Ejemplo n.º 1
0
def test_managed_entry_removal(topo):
    """Check that we can't remove managed entry manually

    :id: cf9c5be5-97ef-46fc-b199-8346acf4c296
    :setup: Standalone Instance
    :steps:
        1. Enable the plugin
        2. Restart the instance
        3. Add our org units
        4. Set up config entry and template entry for the org units
        5. Add an entry that meets the MEP scope
        6. Check if a managed group entry was created
        7. Try to remove the entry while bound as Admin (non-DM)
        8. Remove the entry while bound as DM
        9. Check that the managing entry can be deleted too
    :expectedresults:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Should fail
        8. Success
        9. Success
    """

    inst = topo.standalone

    # Add ACI so we can test that non-DM user can't delete managed entry
    domain = Domain(inst, DEFAULT_SUFFIX)
    ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
    ACI_TARGETATTR = "(targetattr = *)"
    ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
    ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
    ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
    domain.add('aci', ACI_BODY)

    # stop the plugin, and start it
    plugin = ManagedEntriesPlugin(inst)
    plugin.disable()
    plugin.enable()

    # Add our org units
    ous = OrganizationalUnits(inst, DEFAULT_SUFFIX)
    ou_people = ous.create(properties={'ou': 'managed_people'})
    ou_groups = ous.create(properties={'ou': 'managed_groups'})

    mep_templates = MEPTemplates(inst, DEFAULT_SUFFIX)
    mep_template1 = mep_templates.create(
        properties={
            'cn':
            'MEP template',
            'mepRDNAttr':
            'cn',
            'mepStaticAttr':
            'objectclass: groupOfNames|objectclass: extensibleObject'.split(
                '|'),
            'mepMappedAttr':
            'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
        })
    mep_configs = MEPConfigs(inst)
    mep_configs.create(
        properties={
            'cn': 'config',
            'originScope': ou_people.dn,
            'originFilter': 'objectclass=posixAccount',
            'managedBase': ou_groups.dn,
            'managedTemplate': mep_template1.dn
        })
    inst.restart()

    # Add an entry that meets the MEP scope
    test_users_m1 = UserAccounts(inst,
                                 DEFAULT_SUFFIX,
                                 rdn='ou={}'.format(ou_people.rdn))
    managing_entry = test_users_m1.create_test_user(1001)
    managing_entry.reset_password(USER_PASSWORD)
    user_bound_conn = managing_entry.bind(USER_PASSWORD)

    # Get the managed entry
    managed_groups = Groups(inst, ou_groups.dn, rdn=None)
    managed_entry = managed_groups.get(managing_entry.rdn)

    # Check that the managed entry was created
    assert managed_entry.exists()

    # Try to remove the entry while bound as Admin (non-DM)
    managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
    managed_entry_user_conn = managed_groups_user_conn.get(managed_entry.rdn)
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        managed_entry_user_conn.delete()
    assert managed_entry_user_conn.exists()

    # Remove the entry while bound as DM
    managed_entry.delete()
    assert not managed_entry.exists()

    # Check that the managing entry can be deleted too
    managing_entry.delete()
    assert not managing_entry.exists()
Ejemplo n.º 2
0
def test_ri_and_mep_cache_corruption(topology_st):
    """Test RI plugin aborts change after MEP plugin fails.
    This is really testing the entry cache for corruption

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995

    :setup: Standalone instance

    :steps: 1. Enable and configure mep and ri plugins
            2. Add user and add it to a group
            3. Disable MEP plugin and remove MEP group
            4. Delete user
            5. Check that user is still a member of the group

    :expectedresults:
            1. Success
            2. Success
            3. Success
            4. It fails with NO_SUCH_OBJECT
            5. Success

    """
    # Start plugins
    topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
    mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
    mep_plugin.enable()
    ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
    ri_plugin.enable()

    # Add our org units
    ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
    ou_people = ous.create(properties={'ou': 'managed_people'})
    ou_groups = ous.create(properties={'ou': 'managed_groups'})

    # Configure MEP
    mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
    mep_template1 = mep_templates.create(
        properties={
            'cn':
            'MEP template',
            'mepRDNAttr':
            'cn',
            'mepStaticAttr':
            'objectclass: posixGroup|objectclass: extensibleObject'.split('|'),
            'mepMappedAttr':
            'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
        })
    mep_configs = MEPConfigs(topology_st.standalone)
    mep_configs.create(
        properties={
            'cn': 'config',
            'originScope': ou_people.dn,
            'originFilter': 'objectclass=posixAccount',
            'managedBase': ou_groups.dn,
            'managedTemplate': mep_template1.dn
        })

    # Add an entry that meets the MEP scope
    users = UserAccounts(topology_st.standalone,
                         DEFAULT_SUFFIX,
                         rdn='ou={}'.format(ou_people.rdn))
    user = users.create(
        properties={
            'uid': 'test-user1',
            'cn': 'test-user',
            'sn': 'test-user',
            'uidNumber': '10011',
            'gidNumber': '20011',
            'homeDirectory': '/home/test-user1'
        })

    # Add group
    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    user_group = groups.ensure_state(properties={
        'cn': 'group',
        'member': user.dn
    })

    # Check if a managed group entry was created
    mep_group = Group(topology_st.standalone,
                      dn='cn={},{}'.format(user.rdn, ou_groups.dn))
    if not mep_group.exists():
        log.fatal("MEP group was not created for the user")
        assert False

    # Test MEP be txn pre op failure does not corrupt entry cache
    # Should get the same exception for both rename attempts
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        mep_group.rename("cn=modrdn group")

    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        mep_group.rename("cn=modrdn group")

    # Mess with MEP so it fails
    mep_plugin.disable()
    mep_group.delete()
    mep_plugin.enable()

    # Add another group to verify entry cache is not corrupted
    test_group = groups.create(properties={'cn': 'test_group'})

    # Delete user, should fail in MEP be txn post op, and user should still be a member
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        user.delete()

    # Verify membership is intact
    if not user_group.is_member(user.dn):
        log.fatal(
            "Member was incorrectly removed from the group!!  Or so it seems")

        # Restart server and test again in case this was a cache issue
        topology_st.standalone.restart()
        if user_group.is_member(user.dn):
            log.info("The entry cache was corrupted")
            assert False

        assert False

    # Verify test group is still found in entry cache by deleting it
    test_group.delete()

    # Success
    log.info("Test PASSED")
Ejemplo n.º 3
0
def test_mentry01(topo, _create_inital):
    """Test Managed Entries basic functionality

    :id: 9b87493b-0493-46f9-8364-6099d0e5d806
    :setup: Standalone Instance
    :steps:
        1. Check the plug-in status
        2. Add Template and definition entry
        3. Add our org units
        4. Add users with PosixAccount ObjectClass and verify creation of User Private Group
        5. Disable the plug-in and check the status
        6. Enable the plug-in and check the status the plug-in is disabled and creation of UPG should fail
        7. Add users with PosixAccount ObjectClass and verify creation of User Private Group
        8. Add users, run ModRDN operation and check the User Private group
        9. Add users, run LDAPMODIFY to change the gidNumber and check the User Private group
        10. Checking whether creation of User Private group fails for existing group entry
        11. Checking whether adding of posixAccount objectClass to existing user creates UPG
        12. Running ModRDN operation and checking the user private groups mepManagedBy attribute
        13. Deleting mepManagedBy attribute and running ModRDN operation to check if it creates a new UPG
        14. Change the RDN of template entry, DSA Unwilling to perform error expected
        15. Change the RDN of cn=Users to cn=TestUsers and check UPG are deleted
    :expected results:
        1. Success
        2. Success
        3. Success
        4. Success
        5. Success
        6. Success
        7. Success
        8. Success
        9. Success
        10. Success
        11. Success
        12. Success
        13. Success
        14. Fail(Unwilling to perform )
        15. Success
    """
    # Check the plug-in status
    mana = ManagedEntriesPlugin(topo.standalone)
    assert mana.status()

    # Add Template and definition entry
    org1 = OrganizationalUnits(
        topo.standalone, DEFAULT_SUFFIX).create(properties={'ou': 'Users'})
    org2 = OrganizationalUnit(topo.standalone, f'ou=Groups,{DEFAULT_SUFFIX}')
    meps = MEPTemplates(topo.standalone, DEFAULT_SUFFIX)
    mep_template1 = meps.create(
        properties={
            'cn':
            'UPG Template1',
            'mepRDNAttr':
            'cn',
            'mepStaticAttr':
            'objectclass: posixGroup',
            'mepMappedAttr':
            'cn: $uid|gidNumber: $gidNumber|description: User private group for $uid'
            .split('|')
        })
    conf_mep = MEPConfigs(topo.standalone)
    conf_mep.create(
        properties={
            'cn': 'UPG Definition2',
            'originScope': org1.dn,
            'originFilter': 'objectclass=posixaccount',
            'managedBase': org2.dn,
            'managedTemplate': mep_template1.dn
        })

    # Add users with PosixAccount ObjectClass and verify creation of User Private Group
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    assert user.get_attr_val_utf8(
        'mepManagedEntry') == f'cn=test_user_1000,ou=Groups,{DEFAULT_SUFFIX}'

    # Disable the plug-in and check the status
    mana.disable()
    user.delete()
    topo.standalone.restart()

    # Add users with PosixAccount ObjectClass when the plug-in is disabled and creation of UPG should fail
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    assert not user.get_attr_val_utf8('mepManagedEntry')

    # Enable the plug-in and check the status
    mana.enable()
    user.delete()
    topo.standalone.restart()

    # Add users with PosixAccount ObjectClass and verify creation of User Private Group
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    assert user.get_attr_val_utf8(
        'mepManagedEntry') == f'cn=test_user_1000,ou=Groups,{DEFAULT_SUFFIX}'

    # Add users, run ModRDN operation and check the User Private group
    # Add users, run LDAPMODIFY to change the gidNumber and check the User Private group
    user.rename(new_rdn='uid=UserNewRDN',
                newsuperior='ou=Users,dc=example,dc=com')
    assert user.get_attr_val_utf8(
        'mepManagedEntry') == f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}'
    user.replace('gidNumber', '20209')
    entry = Account(topo.standalone,
                    f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}')
    assert entry.get_attr_val_utf8('gidNumber') == '20209'
    user.replace_many(('sn', 'new_modified_sn'), ('gidNumber', '31309'))
    assert entry.get_attr_val_utf8('gidNumber') == '31309'
    user.delete()

    # Checking whether creation of User Private group fails for existing group entry
    Groups(topo.standalone, f'ou=Groups,{DEFAULT_SUFFIX}',
           rdn=None).create(properties={'cn': 'MENTRY_14'})
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    with pytest.raises(ldap.NO_SUCH_OBJECT):
        entry.status()
    user.delete()

    # Checking whether adding of posixAccount objectClass to existing user creates UPG
    # Add Users without posixAccount objectClass
    users = WithObjectClass(topo.standalone,
                            f'uid=test_test, ou=Users,{DEFAULT_SUFFIX}')
    user_properties1 = {
        'uid': 'test_test',
        'cn': 'test',
        'sn': 'test',
        'mail': '*****@*****.**',
        'telephoneNumber': '123'
    }
    user = users.create(properties=user_properties1)
    assert not user.get_attr_val_utf8('mepManagedEntry')

    # Add posixAccount objectClass
    user.replace_many(
        ('objectclass', ['top', 'person', 'inetorgperson', 'posixAccount']),
        ('homeDirectory', '/home/ok'), ('uidNumber', '61603'),
        ('gidNumber', '61603'))
    assert not user.get_attr_val_utf8('mepManagedEntry')
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    entry = Account(topo.standalone,
                    'cn=test_user_1000,ou=Groups,dc=example,dc=com')

    # Add inetuser objectClass
    user.replace_many(('objectclass', [
        'top', 'account', 'posixaccount', 'inetOrgPerson',
        'organizationalPerson', 'nsMemberOf', 'nsAccount', 'person',
        'mepOriginEntry', 'inetuser'
    ]), ('memberOf', entry.dn))
    assert entry.status()
    user.delete()
    user = UserAccounts(topo.standalone,
                        f'ou=Users,{DEFAULT_SUFFIX}',
                        rdn=None).create_test_user()
    entry = Account(topo.standalone,
                    'cn=test_user_1000,ou=Groups,dc=example,dc=com')

    # Add groupofNames objectClass
    user.replace_many(('objectclass', [
        'top', 'account', 'posixaccount', 'inetOrgPerson',
        'organizationalPerson', 'nsMemberOf', 'nsAccount', 'person',
        'mepOriginEntry', 'groupofNames'
    ]), ('memberOf', user.dn))
    assert entry.status()

    # Running ModRDN operation and checking the user private groups mepManagedBy
    # attribute was also reset because the modrdn on the origin will do a modrdn
    # on checkManagedEntry to match the new rdn value of the origin entry
    checkManagedEntry = UserAccounts(topo.standalone,
                                     f'ou=Groups,{DEFAULT_SUFFIX}',
                                     rdn=None)
    check_entry = checkManagedEntry.create(
        properties={
            'objectclass': ['top', 'extensibleObject'],
            'uid': 'CheckModRDN',
            'uidNumber': '12',
            'gidNumber': '12',
            'homeDirectory': '/home',
            'sn': 'tmp',
            'cn': 'tmp',
        })
    user.replace('mepManagedEntry', check_entry.dn)
    user.rename(new_rdn='uid=UserNewRDN',
                newsuperior='ou=Users,dc=example,dc=com')
    assert user.get_attr_val_utf8_l(
        'mepManagedEntry'
    ) == f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}'.lower()

    # Deleting mepManagedBy attribute and running ModRDN operation to check if it creates a new UPG
    user.remove('mepManagedEntry', f'cn=UserNewRDN,ou=Groups,{DEFAULT_SUFFIX}')
    user.rename(new_rdn='uid=UserNewRDN1',
                newsuperior='ou=Users,dc=example,dc=com')
    assert user.get_attr_val_utf8(
        'mepManagedEntry') == f'cn=UserNewRDN1,ou=Groups,{DEFAULT_SUFFIX}'

    # Change the RDN of template entry, DSA Unwilling to perform error expected
    mep = MEPTemplate(topo.standalone, f'cn=UPG Template,{DEFAULT_SUFFIX}')
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        mep.rename(new_rdn='cn=UPG Template2', newsuperior='dc=example,dc=com')

    # Change the RDN of cn=Users to cn=TestUsers and check UPG are deleted
    before = user.get_attr_val_utf8('mepManagedEntry')
    user.rename(new_rdn='uid=Anuj', newsuperior='ou=Users,dc=example,dc=com')
    assert user.get_attr_val_utf8('mepManagedEntry') != before
Ejemplo n.º 4
0
def test_ri_and_mep_cache_corruption(topology_st):
    """Test RI plugin aborts change after MEP plugin fails.
    This is really testing the entry cache for corruption

    :id: 70d0b96e-b693-4bf7-bbf5-102a66ac5995

    :setup: Standalone instance

    :steps: 1. Enable and configure mep and ri plugins
            2. Add user and add it to a group
            3. Disable MEP plugin and remove MEP group
            4. Delete user
            5. Check that user is still a member of the group

    :expectedresults:
            1. Success
            2. Success
            3. Success
            4. It fails with NO_SUCH_OBJECT
            5. Success

    """
    # Add ACI so we can test that non-DM user can't delete managed entry
    domain = Domain(topology_st.standalone, DEFAULT_SUFFIX)
    ACI_TARGET = f"(target = \"ldap:///{DEFAULT_SUFFIX}\")"
    ACI_TARGETATTR = "(targetattr = *)"
    ACI_ALLOW = "(version 3.0; acl \"Admin Access\"; allow (all) "
    ACI_SUBJECT = "(userdn = \"ldap:///anyone\");)"
    ACI_BODY = ACI_TARGET + ACI_TARGETATTR + ACI_ALLOW + ACI_SUBJECT
    domain.add('aci', ACI_BODY)

    # Start plugins
    topology_st.standalone.config.set('nsslapd-dynamic-plugins', 'on')
    mep_plugin = ManagedEntriesPlugin(topology_st.standalone)
    mep_plugin.enable()
    ri_plugin = ReferentialIntegrityPlugin(topology_st.standalone)
    ri_plugin.enable()

    # Add our org units
    ous = OrganizationalUnits(topology_st.standalone, DEFAULT_SUFFIX)
    ou_people = ous.create(properties={'ou': 'managed_people'})
    ou_groups = ous.create(properties={'ou': 'managed_groups'})

    # Configure MEP
    mep_templates = MEPTemplates(topology_st.standalone, DEFAULT_SUFFIX)
    mep_template1 = mep_templates.create(properties={
        'cn': 'MEP template',
        'mepRDNAttr': 'cn',
        'mepStaticAttr': 'objectclass: groupOfNames|objectclass: extensibleObject'.split('|'),
        'mepMappedAttr': 'cn: $cn|uid: $cn|gidNumber: $uidNumber'.split('|')
    })
    mep_configs = MEPConfigs(topology_st.standalone)
    mep_configs.create(properties={'cn': 'config',
                                   'originScope': ou_people.dn,
                                   'originFilter': 'objectclass=posixAccount',
                                   'managedBase': ou_groups.dn,
                                   'managedTemplate': mep_template1.dn})

    # Add an entry that meets the MEP scope
    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX,
                         rdn='ou={}'.format(ou_people.rdn))
    user = users.create(properties={
        'uid': 'test-user1',
        'cn': 'test-user',
        'sn': 'test-user',
        'uidNumber': '10011',
        'gidNumber': '20011',
        'homeDirectory': '/home/test-user1'
    })
    user.reset_password(USER_PASSWORD)
    user_bound_conn = user.bind(USER_PASSWORD)

    # Add group
    groups = Groups(topology_st.standalone, DEFAULT_SUFFIX)
    user_group = groups.ensure_state(properties={'cn': 'group', 'member': user.dn})

    # Check if a managed group entry was created
    mep_group = Group(topology_st.standalone, dn='cn={},{}'.format(user.rdn, ou_groups.dn))
    if not mep_group.exists():
        log.fatal("MEP group was not created for the user")
        assert False

    # Test MEP be txn pre op failure does not corrupt entry cache
    # Should get the same exception for both rename attempts
    # Try to remove the entry while bound as Admin (non-DM)
    managed_groups_user_conn = Groups(user_bound_conn, ou_groups.dn, rdn=None)
    managed_entry_user_conn = managed_groups_user_conn.get(user.rdn)
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        managed_entry_user_conn.rename("cn=modrdn group")
    with pytest.raises(ldap.UNWILLING_TO_PERFORM):
        managed_entry_user_conn.rename("cn=modrdn group")

    # Mess with MEP so it fails
    mep_plugin.disable()
    users_mep_group = UserAccounts(topology_st.standalone, mep_group.dn, rdn=None)
    users_mep_group.create_test_user(1001)
    mep_plugin.enable()

    # Add another group to verify entry cache is not corrupted
    test_group = groups.create(properties={'cn': 'test_group'})

    # Try to delete user - it fails because managed entry can't be deleted
    with pytest.raises(ldap.NOT_ALLOWED_ON_NONLEAF):
        user.delete()

    # Verify membership is intact
    if not user_group.is_member(user.dn):
        log.fatal("Member was incorrectly removed from the group!!  Or so it seems")

        # Restart server and test again in case this was a cache issue
        topology_st.standalone.restart()
        if user_group.is_member(user.dn):
            log.info("The entry cache was corrupted")
            assert False

        assert False

    # Verify test group is still found in entry cache by deleting it
    test_group.delete()

    # Success
    log.info("Test PASSED")