin property
:expectedresults:
1. Operation should success
2. Operation should success
3. Operation should success
4. Operation should success
5. Operation should success
6. Operation should success
"""
# Adding ns filter role
roles = FilterRoles(topo.standalone, DEFAULT_SUFFIX)
roles.create(properties={
'cn': 'FILTERROLEENGROLE',
'nsRoleFilter': 'cn=eng*'
})
# adding ns container
nsContainer(topo.standalone,'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format(DEFAULT_SUFFIX))\
.create(properties={'cn': 'cosTemplates'})
# creating cos template
properties = {
'employeeType':
'EngType',
'cn':
'"cn=filterRoleEngRole,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,dc=example,dc=com'
}
CosTemplate(topo.standalone, 'cn="cn=filterRoleEngRole,dc=example,dc=com",cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format(DEFAULT_SUFFIX))\
.create(properties=properties)
# creating CosClassicDefinition
properties = {
'cosTemplateDn':
'cn=cosClassicGenerateEmployeeTypeUsingnsroleTemplates,{}'.format(
DEFAULT_SUFFIX),
'cosAttribute':
'employeeType',
'cosSpecifier':
'nsrole',
'cn':
'cosClassicGenerateEmployeeTypeUsingnsrole'
}
CosClassicDefinition(topo.standalone,'cn=cosClassicGenerateEmployeeTypeUsingnsrole,{}'.format(DEFAULT_SUFFIX))\
.create(properties=properties)
# Adding User entry
properties = {
'uid': 'enguser1',
'cn': 'enguser1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'enguser1'
}
user = UserAccount(topo.standalone,
'cn=enguser1,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
# Asserting Cos should be added and searchable
cosdef = CosClassicDefinitions(
topo.standalone,
DEFAULT_SUFFIX).get('cosClassicGenerateEmployeeTypeUsingnsrole')
assert cosdef.dn == 'cn=cosClassicGenerateEmployeeTypeUsingnsrole,dc=example,dc=com'
assert cosdef.get_attr_val_utf8(
'cn') == 'cosClassicGenerateEmployeeTypeUsingnsrole'
# CoS definition entry's cosSpecifier attribute specifies the employeeType attribute
assert user.present('employeeType')
def test_urp_trigger_substring_search(topo_m2):
"""Test that a ADD of a entry with a '*' in its DN, triggers
an internal search with a escaped DN
:id: 9869bb39-419f-42c3-a44b-c93eb0b77667
:setup: MMR with 2 masters
:steps:
1. enable internal operation loggging for plugins
2. Create on M1 a test_user with a '*' in its DN
3. Check the test_user is replicated
4. Check in access logs that the internal search does not contain '*'
:expectedresults:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
"""
m1 = topo_m2.ms["master1"]
m2 = topo_m2.ms["master2"]
# Enable loggging of internal operation logging to capture URP intop
log.info('Set nsslapd-plugin-logging to on')
for inst in (m1, m2):
inst.config.loglevel([AccessLog.DEFAULT, AccessLog.INTERNAL],
service='access')
inst.config.set('nsslapd-plugin-logging', 'on')
inst.restart()
# add a user with a DN containing '*'
test_asterisk_uid = 'asterisk_*_in_value'
test_asterisk_dn = 'uid={},{}'.format(test_asterisk_uid, DEFAULT_SUFFIX)
test_user = UserAccount(m1, test_asterisk_dn)
if test_user.exists():
log.info('Deleting entry {}'.format(test_asterisk_dn))
test_user.delete()
test_user.create(
properties={
'uid': test_asterisk_uid,
'cn': test_asterisk_uid,
'sn': test_asterisk_uid,
'userPassword': test_asterisk_uid,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/asterisk',
})
# check that the ADD was replicated on M2
test_user_m2 = UserAccount(m2, test_asterisk_dn)
for i in range(1, 5):
if test_user_m2.exists():
break
else:
log.info('Entry not yet replicated on M2, wait a bit')
time.sleep(2)
# check that M2 access logs does not "(&(objectclass=nstombstone)(nscpentrydn=uid=asterisk_*_in_value,dc=example,dc=com))"
log.info('Check that on M2, URP as not triggered such internal search')
pattern = ".*\(Internal\).*SRCH.*\(&\(objectclass=nstombstone\)\(nscpentrydn=uid=asterisk_\*_in_value,dc=example,dc=com.*"
found = m2.ds_access_log.match(pattern)
log.info("found line: %s" % found)
assert not found
