def setupSSL_test():
ssl_args = {
'dirsrv': conn,
'secport': 22636,
'sourcedir': None,
'secargs': {
'nsSSLPersonalitySSL': 'localhost'
},
}
cert_dir = conn.getDseAttr('nsslapd-certdir')
assert cert_dir, "Cannot retrieve cert dir"
log.info("Initialize the cert store with an empty password: %r", cert_dir)
fd_null = open('/dev/null', 'w')
open('%s/pin.txt' % cert_dir, 'w').close()
cmd_initialize = 'certutil -d %s -N -f %s/pin.txt' % (cert_dir, cert_dir)
Popen(cmd_initialize.split(), stderr=fd_null)
log.info("Creating a self-signed cert for the server in %r" % cert_dir)
cmd_mkcert = ('certutil -d %s -S -n localhost -t CTu,Cu,Cu '
'-s cn=localhost -x' % cert_dir)
Popen(cmd_mkcert.split(), stdin=open("/dev/urandom"), stderr=fd_null)
log.info("Testing ssl configuration")
ssl_args.update({'dirsrv': conn})
DirSrvTools.setupSSL(**ssl_args)
def stop_start_test():
# dunno why DirSrv.start|stop writes to dirsrv error-log
conn.errlog = "/tmp/dirsrv-errlog"
open(conn.errlog, "w").close()
DirSrvTools.stop(conn)
log.info("server stopped")
DirSrvTools.start(conn)
log.info("server start")
time.sleep(5)
# save and restore conn settings after restart
tmp = conn.added_backends, conn.added_entries
setup()
conn.added_backends, conn.added_entries = tmp
assert conn.search_s(
*utils.searches['NAMINGCONTEXTS']), "Missing namingcontexts"
def stop_start_test():
# dunno why DirSrv.start|stop writes to dirsrv error-log
conn.errlog = "/tmp/dirsrv-errlog"
open(conn.errlog, "w").close()
DirSrvTools.stop(conn)
log.info("server stopped")
DirSrvTools.start(conn)
log.info("server start")
time.sleep(5)
# save and restore conn settings after restart
tmp = conn.added_backends, conn.added_entries
setup()
conn.added_backends, conn.added_entries = tmp
assert conn.search_s(
*utils.searches['NAMINGCONTEXTS']), "Missing namingcontexts"
def setupSSL_test():
ssl_args = {
'dirsrv': conn,
'secport': 22636,
'sourcedir': None,
'secargs': {'nsSSLPersonalitySSL': 'localhost'},
}
cert_dir = conn.getDseAttr('nsslapd-certdir')
assert cert_dir, "Cannot retrieve cert dir"
log.info("Initialize the cert store with an empty password: %r", cert_dir)
fd_null = open('/dev/null', 'w')
open('%s/pin.txt' % cert_dir, 'w').close()
cmd_initialize = 'certutil -d %s -N -f %s/pin.txt' % (cert_dir, cert_dir)
Popen(cmd_initialize.split(), stderr=fd_null)
log.info("Creating a self-signed cert for the server in %r" % cert_dir)
cmd_mkcert = 'certutil -d %s -S -n localhost -t CTu,Cu,Cu -s cn=localhost -x' % cert_dir
Popen(cmd_mkcert.split(), stdin=open("/dev/urandom"), stderr=fd_null)
log.info("Testing ssl configuration")
ssl_args.update({'dirsrv': conn})
DirSrvTools.setupSSL(**ssl_args)
def validate_hostname(self):
if getdomainname() == "":
# Should we return a message?
raise AssertionError("Host does not have a domain name.")
DirSrvTools.searchHostsFile(getfqdn())
from lib389.properties import *
from lib389.tasks import *
from lib389.utils import *
from lib389.idm.directorymanager import DirectoryManager
from lib389.idm.user import UserAccounts
from lib389.topologies import topology_st
pytestmark = pytest.mark.tier3
logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)
MAX_CONNS = 10000000
MAX_THREADS = 20
STOP = False
HOSTNAME = DirSrvTools.getLocalhost()
PORT = 389
NUNC_STANS = False
def signalHandler(signal, frame):
"""
handle control-C cleanly
"""
global STOP
STOP = True
sys.exit(0)
def init(inst):
"""Set the idle timeout, and add sample entries
def default_test():
host = socket.gethostname()
port = 10200
binddn = "cn=directory manager"
bindpw = "password"
suffix = 'dc=example,dc=com'
basedn = DN_CONFIG
scope = ldap.SCOPE_BASE
filt = "(objectclass=*)"
instance_name = ['m1', 'm2']
instance_config = {
'cfgdshost': host,
'cfgdsport': port,
'cfgdsuser': '******',
'cfgdspwd': 'admin',
'newrootpw': 'password',
'newhost': host,
'newport': port,
'newinstance': instance_name[0],
'newsuffix': suffix,
'setup_admin': True,
}
try:
m1 = DirSrv(host, port, binddn, bindpw)
except:
m1 = DirSrvTools.createInstance(instance_config, verbose=0)
added_instances.append(instance_config['newinstance'])
# filename = "%s/slapd-%s/ldif/Example.ldif" % (m1.sroot, m1.inst)
# m1.importLDIF(filename, "dc=example,dc=com", None, True)
# m1.exportLDIF('/tmp/ldif', "dc=example,dc=com", False, True)
print (m1.sroot, m1.inst, m1.errlog)
ent = m1.getEntry(basedn, scope, filt, None)
if ent:
print (ent.passwordmaxage)
instance_config.update({
'newinstance': instance_name[1],
'newport': port + 10,
})
m1 = DirSrvTools.createInstance(instance_config, verbose=0)
added_instances.append(instance_config['newinstance'])
# m1.stop(True)
# m1.start(True)
suffix = "dc=example2,dc=com"
bename = "example2db"
backendEntry, dummy = m1.backend.add(suffix, bename)
suffixEntry = m1.backend.setup_mt(suffix, bename)
cn = backendEntry.getValue('cn')
print (cn)
entry = m1.getEntry(DN_CONFIG, ldap.SCOPE_SUBTREE, "(cn=" + cn + ")")
print ("new backend entry is:")
print (entry)
print (entry.getValues('objectclass'))
print (entry.OBJECTCLASS)
results = m1.search_s("cn=monitor", ldap.SCOPE_SUBTREE)
print (results)
results = m1.getBackendsForSuffix("dc=example,dc=com")
print (results)
print ("done")
def test_rootdn_access_allowed_host(topology):
'''
Test allowed ip feature
'''
log.info('Running test_rootdn_access_allowed_host...')
#
# Set allowed host to an unknown host - blocks the Root DN
#
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-allow-host', 'i.dont.exist.com')])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' +
e.message['desc'])
assert False
#
# Bind as Root DN - should fail
#
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
succeeded = True
except ldap.LDAPError as e:
succeeded = False
if succeeded:
log.fatal('test_rootdn_access_allowed_host: Root DN was incorrectly able to bind')
assert False
#
# Allow localhost
#
try:
topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
assert False
hostname = socket.gethostname()
localhost = DirSrvTools.getLocalhost()
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
'rootdn-allow-host',
localhost)])
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
'rootdn-allow-host',
hostname)])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: Failed to set allowed host: error ' +
e.message['desc'])
assert False
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' +
e.message['desc'])
assert False
#
# Cleanup - undo everything we did so the next test has a clean slate
#
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error ' +
e.message['desc'])
assert False
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error ' +
e.message['desc'])
assert False
log.info('test_rootdn_access_allowed_host: PASSED')
def test_rootdn_access_denied_host(topology):
'''
Test denied Host feature - we can just test denying localhost
'''
log.info('Running test_rootdn_access_denied_host...')
hostname = socket.gethostname()
localhost = DirSrvTools.getLocalhost()
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
'rootdn-deny-host',
hostname)])
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_ADD,
'rootdn-deny-host',
localhost)])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: Failed to set deny host: error ' +
e.message['desc'])
assert False
#
# Bind as Root DN - should fail
#
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
succeeded = True
except ldap.LDAPError as e:
succeeded = False
if succeeded:
log.fatal('test_rootdn_access_denied_host: Root DN was incorrectly able to bind')
assert False
#
# Change the denied host so root DN succeeds
#
try:
topology.standalone.simple_bind_s(USER1_DN, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
assert False
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_REPLACE, 'rootdn-deny-host', 'i.dont.exist.com')])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' +
e.message['desc'])
assert False
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' +
e.message['desc'])
assert False
#
# Cleanup - undo the changes we made so the next test has a clean slate
#
try:
topology.standalone.modify_s(PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: Failed to set rootDN plugin config: error ' +
e.message['desc'])
assert False
try:
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error ' +
e.message['desc'])
assert False
log.info('test_rootdn_access_denied_host: PASSED')
import pytest
import uuid
from lib389.utils import *
from lib389.tasks import *
from lib389.tools import DirSrvTools
from lib389.topologies import topology_st
from lib389._constants import DEFAULT_SUFFIX, DN_DM, PASSWORD
from lib389.idm.user import UserAccounts, TEST_USER_PROPERTIES
from lib389.plugins import RootDNAccessControlPlugin
pytestmark = pytest.mark.tier1
logging.getLogger(__name__).setLevel(logging.DEBUG)
log = logging.getLogger(__name__)
localhost = DirSrvTools.getLocalhost()
hostname = socket.gethostname()
@pytest.fixture(scope="function")
def rootdn_cleanup(topology_st):
"""Do a cleanup of the config area before the test """
log.info('Cleaning up the config area')
plugin = RootDNAccessControlPlugin(topology_st.standalone)
plugin.remove_all_allow_host()
plugin.remove_all_deny_host()
plugin.remove_all_allow_ip()
plugin.remove_all_deny_ip()
@pytest.fixture(scope="module")
from lib389.properties import *
from lib389.tasks import *
from lib389.utils import *
DEBUGGING = False
if DEBUGGING:
logging.getLogger(__name__).setLevel(logging.DEBUG)
else:
logging.getLogger(__name__).setLevel(logging.INFO)
log = logging.getLogger(__name__)
MAX_CONNS = 10000000
MAX_THREADS = 20
STOP = False
HOSTNAME = DirSrvTools.getLocalhost()
PORT = 389
class TopologyStandalone(object):
"""The DS Topology Class"""
def __init__(self, standalone):
"""Init"""
standalone.open()
self.standalone = standalone
@pytest.fixture(scope="module")
def topology(request):
"""Create DS Deployment"""
def validate_hostname(self):
if getdomainname() == "":
# Should we return a message?
raise AssertionError("Host does not have a domain name.")
DirSrvTools.searchHostsFile(getfqdn())
def test_rootdn_access_allowed_host(topology_st):
'''
Test allowed ip feature
'''
log.info('Running test_rootdn_access_allowed_host...')
#
# Set allowed host to an unknown host - blocks the Root DN
#
try:
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_REPLACE, 'rootdn-allow-host', b'i.dont.exist.com')])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
.format(e))
assert False
#
# Bind as Root DN - should fail
#
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
succeeded = True
except ldap.LDAPError as e:
succeeded = False
if succeeded:
log.fatal(
'test_rootdn_access_allowed_host: Root DN was incorrectly able to bind'
)
assert False
#
# Allow localhost
#
try:
topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_allowed_host: : failed to bind as user1')
assert False
hostname = socket.gethostname()
localhost = DirSrvTools.getLocalhost()
try:
topology_st.standalone.modify_s(
PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(localhost))])
if hostname != localhost:
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_ADD, 'rootdn-allow-host', ensure_bytes(hostname))])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_allowed_host: Failed to set allowed host: error {}'
.format(e))
assert False
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
.format(e))
assert False
#
# Cleanup - undo everything we did so the next test has a clean slate
#
try:
topology_st.standalone.modify_s(
PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-allow-host', None)])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_allowed_host: Failed to delete(rootdn-allow-host): error {}'
.format(e))
assert False
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_allowed_host: Root DN bind failed unexpectedly failed: error {}'
.format(e))
assert False
log.info('test_rootdn_access_allowed_host: PASSED')
def test_rootdn_access_denied_host(topology_st):
'''
Test denied Host feature - we can just test denying localhost
'''
log.info('Running test_rootdn_access_denied_host...')
hostname = socket.gethostname()
localhost = DirSrvTools.getLocalhost()
try:
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(hostname))])
if localhost != hostname:
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_ADD, 'rootdn-deny-host', ensure_bytes(localhost))])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_denied_host: Failed to set deny host: error {}'
.format(e))
assert False
#
# Bind as Root DN - should fail
#
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
succeeded = True
except ldap.LDAPError as e:
succeeded = False
if succeeded:
log.fatal(
'test_rootdn_access_denied_host: Root DN was incorrectly able to bind'
)
assert False
#
# Change the denied host so root DN succeeds
#
try:
topology_st.standalone.simple_bind_s(USER1_DN, PASSWORD)
except ldap.LDAPError as e:
log.fatal('test_rootdn_access_denied_host: : failed to bind as user1')
assert False
try:
topology_st.standalone.modify_s(
PLUGIN_DN,
[(ldap.MOD_REPLACE, 'rootdn-deny-host', b'i.dont.exist.com')])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
.format(e))
assert False
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
.format(e))
assert False
#
# Cleanup - undo the changes we made so the next test has a clean slate
#
try:
topology_st.standalone.modify_s(
PLUGIN_DN, [(ldap.MOD_DELETE, 'rootdn-deny-host', None)])
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_denied_host: Failed to set rootDN plugin config: error {}'
.format(e))
assert False
try:
topology_st.standalone.simple_bind_s(DN_DM, PASSWORD)
except ldap.LDAPError as e:
log.fatal(
'test_rootdn_access_denied_host: Root DN bind failed unexpectedly failed: error {}'
.format(e))
assert False
log.info('test_rootdn_access_denied_host: PASSED')
