def test_write_access_to_naming_atributes(topo, _add_user, aci_of_user,
request):
"""Test for write access to naming atributes
Test that check for add writes to the new naming attr
:id: 532fc630-7932-11e8-8924-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'
.format(DEFAULT_SUFFIX, request.node.name))
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
#Test for write access to naming atributes
useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
useraccount.rename("uid=Jeffbo Vedder")
def test_allow_write_privilege_to_anyone(topo, _add_user, aci_of_user,
request):
"""Modrdn Test 1 Allow write privilege to anyone
:id: 4406f12e-7932-11e8-9dea-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(target ="ldap:///{}")(targetattr="*")(version 3.0;acl "{}";allow '
'(write) (userdn = "ldap:///anyone");)'.format(DEFAULT_SUFFIX,
request.node.name))
conn = Anonymous(topo.standalone).bind()
# Allow write privilege to anyone
useraccount = UserAccount(conn, USER_WITH_ACI_DELADD)
useraccount.rename("cn=Jeff Vedder")
assert 'cn=Jeff Vedder,ou=Accounting,dc=example,dc=com' == useraccount.dn
useraccount = UserAccount(
conn, "cn=Jeff Vedder,ou=Accounting,dc=example,dc=com")
useraccount.rename("cn=Sam Carter")
assert 'cn=Sam Carter,ou=Accounting,dc=example,dc=com' == useraccount.dn
def test_allow_write_privilege_to_dynamic_group_with_scope_set_to_base_in_ldap_url(
topo, _add_user, aci_of_user, request):
"""Modrdn Test 2 Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
:id: 4c0f8c00-7932-11e8-8398-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(target = ldap:///{})(targetattr="*")(version 3.0; acl "{}"; allow(all)(groupdn = "ldap:///{}"); )'
.format(DEFAULT_SUFFIX, request.node.name, DYNAMIC_MODRDN))
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Allow write privilege to DYNAMIC_MODRDN group with scope set to base in LDAP URL
useraccount = UserAccount(conn, USER_DELADD)
useraccount.rename("cn=Jeffbo Vedder")
assert 'cn=Jeffbo Vedder,ou=Product Development,dc=example,dc=com' == useraccount.dn
useraccount = UserAccount(conn,
"cn=Jeffbo Vedder,{}".format(CONTAINER_1_DELADD))
useraccount.rename("cn=Jeff Vedder")
assert 'cn=Jeff Vedder,ou=Product Development,dc=example,dc=com' == useraccount.dn
def test_on_modrdn_allow(topo, _add_user, aci_of_user):
"""
Testing the targattrfilters keyword that allows access control based on the value of the attributes being
added (or deleted))
"Valueacl Test $tet_thistest Test modrdn still works (2)"
:id:17720562-7aaa-11e8-82ee-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target="ldap:///{}")(targattrfilters = "add=cn:((cn=engineer)), del=cn:((cn=jonny))")' \
'(version 3.0; aci "$tet_thistest"; allow (write) ' \
'userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
properties = {
'uid': 'jonny',
'cn': 'jonny',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'jonny'
}
user = UserAccount(topo.standalone, 'cn=jonny,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# aci will allow modrdn_s on cn=engineer
useraccount = UserAccount(conn, "cn=jonny,{}".format(DEFAULT_SUFFIX))
useraccount.rename("cn=engineer")
assert useraccount.dn == 'cn=engineer,dc=example,dc=com'
def test_on_modrdn(topo, _add_user, aci_of_user):
"""
Testing the targattrfilters keyword that allows access control based on the value of the
attributes being added (or deleted))
Test that valuacls kick in for modrdn operation.
:id:12985dde-7aaa-11e8-abde-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
"""
ACI_BODY = '(target="ldap:///cn=*,ou=Accounting,{}")(targattrfilters = "add=cn:(|(cn=engineer)), ' \
'del=title:(|(title=engineer)(title=cool dude)(title=scum))")(version 3.0; aci "$tet_thistest"; ' \
'allow (write) userdn = "ldap:///{}";)'.format(DEFAULT_SUFFIX, USER_WITH_ACI_DELADD)
Domain(topo.standalone, DEFAULT_SUFFIX).add("aci", ACI_BODY)
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# modrdn_s is not allowed with ou=OU1
useraccount = UserAccount(conn, FRED)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
useraccount.rename("ou=OU1")
def test_locinact_modrdn(topology_st, accpol_local):
"""Verify if user account is inactivated when moved from ou=groups to ou=people subtree.
:id: 5f25bea3-fab0-4db4-b43d-2d47cc6e5ad1
:setup: Standalone instance, ou=people subtree configured for Local account
policy plugin configuration, set accountInactivityLimit to few secs.
:steps:
1. Add few users to ou=groups subtree in the default suffix
2. Plugin configured to ou=people subtree only.
3. Wait for few secs before it reaches accountInactivityLimit and check users.
4. Run ldapsearch as normal user, expected 0
5. Wait till accountInactivityLimit exceeded
6. Move users from ou=groups subtree to ou=people subtree
7. Check if users are inactivated, expected error 19
:assert:
1. Success
2. Success
3. Success
4. Success
5. Success
6. Success
7. Should return error code 0 and 19
"""
suffix = DEFAULT_SUFFIX
subtree = "ou=groups"
userid = "nolockusr"
nousrs = 1
log.info(
'Account should not be inactivated since the subtree is not configured'
)
add_users(topology_st, suffix, subtree, userid, nousrs, 0)
log.info(
'Sleep for 11 secs to check if account is not inactivated, expected value 0'
)
time.sleep(11)
account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")
log.info('Moving users from ou=groups to ou=people subtree')
user = UserAccount(topology_st.standalone,
dn='uid=nolockusr1,ou=groups,dc=example,dc=com')
try:
user.rename('uid=nolockusr1',
newsuperior='ou=people,dc=example,dc=com')
except ldap.LDAPError as e:
log.error(
'Failed to move user uid=nolockusr1 from ou=groups to ou=people')
raise e
subtree = "ou=people"
log.info('Then wait for 11 secs and check if entries are inactivated')
time.sleep(11)
account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Disabled")
add_time_attr(topology_st, suffix, subtree, userid, nousrs,
'lastLoginTime')
account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Enabled")
del_users(topology_st, suffix, subtree, userid, nousrs)
def test_access_aci_list_contains_any_deny_rule(topo, _add_user, aci_of_user):
"""RHDS denies MODRDN access if ACI list contains any DENY rule
Bug description: If you create a deny ACI for some or more attributes there is incorrect behaviour
as you cannot rename the entry anymore
:id: 62cbbb8a-7932-11e8-96a7-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Adding a new ou ou=People to $BASEDN
3. Adding a user NEWENTRY9_MODRDN to ou=People,$BASEDN
4. Adding an allow rule for NEWENTRY9_MODRDN and for others an aci deny rule
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should succeed
"""
properties = {
'uid': 'NEWENTRY9_MODRDN',
'cn': 'NEWENTRY9_MODRDN_People',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'NEWENTRY9_MODRDN'
}
user = UserAccount(
topo.standalone,
'cn=NEWENTRY9_MODRDN,ou=People,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
user.set("telephoneNumber", "989898191")
user.set("mail", "*****@*****.**")
user.set("givenName", "givenName")
user.set("uid", "NEWENTRY9_MODRDN")
OrganizationalUnits(
topo.standalone, DEFAULT_SUFFIX
).get('People').add("aci", [
'(targetattr = "*") '
'(version 3.0;acl "admin";allow (all)(userdn = "ldap:///{}");)'.format(
NEWENTRY9_MODRDN),
'(targetattr = "mail") (version 3.0;acl "deny_mail";deny (write)(userdn = "ldap:///anyone");)',
'(targetattr = "uid") (version 3.0;acl "allow uid";allow (write)(userdn = "ldap:///{}");)'
.format(NEWENTRY9_MODRDN)
])
UserAccount(topo.standalone,
NEWENTRY9_MODRDN).replace("userpassword", "Anuj")
useraccount = UserAccount(topo.standalone, NEWENTRY9_MODRDN)
useraccount.rename("uid=newrdnchnged")
assert 'uid=newrdnchnged,ou=People,dc=example,dc=com' == useraccount.dn
def test_locact_modrdn(topology_st, accpol_local):
"""Verify if user account is inactivated when users moved from ou=people to ou=groups subtree.
:id: e821cbae-bfc3-40d3-947d-b228c809987f
:setup: Standalone instance, ou=people subtree configured for Local account
policy plugin configuration, set accountInactivityLimit to few secs.
:steps:
1. Add few users to ou=people subtree in the default suffix
2. Wait for few secs and check if users not inactivated, expected 0.
3. Move users from ou=people to ou=groups subtree
4. Wait till accountInactivityLimit is exceeded
5. Check if users are active in ou=groups subtree, expected 0
:assert:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
suffix = DEFAULT_SUFFIX
subtree = "ou=people"
userid = "lockusr"
nousrs = 1
log.info('Account should be inactivated since the subtree is configured')
add_users(topology_st, suffix, subtree, userid, nousrs, 0)
log.info(
'Sleep for 11 secs to check if account is inactivated, expected value 19'
)
time.sleep(11)
account_status(topology_st, suffix, subtree, userid, nousrs, 0, "Disabled")
log.info('Moving users from ou=people to ou=groups subtree')
user = UserAccount(topology_st.standalone,
dn='uid=lockusr1,ou=people,dc=example,dc=com')
try:
user.rename('uid=lockusr1', newsuperior='ou=groups,dc=example,dc=com')
except ldap.LDAPError as e:
log.error(
'Failed to move user uid=lockusr1 from ou=people to ou=groups')
raise e
log.info(
'Sleep for +2 secs and check users from both ou=people and ou=groups subtree'
)
time.sleep(2)
subtree = "ou=groups"
account_status(topology_st, suffix, subtree, userid, 1, 0, "Enabled")
del_users(topology_st, suffix, subtree, userid, nousrs)
def test_write_access_to_naming_atributes_two(topo, _add_user, aci_of_user,
request):
"""Test for write access to naming atributes (2)
:id: 5a2077d2-7932-11e8-9e7b-8c16451d917b
:setup: server
:steps:
1. Add test entry
2. Add ACI
3. User should follow ACI role
4. Now try to modrdn it to cn, won't work if request deleteoldrdn.
:expectedresults:
1. Entry should be added
2. Operation should succeed
3. Operation should succeed
4. Operation should not succeed
"""
Domain(topo.standalone, DEFAULT_SUFFIX).add(
"aci",
'(target ="ldap:///{}")(targetattr != "uid")(version 3.0;acl "{}";allow (write) (userdn = "ldap:///anyone");)'
.format(DEFAULT_SUFFIX, request.node.name))
properties = {
'uid': 'Sam Carter1',
'cn': 'Sam Carter1',
'sn': 'user',
'uidNumber': '1000',
'gidNumber': '2000',
'homeDirectory': '/home/' + 'SamCarter1'
}
user = UserAccount(
topo.standalone,
'cn=Sam Carter1,ou=Accounting,{}'.format(DEFAULT_SUFFIX))
user.create(properties=properties)
user.set("userPassword", "password")
conn = UserAccount(topo.standalone, USER_WITH_ACI_DELADD).bind(PW_DM)
# Test for write access to naming atributes
useraccount = UserAccount(conn, SAM_DAMMY_MODRDN)
with pytest.raises(ldap.INSUFFICIENT_ACCESS):
useraccount.rename("uid=Jeffbo Vedder")
UserAccount(topo.standalone, SAM_DAMMY_MODRDN).delete()
def test_multiple_scopes(topo):
"""Specify memberOf works when multiple include scopes are defined
:id: fbcd70cc-c83d-4c79-bd5b-2d8f017545ae
:setup: Standalone Instance
:steps:
1. Set multiple include scopes
2. Test members added to both scopes are correctly updated
3. Test user outside of scope was not updated
4. Set exclude scope
5. Move user into excluded subtree and check the membership is correct
:expectedresults:
1. Success
2. Success
3. Success
4. Success
5. Success
"""
inst = topo.standalone
# configure plugin
memberof = MemberOfPlugin(inst)
memberof.enable()
memberof.add('memberOfEntryScope', SUBTREE_1)
memberof.add('memberOfEntryScope', SUBTREE_2)
inst.restart()
# Add setup entries
add_container(inst, SUFFIX, 'sub1')
add_container(inst, SUFFIX, 'sub2')
add_container(inst, SUFFIX, 'sub3')
add_member_and_group(inst, 'm1', 'g1', SUBTREE_1)
add_member_and_group(inst, 'm2', 'g2', SUBTREE_2)
add_member_and_group(inst, 'm3', 'g3', SUBTREE_3)
# Check users 1 and 2 were correctly updated
check_membership(inst, f'uid=test_m1,{SUBTREE_1}', f'cn=g1,{SUBTREE_1}',
True)
check_membership(inst, f'uid=test_m2,{SUBTREE_2}', f'cn=g2,{SUBTREE_2}',
True)
# Check that user3, which is out of scope, was not updated
check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g1,{SUBTREE_1}',
False)
check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g2,{SUBTREE_2}',
False)
check_membership(inst, f'uid=test_m3,{SUBTREE_3}', f'cn=g3,{SUBTREE_3}',
False)
# Set exclude scope
EXCLUDED_SUBTREE = 'cn=exclude,%s' % SUFFIX
EXCLUDED_USER = f"uid=test_m1,{EXCLUDED_SUBTREE}"
INCLUDED_USER = f"uid=test_m1,{SUBTREE_1}"
GROUP_DN = f'cn=g1,{SUBTREE_1}'
add_container(inst, SUFFIX, 'exclude')
memberof.add('memberOfEntryScopeExcludeSubtree', EXCLUDED_SUBTREE)
# Move user to excluded scope
user = UserAccount(topo.standalone, dn=INCLUDED_USER)
user.rename("uid=test_m1", newsuperior=EXCLUDED_SUBTREE)
# Check memberOf and group are cleaned up
check_membership(inst, EXCLUDED_USER, GROUP_DN, False)
group = Group(topo.standalone, dn=GROUP_DN)
assert not group.present("member", EXCLUDED_USER)
assert not group.present("member", INCLUDED_USER)
