Example #1
0
def test_nestedrole(topo, _final):
    """
        :id: d52a9cw0-3bg6-11e9-9b7b-8c16451d917t
        :setup: Standalone server
        :steps:
            1. Add test entry
            2. Add ACI
            3. Search managed role entries
        :expectedresults:
            1. Entry should be added
            2. Operation should  succeed
            3. Operation should  succeed
    """
    # Create Managed role entry
    managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
    managed_role1 = managed_roles.create(properties={"cn": 'managed_role1'})
    managed_role2 = managed_roles.create(properties={"cn": 'managed_role2'})

    # Create nested role entry
    nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
    nested_role = nested_roles.create(
        properties={
            "cn": 'nested_role',
            "nsRoleDN": [managed_role1.dn, managed_role2.dn]
        })

    # Create user and assign managed role to it
    users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)
    user1 = users.create_test_user(uid=1, gid=1)
    user1.set('nsRoleDN', managed_role1.dn)
    user1.set('userPassword', PW_DM)

    # Create another user and assign managed role to it
    user2 = users.create_test_user(uid=2, gid=2)
    user2.set('nsRoleDN', managed_role2.dn)
    user2.set('userPassword', PW_DM)

    # Create another user and do not assign any role to it
    user3 = users.create_test_user(uid=3, gid=3)
    user3.set('userPassword', PW_DM)

    # Create a ACI with deny access to nested role entry
    Domain(topo.standalone, DEFAULT_SUFFIX).\
        add('aci', f'(targetattr=*)(version 3.0; aci '
                   f'"role aci"; deny(all) roledn="ldap:///{nested_role.dn}";)')

    # Create connection with 'uid=test_user_1,ou=People,dc=example,dc=com' member of managed_role1
    # and search while bound as the user
    conn = users.get('test_user_1').bind(PW_DM)
    assert not UserAccounts(conn, DEFAULT_SUFFIX).list()

    # Create connection with 'uid=test_user_2,ou=People,dc=example,dc=com' member of managed_role2
    # and search while bound as the user
    conn = users.get('test_user_2').bind(PW_DM)
    assert not UserAccounts(conn, DEFAULT_SUFFIX).list()

    # Create connection with 'uid=test_user_3,ou=People,dc=example,dc=com' and
    # search while bound as the user
    conn = users.get('test_user_3').bind(PW_DM)
    assert UserAccounts(conn, DEFAULT_SUFFIX).list()
Example #2
0
def test_usandsconf_dbgen_nested_role(topology_st, set_log_file_and_ldif):
    """Test ldifgen (formerly dbgen) tool to create a nested role

        :id: 97fff0a8-3103-4adb-be04-2799ff58d8f1
        :setup: Standalone instance
        :steps:
             1. Create DS instance
             2. Run ldifgen to generate ldif with nested role
             3. Import generated ldif to database
             4. Check it was properly imported
        :expectedresults:
             1. Success
             2. Success
             3. Success
             4. Success
        """

    LDAP_RESULT = 'adding new entry "cn=My_Nested_Role,ou=nested roles,dc=example,dc=com"'

    standalone = topology_st.standalone

    args = FakeArgs()
    args.NAME = 'My_Nested_Role'
    args.parent = 'ou=nested roles,dc=example,dc=com'
    args.create_parent = True
    args.type = 'nested'
    args.filter = None
    args.role_dn = ['cn=some_role,ou=roles,dc=example,dc=com']
    args.ldif_file = ldif_file

    content_list = [
        'Generating LDIF with the following options:',
        'NAME={}'.format(args.NAME), 'parent={}'.format(args.parent),
        'create-parent={}'.format(args.create_parent),
        'type={}'.format(args.type), 'role-dn={}'.format(args.role_dn),
        'ldif-file={}'.format(args.ldif_file), 'Writing LDIF',
        'Successfully created LDIF file: {}'.format(args.ldif_file)
    ]

    log.info('Run ldifgen to create nested role ldif')
    dbgen_create_role(standalone, log, args)

    log.info('Check if file exists')
    assert os.path.exists(ldif_file)

    check_value_in_log_and_reset(content_list)

    # Groups, COS, Roles and modification ldifs are designed to be used by ldapmodify, not ldif2db
    run_ldapmodify_from_file(standalone, ldif_file, LDAP_RESULT)

    log.info('Check that nested role is imported')
    roles = NestedRoles(standalone, DEFAULT_SUFFIX)
    assert roles.exists(args.NAME)
    new_role = roles.get(args.NAME)
    assert new_role.present('nsRoleDN', args.role_dn[0])
Example #3
0
    def finofaci():
        """
        Removes and Restores ACIs and other users after the test.
        """
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        domain.remove_all('aci')

        managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
        nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
        users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

        for i in managed_roles.list() + nested_roles.list() + users.list():
            i.delete()

        for i in aci_list:
            domain.add("aci", i)
Example #4
0
    def finofaci():
        """
        Removes and Restores ACIs and other users after the test.
        And restore nsslapd-ignore-virtual-attrs to default
        """
        domain = Domain(topo.standalone, DEFAULT_SUFFIX)
        domain.remove_all('aci')

        managed_roles = ManagedRoles(topo.standalone, DEFAULT_SUFFIX)
        nested_roles = NestedRoles(topo.standalone, DEFAULT_SUFFIX)
        users = UserAccounts(topo.standalone, DEFAULT_SUFFIX)

        for i in managed_roles.list() + nested_roles.list() + users.list():
            i.delete()

        for i in aci_list:
            domain.add("aci", i)

        topo.standalone.config.set('nsslapd-ignore-virtual-attrs', 'on')
Example #5
0
def _add_user(request, topo):
    """
    A Function that will create necessary users delete the created user
    """
    ous = OrganizationalUnits(topo.standalone, DEFAULT_SUFFIX)
    ou_ou = ous.create(properties={'ou': 'roledntest'})
    ou_ou.set('aci', [
        f'(target="ldap:///{NESTED_ROLE_TESTER}")(targetattr="*") '
        f'(version 3.0; aci "nested role aci"; allow(all)'
        f'roledn = "ldap:///{ROLE2}";)',
        f'(target="ldap:///{OR_RULE_ACCESS}")(targetattr="*")'
        f'(version 3.0; aci "or role aci"; allow(all) '
        f'roledn = "ldap:///{ROLE1} || ldap:///{ROLE21}";)',
        f'(target="ldap:///{ALL_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "anyone role aci"; allow(all) '
        f'roledn = "ldap:///anyone";)',
        f'(target="ldap:///{NOT_RULE_ACCESS}")(targetattr=*)'
        f'(version 3.0; aci "not role aci"; allow(all)'
        f'roledn != "ldap:///{ROLE1} || ldap:///{ROLE21}";)'
    ])

    nestedroles = NestedRoles(topo.standalone, OU_ROLE)
    for i in [('role2', [ROLE1, ROLE21]), ('role3', [ROLE2, ROLE31])]:
        nestedroles.create(properties={'cn': i[0], 'nsRoleDN': i[1]})

    managedroles = ManagedRoles(topo.standalone, OU_ROLE)
    for i in ['ROLE1', 'ROLE21', 'ROLE31']:
        managedroles.create(properties={'cn': i})

    filterroles = FilteredRoles(topo.standalone, OU_ROLE)
    filterroles.create(
        properties={
            'cn': 'filterRole',
            'nsRoleFilter': 'sn=Dr Drake',
            'description': 'filter role tester'
        })

    users = UserAccounts(topo.standalone, OU_ROLE, rdn=None)
    for i in [('STEVE_ROLE', ROLE1, 'Has roles 1, 2 and 3.'),
              ('HARRY_ROLE', ROLE21, 'Has roles 21, 2 and 3.'),
              ('MARY_ROLE', ROLE31, 'Has roles 31 and 3.')]:
        users.create(
            properties={
                'uid': i[0],
                'cn': i[0],
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + i[0],
                'userPassword': PW_DM,
                'nsRoleDN': i[1],
                'Description': i[2]
            })

    for i in [('JOE_ROLE', 'Has filterRole.'), ('NOROLEUSER', 'Has no roles.'),
              ('SCRACHENTRY', 'Entry to test rights on.'),
              ('all access', 'Everyone has acccess (incl anon).'),
              ('not rule access', 'Only accessible to mary.'),
              ('or rule access',
               'Only to steve and harry but nbot mary or anon'),
              ('nested role tester', 'Only accessible to harry and steve.')]:
        users.create(
            properties={
                'uid': i[0],
                'cn': i[0],
                'sn': 'user',
                'uidNumber': '1000',
                'gidNumber': '2000',
                'homeDirectory': '/home/' + i[0],
                'userPassword': PW_DM,
                'Description': i[1]
            })

    # Setting SN for user JOE
    UserAccount(topo.standalone,
                f'uid=JOE_ROLE,ou=roledntest,{DEFAULT_SUFFIX}').set(
                    'sn', 'Dr Drake')

    def fin():
        """
        It will delete the created users
        """
        for i in users.list() + managedroles.list() + nestedroles.list():
            i.delete()

    request.addfinalizer(fin)