def test_membership_attr(plugin): """ Test that the plugin performs integrity updates based on the attributes defined by referint-membership-attr. """ # remove a membership attribute plugin.remove_membership_attr('uniquemember') user1 = create_test_user(plugin._instance) group = create_test_group(plugin._instance, unique_group=True) group.add_member(user1.dn) user1.delete() # assert that the user was not removed from the group assert group.present(attr='uniquemember', value=user1.dn) # now put this membership attribute back and try again plugin.add_membership_attr('uniquemember') user2 = create_test_user(plugin._instance) group.add_member(user2.dn) user2.delete() # assert that user was removed from the group as well assert not group.present(attr='uniquemember', value=user2.dn) # clean up for subsequent test cases delete_objects([group])
def test_scoping(plugin): """ Tests that the MemberOf plugin works on suffixes listed in memberOfEntryScope, but skips suffixes listed in memberOfEntryScopeExcludeSubtree. """ # create a new ou and 2 users under different ous ou2 = create_test_ou(plugin._instance) user_p1 = create_test_user(plugin._instance) user_p2 = create_test_user(plugin._instance, suffix=ou2.dn) group = create_test_group(plugin._instance) # define include and exclude suffixes for MemberOf plugin.add_entryscope(DEFAULT_SUFFIX) plugin.add_excludescope(ou2.dn) group.add_member(user_p1.dn) group.add_member(user_p2.dn) memberofattr = plugin.get_attr() # assert that memberOfAttr was set for entry of an included suffix assert group.dn in user_p1.get_attr_vals(memberofattr) # assert that memberOfAttr was NOT set for entry of an excluded suffix assert not memberofattr in user_p2.get_all_attrs() # clean up for subsequent test cases delete_objects([user_p1, user_p2, group, ou2]) plugin.remove_all_excludescope() plugin.remove_all_entryscope()
def test_referint_enable_disable(plugin): """ Test that the plugin doesn't do anything while disabled, and functions properly when enabled. NOTICE: This test case leaves the plugin enabled for the following tests. """ # assert plugin is disabled (by default) assert plugin.status() == False user1 = create_test_user(plugin._instance) group = create_test_group(plugin._instance) group.add_member(user1.dn) user1.delete() # assert that user was not removed from group because the plugin is disabled assert group.present(attr='member', value=user1.dn) # enable the plugin and restart the server for the action to take effect plugin.enable() plugin._instance.restart() assert plugin.status() == True user2 = create_test_user(plugin._instance) group.add_member(user2.dn) user2.delete() # assert that user was removed from the group as well assert not group.present(attr='member', value=user2.dn) # clean up for subsequent test cases delete_objects([group])
def test_memberofallbackends(plugin): """ By default the MemberOf plugin only looks for potential members for users who are in the same database as the group. Test that when memberOfAllBackends is enabled, memberOf will search across all databases instead. """ ou_value = "People2" ou_suffix = DEFAULT_SUFFIX # create a new backend plugin._instance.backends.create(None, properties={ BACKEND_NAME: "People2Data", BACKEND_SUFFIX: "ou=" + ou_value + "," + ou_suffix, }) # create a new sub-suffix stored in the new backend ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix) # add a user in the default backend user_b1 = create_test_user(plugin._instance) # add a user in the new backend user_b2 = create_test_user(plugin._instance, suffix=ou2.dn) # create a group in the default backend group = create_test_group(plugin._instance) # configure memberof to search only for users who are in the same backend as the group plugin.disable_allbackends() group.add_member(user_b1.dn) group.add_member(user_b2.dn) memberofattr = plugin.get_attr() # assert that memberOfAttr was set for the user stored in the same backend as the group assert group.dn in user_b1.get_attr_vals(memberofattr) # assert that memberOfAttr was NOT set for the user stored in a different backend assert not memberofattr in user_b2.get_all_attrs() # configure memberof to search across all backends plugin.enable_allbackends() # remove users from group and add them again in order to re-trigger the plugin group.remove_member(user_b1.dn) group.remove_member(user_b2.dn) group.add_member(user_b1.dn) group.add_member(user_b2.dn) # assert that memberOfAttr was set for users stored in both backends assert group.dn in user_b1.get_attr_vals(memberofattr) assert group.dn in user_b2.get_attr_vals(memberofattr) # clean up for subsequent test cases delete_objects([user_b1, user_b2, group, ou2])
def test_memberof_enable_disable(plugin): """ Test that the plugin doesn't do anything while disabled, and functions properly when enabled. NOTICE: This test case leaves the plugin enabled for the following tests. """ # assert plugin is disabled (by default) assert plugin.status() == False user = create_test_user(plugin._instance) group = create_test_group(plugin._instance) # add user to the group (which normally triggers the plugin) group.add_member(user.dn) memberofattr = plugin.get_attr() # assert no memberof attribute was created by the plugin assert not memberofattr in user.get_all_attrs() # enable the plugin and restart the server for the action to take effect plugin.enable() plugin._instance.restart() assert plugin.status() == True # trigger the plugin again group.remove_member(user.dn) group.add_member(user.dn) # assert that the memberof attribute was now properly set assert memberofattr in user.get_all_attrs() # clean up for subsequent test cases delete_objects([user, group])
def test_usn_local_mode(plugin): """ Test that when USN is operating in local mode, each backend has an instance of the USN Plug-in with a USN counter specific to that backend database. """ # assert local mode assert not plugin.is_global_mode_set() ou_value = "People2" ou_suffix = DEFAULT_SUFFIX # create a new backend plugin._instance.backends.create(None, properties={ BACKEND_NAME: "People2Data", BACKEND_SUFFIX: "ou=" + ou_value + "," + ou_suffix, }) # create a new sub-suffix stored in the new backend ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix) root_dse = RootDSE(plugin._instance) lastusn_b1 = lambda: root_dse.get_attr_val_int("lastusn;userroot") lastusn_b2 = lambda: root_dse.get_attr_val_int("lastusn;people2data") assert lastusn_b1() == lastusn_b2() == -1 # add a user in the default backend; trigger the plugin user_b1 = create_test_user(plugin._instance) user_b1.replace('sn', 'surname2') user_b1.replace('sn', 'surname3') # add a user in the new backend user_b2 = create_test_user(plugin._instance, suffix=ou2.dn) # assert the USN counter is different for each backend assert user_b1.get_attr_val_int("entryusn") == lastusn_b1() == 2 assert user_b2.get_attr_val_int("entryusn") == lastusn_b2() == 0 # reset USN for subsequent test cases b = Backend(plugin._instance, dn="cn=people2data," + DN_LDBM) reset_USN(plugin, [user_b1, user_b2, ou2, b])
def test_fixup_task(plugin): """ Test that after creating the fix-up task entry, initial memberOf attributes are created on the member's user entries in the directory automatically. Also, test that the filter provided to the task is correctly applied. """ # disable the plugin and restart the server for the action to take effect plugin.disable() plugin._instance.restart() user1 = create_test_user(plugin._instance) user2 = create_test_user(plugin._instance, cn="testuser2") group = create_test_group(plugin._instance) group.add_member(user1.dn) group.add_member(user2.dn) # enable the plugin and restart the server for the action to take effect plugin.enable() plugin._instance.restart() memberofattr = plugin.get_attr() # memberof attribute should not appear on user entries assert not memberofattr in user1.get_all_attrs() assert not memberofattr in user2.get_all_attrs() # run the fix-up task and provide a filter for the entry task = plugin.fixup(basedn=DEFAULT_SUFFIX, _filter="(cn=testuser2)") # wait for the task to complete task.wait() assert task.is_complete() assert task.get_exit_code() == 0 # memberof attribute should now appear on the user entry matching the filter assert memberofattr in user2.get_all_attrs() assert group.dn in user2.get_attr_vals(memberofattr) # but should not appear on user entry that doesn't match the filter assert not memberofattr in user1.get_all_attrs() # clean up for subsequent test cases delete_objects([user1, user2, group])
def test_memberofautoaddocc(plugin): """ Test that the MemberOf plugin automatically adds the object class defined by memberOfAutoAddOC to a user object, if it does not contain an object class that allows the memberOf attribute. """ user = create_test_user(plugin._instance) group = create_test_group(plugin._instance) # delete any object classes that allow the memberOf attribute if "nsMemberOf" in user.get_attr_vals("objectClass"): user.remove("objectClass", "nsMemberOf") if "inetUser" in user.get_attr_vals("objectClass"): user.remove("objectClass", "inetUser") if "inetAdmin" in user.get_attr_vals("objectClass"): user.remove("objectClass", "inetAdmin") # set a valid object class to memberOfAutoAddOC plugin.set_autoaddoc("nsMemberOf") # assert that user has not got this object class at the moment assert not "nsMemberOf" in user.get_attr_vals("objectClass") # trigger the plugin group.add_member(user.dn) # assert that the object class defined by memberOfAutoAddOC now exists assert "nsMemberOf" in user.get_attr_vals("objectClass") # reset user entry group.remove_member(user.dn) user.remove("objectClass", "nsMemberOf") # repeat for different object class plugin.set_autoaddoc("inetUser") assert not "inetUser" in user.get_attr_vals("objectClass") # re-trigger the plugin group.add_member(user.dn) assert "inetUser" in user.get_attr_vals("objectClass") group.remove_member(user.dn) user.remove("objectClass", "inetUser") # repeat for different object class plugin.set_autoaddoc("inetAdmin") assert not "inetAdmin" in user.get_attr_vals("objectClass") # re-trigger the plugin group.add_member(user.dn) assert "inetAdmin" in user.get_attr_vals("objectClass") # clean up for subsequent test cases delete_objects([user, group])
def test_usn_enable_disable(plugin): """ Test that the plugin doesn't do anything while disabled, but stores entryusn values properly when enabled. NOTICE: This test case leaves the plugin enabled for the following tests. """ # assert plugin is disabled (by default) assert plugin.status() == False root_dse = RootDSE(plugin._instance) # create a function for returning lastusn every time is called lastusn = lambda: root_dse.get_attr_val_int("lastusn;userroot") user1 = create_test_user(plugin._instance) # assert no entryusn,lastusn values were created while the plugin was disabled assert not "entryusn" in user1.get_all_attrs() assert not "lastusn;userroot" in root_dse.get_all_attrs() # enable the plugin and restart the server for the action to take effect plugin.enable() plugin._instance.restart() assert plugin.status() == True assert lastusn() == -1 user2 = create_test_user(plugin._instance) # assert that a new entry now contains the entryusn value assert user2.get_attr_val_int("entryusn") == lastusn() == 0 # assert that USNs are properly assigned after any write operation # write operations include add, modify, modrdn and delete operations user3 = create_test_user(plugin._instance) assert user3.get_attr_val_int("entryusn") == lastusn() == 1 user2.delete() assert lastusn() == 2 user3.replace('sn', 'another surname') assert user3.get_attr_val_int("entryusn") == lastusn() == 3 # reset USN for subsequent test cases reset_USN(plugin, [user1, user3])
def test_usn_global_mode(plugin): """ Test that when USN is operating in global mode, there is a global instance of the USN Plug-in with a global USN counter that applies to changes made to the entire directory (all backends). """ plugin.enable_global_mode() plugin._instance.restart() assert plugin.is_global_mode_set() # create a new backend and a new sub-suffix stored in the new backend ou_value = "People4" ou_suffix = DEFAULT_SUFFIX plugin._instance.backends.create(None, properties={ BACKEND_NAME: "People4Data", BACKEND_SUFFIX: "ou=" + ou_value + "," + ou_suffix, }) root_dse = RootDSE(plugin._instance) assert "lastusn" in root_dse.get_all_attrs() ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix) assert ou2.get_attr_val_int("entryusn") == 0 # add a user in the default backend user_b1 = create_test_user(plugin._instance) # add a user in the new backend user_b2 = create_test_user(plugin._instance, suffix=ou2.dn) # assert that a global USN counter is used for all backends assert user_b1.get_attr_val_int("entryusn") == 1 assert user_b2.get_attr_val_int("entryusn") == 2 # reset USN for subsequent test cases b = Backend(plugin._instance, dn="cn=people4data," + DN_LDBM) reset_USN(plugin, [user_b1, user_b2, ou2, b])
def test_memberofskipnested(plugin): """ Test that when memberOfSkipNested is off (default) they plugin can properly handle nested groups (groups that are member of other groups). Respectively make sure that when memberOfSkipNested is on, the plugin lists only groups to which a user was added directly. """ user = create_test_user(plugin._instance) group1 = create_test_group(plugin._instance) group2 = create_test_group(plugin._instance) # don't skip nested groups (this is the default) plugin.disable_skipnested() # create a nested group by listing group1 as a member of group2 group2.add_member(group1.dn) # add user to group1 only group1.add_member(user.dn) memberofattr = plugin.get_attr() assert group2.dn in group1.get_attr_vals(memberofattr) # assert that memberOfAttr of user includes both groups # even though they were not directly added to group2 assert group1.dn in user.get_attr_vals(memberofattr) assert group2.dn in user.get_attr_vals(memberofattr) # skip nested groups plugin.enable_skipnested() # remove from groups and add again in order to re-trigger the plugin group2.remove_member(group1.dn) group1.remove_member(user.dn) group2.add_member(group1.dn) group1.add_member(user.dn) assert group2.dn in group1.get_attr_vals(memberofattr) # assert that user's memberOfAttr includes only the group to which they were added assert group1.dn in user.get_attr_vals(memberofattr) assert not group2.dn in user.get_attr_vals(memberofattr) # clean up for subsequent test cases delete_objects([user, group1, group2])
def test_memberofgroupattr(plugin): """ memberOfGroupAttr gives the attribute in the group entry to poll to identify member DNs. Test that the memberOf is set on a user only for groups whose membership attribute is included in memberOfGroupAttr. """ memberofattr = plugin.get_attr() # initially "member" should be the default and only value of memberOfGroupAttr assert plugin.get_attr_vals('memberofgroupattr') == ['member'] user = create_test_user(plugin._instance) group_normal = create_test_group(plugin._instance) group_unique = create_test_group(plugin._instance, unique_group=True) # add user to both groups group_normal.add_member(user.dn) group_unique.add_member(user.dn) # assert that the memberof attribute was set for normal group only assert group_normal.dn in user.get_attr_vals(memberofattr) assert not group_unique.dn in user.get_attr_vals(memberofattr) # add another value to memberOfGroupAttr plugin.add_groupattr('uniqueMember') # remove user from groups and add them again in order to trigger the plugin group_normal.remove_member(user.dn) group_normal.add_member(user.dn) group_unique.remove_member(user.dn) group_unique.add_member(user.dn) # assert that the memberof attribute was set for both groups this time assert group_normal.dn in user.get_attr_vals(memberofattr) assert group_unique.dn in user.get_attr_vals(memberofattr) # clean up for subsequent test cases delete_objects([user, group_normal, group_unique])
def test_memberofattr(plugin): """ Test that the plugin automatically creates an attribute on user entries declaring membership after adding them to a group. The attribute depends on the value of memberOfAttr. """ memberofattr = "memberOf" plugin.set_attr(memberofattr) user = create_test_user(plugin._instance) group = create_test_group(plugin._instance) # memberof attribute should not yet appear assert not memberofattr in user.get_all_attrs() # trigger the plugin group.add_member(user.dn) # assert that the memberof attribute was automatically set by the plugin assert group.dn in user.get_attr_vals(memberofattr) # clean up for subsequent test cases delete_objects([user, group])
def test_tombstone_cleanup(plugin): """ Assert that the USN plugin removes tombstone entries when the cleanup task is run. Test removal for a specific backend, a specific suffix, and up to a given USN number. """ # create a new backend and a new sub-suffix stored in the new backend ou_value = "People3" ou_suffix = DEFAULT_SUFFIX plugin._instance.backends.create(None, properties={ BACKEND_NAME: "People3Data", BACKEND_SUFFIX: "ou=" + ou_value + "," + ou_suffix, }) ou2 = create_test_ou(plugin._instance, ou=ou_value, suffix=ou_suffix) tombstones_b1 = DSLdapObjects(plugin._instance) tombstones_b1._basedn = "ou=People," + DEFAULT_SUFFIX tombstones_b1._objectclasses = ['nsTombstone'] tombstones_b2 = DSLdapObjects(plugin._instance) tombstones_b2._basedn = ou2.dn tombstones_b2._objectclasses = ['nsTombstone'] root_dse = RootDSE(plugin._instance) lastusn_b1 = lambda: root_dse.get_attr_val_int("lastusn;userroot") assert lastusn_b1() == -1 user1_b1 = create_test_user(plugin._instance) user2_b1 = create_test_user(plugin._instance) user3_b1 = create_test_user(plugin._instance) user1_b2 = create_test_user(plugin._instance, suffix=ou2.dn) user2_b2 = create_test_user(plugin._instance, suffix=ou2.dn) # assert no tombstones exist at this point assert not tombstones_b1.list() assert not tombstones_b2.list() # create 3 tombstone entries on default backend user1_b1.delete() user2_b1.delete() user3_b1.delete() # assert there are 3 tombstone entries indeed on default backend assert len(tombstones_b1.list()) == 3 assert not tombstones_b2.list() assert lastusn_b1() == 5 # remove all tombstone entries from default backend, with a USN value up to 4 task = plugin.cleanup(suffix=DEFAULT_SUFFIX, max_usn=lastusn_b1() - 1) task.wait() # assert all tombstone entries were deleted but the last one on default backend assert len(tombstones_b1.list()) == 1 assert not tombstones_b2.list() # create 2 tombstone entries on new backend user1_b2.delete() user2_b2.delete() # assert there are 2 tombstone entries indeed on new backend assert len(tombstones_b2.list()) == 2 assert len(tombstones_b1.list()) == 1 # remove all tombstone entries from ou2 suffix task = plugin.cleanup(suffix=ou2.dn) task.wait() # assert there are no tombstone entries stored on ou2 suffix assert not tombstones_b2.list() assert len(tombstones_b1.list()) == 1 # reset USN for subsequent test cases b = Backend(plugin._instance, dn="cn=people3data," + DN_LDBM) reset_USN(plugin, [ou2, b])