def test_deeply_nested_groups_aci_allow(topo, test_user, aci_of_user):
"""
Test deeply nested groups (3)
This aci will allow search and modify
:id: 8d338210-7840-11e8-8584-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ['(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'.format(ALLGROUPS_GLOBAL), '(targetattr="*")(version 3.0; acl "ACLGroup"; allow (all) groupdn = "ldap:///{}" ;)'.format(GROUPE_GLOBAL)])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# test deeply nested groups
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
user.add("sn", "Fred")
user.remove("sn", "Fred")
def test_undefined_in_group_eval_two(topo, test_user, aci_of_user):
"""
This aci will allow access
:id: fcfbcce2-7840-11e8-ba77-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci",'(targetattr="*")(version 3.0; aci "tester"; allow(all) groupdn = "ldap:///{}\ || ldap:///{}";)'.format(ALLGROUPS_GLOBAL, GROUPG_GLOBAL))
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
user = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
# This aci should allow access
user.add("sn", "Fred")
assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('uid') == 'scratchEntry'
user.remove("sn", "Fred")
def test_undefined_in_group_eval_seventeen(topo, test_user, aci_of_user):
"""
Test with the parent keyord that Yields TRUE as description is present in tested entry
:id: 7054d1c0-7841-11e8-8177-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)'
)
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
# Test with the parent keyord
user.add("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
UserAccount(conn, CHILD1_GLOBAL).add("description", DEEPUSER_GLOBAL)
user.remove("description", [ALLGROUPS_GLOBAL, GROUPD_GLOBAL])
def test_undefined_in_group_eval_fourteen(topo, test_user, aci_of_user):
"""
Test with parent keyword that Yields FALSE as description is not present in tested entry
:id: 5c527218-7841-11e8-8909-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "parent[0,1].description#GROUPDN";)'
)
user = UserAccount(topo.standalone, GROUPDNATTRSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER2_GLOBAL).bind(PW_DM)
# Test with parent keyword
user1 = UserAccount(conn, GROUPDNATTRCHILDSCRATCHENTRY_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user1.add("sn", "Fred")
assert UserAccount(conn,
DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8('cn')
user.remove("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
def test_undefined_in_group_eval_eleven(topo, test_user, aci_of_user):
"""
Aci will not allow access as description is there with the user entry which is not allowed in ACI
:id: 4cfa28e2-7841-11e8-8117-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) not( userattr = "description#GROUPDN");)'
)
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# Test that not(UNDEFINED(attrval1))
user1 = UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
user1.add("sn", "Fred1")
assert user.get_attr_val_utf8('cn')
user.remove("description", [ALLGROUPS_GLOBAL, GROUPH_GLOBAL])
def test_undefined_in_group_eval_ten(topo, test_user, aci_of_user):
"""
Test the userattr keyword to ensure that it evaluates correctly.
:id: 46c0fb72-7841-11e8-af1d-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Take a count of users using DN_DM
3. Add test user
4. add aci
5. test should fullfil the aci rules
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
5. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(targetattr=*)(version 3.0; aci "tester"; allow(all) userattr = "description#GROUPDN";)'
)
user = UserAccount(topo.standalone, DEEPGROUPSCRATCHENTRY_GLOBAL)
user.add("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
conn = UserAccount(topo.standalone, DEEPUSER_GLOBAL).bind(PW_DM)
# Test the userattr keyword
user.add("sn", "Fred")
assert UserAccount(conn, DEEPGROUPSCRATCHENTRY_GLOBAL).get_attr_val_utf8(
'uid') == 'scratchEntry'
user.remove("description", [ALLGROUPS_GLOBAL, GROUPG_GLOBAL])
def test_allowed_add_one_attribute(topo, _add_user, aci_of_user):
"""
Testing the targattrfilters keyword that allows access control based on the value of the
attributes being added (or deleted))
"Valueacl Test $tet_thistest Allowed add one attribute (in presence of multiple filters)"
:id:086c7f0c-7aaa-11e8-b69f-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targattrfilters = "add=title:(title=architect) && secretary:(secretary=cn=Meylan, {}), ' \
'del=title:(title=architect) && secretary:(secretary=cn=Meylan, {})")(version 3.0; acl "$tet_thistest"; ' \
'allow (write) (userdn = "ldap:///{}") ;)'.format(
DEFAULT_SUFFIX, DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
user = UserAccount(conn, USER_DELADD)
# aci will allow add ad delete
user.add('title', 'architect')
assert user.get_attr_val('title')
user.remove('title', 'architect')
def test_csnpurge_large_valueset(topo_m2):
"""Test csn generator test
:id: 63e2bdb2-0a8f-4660-9465-7b80a9f72a74
:setup: MMR with 2 masters
:steps:
1. Create a test_user
2. add a large set of values (more than 10)
3. delete all the values (more than 10)
4. configure the replica to purge those values (purgedelay=5s)
5. Waiting for 6 second
6. do a series of update
:expectedresults:
1. Should succeeds
2. Should succeeds
3. Should succeeds
4. Should succeeds
5. Should succeeds
6. Should not crash
"""
m1 = topo_m2.ms["master2"]
test_user = UserAccount(m1, TEST_ENTRY_DN)
if test_user.exists():
log.info('Deleting entry {}'.format(TEST_ENTRY_DN))
test_user.delete()
test_user.create(
properties={
'uid': TEST_ENTRY_NAME,
'cn': TEST_ENTRY_NAME,
'sn': TEST_ENTRY_NAME,
'userPassword': TEST_ENTRY_NAME,
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/mmrepl_test',
})
# create a large value set so that it is sorted
for i in range(1, 20):
test_user.add('description', 'value {}'.format(str(i)))
# delete all values of the valueset
for i in range(1, 20):
test_user.remove('description', 'value {}'.format(str(i)))
# set purging delay to 5 second and wait more that 5second
replicas = Replicas(m1)
replica = replicas.list()[0]
log.info('nsds5ReplicaPurgeDelay to 5')
replica.set('nsds5ReplicaPurgeDelay', '5')
time.sleep(6)
# add some new values to the valueset containing entries that should be purged
for i in range(21, 25):
test_user.add('description', 'value {}'.format(str(i)))
def test_modify_entry(topo_m4, create_entry):
"""Check that entries are replicated after modify operation
:id: 36764053-622c-43c2-a132-d7a3ab7d9aaa
:setup: Four masters replication setup, an entry
:steps:
1. Modify the entry on master1 - add attribute
2. Wait for replication to happen
3. Check entry on all other masters
4. Modify the entry on master1 - replace attribute
5. Wait for replication to happen
6. Check entry on all other masters
7. Modify the entry on master1 - delete attribute
8. Wait for replication to happen
9. Check entry on all other masters
:expectedresults:
1. Attribute should be successfully added
2. Some time should pass
3. The change should be present on all masters
4. Attribute should be successfully replaced
5. Some time should pass
6. The change should be present on all masters
7. Attribute should be successfully deleted
8. Some time should pass
9. The change should be present on all masters
"""
log.info('Modifying entry {} - add operation'.format(TEST_ENTRY_DN))
test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
test_user.add('mail', '{}@redhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@redhat.com".format(TEST_ENTRY_NAME) in u.get_attr_vals_utf8(
'mail')
log.info('Modifying entry {} - replace operation'.format(TEST_ENTRY_DN))
test_user.replace('mail', '{}@greenhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@greenhat.com".format(
TEST_ENTRY_NAME) in u.get_attr_vals_utf8('mail')
log.info('Modifying entry {} - delete operation'.format(TEST_ENTRY_DN))
test_user.remove('mail', '{}@greenhat.com'.format(TEST_ENTRY_NAME))
time.sleep(1)
all_user = topo_m4.all_get_dsldapobject(TEST_ENTRY_DN, UserAccount)
for u in all_user:
assert "{}@greenhat.com".format(
TEST_ENTRY_NAME) not in u.get_attr_vals_utf8('mail')
class _AddTitleWithRoot:
def __init__(self, topo, value):
self.topo = topo
self.value = value
self.user = UserAccount(self.topo.standalone, USER_DELADD)
def add(self):
self.user.add("title", self.value)
def delete(self):
self.user.remove("title", self.value)
class _ModTitleArchitectJeffVedder:
def __init__(self, topo, value, conn):
self.topo = topo
self.value = value
self.conn = conn
self.user = UserAccount(self.conn, USER_DELADD)
def add(self):
self.user.add("title", self.value)
def delete(self):
self.user.remove("title", self.value)
def test_many_attrs(topo_m4, create_entry):
"""Check a replication with many attributes (add and delete)
:id: d540b358-f67a-43c6-8df5-7c74b3cb7523
:setup: Four masters replication setup, a test entry
:steps:
1. Add 10 new attributes to the entry
2. Delete few attributes: one from the beginning,
two from the middle and one from the end
3. Check that the changes were replicated in the right order
:expectedresults:
1. The attributes should be successfully added
2. Delete operations should be successful
3. The changes should be replicated in the right order
"""
m1 = topo_m4.ms["master1"]
add_list = ensure_list_bytes(map(lambda x: "test{}".format(x), range(10)))
delete_list = ensure_list_bytes(
map(lambda x: "test{}".format(x), [0, 4, 7, 9]))
test_user = UserAccount(topo_m4.ms["master1"], TEST_ENTRY_DN)
log.info('Modifying entry {} - 10 add operations'.format(TEST_ENTRY_DN))
for add_name in add_list:
test_user.add('description', add_name)
log.info(
'Check that everything was properly replicated after an add operation')
entries = get_repl_entries(topo_m4, TEST_ENTRY_NAME, ["description"])
for entry in entries:
assert all(
entry.getValues("description")[i] == add_name
for i, add_name in enumerate(add_list))
log.info('Modifying entry {} - 4 delete operations for {}'.format(
TEST_ENTRY_DN, str(delete_list)))
for delete_name in delete_list:
test_user.remove('description', delete_name)
log.info(
'Check that everything was properly replicated after a delete operation'
)
entries = get_repl_entries(topo_m4, TEST_ENTRY_NAME, ["description"])
for entry in entries:
for i, value in enumerate(entry.getValues("description")):
assert value == [
name for name in add_list if name not in delete_list
][i]
assert value not in delete_list
def test_allow_write_access_to_targetattr_with_a_single_attribute(
topo, aci_of_user, cleanup_tree):
"""
Modify Test 1 Allow write access to targetattr with a single attribute
:id:620d7b82-7abf-11e8-a4db-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(targetattr = "title")(version 3.0; acl "ACI NAME"; allow (write) (userdn = "ldap:///anyone") ;)'
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
ou = OrganizationalUnit(topo.standalone,
"ou=Product Development,{}".format(DEFAULT_SUFFIX))
ou.create(properties={'ou': 'Product Development'})
properties = {
'uid': 'Jeff Vedder',
'cn': 'Jeff Vedder',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'JeffVedder',
'userPassword': PW_DM
}
user = UserAccount(
topo.standalone,
"cn=Jeff Vedder,ou=Product Development,{}".format(DEFAULT_SUFFIX))
user.create(properties=properties)
# Allow write access to targetattr with a single attribute
conn = Anonymous(topo.standalone).bind()
ua = UserAccount(conn, USER_DELADD)
ua.add("title", "Architect")
assert ua.get_attr_val('title')
ua.remove("title", "Architect")
